Category: EU
25. November 2021
The EU Commission is working on a legislative package to combat child abuse, which will also regulate the exchange of child pornography on the internet. The scope of these regulations is expected to include automated searches for private encrypted communications via messaging apps.
When questioned, Olivier Onidi, Deputy Director General of the Directorate-General Migration and Home Affairs at the European Commission, said the proposal aims to “cover all forms of communication, including private communication”.
The EU Commissioner of Home Affairs, Ylva Johansson, declared the fight against child sexual abuse to be her top priority. The current Slovenian EU Council Presidency has also declared the fight against child abuse to be one of its main priorities and intends to focus on the “digital dimension”.
In May 2021, the EU Commission, the Council and the European Parliament reached a provisional agreement on an exemption to the ePrivacy Directive that would allow web-based email and messaging services to detect, remove, and report child sexual abuse material. Previously, the European Electronic Communications Code (EECC) had extended the legal protection of the ePrivacy Directive to private communications related to electronic messaging services. Unlike the General Data Protection Regulation, the ePrivacy Directive does not contain a legal basis for the voluntary processing of content or traffic data for the purpose of detecting child sexual abuse. For this reason, such an exception was necessary.
Critics see this form of preventive mass surveillance as a threat to privacy, IT security, freedom of expression and democracy. A critic to the agreement states:
This unprecedented deal means all of our private e-mails and messages will be subjected to privatized real-time mass surveillance using error-prone incrimination machines inflicting devastating collateral damage on users, children and victims alike.
However, the new legislative initiative goes even further. Instead of allowing providers of such services to search for such content on a voluntary basis, all providers would be required to search the services they offer for such content.
How exactly such a law would be implemented from a technical perspective will probably not be clear from the text of the law and is likely to be left up to the providers.
One possibility would be that software checks the hash of an attachment before it is sent and compares it with a database of hashes that have already been identified as illegal once. Such software is offered by Microsoft, for example, and such a database is operated by the National Center of Missing and Exploited Children in the United States. A hash is a kind of digital fingerprint of a file.
Another possibility would be the monitoring technology “client-side scanning”. This involves scanning messages before they are encrypted on the user’s device. However, this technology has been heavily criticized by numerous IT security researchers and encryption software manufacturers in a joint study. They describe CSS as a threat to privacy, IT security, freedom of expression and democracy, among other things because the technology creates security loopholes and thus opens up gateways for state actors and hackers.
The consequence of this law would be a significant intrusion into the privacy of all EU citizens, as every message would be checked automatically and without suspicion. The introduction of such a law would also have massive consequences for the providers of encrypted messaging services, as they would have to change their software fundamentally and introduce corresponding control mechanisms, but without jeopardizing the security of users, e.g., from criminal hackers.
There is another danger that must be considered: The introduction of such legally mandated automated control of systems for one area of application can always lead to a lowering of the inhibition threshold to use such systems for other purposes as well. This is because the same powers that are introduced in the name of combating child abuse could, of course, also be introduced for investigations in other areas.
It remains to be seen when the relevant legislation will be introduced and when and how it will be implemented. Originally, the bill was scheduled to be presented on December 1st, 2021, but this item has since been removed from the Commission’s calendar.
On November 19th, 2021, the European Data Protection Board (EDPB) published a new set of draft Guidelines 05/2021 on the interplay between the EU General Data Protection Regulation’s (GDPR) territorial scope, and the GDPR’s provisions on international data transfers.
The EDPB stated in their press release that “by clarifying the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V, the Guidelines aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.”
The Guidelines set forth three cumulative criteria to consider in determining whether a processing activity qualifies as an international data transfer under the GDPR, namely:
- the exporting controller or processor is subject to the GDPR for the given processing activity,
- the exporting controller or processor transmits or makes available the personal data to the data importer (e.g., another controller, joint controller, or a processor and
- the data importer is in a third country (or is an international organization), irrespective of whether the data importer or its processing activities are subject to the GDPR.
If all three requirements are met, the processing activity is to be considered an international data transfer under the GDPR, which results in the requirements of Chapter V of the GDPR to be applicable.
The Guidelines further clarify that the safeguards implemented to accommodate the international data transfer must be tailored to the specific transfer at issue. In an example, the EDPB indicates that the transfer of personal data to a controller in a third country that is subject to the GDPR will generally require fewer safeguards. In such a case, the transfer tool should focus on the elements and principles that are specific to the importing jurisdiction. This includes particularly conflicting national laws, government access requests in the receiving third country and the difficulty for data subjects to obtain redress against an entity in the receiving third country.
The EDPB offers its support in developing a transfer tool that would cover the above-mentioned situation.
The Guidelines are open for public consultation until January, 31st, 2022.
16. November 2021
In its October Infringements Package, the European Commission has stated it is pursuing legal actions against Belgium over concerns its Data Protection Authority (DPA) is not operating independently, as it should under the General Data Protection Regulation (GDPR).
The Commission stated that it “considers that Belgium violates Article 52 of the GDPR, which states that the data protection supervisory authority shall perform its tasks and exercise its powers independently. The independence of data protection authorities requires that their members are free from any external influence or incompatible occupation.”
According to the European Commission, however, some members of the Belgian DPA cannot be regarded as free from external influence, as they either report to a management committee depending on the Belgian government, they have taken part in governmental projects on COVID-19 contact tracing, or they are members of the Information Security Committee.
On June 9th, 2021, the Commission sent a letter of formal notice to Belgium, giving the member state two months to take corrective measures. Belgium’s response to the Commission’s letter did not address the issues raised and the members concerned have so far remained in their posts. The European Commission is now giving Belgium two months to take relevant action. If this fails, the Commission may decide to refer the case to the Court of Justice of the European Union.
25. October 2021
During its plenary session of October 2021, the European Data Protection Board (EDPB) adopted a final version of the Guidelines on restrictions of data subject rights under Art. 23 of the General Data Protection Regulation (GDPR) following public consultation.
The Guidelines “provide a thorough analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights after the restrictions are lifted, and the consequences of infringements of Art. 23 GDPR,” the EDPB stated in their press release.
Further, the Guidelines aim to analyze how the legislative measures setting out the restrictions need to meet the foreseeability requirement and examine the grounds for the restrictions listed by Art. 23(1) GDPR, as well as the obligations and rights which may be restricted.
These Guidelines hope to recall the conditions surrounding the use of the restrictions by the Member States in light of the Charter of Fundamental Rights of the European Union, and to guide Member States if they wish to implement restrictions under national law.
5. October 2021
On September 27, 2021, the European Data Protection Board (EDPB) announced that it has established a “Cookie Banner” taskforce in order to coordinate the complaints and corresponding responses filed with several EU data protection authorities (DPA) by the non-governmental organization None of Your Business (NOYB) in relation to website cookie banners.
In May 2021 NOYB sent over 500 draft and formal complaints to companies residing in the EU regarding the use of their cookie banners. The complaints seem to focus on the absence of a “reject all” button on most of the websites as well as the way cookie banners use deceptive design in order to get data subjects to consent to the use of non-essential cookies. Another regular complaint is the difficulty for refusing cookies, as opposed to the simple way of consenting to them.
The EDPB stated that “this taskforce was established in accordance with Art. 70 (1) (u) GDPR and aims to promote cooperation, information sharing and best practices between the DPAs”. The taskforce is meant to exchange views on legal analysis and possible infringements, provide support to activities on the national levels and streamline communication.
29. September 2021
The EU Whistleblower Directive was published in December 2019 and introduces minimum standards for the protection of individuals reporting breaches of EU law governing different areas of public interest, which are specified in the annex to the EU Whistleblower Directive. These include inter alia privacy and personal data protection as well as security of network information systems. The Directive aims to protect individuals who have become aware of such breaches in a work-related context, irrespective of their status from an employment law prospective. Employees, civil servants, self-employed service providers, freelance workers as well as volunteers and trainees and even shareholders will now be protected under the Whistleblower Directive.
Status of implementation in the EU Member states
EU member states are obliged to adapt the Whistleblower Directive into national law until December 17th, 2021. So far, the implementation is in process for at least 21 Member States.
Legislative proposals have been drafted in the following member states, and are up for discussion in their respective parliaments:
- Belgium,
- the Czech Republic,
- Denmark,
- France,
- Romania,
- the Netherlands.
First legislative steps have been taken in the following member states, where drafts are currently being planned or prepared:
- Bulgaria,
- Croatia,
- Estonia,
- Finland,
- Greece,
- Ireland,
- Latvia,
- Lithuania,
- Poland,
- Portugal.
Slovakia and Slovenia have enacted laws in first reaction to the Directive, however new laws for a full implementation are underway. In Germany, there is currently no comprehensive law that implements the Whistleblower Directive. At the time of this writing, a number of proposals are in development. The concrete implementation of the Directive in Germany has remained controversial between the governing parties. A draft bill of the Whistleblower Protection Act (Hinweisgeberschutzgesetz) submitted by the Federal Ministry of Justice was rejected within the government at the end of April 2021 because it provided for stricter regulations than the EU Directive. A new draft is yet to be passed on to the next stage.
Naturally, operating channels and procedures for internal reporting of EU law breaches will inevitably involve the processing of personal data, and the EU legislators were clearly aware of the consequences, as the Whistleblower Directive generally states that any processing of personal data pursuant to the Whistleblower Directive must be carried out in accordance with EU data protection law and the General Data Protection Regulation (GDPR) in particular.
What this means for companies in the EU
In order for companies to understand how to comply with the EU Whistleblower Directive, it is important for businesses to keep the following data protection elements in mind:
- Handle reports and the personal data of the reporter/whistleblower according to the principles of Art. 5 GDPR: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability;
- Have a legal basis for the processing of personal data and whistleblower reports (in this case Art. 6 para. 1 lit. c GDPR plus if applicable national data protection law in conjunction with the EU Whistleblower Directive);
- Purpose limitation and data minimization for reports through Privacy by Design and Default (configuration of the reporting tool in a way that allows only data relevant to the report to be collected, irrelevant data should be deleted without undue delay);
- Limit access to the reports by responsible employees only based on a strict and detailed authorization concept (Need-to-Know basis);
- Ensure that the identity of the reporter/whistleblower remains confidential;
- Inform all (potential) reporters/whistleblowers about the data processing activity in relation to the report and the following investigation process according to Art. 13 GDPR and the protection of their identity (preferably implemented in the reporting tools, so that the reporter/whistleblower is properly informed);
- Documentation of the processing activity in a Record of Processing Activities according to Art. 30 GDPR;
- Enter into GDPR compliant Data Processing Agreements with relevant service providers, if applicable;
- Have applicable and GDPR compliant Technical and Organizational Measures in place;
- Have a Retention Schedule in place (recommended deletion of personal data within two months after completion of the investigation unless legal proceedings follow);
- Keep reports local unless necessary to disclose to other group entities due to the reports affecting other locations.
To date, there is very little official guidance available from EU data protection regulators. Sooner or later, EU data protection regulators will have to either issue updated guidance before the transposition laws at EU Member State level kick in or will encourage industry stakeholders to draw up a code of conduct for whistleblower reporting.
On the business side, successful implementation can protect your business and promote a better workplace culture. The Directive establishes three options for the reporting of information by whistleblowers:
- Internal reporting channel within the business which are mandatory according to the Directive for businesses with 50 or more employees,
- External reporting Channels facilitated through relevant authorities on a national or EU-level,
- Under certain circumstances, the whistleblower can decide to publicly report the information, e.g. via social media.
These channels can either be:
- Written – online reporting platform, email or post,
- Verbal – phone hotline with messaging system or in-person.
We recommend staying updated on the developments on the EU Whistleblower Directive and the status of implementation within the EU member states. In the meantime, if you have questions on how the EU Whistleblower Directive might impact your business in Germany and the EU, do not hesitate to contact us.
11. August 2021
On August 6, 2021, Amazon disclosed the ruling of the Luxembourg data protection authority Commission nationale pour la protection des donées (CNPD) in an SEC filing, which imposed a record-breaking €746 million fine on Amazon Europe Core S.à.r.l. for alleged violations of the EU General Data Protection Regulation (GDPR) on July 16, 2021.
Based on press reports and Amazon’s public statements, the fine appears to relate to Amazon’s use of customer data for targeted advertising purposes.
The penalty is the result of a 2018 complaint by French privacy rights group La Quadrature du Net, a group that aims to represent the interests of thousands of Europeans to ensure their data is used according to data protection law in an attempt to avoid Big Tech companies manipulating their behavior for political or commercial purposes. The complaint also targets Apple, Facebook, Google and LinkedIn and was filed on behalf of more than 10,000 customers and alleges that Amazon manipulates customers for commercial means by choosing what advertising and information they receive.
Amazon stated that they „strongly disagree with the CNPD’s ruling“ and intend to appeal. „The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
The amount of the fine is substantially higher than the proposed fine in a draft decision that was previously reported in the press. The French data protection authority (CNIL) said Luxembourg’s decision, which is “of an unprecedented scale and marks a turning point in the application of the GDPR and the protection of the rights of European nationals.“
The CNIL confirmed the CNPD fined Amazon, and other European member states agreed to the Luxembourg decision. Amazon will have six months to correct the issue.
26. July 2021
In a joint statement, the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) call for a general ban on the use of artificial intelligence for the automated recognition of human characteristics in publicly accessible spaces. This refers to surveillance technologies that recognise faces, human gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioral signals. In addition to the AI-supported recognition of human characteristics in public spaces, the EDPS and EPDB also call for a ban of AI systems using biometrics to categorize individuals into clusters based on ethnicity, gender, political or sexual orientation, or other grounds on which discrimination is prohibited under Article 21 of the Charter of Fundamental Rights. With the exception of individual applications in the medical field, EDPS and the EDPB are also calling for a ban on AI for sentiment recognition.
In April, the EU Commission presented a first draft law on the regulation of AI applications. The draft explicitly excluded the area of international law enforcement cooperation. The EDPS and EDPB expressed “concern” about the exclusion of international law enforcement cooperation from the scope of the draft. The draft is based on a categorisation of different AI applications into different types of risk, which are to be regulated to different degrees depending on the level of risk to the fundamental rights. In principle, the EDPS and EDPB support this approach and the fact that the EU is addressing the issue in general. However, they call for this concept of fundamental rights risk to be adapted to the EU data protection framework.
Andrea Jelinek, EDPB Chair, and Wojciech Wiewiórowski, of the EDPS, are quoted:
Deploying remote biometric identification in publicly accessible spaces means the end of anonymity in those places. Applications such as live facial recognition interfere with fundamental rights and freedoms to such an extent that they may call into question the essence of these rights and freedoms.
The EDPS and EDPB explicitly support, that the draft provides for national data protection authorities to become competent supervisory authorities for the application of the new regulation and explicitly welcome, that the EDPS is intended to be the competent authority and the market surveillance authority for the supervision of the Union institutions, agencies and bodies. The idea that the Commission also gives itself a predominant role in the “European Artificial Intelligence Board” is questioned by the EU data protection authorities. “This contradicts the need for a European AI Board that is independent of political influence”. They call for the board to be given more autonomy, to ensure its independence.
Worldwide there is great resistance against the use of biometric surveillance systems in public spaces. A large global alliance of 175 civil society organisations, academics and activists is calling for a ban on biometric surveillance in public spaces. The concern is that the potential for abuse of these technologies is too great and the consequences too severe. For example, the BBC reports that China is testing a camera system on Uighurs in Xinjiang that uses AI and facial recognition to detect emotional states. This system is supposed to serve as a kind of modern lie detector and be used in criminal proceedings, for example.
5. July 2021
On June 28, 2021, the European Commission adopted two adequacy decisions for the United Kingdom, one under the General Data Protection Regulation (GDPR) and another under the Law Enforcement Directive.
This means that organizations in the EU can continue to transfer personal data to organizations in the UK without restriction and fear of repercussions. Thus, there is no need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection while transferring personal data, which represents a relief as the bridging mechanism of the interim period decided on after Brexit set out to expire by the end of June 2021.
The European Commission found the U.K.’s data protection system has continued to incorporate to the same rules that were applicable when it was an EU member state, as it had “fully incorporated” the principles, rights and obligations of the GDPR and Law Enforcement Directive into its post-Brexit legal system.
The Commission also noted the U.K. system provides strong safeguards in regards to how it handles personal data access by public authorities, particularly for issues of national security.
In regards to criticism of potential changes in the UK’s legal system concerning personal data, Věra Jourová, Vice-President for Values and Transparency stated that: „We have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK’s privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.“
The Commission highlighted that the collection of data by UK intelligence authorities is legally subject to prior authorization by an independent judicial body and that any access to data needs to be necessary and proportionate to the purpose pursued. Individuals also have the ability to seek redress in the UK Investigatory Powers Tribunal.
28. June 2021
Ransomware attacks are on a steep rise as the global pandemic continues. According to the cybersecurity firm SonicWall, there were more than 304 million attempted ransomware attacks tracked by them in 2020, which was a 62 percent increase over 2019. During the first five months of 2021, the firm detected another 116 percent increase in ransomware attempts compared to the same period in 2020. Another cybersecurity firm called Cybereason found in a recent study interviewing nearly 1,300 security professionals from all around the world that more than half of organisations have been the victim of a ransomware attack, and that 80 percent of businesses that decided to pay a ransom fee suffered a second ransomware attack, often times by the same cybercriminals.
Ransomware is a type of malicious software, which encrypts files, databases, or applications on a computer or network and perpetually holds them hostage or even threatens to publish data until the owner pays the attacker the requested fee. Captivated data may include Personal Data, business data and intellectual property. While Phishing attacks are the most common gateway for ransomware, there are also highly targeted attacks on financially strong companies and institutions (“Big game hunting”).
Alluding to the industry term Software-as-a-Service (SaaS), a new unlawful industry sub-branch has emerged in recent years, which according to security experts lowered the entrance barriers to this industry immensely: Ransomware-as-a-Service (RaaS). With RaaS, a typical monthly subscription could cost around 50 US-Dollars and the purchaser receives the ransomware code and decryption key. Sophisticated RaaS offerings even include customer service and dashboards that allow hackers to track the status of infections and the status of ransomware payments. Thus, cybercriminals do not necessarily have to have the technical skills themselves to create corresponding malware.
Experts point to various factors that are contributing to the recent increase in Ransomeware attacks. One factor is a consequence of the pandemic: the worldwide trend to work from home. Many companies and institutions were abruptly forced to introduce remote working and let employees use their own private equipment. Furthermore, many companies were not prepared to face the rising threats with respect to their cybersecurity management. Another reported factor has been the latest increase in value of the cryptocurrency Bitcoin which is the preferred currency by criminals for ransom payments.
Successful Ransomware attacks can lead to personal data breaches pursuant to Art. 4 No. 12 GDPR and can also lead to the subsequent obligation to report the data breach to the supervisory authorities (Art. 33 GDPR) and to the data subjects (Art. 34 GDPR) for the affected company. Businesses are called to implement appropriate technical and organisational measures based on the risk-based approach, Art. 32 GDPR.
Earlier this month, the Danish Data Protection Authority provided companies with practical guidance on how to mitigate the risk of ransomware attacks. Measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems when faced with ransomware may include providing regular trainings for employees, having a high level of technical protection of systems and networks in place, patching programs in a timely manner, and storing backups in an environment other than the normal network.
Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 22 23 24 Next 
