Category: General Data Protection Regulation

Database operators in Sweden exempt from GDPR

24. August 2018

With the GDPR coming into effect, enterprises in Sweden will also be subject to complying with the European principles and adhering to the GDPR.

However, new amendments and changes to the country’s constitution will be required to harmonise existing laws.

Due to the fact that Sweden emphasizes freedom of press and speech, it will initially make exemptions in cases where elements don’t comply with its Freedom of the Press Act of 1766.

As a consequence, current laws give database operators a broad freedom to gather and release personal data enabling them to collect and distribute personal information from a broad range of sources, including the national tax office.

The database operators and online publishers Eniro, Ratsit and Hitta are some of the companies that will be exempt until an expert group has drafted new and stricter legislation regarding the processing of personal data by these.

It is expected that the relevant laws will be amended in the first half of 2019.

France’s GDPR implementation law

3. August 2018

In June, France enacted the French Data Protection Act 2 (FDPA2), which implements the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 – and the Directive (EU) 2016/680.

The French government decided not to repeal the French Data Protection Act of 1978 (FDPA). FDA2 amends the former FDPA. FDPA2 replaces the logic of prior formalities with the philosophy introduced by the GDPR of enhanced accountability of stakeholders.

The FDPA2 does not take full advantage of all the opening clauses provided by the GDPR. In November 2017, when the draft bill was published, the CNIL considered that this selection was judiciously made. It includes the following provisions:

  • The clarification of the scope of application of national law (Art. 10)
  • An open data approach for judicial decisions (Art. 13)
  • The definition of the age for “digital majority” (Art. 20)
  • The broadening of class-action’s scope to compensation (Art. 25)
  • The possibility for the Conseil d’Etat to temporarily suspend international data transfer at the request of the CNIL (Art. 27)

Article 32 of the FDPA2 empowers the government to proceed by ordinance to a general rewriting of the FDPA in order to improve the intelligibility and consistency with all legislation relating to the protection of personal data. It is therefore to be expected that the FDPA2 will undergo major changes in the near future but without any debate before the Parliament.

Data of patients disclosed in Singapore’s largest data breach in history

30. July 2018

A cyberattack has impacted data of 1.5 Mio patients of SingHealth clinics by stealing name, ID Card number, address, gender, race and date of birth as reported by ARN Net.

Due to “operational security reasons”, the authorities haven’t disclosed the identity of the responsibles behind the attack.

Even Singapore’s Prime Minister, Lee Hsien Loong, “had his personal particulars stolen as well as his outpatient dispensed medicines record.”

The report further states that all patients, whether or not they were affected will receive an SMS notification over the next five days, with patients also able to access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident.

According to Channel Asia the SingHealth IT system was compromised through an initial breach on a particular front-end workstation, gaining privileged account credentials to gain access to the database.

It is believed that the attack began on June 27th, 2018 and was detected on July 4th, 2018. Apparently, no further illegal exfiltration has been detected since and all Patient records in SingHealth’s IT system remain intact.

Several measures have been taken in terms of IT-security such as controls on workstations and servers, resetting user and systems accounts and installment of additional system monitoring controls.

New Zealand: Privacy after death does matter

27. July 2018

Data protection rights generally refer to living persons only. Among others, the European General Data Protection Regulation (GDPR) explicitly mentions in its Recital 27 that the Regulation does not apply to the personal data of deceased persons.

However, the Recital also contains an opening clause for the EU Member States, stating that these may provide for specific rules for such cases. The GDPR hereby acknowledges that there might be cases that need to be tackled individually.

For example, requests can be made in order to find out whether the deceased had suffered from a hereditary disease. This information is not to be seen as protected for the offspring that might be affected by it.

Consequently, there will be situations that contain mixed information on both the deceased and the requestor.

The Privacy Commissioner’s Office (OPC) of New Zealand has now released a statement regarding the privacy of deceased persons on July 24th, 2018 taking up this exact issue.

Whereas the Privacy Act of New Zealand also defines an individual as a “natural person, other than a deceased person”, the OPC states that “sometimes it will be inappropriate to release the personal information of the dead”.

The OPC further says that “some information is inherently sensitive, for example mental or sexual health information. It could be unfair to release such information to those who are just curious and have no good reason to see it.”

Ultimately, it will often be necessary to balance the rights and elaborate case by case, also taking into consideration the wishes of the deceased person to some extent.

Japan and the EU are establishing an environment of data protection between its citizens (and companies)

18. July 2018

As part of the Economic Partnership Agreement (EPA), the European Union and Japan have signed the 17th July 2018, the two parties recognise each other’s data protection laws as equivalent. In this manner, personal data will flow in the future safely between the EU and Japan.

In Europe, a committee composed of representatives of the EU Member States has to give its consent and the European Data Protection Board (EDPB) publishes its opinion before the European Commission adopts the adequacy decision. Once the agreement is established, EU citizens and 127 Million Japanese consumers will benefit from international trading that includes the high privacy standards of the General Data Protection Regulation (GDPR).

Japanese companies now have to comply some safeguards to fulfil the European data protection level, like the protection of sensitive data, the requirements for transfer of data to a third country or the exercise of individual rights to access individual rights (compared to Art. 12 – 23 of the GDPR). The Japanese watchdog (PPC) will implement these rules as well as a complaint-handling mechanism to investigate and resolve complaints of European citizens concerning the data processing of Japanese controllers.

This agreement is a result of the communication Exchanging and Protecting personal data in a globalised world, announced by the Commission in January 2017.

The EEA EFTA States incorporate the General Data Protection Regulation (GDPR) soon

9. July 2018

On 20th of July 2018 the European Data Law will come into effect also in the three EFTA States (Iceland, Norway and Liechtenstein). This has been the result of the incorporation Agreement by the EEA Joint Committee in Brussels on July 6th 2018.

Before the GDPR becomes applicable throughout all three states, each of the states shall notify the agreement by a parliamentary process.

As usual for the EEA Joint Agreements, the EFTA States are obligated to implement the EU Regulation and they are affected by the Jurisdiction of the European Court of Justice (ECJ). The supervisory authority of the EFTA States also participates in the activities of the European Data Protection Board, without having the right to vote and to stand for election as chair or deputy chairs of the board.

Switzerland is not part of this agreement and has its own legal basis for data protection.

Data breach at Panini’s online service ‘MyPanini’

2. July 2018

According to a report in the magazine ‘Der Spiegel’, personal data and images of users who wanted to create Panini images with their own photos could be accessed by third parties.

The Italian scrapbook manufacturer for football images Panini has serious problems with the security of their online customer database. Through changing the browser’s URL, unauthorized persons could have accessed personal data of other customers, including pictures of minors. Therefore, the case can be considered as particularly serious.

Through its ‘MyPanini’ service, Panini offers fans the opportunity to upload photos with their own images and have these personalised images sent to them. Until a few days ago, logged in users could have also seen the uploaded images and personal data of other customers. Apparently the full name, the date of birth and partly even the place of residence of the customers are listed.

To a certain degree, the uploaded images showed children and young children from different countries in the private domestic environment, some even with their naked upper body.

The data breach was confirmed and has been known internally for days. Supposedly, the problem has been solved by a security update, but it is not possible to access the website at the moment.

It remains to be seen what financial consequences the data breach has for either Panini or the technical service provider. In accordance with new European General Data Protection Regulation (GDPR) infringements of the provisions can lead to administrative fines up to 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the preceding financial year.

The French Constitutional Council ruled in favour of the new data protection law implementing the EU General Data Protection Regulation

20. June 2018

The Senators referred the recently adopted data protection law to the Constitutional Council (‘Conseil Constitutionnel’) to prevent its promulgation on time for the General Data Protection Regulation (GDPR) to enter into force on last May 25. Now that the law has overcome the constitutional obstacle, it is expected to be promulgated in the next days.

The decision of the Constitutional Council (Décision n° 2018-765 DC) on June 12 demonstrates that the senators questioned the constitutionality of a number of Articles, e.g. 1, 4, 5, 7, 13, 16, 20, 21, 30 and 36.

Initially, the validity of universal law was weighed against the objective of constitutionality in terms of legislative accessibility and intelligibility. The senators argued that the implementation with the provisions of the GDPR was not clear and could “seriously mislead” citizens about their rights and obligations with regard to data protection.
The Council did not endorse this reasoning, stating that the law was readable and that Article 32 of the law referred to actually empowered the Government to take the measures required “in order to make the formal corrections and adaptations necessary to simplify and ensure consistency and simplicity in the implementation by the persons concerned of the provisions bringing national law into compliance” with the General Data Protection Regulation.

Furthermore, the constitutionality of most of the above-mentioned Articles was established. Nonetheless, Article 13 of the law amends Article 9 of the current law, according to which personal data relating to criminal convictions and offences or related security measures may only be processed “under the control of an official authority” or by certain categories of persons listed in the law. However, according to the Council, it is only a reproduction of Article 10 of the GDPR, without specifying the categories of persons authorised to process such data under the control of the authority, or the purposes of such processing. The words “under the control of the official authority” are not specific enough and therefore unconstitutional. This terminology will not be found in the promulgated law.

For France this symbolises a major step forward to join the small circle of European countries that have succeeded in implementing the GDPR at a national level.

Update on ePrivacy Regulation

12. June 2018

The council of the European Union’s Bulgarian presidency has released a progress report on the draft ePrivacy Regulation ahead of a council meeting June 8th, 2018.

The ePrivacy Regulation (Regulation on Privacy and Electronic Communications) should replace the current ePrivacy Directive and was originally intended to enter into force together with the General Data Protection Regulation (GDPR) on May, 25th 2018.

The report offers several updates including its scope and link to the GDPR, processing of electronic communications content and metadata, among others. Latter mentioned has been one of the main concerns of the Member States. The balance between privacy and innovation regarding processing of metadata seems to be a key aspect of the ePrivacy Regulation.

Furthermore, significant changes of privacy settings according to the future Art. 10 are important for the Commission. The providers of software are only obliged to inform the end-users about the settings and the way the end-users may use them, at the time of installation or first usage and when updates change the privacy settings.

The report ends with three questions for the policy debate at the TTE Council on June 8th. Among others, the versions relating to the permitted processing of metadata and the protection of terminal equipment and privacy settings are open for discussion if it is an acceptable basis to move forward.

Spanish Football League app uses microphones and GPS to detect illegal broadcasting

11. June 2018

The official smartphone app of the Spanish football league (La Liga) can activate the microphone to search for unlicensed public broadcasts of league matches. Those responsible have admitted that the app activates the microphone during the league games in order to find out whether a public broadcast is taking place approximately to the smartphone. In addition, the app uses GPS to determine the exact location where the audio clip was recorded. If an unlicensed, public transmission is determined, the operators of the app receive a notification and can take action against those establishments.

Similar to other countries, Spanish establishments can only show pay-tv broadcasts of football matches in their restaurants with a special license. According to the league, unlicensed performances result in losses amounting to 150 million euros per year and the data obtained will only be used to fight piracy. With the help of the app the fans are to be acquired as “informers” in order to get to the scammers. The app is quite popular and was downloaded at least 10 million times.

The practice was revealed because of the General Data Protection Regulation (GDPR) which entered into force on May 25th 2018. The fact that the microphone authorisation is used for this purpose had not been explained in the terms of use. It merely said that the microphone was used for analysis of the audience. Due to the GDPR, in the newly data protection declaration it says that the app tries to find out via microphone whether the user is watching football and is searching for fraud. However, users in Spain have the possibility to revoke the permission to access the microphone at any time (iOS and Android), but must do so in the settings of their smartphone.

Pages: 1 2 3 4 5 6 Next
1 2 3 6