Category: General Data Protection Regulation
29. March 2022
The Italian data protection authority “Garante” has fined Clearview AI 20 million Euros for data protection violations regarding its facial recognition technology. Clearview AI’s facial recognition system uses over 10 billion images from the internet and prides themself to have the largest biometric image database in the world. The data protection authority has found Clearview AI to be in breach of numerous GDPR requirements. For example, fair and lawful processing was not carried out within the data protection framework, and there was no lawful basis for the collection of information and no appropriate transparency and data retention policies.
Last November, the UK ICO warned of a potential 17 million pound fine against Clearview, and in this context, and also ordered Clearview to stop processing data.
Then, in December, the French CNIL ordered Clearview to stop processing citizens’ data and gave it two months to delete all the data it had stored, but did not mention any explicit financial sanction.
In Italy, Clearview AI must now, in addition to the 20 million Euro fine, not only delete all images of Italian citizens from its database. It must also delete the biometric information needed to search for a specific face. Furthermore, the company must provide a EU representative as a point of contact for EU data subjects and the supervisory authority.
On March 25th, 2022, the United States and the European Commission have committed to a new Trans-Atlantic Data Privacy Framework that aims at taking the place of the previous Privacy Shield framework.
The White House stated that the Trans-Atlantic Data Privacy Framework “will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union when it struck down in 2020 the Commission’s adequacy decision underlying the EU-US Privacy Shield framework”.
According to the joint statement of the US and the European Commission, “under the Trans-Atlantic Data Privacy Framework, the United States is to put in place new safeguards to ensure that signals surveillance activities are necessary and proportionate in the pursuit of defined national security objectives, establish a two-level independent redress mechanism with binding authority to direct remedial measures, and enhance rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities”.
This new Trans-Atlantic Data Privacy Framework has been a strenuous work in the making and reflects more than a year of detailed negotiations between the US and EU led by Secretary of Commerce Gina Raimondo and Commissioner for Justice Didier Reynders.
It is hoped that this new framework will provide a durable basis for the data flows between the EU and the US, and underscores the shared commitment to privacy, data protection, the rule of law, and the collective security.
Like the Privacy Shield before, this new framework will represent a self-certification with the US Department of Commerce. Therefore, it will be crucial for data exporters in the EU to ensure that their data importers are certified under the new framework.
The establishment of a new “Data Protection Review Court” will be the responsible department in cases of the new two-tier redress system that will allow EU citizens to raise complaints in cases of access of their data by US intelligence authorities, aiming at investigating and resolving the complaints.
The US’ commitments will be concluded by an Executive Order, which will form the basis of the adequacy decision by the European Commission to put the new framework in place. While this represents a quicker solution to reach the goal, it also means that Executive Orders can be easily repealed by the next government of the US. Therefore, it remains to be seen if this new framework, so far only agreed upon in principle, will bring the much hoped closure on the topic of trans-Atlantic data flows that is intended to bring.
28. March 2022
In a long-awaited decision on the Transparency and Consent Framework (TCF), the Belgian data protection authority APD concludes that this technical standard, which advertisers use to collect consent for targeted advertising on the Internet, does not comply with the principles of legality and fairness. Accordingly, it violates the GDPR.
The ADP’s decision is aligned with other European data protection authorities and has consequences for cookie banners and behavioral online advertising in the EU. The advertising association IAB Europe, which develops and operates the TCF system, must now delete the personal data collected in this way and pay a fine of 250,000 euros. In addition, conditions have been determined for the advertising industry under which the TCF may continue to be used at all.
Almost all companies, including advertising companies such as Google or Amazon, use the mechanism to pass on users’ presumed consent to the processing of their personal data for personalized advertising purposes. This decision will have a major impact on the protection of users’ personal data. This is also confirmed by Hielke Hijmans from APD.
The basic structure of the targeted advertising system is that each visit to a participating website triggers an auction among the providers of advertisements. Based on the desired prices and the user’s data profile, among other things, a decision is made in milliseconds as to which advertisements she will see. For this real-time bidding (RTB) to work, the advertising companies collect data to compile target groups for ads.
If users accept cookies or do not object that the use of their data is in the legitimate interest of the provider, the TCF generates a so-called TC string, which contains information about consent decisions. This identifier forms the basis for the creation of individual profiles and for the auctions in which advertising spaces and, with them, the attention of the desired target group are auctioned off, and is forwarded to partners in the OpenRTB system.
According to the authority, the TC strings already constitute personal data because they enable users to be identified with the IP address and the cookies set by the TCF. In addition, IAB Europe is said to be jointly legally responsible for any data processing via the framework, although IAB Europe has not positioned itself as a data processor, only as a provider of a standard.
The TCF envisions advertising providers invoking a “legitimate interest” in data collection in cookie banners that pop up all the time, rather than asking for consent. This would have to be prohibited, for example, for it to be lawful. The principles of privacy by design and by default are also violated, since consent is literally tricked by design tricks, the data flows are not manageable, and revocation of consent is hardly possible.
23. March 2022
The Dutch Data Protection Authority, autoriteit persoonsgegevens (hereinafter “ap”) imposed a fine of €525,000 on DPG Media at the beginning of March.
The background to the fine were access and deletion requests of various data subjects who had a newspaper subscription or received increased advertising. If a data subject wanted to know what personal data the company had collected about him, he had to send an ID document to DPG Media to prove his identity. The same applied to anyone who asked the company to delete their data. The customer was supposed to either upload a scan of his ID document or send it to the company by mail or letter.
DPG Media’s procedure for proof of identity was criticized for several reasons. From ap’s point of view, too much data was requested and it was made too difficult for the data subjects to assert their rights to access and deletion. If, for example, DPG Media had requested blackened ID documents, this method of proof of identity would also have been questionable. The ap emphasizes that requesting blackened ID documents is often disproportionate.
It also notes that ID documents are documents that are particularly worthy of protection. Especially regarding possible identity theft, they must be handled very carefully.
Thus, ap clarifies that, even if an identification document is in principle suitable for identifying the data subject, less intrusive identifiers should be used in preference. Milder identifiers, but equally suitable in this specific case, are for example to request the postal address for a telephone inquiry or – as recital 57 states – the use of an “authentication mechanism such as the same credentials, used by the data subject to log-in to the online service offered by the data controller.“
7. March 2022
At the end of February 2022, The UK Information Commissioners’ Office (ICO) published a guidance for organizations that capture CCTVs footage in order to provide advice for when they operate video surveillance systems that view or record individuals.
The recommendations aim to focus on best practices for data activities related to “emerging capabilities that can assist human decision making, such as the use of Facial Recognition Technology and machine learning algorithms.” As per the Guidance, surveillance systems specifically include traditional CCTV, Automatic Number Plate Recognition, Body Worn Video, Drones, Facial Recognition Technology, dashcams and smart doorbell cameras.
In their Guidance, the ICO offers checklists with points that controllers can use in order to monitor their use of video surveillance and keep track of their compliance with the applicable law. It further touches on the principles of data protection and how they specifically apply to video surveillance. In addition, it helps companies with the documentation of a Data Processing Impact Assessment.
The Guidance gives in depth advice on video surveillance at the workplace as well as if video feeds should also record audio.
Overall, the Guidance aims to sensibilize controllers regarding the various issues faced with when using video surveillance, and gives them in depth help on what to do to be compliant with the data protection regulations in the UK.
15. February 2022
Tracking in apps enables the app providers to offer users personalized advertising. On the one hand, this causes higher financial revenues for app providers. On the other hand, it leads to approaches regarding data processing which are uncompliant with the GDPR.
For a year now data privacy labels are mandatory and designed to show personal data the app providers access (article in German) and provide to third parties. Although these labels on iPhones underline that data access does not take place, 80% of the analyzed applications that have these labels have access to data by tracking personal information. This is a conclusion of an analysis done by an IT specialist at the University of Oxford.
For example, the “RT News” app, which supposedly does not collect data, actually provides different sets of data to tracking services like Facebook, Google, ComScore and Taboola. However, data transfer activities have to be shown in the privacy labels of apps that may actually contain sensitive information of viewed content.
In particular, apps that access GPS location information are sold by data companies. This constitutes an abuse of data protection because personal data ishandled without being data protection law compliant and provided illegally to third parties.
In a published analysis in the Journal Internet Policy Review, tests of two million Android apps have shown that nearly 90 percent of Google’s Play Store apps share data with third parties directly after launching the app. However, Google indicates that these labels with false information about not tracking personal data come from the app provider. Google therefore evades responsibility for the implementation for these labels. Whereby, Apple asserts that controls of correctness are made.
Putting it into perspective, this issue raises the question whether these privacy labels make the use of apps safer in terms of data protection. One can argue that, if the app developers can simply give themselves these labels under Google, the Apple approach seems more legitimate. It remains to be seen if any actions will be taken in this regard.
31. January 2022
The German Federal Government expressed itself against a registration of vaccinated persons in a central vaccination register in December 2021. The Federal Minister of Justice Marco Buschmann from the liberal party (FDP) agrees with the statement from the government that a vaccination register is unenforcable under current German data protection law. But in contrast, the experts say that the register is a question of virological necessity, political will and legal design; data protection does not prevent an effective pandemic control.
In light of this, data protection experts say in an article in the Frankfurter Allgemeine Zeitung (FAZ) that the enforceability depends on the question “how” a legal register could be introduced but not on “if” it could be. They add: not only for the regulation of a vaccination register, but also for topics relating to COVID-19 apps, COVID-19 regulations in the workplace and even video conferencing softwares, the possibility of a data protection law compliant implementation is given. However, no further explanations regarding a permissible implementation are made.
Therefore, according to data protection experts, a general statement that the vaccination register is irreconcilable with data protection law is to be considered incorrect.
It remains to be seen if the German government changes its position after reflecting potential data protection compliant implementations.
21. January 2022
With COVID-19 vaccination campaigns well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information and, if so, how that information may be used.
COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR)(EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data. However, the question of whether COVID-19-related data may be processed by an employer is evaluated differently, even in the context of the same data protection regime such as the GDPR.
Below, we discuss whether employers in different European Economic Area (EEA) countries are permitted to process COVID-19-related data about their employees.
Austria: The processing of health data in context of the COVID-19 pandemic can be based on Article 9 (2) (b) of the GDPR in conjunction with the relevant provisions on the duty of care (processing for the purpose of fulfilling obligations under labor and social law). Under Austrian labor law, every employer has a duty of care towards its employees, which also includes the exclusion of health hazards in the workplace. However, this only entitles the employer to ask the employee in general terms whether he or she has been examined, is healthy or has been vaccinated. Therefore, if the legislator provides for two other equivalent methods to prove a low epidemiological risk in addition to vaccination, the current view of the data protection authority is that specific questioning about vaccination status is not possible from a data protection perspective. An exception to this is only to be seen in the case of an explicit (voluntary) consent of the employee (Art. 9 (2) a) GDPR), but a voluntary consent is not to be assumed as a rule due to the dependency relationship of the employee.
As of November, employees will be obliged to prove whether they have been vaccinated, recovered from a COVID-19 infection or recently tested negative if they have physical contact with others in enclosed spaces, such as the office.
Austria was the first EU country to introduce mandatory Corona vaccination. From the beginning of February, Corona vaccination will be mandatory for all persons over 18 years of age, otherwise they will face fines of up to 3,600 euros from mid-March.
Belgium: In Belgium, there is no legal basis for the processing of vaccination information of employees by their employer. Article 9 (1) GDPR prohibits the processing of health data unless an explicit exception under Article 9 (2) GDPR applies. Such an exception may be a legal provision or the free and explicit consent of the data subject. Such a legal provision is missing and in the relationship between employee and employer, the employee’s consent is rarely free, as an employee may be under great pressure to give consent. The Belgian data protection authority explicitly denies the employer’s right to ask.
The Belgian government plans to make vaccination mandatory for health workers from April 2022.
Finland: The processing of an employee’s health data is only permitted if it is directly necessary for the employment relationship. The employer must carefully assess whether this necessity exists. It is not possible to deviate from this necessity by obtaining the employee’s consent. The employer may process an employee’s health data if this is necessary for the payment of sick pay or comparable health-related benefits or to establish a legitimate reason for the employee’s absence. The processing of health data is also permitted if an employee expressly requests that his or her ability to work be determined on the basis of health data. In addition, the employer is entitled to process an employee’s health data in situations expressly provided for by law. The employer may require occupational health care to provide statistical data on the immunization coverage of its employees.
France: In general employers may not require their employees to disclose whether they have been vaccinated, unless specific circumstances determined by law apply.
In France, mandatory vaccination has been in effect since mid-September for healthcare workers, i.e., employees of hospitals, retirement and nursing homes, care services, and employees of emergency services and fire departments.
Since July 21st, 2021, a “health passport” is mandatory for recreational and cultural facilities with more than 50 visitors, such as theaters, cinemas, concerts, festivals, sports venues. The health passport is a digital or paper-based record of whether a person has been vaccinated, recovered within 11 days to 6 months, or tested negative within 48 hours. Due to the Health Crisis Management Law No 2021-1040 of August 5, 2021 there are several workplaces where the health pass is mandatory for employees since August 30th, 2021. These include bars, restaurants, seminars, public transport for long journeys (train, bus, plane The health passport is also mandatory for the staff and visitors of hospitals, homes for the elderly, retirement homes, but not for patients who have a medical emergency.Visitors and staff of department stores and shopping malls need to present a health pass in case the prefect of the department decided this necessary. In these cases, the employer is obliged to check if his employees meet their legal obligations. However, the employer should not copy and store the vaccination certificates, but only store the information whether an employee has been vaccinated. Employers who do not fall into these categories are not allowed to process their employees’ vaccination data. In these cases, only occupational health services may process this type of information and the employer may not obtain this information under any circumstances. At most, he may obtain a medical opinion on whether an employee is fit for work.
Germany: Processing of COVID-19-related information is generally only allowed for employers in certain industries. Certain employers named in the law, such as in §§ 23a, 23 Infection Protection Act (IfSG), employers in certain health care facilities (e.g. hospitals, doctors’ offices, rescue services) and § 36 (3) IfSG, such as day care centers, outpatient care services, schools, homeless shelters or correctional facilities, are allowed to process the vaccination status of their employees.
Other employers are generally not permitted to inquire about the vaccination status of employees. But since §28b IfSG came into force on November 24, 2021, employees may only be granted access to company premises if they can prove that they have either been vaccinated, recently recovered or tested negative (so-called “3G status”). In this context, employers may require employees to provide proof of one of the three statuses but may not specifically ask about vaccination status. When it comes to processing and storing information obtained during access control, for data protection reasons, this information must be limited to the fact that employees have access to the premises (taking into account their documented status) and how long this access authorization has existed.
Under current law, while “vaccinated” status does not expire, the information may only be stored for 6 months. “Recently recovered” status is only valid for three months. After that, they must provide other proof that they meet one of the 3G criteria. A negative test is valid for either 24 or 48 hours, depending on the type of test.
Since November 2021, employers are required to verify whether an employee who has been sanctioned with a quarantine for COVID-19 infection was or could have been vaccinated prior to the infection. Under the fourth sentence of Section 56 (1) of the IfSG, an employee is not entitled to continued payment for the period of quarantine if the employee could have avoided the quarantine, e.g., by taking advantage of a vaccination program. The employer must pay the compensation on behalf of the competent authority. As part of this obligation to make an advance payment, the employer is also obliged to check whether the factual requirements for granting the benefits are met. The employer is therefore obliged to obtain information on the vaccination status of its employee before paying the compensation and to decide on this basis whether compensation can be considered in the individual case. The data protection law basis for this processing activity is Section 26 (3) of the German Federal Data Protection Act (BDSG), which permits the processing of special categories of personal data – if this is necessary for the exercise of rights or the fulfillment of legal obligations under labor, social insurance and social protection law and there is no reason to assume that the interests of the data subjects worthy of protection in the exclusion of the processing outweigh this. The Data Protection Conference, an association of German data protection authorities, states that processing the vaccination status of employees on the basis of consent is only possible if the consent was given voluntarily and thus legally valid, Section 26 (3) sentence 2 and (2) BDSG. Due to the relationship of superiority and subordination existing between employer and employee, there are regularly doubts about the voluntariness and thus the legal validity of the employees’ consent.
If employers are allowed to process the vaccination status of their employees, they should not copy the certificates, but only check to see if an employee has been vaccinated.
A mandatory vaccination for all german citizens is being discussed.
Greece: Corona vaccination became mandatory for nursing home staff in mid-August and for the healthcare sector on September 1. Since mid-September, all unvaccinated professionals have had to present a negative Corona rapid test twice a week – at their own expense – when they go to work.
Italy: Since October 15, Italy has become the first country in the EEA to require all workers to present a “green passport” at the workplace. This document records whether a person has been vaccinated, recovered, or tested. A general vaccination requirement has been in effect for health care workers since May, and employees in educational institutions have been required to present the green passport since September. In mid-October, mandatory vaccination was extended to employees of nursing homes.
Netherlands: Currently, there is no specific legislation that allows employers to process the vaccination data of their employees. Government guidelines for employers state that neither testing nor vaccination can be mandated for employees. Only occupational health services and company physicians are allowed to process vaccination data, for example, when employees are absent or reinstated. The Minister of Health, Welfare and Sport has announced that he will allow the health sector to determine the vaccination status of its employees. He also wants to examine whether and how this can be done in other work situations. Currently, employers can only offer voluntary testing in the workplace, but are not allowed to document or enforce the results of such tests.
Spain: Employers are allowed to ask employees if they have been vaccinated, but only if it is proportionate and necessary for the employer to fulfill its legal obligation to ensure health and safety in the workplace. However, employees have the right to refuse to answer this question. Before entering the workplace, employees may be asked to provide a negative test or proof of vaccination if the occupational health and safety provider deems it necessary for the particular workplace.
4. January 2022
On December 8th, 2021, the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority (DPA)) announced that it had fined the Belastingdienst (the Dutch Tax Administration) €2.75 million. The fine was imposed because, as part of the so-called Toeslagenaaffaire (Childcare Benefit Affair), the Belastingdienst processed data on the (dual) nationality of childcare benefit claimants in an unlawful, discriminatory and therefore unlawful manner over many years, in serious breach of the principles of the General Data Protection Regulation (GDPR).
In the 2010s, the Belastingdienst wrongly reclaimed child benefits from tens of thousands of parents. Even minor formal errors in filling out the forms led to enormous claims, and a supposedly false citizenship could lead to years of stigmatizing fraud investigations. As a result, many families who relied on government assistance were driven into bankruptcy. The Belastingdienst should have deleted the data on dual nationality of Dutch nationals in January 2014, as from that date the dual nationality of Dutch nationals no longer played a legal role in the assessment of applications for childcare benefits. Nevertheless, the Belastingdienst retained and used these data. In May 2018, there were still about 1.4 million people with dual nationality registered in the Belastingdienst’s systems. What initially appeared to be a simple administrative failure has evolved over the years into a major scandal. The final report of the investigative commission, presented in December, concludes that the tax offices systematically preyed on innocent citizens. The Belastingdienst also used the nationality of applicants as an indicator in a system that automatically classified certain applications as risky. Again, the data were not necessary for this purpose. Under the General Data Protection Regulation, it is unlawful to process data on nationality in a discriminatory manner, as the data processing must not violate fundamental rights. These include the right to equality and non-discrimination. Under the GDPR, it is unlawful to process personal data on nationality in a discriminatory manner, as the data processing must not violate fundamental rights. These include the right to equality and non-discrimination. In addition, personal data may only be processed and stored for a specific, predetermined purpose. Processing without a purpose is inadmissible, and here there was no purpose, as nationality is legally irrelevant for the assessment of applications for childcare benefits.
In the statement DPA chair Aleid Wolfsen is quoted:
The government has exclusive responsibility for lots of things. Members of the public don’t have a choice; they are forced to allow the government to process their personal data.
That’s why it’s crucial that everyone can have absolute confidence that this processing is done properly. That the government doesn’t keep and process unnecessary data about individuals. And that there is never any element of discrimination involved in an individual’s contact with the government.
That went horribly wrong at the Benefits Office, with all the associated consequences. Obviously this fine cannot undo any of the harm done. But it is an important step within a broader recovery process.
In the wake of the DPA investigation, the Belastingdienst began to clean up its internal systems. In the summer of 2020, the dual nationalities of Dutch nationals were completely deleted from the systems. According to the DPA, since October 2018, the Belastingdienst no longer uses the nationality of applicants to assess risk. And since February 2019, it no longer uses the data to fight organized fraud. The fine was imposed on the Minister of Finance because he is responsible for the processing of personal data within the Belastingdienst.
30. December 2021
On December 17th, 2021, the European Commission (Commission) announced in a statement it had adopted an adequacy decision for the transfer of personal data from the European Union (EU) to the Republic of Korea (South Korea) under the General Data Protection Regulation (GDPR).
An adequacy decision is one of the instruments available under the GDPR to transfer personal data from the EU to third countries that ensure a comparable level of protection for personal data as the EU. It is a Commission decision under which personal data can flow freely and securely from the EU to the third country in question without any further conditions or authorizations being required. In other words, the transfer of data to the third country in question can be handled in the same way as the transfer of data within the EU.
This adequacy decision allows for the free flow of personal data between the EU and South Korea without the need for any further authorization or transfer instrument, and it also applies to the transfer of personal data between public sector bodies. It complements the Free Trade Agreement (FTA) between the EU and South Korea, which entered into force in July 2011. The trade agreement has led to a significant increase in bilateral trade in goods and services and, inevitably, in the exchange of personal data.
Unlike the adequacy decision regarding the United Kingdom, this adequacy decision is not time-limited.
The Commission’s statement reads:
The adequacy decision will complement the EU – Republic of Korea Free Trade Agreement with respect to personal data flows. As such, it shows that, in the digital era, promoting high privacy and personal data protection standards and facilitating international trade can go hand in hand.
In South Korea, the processing of personal data is governed by the Personal Information Portection Act (PIPA), which provides similar principles, safeguards, individual rights and obligations as the ones under EU law.
An important step in the adequacy talks was the reform of PIPA, which took effect in August 2020 and strengthened the investigative and enforcement powers of the Personal Information Protection Commission (PIPC), the independent data protection authority of South Korea. As part of the adequacy talks, both sides also agreed on several additional safeguards that will improve the protection of personal data processed in South Korea, such as transparency and onward transfers.
These safeguards provide stronger protections, for example, South Korean data importers will be required to inform Europeans about the processing of their data, and onward transfers to third countries must ensure that the data continue to enjoy the same level of protection. These regulations are binding and can be enforced by the PIPC and South Korean courts.
The Commission has also published a Q&A on the adequacy decision.
Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 14 15 16 Next 
