European Court of Justice (ECJ): Facebook fanpages will be treated as a case of Joint Control

11. June 2018

With its judgment of June 5, 2018, the ECJ decided that both the initiator of a fan page (e.g. a company) and Facebook are jointly responsible, in terms of the General Data Protection Regulation (GDPR), for the personal data collected within the scope of Facebook fan pages.

Fan pages are Facebook profiles of companies that can be used to communicate easily with customers.

Until now, information has been collected from customers who have contacted a company via Facebook. Depending on the type of use of the fan page, the name and profile of the customer were stored. Facebook has also passed on information collected from users via tracking tools to the respective initiators of the fan pages. In the opinion of the ECJ, the affected users of the respective fan pages were not sufficiently informed about this, so that the following requirements must be observed in future:

Anyone who visits a fan page must be informed about which data are collected and for which purposes.

In consultation with Facebook, fan page operators must have their own knowledge of what data are collected in order to be able to inform users. This information obligation follows from Art. 13 and 14 GDPR.

Before tracking tools and cookies are used, consent must be obtained.

Furthermore, companies and Facebook must become aware of their shared responsibility. It is not yet clear whether this will be done with a contract on joint control pursuant to Art. 26 GDPR or with a data processing agreement pursuant to Art. 28 GDPR. Another solution may also be found.

However, this judgement will not only have consequences for Facebook, but will also affect all social media platforms. It affects not only companies that have their own company presence on Facebook, but also platforms such as LinkedIn, Twitter, Google+ etc., provided that they offer or include similar tracking functions or other data collection.

Category: General

Under the new GDPR: Complaints against Google, Instagram, WhatsApp and Facebook

1. June 2018

On the 25th of May, the day the General Data Protection Regulation (GDPR) came into force, noyb.eu filed four complaints over “forced consent” against Google (Android), Instagram, WhatsApp and Facebook.

The complaints filed by the organisation (None Of Your Business), led by Austrian activist Max Schrems, could result in penalties worth up to 7 billion euros. Max Schrems has been fighting Facebook over data protection issues for almost ten years. His earlier lawsuit challenged Facebook’s ability to transfer data from the European Union to the United States (“Safe Harbor”).

The activist alleged that people were not given a “free choice” whether to allow companies to use their data. Noyb.eu bases its opinion on the distinction between necessary and unnecessary data usage. “The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent.” (See https://noyb.eu/wp-content/uploads/2018/05/pa_forcedconsent_en.pdf) The organisation also claims that under Art. 7 (4) of the GDPR forced consent is prohibited.

The broadly similar complaints have been filed with authorities in various countries, regardless of where the companies have their headquarters. Google (Android) was targeted in France (data protection authority: CNIL), with a maximum possible penalty of 3.7 billion euro, although its headquarters are in the USA. Instagram (Facebook) was targeted in Belgium (DPA), WhatsApp in Hamburg (HmbBfDI) and Facebook in Austria (DSB). All of these last three have their headquarters in Ireland and could each face a maximum possible penalty of 1.3 billion euro.

The US Senate votes in favor of restoring Net Neutrality rules

17. May 2018

On June 11, the repeal of net neutrality is set to take effect in the USA. In a resolution, the Senate has now declared itself in favour of preserving net neutrality. The U.S. Senate on Wednesday voted narrowly (52 to 47) to reverse the Federal Communications Commission (FCC) decision of December 2017 to repeal net neutrality rules. Three Republicans voted with all 47 Democrats and two Democratic-leaning senators to back the measure.

The resolution was brought under the rarely used Congressional Review Act, a law that allows Congress, with a simple-majority vote in both houses, to repeal new regulations by federal agencies within 60 legislative days of implementation. Despite the Senate’s passing of the resolution, the measure is unlikely to be approved by the House of Representatives, because at least two dozen Republicans would have to vote against the party line.

Net neutrality is the concept that internet service providers (or governments) treat all data on the internet the same, regardless of content, user, platform, application or device. Network neutrality prevents internet service providers from slowing down connections for people attempting to access certain sites, apps and services, and from blocking legal content.

Category: General · USA

China’s National Standard on Personal Information Security (GB/T 35273-2017) Went into Effect

14. May 2018

On May 1, 2018, the Information Security Technology – Personal Information Security Specification (the “Specification”) went into effect in China. The Specification is not mandatory and cannot be enforced directly. Nonetheless, it could become important as a guideline or reference for Chinese administrative and enforcement agencies.
The “Specification” embodies a framework concerning the collection, retention, use, sharing and transfer of personal information.

The Information Security Technology – Personal Information Security Specification establishes primary rules for personal information security, notice and consent requirements, security measures, rights of data subjects and requirements related to internal administration and management.
It distinguishes between personal information and sensitive personal information. For the latter, specific obligations exist for its collection and use.
Under the “Specification”, sensitive personal information means information such as personal identity information (ID card or passport number), financial information (bank account number or credit information) and biometric identifying information (fingerprint or iris information).

Even though the “Specification” is not binding, it may become significant within China because it constitutes a benchmark for the processing of personal information by a wide variety of entities and organizations. Companies that collect or process personal information should make sure that their practices in China are in compliance with the “Specification”.

Category: General · Personal Data

WP29 Guidelines on the notion of consent according to the GDPR – Part 2

3. April 2018

Continuing the article about the Working Party 29 (WP29) guidelines on consent, additional elements of the term should be considered, as consent plays a key role for the processing of personal data.

The GDPR further requires consent to be specific, i.e. the data subject must be informed about the purpose of the processing and be safeguarded against function creep. The data controller has to, again, be granular when it comes to multiple consent requests and clearly separate information regarding consent from other matters.

In case the data controller wishes to process the data for a new purpose, it will have to seek new consent from the data subject and cannot use the original consent as a legitimisation for processing for further or new purposes.

Consent will also be invalid if the data controller does not comply with the requirements for informed consent. The WP29 lists six key points for consent to be informed, focusing on the aspect that the data subject genuinely needs to understand the processing operations at hand. Information has to be provided in clear and plain language and should not be hidden in general terms and conditions.

Furthermore, consent has to be an unambiguous indication of wishes, i.e. it must always be given through an active motion or declaration. For example, the use of pre-ticked opt-in boxes is invalid.

Moreover, explicit consent is required in situations where serious data protection risks emerge, such as the processing of special categories of data pursuant to Art. 9 GDPR.

In general, the burden of proof will be on the data controller according to Art. 7 GDPR, without prescribing any specific methods. The WP29 recommends that consent should be refreshed at appropriate intervals.

Concerning the withdrawal of consent, it has to be as easy as giving consent and should be possible without detriment.

The WP29 also recommends that data controllers assess whether processing of data is appropriate irrespective of data subjects’ requests.

Cambridge Analytica and Facebook under investigation

27. March 2018

As Bloomberg reports, the offices of Cambridge Analytica were searched by the U.K. Information Commissioner’s Office (ICO) amid allegations that the data of millions of Facebook users were obtained without the data subjects’ consent. Personal information of about 50 million people is said to be affected: around 270,000 Facebook users reportedly used a personality-analysis app that had permission to access not only their own data, but also that of their friends.

According to the ICO, the investigation is part of a larger look into “the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors”.

Because of this revelation, Facebook not only lost a significant amount of its stock value. As Forbes reports, the U.S. Federal Trade Commission (FTC) also confirmed the launch of its own investigation against Facebook. According to Tom Pahl, the director of the FTC’s Bureau of Consumer Protection, the “FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook” and “the FTC is confirming that it has an open non-public investigation into these practices.”

Category: General

How is a company transferring data with a non-European company able to ensure the data-protection standard according to the General Data Protection Regulation (GDPR)?

21. March 2018

A trading deal between two companies often involves a large amount of incidentally transferred personal data. From 25 May 2018, the new GDPR regulates the data flow in the European Economic Area (EEA), which consists of all the members of the European Union plus Iceland, Liechtenstein and Norway. The future status of Great Britain will primarily be that of a third country.

By contrast, business relationships with companies from non-EU or non-EEA states (like the USA, China, …) cannot automatically guarantee the data protection standard of the GDPR. Especially since the European Court of Justice (ECJ) overruled the “Safe Harbour” agreement between the EU and the USA, every company that transfers data across the Atlantic is obligated to ensure data protection itself. In its communication of 10 January 2017, the European Commission (EC) recommends the use of so-called standard contractual clauses (SCC) or binding corporate rules (BCR) when an EU-based company transfers personal data to a non-EU-based company or to a non-EU-based entity of its corporate group.

This has a wide impact on the daily trade deals made all over Europe with third-country companies. The EU recommends that data protection go hand in hand with trade deals, to ensure the relatively high data protection level that is based on Article 8 of the Charter of Fundamental Rights of the European Union. Especially as long as the EU ePrivacy Regulation is not yet in force, every company has to ensure the GDPR standard by implementing a privacy policy in which transfers of data to a third country are mentioned.

In conclusion, a company that trades with third-country companies needs to enter into a special data protection contract with the trading partner and needs to inform its clients through its privacy policy.

WP29 Guidelines on the notion of consent according to the GDPR – Part 1

26. January 2018

According to the GDPR, consent is one of the six lawful bases mentioned in Art. 6. In order for consent to be valid and compliant with the GDPR, it needs to reflect the data subject’s real choice and control.

The Working Party 29 (WP 29) clarifies and specifies the “requirements for obtaining and demonstrating” such a valid consent in its Guidelines released in December 2017.

The guidelines start off with an analysis of Article 4 (11) of the GDPR and then discuss the elements of valid consent. Referring to Opinion 15/2011 on the definition of consent, “obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality.”

The WP29 illustrates the elements of valid consent, namely that consent must be freely given, specific, informed and unambiguous. For example, consent is not considered freely given if a mobile app for photo editing requires users to have their GPS location activated simply in order to collect behavioural data unrelated to the photo editing. The WP29 emphasizes that consent to processing of unnecessary personal data “cannot be seen as a mandatory consideration in exchange for performance.”

Another important aspect taken into consideration is the imbalance of power, e.g. in the matter of public authorities or in the context of employment. “Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra costs) if he/she does not consent. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will.”

Art. 7(4) GDPR emphasizes that the performance of a contract is not supposed to be conditional on consent to the processing of personal data that is not necessary for the performance of the contract. The WP29 states that “compulsion to agree with the use of personal data additional to what is strictly necessary limits data subject’s choices and stands in the way of free consent.” Depending on the scope of the contract or service, the term “necessary for the performance of a contract… …needs to be interpreted strictly”. The WP29 lays down examples of cases where bundling is nonetheless acceptable.

If a service involves multiple processing operations or multiple purposes, the data subject should have the freedom to choose which purpose they accept. This concept of granularity requires the purposes to be separated and consent to be obtained for each purpose.

Withdrawal of consent has to be possible without any detriment, e.g. in terms of additional costs or downgrade of services. Any other negative consequence such as deception, intimidation or coercion is also considered to invalidate consent. The WP29 therefore suggests that controllers ensure they can prove that consent has been given accordingly.

(to be continued soon in Part 2)

Happy New Year!

1. January 2018

Dear readers,

the team of the blog privacy-ticker.com wishes you a happy new year and all the best for 2018.

Once again this year we will keep you up to date on the subject of data protection.

Best regards,

privacy-ticker.com

Category: General

Indian government urges people to sign up to Aadhaar – the world’s largest biometric ID system – while the Supreme Court still needs to determine its legality

28. December 2017

As reported in August of this year, the Indian Supreme Court (SC) acknowledged that the right to privacy is “intrinsic to life and liberty” and is “inherently protected under the various fundamental freedoms enshrined under Part III of the Indian Constitution.”

In the same context, the SC had announced that it would hear petitions on Aadhaar-related matters in November (the term, meaning “foundation”, stands for a 12-digit unique identity number supposedly issued to all Indian residents based on their biometric and demographic data).

According to a Bloomberg report, India’s Prime Minister Narendra Modi is calling for an expansion of Aadhaar, even though its constitutionality is still to be decided. The SC has set January 10th as the beginning of the final hearings.

While officials say Aadhaar is saving the government billions of dollars by better targeting beneficiaries of subsidized food and cash transfers, critics point to unfair exclusions and data leaks. On the one hand, the critics fear that the database might turn India into a surveillance state. On the other hand, they are concerned about the high risk of major leaks, such as the ones reported by the Indian news agency PTI (Press Trust of India): “Personal details of several Aadhaar users were made public on over 200 central and state government websites.”

Meanwhile, Medianama, a source of information and analysis on digital and telecom businesses in India, has published a list of leaks that have already occurred and encourages people to point out any similar incidents.

Category: Data breach · General · India · Personal Data