Category: Privacy policy

Roskomnadzor publishes privacy guidelines for data operator

17. August 2017

The Russian data protection authority Roskomnadzor published guidelines for data operators on the drafting of privacy policies on July 31.

Russian data operators must adopt a privacy policy to comply with Russian data protection law. The policy must describe how they process of personal data. This policy shall be published online if personal data is collected online. In case of collecting personal data offline an unrestricted access to the policy has to be guaranteed.

The policy shall be detailed so that data subjects are aware of all potential actions.

According to the guidance the policy must contain in general the following information:

  • main purpose of the policy and definitions used in the policy
  • main rights and obligations of the data operator and data subjects,
  • purposes for personal data processing,
  • legal grounds for personal data processing
  • volume and categories of personal data processed. For each category of data subjects, Roskomnadzor recommends that a company list all the personal data it collects and processes tied to specific purposes and indicate all cases of processing special categories of personal data or biometric data,
  • procedures and conditions for personal data processing,
  • procedures for updating, correcting, deleting, or destroying personal data and
  • procedures for responding to data subjects’ requests.

In addition the guideline regulates the case of sharing personal data with third parties. The data operator has to explain the taken measures to protect personal data and beside the purpose of sharing, the volume of personal data to be transferred, the data use restrictions and security measures. Furthermore the name and the address of the the third party need to be published in the policy.

Finally it shall be mentioned that the guidance is recommendatory nature and non-binding. Nonetheless data operators should strongly take these recommendations into account if they develop new privacy policies to be compliant with the Personal Data Law.

Google may remove millions of apps from its Play Store

14. February 2017

Last week Google contacted millions of app developers informing them about their apps’ violation of Google’s User Data policy.

According to this policy, apps which handle personal or sensitive user data must post a privacy policy in the designated field in the Play Developer Console, as well as within the app itself and handle the user data securely, for example by using cryptography for transmitting them.

Millions of apps handling with personal data do not have a privacy policy and thus do not contribute to providing a clear and transparent experience for Play Store users. Google set a time limit of 5 weeks, until March 15 this year for the apps to comply with the User Data policy. Either the developers shall include a link to a valid privacy policy or remove any requests for sensitive permissions or user data. Otherwise Google might limit the visibility of those apps or even remove them from its Google Play Store.

The „right to disconnect“

16. January 2017

As a recent study shows (published by French research group Eleas in October), more than a third of French workers use their devices everyday in order to work out-of-hours.

Despite the fact that checking professional emails after work gives employees a sort of autonomy and flexibility speaking of working outside the office mode, such a habit may also lead to the „info-obesity“ (according to a report submitted in September 2015 by labour minister Myriam El Khomri).

Computing and work-life balance expert Anna Cox (University of College London – UCL) says: “Some of the challenges that come with flexibility are managing those boundaries between work and home and being able to say ‘actually I am not working now’.

From 1st of January therefore, French companies should guarantee a „right to disconnect“ to their employees, which means that the new employment law has just entered into force. Since then, all the organisations that employ over 50 workers will be obliged to define employees „disconection from technology“ rights.

Its aim is to minimise an overuse of digital devices by employees after their working hours, which lately surged in unpaid overtime.

To diminish the problem, some steps have already been taken, among which there are an automatic erasure of emails for employees on holiday or email connections cutoff.

Eventhough no sanction for a breach of this obligation is foreseen, the company should publish a charter with employees out-of-hours demands and rights.

ICO announces that Facebook agrees to suspend disclosures of personal data from WhatsApp’s users

8. November 2016

After WhatsApp announced in August changes in its privacy policy, several EU DPAs announced monitoring activities in order to ensure the proper use of WhatsApp user’s data. One of these changes on the privacy policy, involved disclosure of personal data of WhatsApp users to Facebook in order to fight spam and improve both, WhatsApp and Facebook’s services.

The EU DPAs had requested WhatsApp not to carry out such disclosures until an adequate level of data protection could be ensured.

On Monday, ICO announced that Facebook agreed to suspend these disclosures. ICO already remarked that consumers were not adequately protected and in most cases a valid consent was not in place. Moreover, it has requested both companies to undertake in writing to inform users about the purposes for which their data will be used. Until now, none of the companies has signed such committment.

If enforcement action takes place, huge fines may be imposed. This is especially relevant upon the applicability of the GDPR from May 2018.

Other EU DPAs, such as Spain, will contact Facebook regarding WhatsApp’s privacy policy.

On the other side, Facebook stated that it only collects the data necessary to offer their services and only a part of this data is shared with Facebook. A Facebook spokeswoman confirmed that WhatsApp’s update complies with applicable law, including UK law and that they will continue the conversations with the ICO regarding the questions raised on the Privacy Policy.

WhatsApp’s new Privacy Policy has been challenged

21. September 2016

Two Indian students have asked the Delhi High Court for a public-interest litigation against Facebook regarding the recent changes on WhatsApp’s privacy policy. The students state in their petition that the changes “compromise the security, safety and privacy of data that belongs to users”.

The students asked the Court to order the Government to issue guidelines for messaging apps so that users’ rights are not compromised by the use of such apps.

WhatsApp changed its privacy policy some weeks ago. The main changes refer to data sharing with Facebook that acquired WhatsApp in 2014. Furthermore targeted ads and direct messages from businesses will be also allowed.

India is not the only jurisdiction where this legal challenge takes place. Other jurisdictions such as the EU and the U.S. Federal Trade Commission are also examining the recent changes.

WhatsApp stated that users are given the possibility to opt-out by turning off the data sharing function and that the only shared information relates to user names and phone numbers. The company also remarks that the use of the app is voluntary.

Category: Privacy policy
Tags: ,