The Article 29 Working Party put a bad light on Yahoo and WhatsApp

31. October 2016

The IAPP reported, that the Article 29 Working Party issued a warning concerning possible violations of European data protection regulations in form of a letter to both Yahoo and Whatsapp.

Both companies have been topic of public debate due to the way they handle the personal data of users. The concerns of the Article 29 Working Party regarding WhatsApp are that the company shares data with Facebook. Whereas, the objections towards Yahoo are raised due to both data breaches in 2014 and due to the allegation that the company scans incoming user emails for U.S. law enforcement agencies.

Therefore, the Article 29 Working Party requests that both companies provide more information on the problems. It can not be ruled out that investigations are launched and fines are imposed.

EU-U.S. Privacy Shield is being challenged

28. October 2016

As the website of the European Court of Justice just released, is the EU-U.S. Privacy Shield being challenged by Digital Rights Ireland, an Irish privacy advocacy group.

The facts of this case (Digital Rights Ireland v Commission; Case T-670/16) are as follows:

  • Digital Rights Ireland has filed an action for annulment against the European Commission’s adequacy decision on the EU-U.S. Privacy Shield.
  • There has been no comment from Digital Rights Ireland yet.
  • No documents have been published with regard to the case so far.
  • However, as HuntonPrivacyBlog reported “(…) media sources quote a spokesperson for the European Commission acknowledging the case and stressing the European Commission’s conviction that the Privacy Shield meets all legal requirements.”

What to do in case of a data breach?

27. October 2016

The Federal Trade Commision just released Guidelines on how to act in case of a data breach. These are called Data Breach Response: A Guide for Business and also include a video and a business blog.

These Guidelines state the most imprtant steps to be taken in order to protect customer information:

  • securing physical areas
  • removal of improperly posted information from the web
  • take service providers into account
  • providing breach notification
  • information about whom to contact in case of a data breach eg. law enforcement, affected businesses, and individuals

Furthermore, a model data breach notification letter is also included so that companies get to know the best way to alert concerned parties about an attack.

Article 29 WP will release guidelines on the GDPR by the end of 2016

26. October 2016

As Bloomberg reports, the Article 29 WP will provide guidance on the GDPR soon. Isabelle Falque-Pierrotin, Chairwoman of the CNIL as well as of the Article 29 WP, acknowledged that the GDPR text is ambiguous in some aspects. Therefore, these guidelines aim at serving as an operational toolbox.

Amongst others, the guidance to the GDPR shall refer to the following aspects:

  • The designation of the leading Supervisory Authority in case of complaints or in relation to other procedures. Moreover, aspects of the bilateral cooperation and competence to resolve disputes by the Supervisory Authorities and the European Data Protection Board shall be clarified.
  • Guidance on the figure of Data Protection Officers is one of the priorities of the Article 29 WP, as it will play an essential role in companies on achieving GDPR compliance.
  • The right to data portability has been regulated for the first time in the GDPR. This right will allow data subjects to access their data and transfer data to other data controllers, for example upon the change of telephone provider. The guidance should focus on its scope and implementation.
  • The standard by which the proof of consent will take place, will have to be specified. This is especially important for small and medium-sized companies, for which a “simple pedagogical tool” will be developed.
  • A formal guidance on the Privacy Shield will not take place until the EU Commission has reviewed its functioning after the first year, this is summer or early fall 2017.

At the moment, the Article 29 WP remains neutral with regard to the Brexit. However, Falque-Pierrotin remarked that the Privacy Shield may be also useful in UK regarding international data flows with the U.S.A.

Further guidance is also expected in 2017, especially regarding topics such as the EU-U.S. Privacy Shield and the implication of the Brexit in privacy issues.

Amendments to adequacy decisions and decisions on European Model Clauses?

25. October 2016

After a meeting of the Article 31 Committee, the European Commission disclosed two drafts concerning the implementation of amendments to the existing adequacy decisions and decisions on EU Model Clauses.

First of all, adequacy decisions determine whether a third country provides adequate safeguards in order to protect personal data. These decisions are made by the Commission after an assessment of the national laws and international commitments in terms of data protection of the respective country. In the following, countries which are established to be adequate are added to the Commission’s “white list”. Therefore, data transfers can be made from the EEA to that country without any further legal requirements.

The opinion concerning these amendments is divided. Some European Member States which participated at the Article 31 Committee meeting were for implemnting theses amendments. However, other European Member States requested more time in order to consider the proposed changes.

Due to this conflict another meeting has to be scheduled to which the  Article 29 Working Party will be aksed to contribute by presenting its views on the respective changes.

The application of the right to be forgotten in France challenged by Wikimedia

24. October 2016

Since the ECJ established the right to be delisted from search engines (right to be forgotten) in 2014, Google has received numerous requests from individuals and organizations regarding the deletion of search results that contain their personal data which is not any more current, correct, relevant or which causes damages to the data subjects. The right to be forgotten refers to certain domains, such as; fr, de, es or nl.

However the French DPA requested Google to delete these results from all Google search domains (including .com). As Google did not fully comply with this request, the French DPA (CNIL) imposed Google a fine early this year.

As the French Highest Court has still to decide about this, Wikimedia, the parent company of Wikipedia, filed a petition in order to take part in the case and support Google France regarding the ongoing dispute about implementation of the “right to be forgotten”. Wikimedia’s legal counsel said in a statement that “no single nation should attempt to control what information the entire world may access”. Furthermore, she added that the application of the right to be forgotten involves the disappearance of several Wikimedia websites, which has an impact on the availability of knowledge.

Not only in France, but also in other jurisdictions is Google facing similar processes regarding the application of the right to be forgotten.

“If you think instant messaging services are private, you are in for a big surprise …

… The reality is that our communications are under constant threat from cybercriminals and spying by state authorities. Young people, the most prolific sharers of personal details and photos over apps like Snapchat, are especially at risk,” concluded Sherif Elsayed-Ali, the head of Amnesty International’s Technology and Human Rights Team, after ranking 11 of the most popular messaging apps in a Message Privacy Ranking.

In this ranking, both Snapchat and Skype received some of the lowest scores. Snapchat only got 26 out of 100 on the organization’s scale, whereas Skype received 40 out of 100. This is due to the fact that end-to-end encryption is not used, although it is highly recommendet to do so, according to Amnesty.

The report explaines that “The apps were marked on their use of encryption and privacy safeguards, as well as how well they advised their users of the app’s security, and whether they released details of government requests for user data.” Furthermore, Sherif Elsayed-Ali stated that “It is up to tech firms to respond to well-known threats to their users’ privacy and freedom of expression, yet many companies are falling at the first hurdle by failing to provide an adequate level of encryption”.

Therefore, it is to note that although they are the world-leading messaging applications, Skype and Snapchat are among the least secure on the market, according to Amnesty.

European Court of Justice defines personal data

20. October 2016

The European Court of Justice clarified the definition and the scope of personal data.

The original case, known as the Breyer case, concerned the issue whether dynamic IP addresses are personal data within the meaning of Article 2(a) of Directive 95/46/EC. The European Court of Justice now ruled that IP addresses can be seen as personal data although the information may have to be sought from third parties in order to identify the data subjects.

In detail, the European Court of Justice concludes:

  • According to the approach adopted by the Bundesgerichtshof (Federal Court of Justice), a dynamic IP address is not sufficient, in itself, to identify the user who has accessed a web page through it. If the provider of a service on the Internet could, on the contrary, identify the user through the dynamic IP address, it would, no doubt, be personal data within the meaning of Directive 95/46.
  • The heart of the question referred is therefore concerned with whether it is relevant, in order to classify dynamic IP addresses as personal data, that a very specific third party — the Internet access service provider — has additional data which, combined with those addresses, may identify a user who has visited a particular web page.
  • Therefore, as a first conclusion, I consider that Article 2(a) of Directive 95/46 must be interpreted as meaning that an IP address stored by a service provider in connection with access to its web page constitutes personal data for that service provider, insofar as an Internet service provider has available additional data which make it possible to identify the data subject.

Therefore, the question which is raised due to this ruling is: Will this defintion stand once the GDPR comes into force in 2018?

However, it is highly probable that from now on it will be more difficult for organizations to pseudonymize or anonymize personal data.

Decision in Microsoft case about to be challenged

18. October 2016

As the Washington Post reported, the Justice Department asked the appeals court for the Southern District of New York to look at the decision concerning Microsoft’s refusal to comply with a search warrant for an alleged drug trafficker’s emails stored on a server in Ireland.

The case which this ruling was based on dealt with Microsoft receiving a warrant in December 2013. However, although it originally has been a case of compliance with a federal law enforcement request, now turned out to be a discussion over government access to digital data held overseas. This is due to increasing challenges to governments if they try to intercept data across borders.

Therefore, Microsoft and a number of tech firms and privacy groups reason that in case the government’s view will be applied, the outcome will be that U.S.-american businesses might lose billions of dollars in revenue.


Not a single EU Member State has implemented the EU PNR so far

14. October 2016

The European Passenger Name Records Directive (EU PNR) was passed earlier this year.

Although the European Commission spent tens of millions Euros on 15 national PNR schemes, not a single member state has implemented the respective Directive. There were national PNR schemes in order to help lay the groundwork for an EU-wide level proposal.

A commission spokesman commented that member states have until May 2018 to integrate the directive into their national laws.

However, Dimitris Avramopoulos, the European Commissioner for migration said that “The commission will be putting pressure on member states to implement it as soon as possible: we cannot wait for two years”.

Category: EU Commission
Pages: Prev 1 2 3 ... 7 8 9 10 11 12 13 ... 21 22 23 Next
1 8 9 10 11 12 23