New Austrian Data Protection Law – undermining GDPR

8. May 2018

Austria’s governing parties passed a new law on data protection in the last month. This new law, which was intendet to implement the requirements of the General Data Protection Regulation (GDPR), complicates the enforcement of the new EU-wide data protection rules. This developement is result of a change in policy. Three years ago Austria’s justice minister complained that the EU’s forthcoming data protection rules were to weak, nowadays, the new government in Vienna says they are too strong.

It has been suggested, that the governing parties in Vienna are trying to turn the coountry into a sort of ‘safe haven’ – by complicating enforcement of the GDPR.

Purpose of the GDPR is, inter alia, to hand back the control of personal data to the data subjects. This aim could be undermined by the new provisions regarding the sanctions.

The GDPR stipulates, that sanctions are imposed by DPAs without any condition and without a room for specification or changes to member states’ law. In contrast to this the new Austrian data protection law contains a term that requires warnings before launching sanctions against violating firms. It must be feared, that most infringements will go unpunished.

The responsibles of the Austrian Data Protection Authority tried to weaken the concerns: The authority will still decide on a case-by-case basis whether to impose administrative fines or not – even it is the first violation of the company.

It remains to be seen how the new law will be applied in the future.

European Commission: more protection for whistleblowers

24. April 2018

The European Commission intends to grand more protection for Whistleblowers from retribution when they expose fraud, data breaches and other misdeeds, as Reuters reports. In order to reach this goal, the European Commission proposed new rules last Monday. However, also safeguards against malicious or abusive reports has been considered. The Vice President Francs Timmermans said, “There should be no punishment for doing the right thing”.

Before it can become law, the proposal has to be approved by the EU member states and the European Parliament. Such law would require companies to implement internal channels for whistleblowers while also protecting them from reprisals like sackings, demotion and litigation. Down to the present day, only 10 EU member states grant full protection to whistleblowers.

Application of the GDPR outside the EU

10. April 2018

When the General Data Protection Regulation (GDPR) comes into force on May 25th this year, not only in Europe the handling of personal data will have to change. Companies operating with customer data of EU citizens also have to observe the GDPR worldwide. But which non-European legal entity has to show consideration for the European Data Protection?

In accordance with Article 3 (1) GDPR, the GDPR applies to the processing of data of natural persons in so far as it takes place in the context of an activity of the controller (see Article 4 (7) GDPR) or a processor (see Article 4 (8) GDPR) in the Union. This applies irrespective of whether the data processing takes place on EU territory or in a third country.

If the data subject lives in the EU but the controller / data processor is located outside the EU, the scope of the GDPR according to Article 3 (2) GDPR is applicable if the data processing is related to goods or services offered within the EU (see Art. 3 (2) lit. a)). The GDPR applies cumulatively if the processor carries out a profiling on a EU-citizen (see Art. 3 (2) lit. b)).

Furthermore, the GDPR is also applied outside the EU territory to a controller / data processor who isn’t resident of the EU, if the law of a Member State becomes applicable on the basis of international public law (e.g. in consular or diplomatic matters, or on the basis of private international law).

United States vs. Microsoft II

4. April 2018

In the USA, the “Cloud Act” (Clarifying Lawful Overseas Use of Data Act) came into force a few days ago with the signature of President Trump.

The Cloud Act stipulates that US investigators should have access to personal data located on servers outside the USA. To this end, bilateral agreements may be concluded authorizing investigators to contact the cloud provider directly.

As part of this, the US Department of Justice filed an application with the US Supreme Court to declare United States of America vs. Microsoft Corporation (New York Search Warrant Case) closed. The case dates from 2013 and has been highly controversial ever since.

The question is whether Microsoft must disclose personal data stored outside the US, here on servers in Ireland, to US authorities. The basis for this was a search warrant issued by a federal district court in New York, which was intended to oblige Microsoft to hand the data over. Microsoft complained about this. A ruling was actually expected in June of this year, but now the matter could be filed before a decision is taken.

Noel J. Francisco, the US government’s chief litigant, filed a petition with the Supreme Court, citing the Cloud Act, arguing that the Microsoft-US dispute is over and no longer needs to be heard. A new search warrant based on the Cloud Act has already been sent to Microsoft.

WP29 Guidelines on the notion of consent according to the GDPR – Part 2

3. April 2018

Continued from the article about the Working Party 29 (WP29) guidelines on consent, additional elements of the term should be considered as consent plays a key role for the processing of personal data.

The GDPR requires consent to further be specific, i.e. the data subject must be informed about the purpose of the processing and be safeguarded against function creep. The data controller has to, again, be granular when it comes to multiple consent requests and clearly separate information regarding consent from other matters.

In case the data controller wishes to process the data for a new purpose, he will have to seek new consent from the data subject and cannot use the original consent as a legitimisation for processing of further or new purposes.

Consent will also be invalid if the data controller doesn’t comply with the requirements for informed consent. The WP29 lists six key points for consent to be informed focussing on the aspect that the data subject genuinely needs to understand the processing operations at hand. Information has to be provided in a clear and plain language and should not be hidden in general terms and conditions.

Furthermore, consent has to be an unambiguous indication of wishes, i.e. it must always be given through an active motion or declaration. For example, the use of pre-ticked opt-in boxes is invalid.

However, explicit consent is required in situations where serious data protection risks emerge such as the processing of Special categories of data pursuant to Art. 9 GDPR.

In general, the burden of proof will be on the data controller according to Art. 7 GDPR, without prescribing any specific methods. The WP29 recommends that consent should be refreshed at appropriate intervals.

Concerning the withdrawal of consent, it has to be as easy as giving consent and should be possible without detriment.

The WP29 also recommends that data controllers assess whether processing of data is appropriate irrespective of data subjects’ requests.

Cambridge Analytica and Facebook under investigation

27. March 2018

As Bloomberg reports, the offices of Cambridge Analytica were investigated by the U.K. Information Commissioner’s Office (ICO) amid allegations that information of millions of Facebook’s users data was obtained without the data subject’s consents. Personal information from about 50 million people should be affected because 270.000 Facebook user should have used a personality-analysis app, which should not only have the permission to enter the users’ data, but also those of the users’ friends.

According to the ICO, the investigation should be a part of a larger look into “the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors”.

Facebook, because of this revelation not only lost a significant amount of its stock shares. As Forbes reports, the U.S. Federal Trade Commission (FTC) confirmed the launch of an own investigation against Facebook. It is said that according to Tom Pahl, the director of the FTC’s Bureau of Consumer Protection, the “FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook” and that “the FTC is confirming that it has an open non-public investigation into these practices.”

 

 

Category: General

How is a company transferring data with a non-European company able to ensure the data-protection standard according to the General Data Protection Regulation (GDPR)?

21. March 2018

A trading deal between two companies often includes a high number of coincidentally transferred personal data. From the 25th May 2018 on the new GDPR regulates the data flow in the European Economic Area (EEA) that consists of all the members of the European Union, Iceland, Liechtenstein and Norway. The future status of Great Britain will be primarily the status of a third country.

Otherwise, business relationships to companies from non-EU or EEA States (like the USA, China, …) cannot guarantee the data protection standard of the GDPR automatically. Especially since the overruling of the “safe-harbour” agreement of the EU with the USA by the European Court of Justice (ECJ), every company that transfers data over the Atlantic is obligated to fulfil the data protection by itself. The European Commission (EC) recommends in its communication from the 10th January 2017 the use of so-called standard contractual clauses (SCC) or binding corporate rules (BCR), when an EU-based company transfers personal data to a non-EU based company or non-EU based entity of its corporate group.

This has a wide impact to the daily trade deals that are made all over Europe with third country companies. The EU recommends the data protection going hand in hand with the trading deals, to ensure the relatively high data protection level, which is based on Article 8 of the Charter of Fundamental Rights of the European Union. Especially until the ePrivacy-Regulation of the EU is not in force, every company has to ensure the standard of the GDPR by implementing a privacy policy, in which transfers of data to a third country has to be mentioned.

In conclusion, a company that trades with third country companies needs to enter a special data protection contract with the trading partner and needs to inform its clients by its privacy policy.

Apple bows to Chinese government

5. March 2018

Apple backs down: The Chinese government has demanded that Apple no longer outsource control of Chinese users data to US-based servers, but hand them over to a Chinese company.

This is likely to give Chinese authorities access to the personal data of Chinese users.

Apple informed the users in the passed weeks. Users of Apples service iCloud were informed, that their data is not longer stored on servers in the USA. Since February 28th, is Guizhou-Cloud Big Data (GCBD) the server provider for the data of Chinese users. GCBD is a state-controlled internet company based in Guizhou Province in southern China.

Affected are iCloud users with a Chinese Apple-ID.

The measure is based on new Chinese cybersecurity law, that is in place since last year. According to the new law, personal data of Chinese users fall under Chinese law and not, like before, under the law, the provider falls under.

For the diffraction under the Chinese law, Apple is heavily criticized.

 

 

United States vs. Microsoft

28. February 2018

The United States Supreme Court (SCOTUS) heared yesterday the arguments in the case United States vs. Microsoft.

The dispute betwenn the US government and Microsoft has spanned several years, since 2013, and has major implications for the privacy profession.

Issue is, that the U.S. can compel Microsoft to turn over data stored on a server outside the United States. Basis of the the obligation is a warrant issued by a US court under the Stored Communications Act. Microsoft should turn over emails of a customer stored on Microsoft servers, both in the US and in Ireland. Microsoft handed out the data stored in the US, but reject to turn over the data stored in Ireland. Basis for the rejection is, according to the position of Microsoft, that a Irish court is responsible and not a US court, due to the Stored Communications Act cannot reach outside of the territorial jurisdiction of the US. The US position, adopted by the magistrate judge and district court is, that because Microsoft is a US company, and fully capable of accessing the information described in the warrant, the warrant is a valid exercise of wholly domestic power.

A judgement could be made in June.

The European Data Protection Board – A new authority under the EU General Data Protection Regulation (GDPR)

27. February 2018

Through the new General Data Protection Regulation (GDPR) there will be established a new EU Data Protection Authority, the so-called European Data Protection Board (the “Board”). The Board replaces the Article 29 Working Party starting May 25th 2018, when the GDPR enters into force. The board has its own legal personality.

Pursuant to Art. 68 (3) GDPR the Board is composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor. It works independent and on its own initiative by issuing its opinion pursuant to Art. 64 GDPR or adopting a binding decision pursuant to Art. 65 GDPR, especially in the written cases of Art. 65 (1) GDPR. The Board hence has the authority to adopt one of the most powerful legal acts of the union from Art. 288 of the Treaty of the European Union (TFEU).

While harmonizing the data protection in the EU, the Boards main task is to maintain the consistent application of the GDPR by the national supervisory authority through the Consistency mechanism pursuant to Art. 63 GDPR. Within this Consistency mechanism, the Board comments the so-called Binding Corporate Rules (BCR), which are necessarily given by national data protection authorities for international data transfer of a company group.

The Board also has the final say if the national data protection authorities cannot reach an agreement concerning the implementation of the GDPR.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 22 23 24 Next
1 2 3 4 24