Council of Ministers votes on latest draft of GDPR

12. April 2016

In the past week, the EU national governments endorsed the latest draft of the European Union’s General Data Protection Regulation (GDPR) in a vote held by the Council of Ministers. It is now expected that the European Parliament will approve the GDPR within this week, along with a new Data Protection Directive for police and criminal justice authorities.

According to a press release of the Council of Ministers, which was published shortly after the vote last week, one of the main benefits of the Regulation is the fact that it provides for a single set of rules, which are valid across the EU and applicable both to European and non-European companies offering online services in the EU. Thus, the regulation provides the framework for increased cooperation between EU member states to ensure coherent application of the data protection rules.

The regulation follows a risk-based approach, which means that data controllers will be able to implement measures according to the risk involved in the data processing operations they perform. This will likely reduce administrative costs, as companies will not be forced to implement a “one-size-fits all“ solution.

Opinion of the Article 29WP on the EU-U.S. Privacy Shield “leaked” by the German DPAs

After the details of the draft of the new adequacy decision to carry out international data transfers between the EU and the U.S. have been released (“EU-U.S. Privacy Shield”), the Article 29 WP is expected to express its opinion on the proposed text within this week.

On the 6th and 7th April the German DPAs meet to discuss current privacy topics, among others about the EU-U.S. Privacy Shield. A link to the resolution related to this topic was uploaded in the webpages of each federal DPA. The link to the resolution was deleted afterwards. However, a permanent link to the resolution (in German) can be found under https://www.delegedata.de/wp-content/uploads/2016/04/Beschluss_Mandat_Privacy_Shield.pdf.

The resolution of the German DPAs seems to refer to the current draft of the Article 29WP on the EU-U.S. Privacy Shield:

“Therefore, the WP29 is not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection that is essentially equivalent to that in the EU.”

This paragraph suggests that the European DPAs may not release a positive opinion on the EU-U.S. Privacy Shield.

Although the opinion of the Article 29 WP is not binding for the EU Commission, the Article 29 WP may initiate legal actions through the local DPAs against the adequacy decision if it is approved, as stated in paragraph 4 of the above mentioned resolution.

Settlement in lawsuit against Sony Pictures Entertainment

11. April 2016

A multimillion-dollar settlement in a class-action lawsuit against Sony Pictures Entertainment filed by former employees, whose personal data was stolen when a data bleach took place, was appoved by an US District Judge last week.

About 437,000 people were affected by the data breach from the time of the 2014 hack through 2017.  In terms of the settlement Sony agreed to provide theft protection and an optional service covering up to $1 million in losses and furthermore, create a fund to cover any additional losses. As the deadline for workers to sign up for credit protection and reimbursement has not yet passed,  the exact amount of money for setteling is not yet available. However, up until today Sony had to pay $7 million in order to notify the people beingt affected by the breach and to establish a fund to compensate them. Nevertheless, this amount does not take millions of dollars into account that Sony had to pay for credit monitoring services and for attorney fees. Until now, 18,000 people have signed up for the mentioned optional service retailing for $350.

During the data breach sensitive personal data concerning current and former Sony Pictures Entertainment employees was stolen and posted online. The data breach was due to hackers, who broke into the company computers and released thousands of emails, documents and sensitive personal information.

 

European Council accelerates the process for adopting the GDPR

7. April 2016

The Council of the European Union announced that the process for adopting the GDPR will be accelerated. This is due to the the fact that the General Secretariat of the Council sent a Note requesting the Permanent Representatives Committee to use the so called “written procedure” in order to adopt the Council’s position. Initially a vote on the Council’s position was planned on 21st April 2016, when the next Justice and Home Affairs Council takes place. However, the Council has decided to accelerate the process for adoption by using the “written procedure”. Proceding this way is an exemption as it does not include public deliberation.

The mentioned Note states that the “need to send the Council’s position at first reading to the European Parliament during its April I plenary, will only be possible to adopt the Council’s position at first reading within this very short deadline via the written procedure, which would be launched on Thursday 7th April 2016 and would end on Friday 8th April 2016, at midday. Delegations’ attention is drawn to the exceptionally short duration of this written procedure.”

When looking on the next steps it is to say that once the Council’s position is adopted,  it will then be sent to the European Parliament. The European Parliament will go on by acknowledging the receipt during the next plenary session taking place on 11-13 April 2016. Afterwards, the Parliament’s Civil Liberties Committee will vote on a recommendation to Parliament regarding the Council’s position. These recommendation will then be used as a foundation for the Parliament’s adoption of the GDPR in one of the following plenary meetings.

WhatsApp just added end-to-end encryption

6. April 2016

WhatsApp is an online messaging service, that has grown into one of the most used applications, owned by Facebook. Messages, phone calls and photos are exchanged via WhatsApp by more than a billion people. Therefore, only Facebook itself operates a larger communications network.

This week was revealed that the company has added end-to-end encryption to every form of communication developed by a team of 15 of out of 50 overall employees for any person using the latest version of WhatsApp, so that all messages, phone calls and photos are encrypted. This regards any smartphone, from iPhones to Android phones to Windows phones. By encrypting end-to-end not even WhatsApp’s employees have access to the data sent through this communication network. This means that WhatsApp will not be able to comply with a court order demanding the disclosure of the content of messages, phone calls and photos sent by using its service.

This way of encryption has generally led to a public discussion between technology companies and governments. For example, in the UK, politicians have proposed banning this encryption so that companies should be forced to install “backdoors” in order to be able to disclose the content only to law enforcement.

 

Category: Countries · EU · USA
Tags: , ,

The French DPA fines Google

29. March 2016

The French Data Protection Authority (“CNIL”) fines Google for data protection violation. In May 2014, the European Court of Justice had decided, that citizens could request search engines to delist inadequate or irrelevant web search results of themselves; the so-called “right-to-be-forgotten” was born.

The CNIL has now fined the US search engine 100.000 Euros over the right-to-be-forgotten, since Google just delisted web search results regionally, for instance only accross their European websites, such as google.fr and not also on the google.com website. By delisting web search results of a person only regionally, the data subject will practically not be able to exercise her/his right-to-be-forgotten efficiently. Search engines should instead delist search results from all their domains.

Turkish parliament passes personal data protection law

With the refugee crisis, a new capital between Turkey and the EU has started. In order to receive visa liberalization for Turkish citizens in the EU, Turkey has to fulfill certain criteria. One of the required criteria for Turkey was to pass a personal data protection law. On March 24, the Turkish parliament has finally passed a personal data protection bill.

The Turkish personal data protection law will e. g. define personal data and sensitive personal data. Among others, it will also regulate data transfers and individual rights of the data subject.

Since the law has passed now, a next step will be creating a nine-member Committee of Personal Data Protection under the Personal Data Protection Institute, affiliated with the Prime Ministry.

EU Council releases statement at first reading on the upcoming GDPR

23. March 2016

On March 17th, the EU Council issued its position on the draft of the GDPR.

The statement of the EU Council identifies and analyzes the following key aspects of the GDPR:

  • Material, formal and territorial scope of application of the GDPR in order to achieve a harmonization at a EU level.
  • Principles of the data processing, especially “pseudonymization” and “data minimization”
  • Lawfulness of the processing based on the consent of the data subject, a contract, a legal obligation, etc.
  • Empowerment of data subjects through the enhancement of their rights as data subjects to access the information that is held about them, the right to be forgotten, right to transparency on the processing, right to object to the processing of their personal data, etc.
  • Controller and processor´s accountability for the processing operations. Additionally their obligation to appoint a Data Protection Officer (DPO) in order to ensure compliance with the GDPR.
  • Transfers of personal data to third countries on the basis of adequacy decisions or other mechanisms that ensure an adequate level of data protection in third countries.
  • The EU DPAs supervisory role on the application of the GDPR on each Member State.
  • Remedies, liabilities and penalties as compensation mechanism in case of data breaches or damages caused to the data subjects.
  • Specific data processing situations, for example regarding employee´s personal data

The EU Council remarks that the GDPR reflects the compromise reached between the EU Parliament and the EU Council. Furthermore, it invites the EU Parliament to formally approve the position of the EU Council.

Spanish Constitutional Court legitimates employee monitoring without prior information

17. March 2016

In March 2016, the Spanish Constitutional Court rectified the existing Spanish jurisprudence regarding employee monitoring. This rectification is based on a constitutional appeal from an employee of a well-known fashion store, who was dismissed due to misappropriation of money from the cash register.

The company found out this conduct through the video surveillance cameras that it had installed in its premises. A distinctive sign was placed at a visible place of the shop window. However, the employees were not informed about the use of the surveillance cameras.

According to Art. 5.1 and Art. 6.1 of the Spanish Data Protection Act, the data subject must be informed about the processing of his/her personal data and give his/her unambiguous consent to this processing.

In this sentence, the Spanish Constitutional Court declares that the prior information and consent of the employee to video recording is not required in this case because a video surveillance system aims at contributing to the control and security of employees. Additionally, as a visible distinctive sign had been placed at the premises, the employer was exempted from informing each employee individually. Furthermore, Art. 20 of the Spanish Statute of Rights for Workers allows the employer to control and monitor its employees, in order to ensure that they fulfill their obligations. In this sense, the monitoring cannot violate the employee´s dignity.

EU-U.S. Privacy Shield expected to be effective in June 2016

16. March 2016

On the 14th March, the Digital Commissioner Günther Oettinger spoke out on the EU-U.S. Privacy Shield at the CeBIT fair (Center for Office Automation, Information Technology and Telecommunication), which will take place in Hannover (Germany) from the 14th until the 18th March.

Oettinger stated that the EU DPAs will evaluate the EU-U.S. Privacy Shield in the upcoming weeks, so that the new Framework can be effective in June 2016. He also remarked that without a legal regulation for international transfers of personal data, “the trust in cloud services will be low”.

The EU DPAs are expected to meet on the 12th-13th April in order to issue their opinion on the EU-U.S. Privacy Shield. However, this opinion will not be binding.

Pages: Prev 1 2 3 ... 14 15 16 17 18 19 20 21 22 23 24 Next
1 20 21 22 23 24