WP29 Guidelines on the notion of consent according to the GDPR – Part 2

3. April 2018

Continuing the earlier article on the Working Party 29 (WP29) guidelines on consent, further elements of the notion deserve attention, since consent plays a key role as a legal basis for the processing of personal data.

The GDPR further requires consent to be specific: the data subject must be informed of the purpose of the processing and must be safeguarded against function creep. Where several purposes are pursued, the data controller has to be granular, obtaining separate consent for each purpose, and must clearly separate the information relating to consent from other matters.

If the data controller wishes to process the data for a new purpose, it has to seek fresh consent from the data subject; the original consent cannot serve as a legitimisation for processing for further or new purposes.

Consent is also invalid if the data controller does not comply with the requirements for informed consent. The WP29 lists six key points that the data subject must be told for consent to be informed, the central aspect being that the data subject genuinely needs to understand the processing operations at hand. The information has to be provided in clear and plain language and must not be hidden in general terms and conditions.

Furthermore, consent has to be an unambiguous indication of the data subject’s wishes, i.e. it must always be given through an active motion or declaration. The use of pre-ticked opt-in boxes, for example, is therefore invalid.

Beyond that, explicit consent is required in situations where serious data protection risks emerge, such as the processing of special categories of personal data pursuant to Art. 9 GDPR.

In general, the burden of proof lies with the data controller pursuant to Art. 7 GDPR, which does not prescribe any specific method of demonstrating consent. The WP29 recommends that consent be refreshed at appropriate intervals.

Withdrawal of consent has to be as easy as giving it and must be possible without detriment.

The WP29 also recommends that data controllers assess whether the processing of data is appropriate, irrespective of data subjects’ requests.

Cambridge Analytica and Facebook under investigation

27. March 2018

As Bloomberg reports, the offices of Cambridge Analytica were searched by the U.K. Information Commissioner’s Office (ICO) amid allegations that data of millions of Facebook users had been obtained without the data subjects’ consent. Personal information of about 50 million people is reportedly affected: some 270,000 Facebook users are said to have used a personality-analysis app that had permission to access not only those users’ own data but also the data of their friends.

According to the ICO, the investigation is part of a larger look into “the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors”.

As a consequence of this revelation, Facebook not only lost a significant part of its stock market value. As Forbes reports, the U.S. Federal Trade Commission (FTC) has also confirmed launching its own investigation into Facebook. According to Tom Pahl, the director of the FTC’s Bureau of Consumer Protection, the “FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook” and “the FTC is confirming that it has an open non-public investigation into these practices.”


Category: General

How is a company transferring data with a non-European company able to ensure the data-protection standard according to the General Data Protection Regulation (GDPR)?

21. March 2018

A trade deal between two companies often involves a large amount of personal data that is transferred incidentally. From 25 May 2018 the new GDPR regulates the flow of personal data within the European Economic Area (EEA), which consists of all members of the European Union plus Iceland, Liechtenstein and Norway. After Brexit, the status of the United Kingdom will primarily be that of a third country.

By contrast, business relationships with companies from states outside the EU or EEA (such as the USA, China, …) cannot automatically guarantee the data protection standard of the GDPR. Especially since the European Court of Justice (ECJ) invalidated the EU-US “Safe Harbour” arrangement, every company that transfers personal data across the Atlantic is obliged to ensure an adequate level of data protection itself. In its communication of 10 January 2017 the European Commission (EC) recommends the use of so-called standard contractual clauses (SCC) or binding corporate rules (BCR) when an EU-based company transfers personal data to a non-EU based company or to a non-EU based entity of its own corporate group.

This has a wide impact on the daily trade deals made all over Europe with third-country companies. The EU recommends that data protection go hand in hand with trade deals in order to ensure the comparatively high level of data protection, which is based on Article 8 of the Charter of Fundamental Rights of the European Union. Especially as long as the EU’s ePrivacy Regulation is not yet in force, every company has to ensure the standard of the GDPR by implementing a privacy policy in which transfers of data to third countries are disclosed.

In conclusion, a company that trades with third-country companies needs to enter into a specific data protection agreement with its trading partner and needs to inform its clients of the transfer in its privacy policy.

Apple bows to Chinese government

5. March 2018

Apple backs down: the Chinese government demanded that Apple no longer keep Chinese users’ data under its own control on US-based servers, but hand it over to a Chinese company.

This is likely to give Chinese authorities access to the personal data of Chinese users.

Apple informed users in the past weeks. Users of Apple’s iCloud service were told that their data is no longer stored on servers in the USA. Since 28 February, Guizhou-Cloud Big Data (GCBD) has been the hosting provider for the data of Chinese users. GCBD is a state-controlled internet company based in Guizhou Province in southern China.

Affected are iCloud users with a Chinese Apple ID.

The measure is based on China’s new cybersecurity law, which has been in force since last year. Under the new law, personal data of Chinese users falls under Chinese law and no longer, as before, under the law that applies to the provider.

Apple has been heavily criticized for yielding to Chinese law in this way.


United States vs. Microsoft

28. February 2018

The United States Supreme Court (SCOTUS) heard oral arguments yesterday in the case United States v. Microsoft.

The dispute between the US government and Microsoft has spanned several years, since 2013, and has major implications for the privacy profession.

At issue is whether the U.S. government can compel Microsoft to turn over data stored on a server outside the United States. The basis of the obligation is a warrant issued by a US court under the Stored Communications Act. Microsoft was to turn over the emails of a customer stored on Microsoft servers both in the US and in Ireland. Microsoft handed over the data stored in the US but refused to turn over the data stored in Ireland. Microsoft’s position is that an Irish court, not a US court, has jurisdiction, because the Stored Communications Act cannot reach beyond the territorial jurisdiction of the US. The US position, adopted by the magistrate judge and the district court, is that because Microsoft is a US company fully capable of accessing the information described in the warrant, the warrant is a valid exercise of wholly domestic power.

A judgement could be handed down in June.

The European Data Protection Board – A new authority under the EU General Data Protection Regulation (GDPR)

27. February 2018

The new General Data Protection Regulation (GDPR) establishes a new EU data protection authority, the so-called European Data Protection Board (the “Board”). The Board replaces the Article 29 Working Party from 25 May 2018, when the GDPR becomes applicable. The Board has its own legal personality.

Pursuant to Art. 68(3) GDPR the Board is composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor. It acts independently and on its own initiative, issuing opinions pursuant to Art. 64 GDPR or adopting binding decisions pursuant to Art. 65 GDPR, in particular in the cases listed in Art. 65(1) GDPR. The Board thus has the authority to adopt one of the most powerful legal acts of the Union under Art. 288 of the Treaty on the Functioning of the European Union (TFEU).

While harmonizing data protection in the EU, the Board’s main task is to ensure the consistent application of the GDPR by the national supervisory authorities through the consistency mechanism pursuant to Art. 63 GDPR. Within this consistency mechanism, the Board issues opinions on so-called Binding Corporate Rules (BCR), which are approved by national data protection authorities and which a corporate group needs for its international data transfers.

The Board also has the final say if the national data protection authorities cannot reach an agreement concerning the implementation of the GDPR.

United Kingdom becomes a third country after Brexit

29. January 2018

The withdrawal of the United Kingdom from the European Union means that the United Kingdom becomes a third country.

The European Commission announced that on 30.03.2019, 00:00h (CET), the United Kingdom will no longer be a member of the Union and that all Union primary and secondary law will cease to apply to it.

That means that all stakeholders processing personal data need to consider the legal repercussions of Brexit, because as of the withdrawal date the EU rules for transfers of personal data to third countries apply. The GDPR allows such a transfer if the controller or processor provides appropriate safeguards.

Safeguards may be provided by:

  • Standard data protection clauses (SCC)
  • Binding corporate rules (BCR)
    • legally binding data protection rules approved by the competent data protection authority which apply within a corporate group
  • Codes of Conduct
    • Approved Codes of Conduct together with binding and enforceable commitments of the controller or processor in the third country
  • Certification mechanisms
    • Approved certification mechanisms together with binding and enforceable commitments of the controller or processor in the third country

Besides that, a transfer may take place on the basis of consent, for the performance of a contract, for the exercise of legal claims or for important reasons of public interest.

These procedures are already well-known to business operators because they are used today for the transfer of personal data to non-EU countries like the USA, Russia or China.

The decision is disappointing for everyone who was hoping for a finding of an adequate level of data protection in the United Kingdom.

Stakeholders should prepare for the requirements associated with recognition as a third country.

Category: EU Commission · European Union · GDPR · UK

WP29 Guidelines on the notion of consent according to the GDPR – Part 1

26. January 2018

According to the GDPR, consent is one of the six lawful bases listed in Art. 6. In order for consent to be valid and compliant with the GDPR it needs to reflect the data subject’s real choice and control.

The Working Party 29 (WP29) clarifies and specifies the “requirements for obtaining and demonstrating” such valid consent in its Guidelines released in December 2017.

The guidelines start with an analysis of Article 4(11) GDPR and then discuss the elements of valid consent. Referring to Opinion 15/2011 on the definition of consent, they stress that “obtaining consent also does not negate or in any way diminish the controller’s obligations to observe the principles of processing enshrined in the GDPR, especially Article 5 of the GDPR with regard to fairness, necessity and proportionality, as well as data quality.”

The WP29 illustrates the elements of valid consent, namely that consent must be freely given, specific, informed and unambiguous. For example, consent is not considered freely given if a mobile app for photo editing requires users to activate their GPS location simply in order to collect behavioural data unrelated to the photo editing. The WP29 emphasizes that consent to the processing of unnecessary personal data “cannot be seen as a mandatory consideration in exchange for performance.”

Another important aspect taken into consideration is an imbalance of power, e.g. with regard to public authorities or in the context of employment. “Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences (e.g. substantial extra costs) if he/she does not consent. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will.”

Art. 7(4) GDPR emphasizes that the performance of a contract must not be made conditional on consent to the processing of personal data that is not necessary for the performance of that contract. The WP29 states that “compulsion to agree with the use of personal data additional to what is strictly necessary limits data subject’s choices and stands in the way of free consent.” Depending on the scope of the contract or service, the term “necessary for the performance of a contract… …needs to be interpreted strictly”. The WP29 gives examples of cases in which such bundling is nevertheless acceptable.

If a service involves multiple processing operations or multiple purposes, the data subject should be free to choose which purposes they accept. This concept of granularity requires the purposes to be separated and consent to be obtained for each purpose.

Withdrawal of consent has to be possible without any detriment, e.g. in terms of additional costs or a downgrade of services. Any other negative consequence such as deception, intimidation or coercion also invalidates consent. The WP29 furthermore advises controllers to keep proof that consent has been given in accordance with these requirements.

(to be continued in Part 2)

Will Visa Applicants for the USA have to reveal their Social Media Identities in future?

11. January 2018

The U.S. Department of State is aiming for visa applicants to answer supplemental questions, including information about social media. A 30-day notice was published in November in order to gather opinions from all interested individuals and organizations. The goal is to establish a legal basis for the “proper collection of all information necessary to rigorously evaluate all grounds of inadmissibility or deportability, or grounds for the denial of other immigration benefits”.

In concrete terms, applicants are supposed to reveal the social media identifiers they have used during the last five years. The State Department stresses that “the collection of social media platforms and identifiers will not be used to deny visas based on applicants’ race, religion, ethnicity, national origin, political views, gender, or sexual orientation.”

Meanwhile, the Electronic Privacy Information Center (EPIC) has submitted comments asking for the withdrawal of the proposal to collect social media identifiers and for a review of the appropriateness of using social media to make visa determinations.

EPIC not only criticizes the lack of transparency, as it is “not clear how the State Department intends to use the social media identifiers”, and adds that “the benefits for national security” are not specified precisely. The organization also expresses concern that the collection of these data enables enhanced profiling and tracking of individuals as well as large-scale surveillance of innocent people, possibly even leading to secret profiles.

It remains to be seen how the situation develops and how the public opinion influences the outcome.

Risk of identity theft for a billion people in India

5. January 2018

A billion people in India may be at risk of identity theft. The Tribune newspaper uncovered a security breach in the country’s vast biometric database, which contains personal data of almost every citizen of India. The biometric ID program, called Aadhaar, is a flagship policy of Prime Minister Narendra Modi against corruption.

The newspaper’s reporters were able to access names, email addresses, phone numbers and postal codes by entering people’s 12-digit unique identification numbers into the government’s database, after paying about €6.50 ($8, 500 rupees) to a seller. The seller also sold software to print out the unique identification cards, called Aadhaar cards, which can be used to access various government services.

The seller had gained access to the database through former workers who had originally been tasked with making the Aadhaar cards.

India’s Unique Identification Authority said in an official statement: “Claims of bypassing or duping the Aadhaar enrollment system are totally unfounded. Aadhaar data is fully safe and secure and has robust, uncompromised security.” The governing party tweeted from its official account that the report was fake news.
