EU Commission working on allowing automated searches of the content of private and encrypted communications

25. November 2021

The EU Commission is working on a legislative package to combat child abuse, which will also regulate the exchange of child pornography on the Internet. The scope of these regulations is expected to include automated searches of private encrypted communications sent via messaging apps.

When questioned, Olivier Onidi, Deputy Director General of the Directorate-General Migration and Home Affairs at the European Commission, said the proposal aims to “cover all forms of communication, including private communication”.

The EU Commissioner of Home Affairs, Ylva Johansson, declared the fight against child sexual abuse to be her top priority. The current Slovenian EU Council Presidency has also declared the fight against child abuse to be one of its main priorities and intends to focus on the “digital dimension”.

In May 2021, the EU Commission, the Council and the European Parliament reached a provisional agreement on an exemption to the ePrivacy Directive that would allow web-based email and messaging services to detect, remove, and report child sexual abuse material. Previously, the European Electronic Communications Code (EECC) had extended the legal protection of the ePrivacy Directive to private communications related to electronic messaging services. Unlike the General Data Protection Regulation, the ePrivacy Directive does not contain a legal basis for the voluntary processing of content or traffic data for the purpose of detecting child sexual abuse. For this reason, such an exception was necessary.

Critics see this form of preventive mass surveillance as a threat to privacy, IT security, freedom of expression and democracy. A critic of the agreement states:

This unprecedented deal means all of our private e-mails and messages will be subjected to privatized real-time mass surveillance using error-prone incrimination machines inflicting devastating collateral damage on users, children and victims alike.

However, the new legislative initiative goes even further. Instead of allowing providers of such services to search for such content on a voluntary basis, all providers would be required to search the services they offer for such content.

How exactly such a law would be implemented from a technical perspective will probably not be clear from the text of the law and is likely to be left up to the providers.
One possibility would be that software checks the hash of an attachment before it is sent and compares it with a database of hashes of content that has previously been identified as illegal. Such software is offered by Microsoft, for example, and such a database is operated by the National Center for Missing and Exploited Children in the United States. A hash is a kind of digital fingerprint of a file.
Another possibility would be the monitoring technology “client-side scanning” (CSS). This involves scanning messages before they are encrypted on the user’s device. However, this technology has been heavily criticized by numerous IT security researchers and encryption software manufacturers in a joint study. They describe CSS as a threat to privacy, IT security, freedom of expression and democracy, among other things because the technology creates security loopholes and thus opens up gateways for state actors and hackers.

The consequence of this law would be a significant intrusion into the privacy of all EU citizens, as every message would be checked automatically and without suspicion. The introduction of such a law would also have massive consequences for the providers of encrypted messaging services, as they would have to change their software very fundamentally and introduce corresponding control mechanisms, but without jeopardizing the security of users, e.g., from criminal hackers.

There is another danger that must be considered: The introduction of such legally mandated automated control of systems for one area of application can always lead to a lowering of the inhibition threshold to use such systems for other purposes as well. This is because the same powers that are introduced in the name of combating child abuse could, of course, also be introduced for investigations in other areas.

It remains to be seen when the relevant legislation will be introduced and when and how it will be implemented. Originally, the bill was scheduled to be presented on 01 December 2021, but this item has since been removed from the Commission’s calendar.

 

EDPB publishes draft Guidelines regarding data transfer clarifications

On November 19, 2021, the European Data Protection Board (EDPB) published a new set of draft Guidelines 05/2021 on the interplay between the EU General Data Protection Regulation’s (GDPR) territorial scope, and the GDPR’s provisions on international data transfers.

The EDPB stated in their press release that “by clarifying the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V, the Guidelines aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.”

The Guidelines set forth three cumulative criteria to consider in determining whether a processing activity qualifies as an international data transfer under the GDPR, namely:

  • the exporting controller or processor is subject to the GDPR for the given processing activity,
  • the exporting controller or processor transmits or makes available the personal data to the data importer (e.g., another controller, joint controller, or a processor), and
  • the data importer is in a third country (or is an international organization), irrespective of whether the data importer or its processing activities are subject to the GDPR.

If all three requirements are met, the processing activity is to be considered an international data transfer under the GDPR, which means that the requirements of Chapter V of the GDPR apply.

The Guidelines further clarify that the safeguards implemented to accommodate the international data transfer must be tailored to the specific transfer at issue. In an example, the EDPB indicates that the transfer of personal data to a controller in a third country that is subject to the GDPR will generally require fewer safeguards. In such a case, the transfer tool should focus on the elements and principles that are specific to the importing jurisdiction. This includes particularly conflicting national laws, government access requests in the receiving third country and the difficulty for data subjects to obtain redress against an entity in the receiving third country.

The EDPB offers its support in developing a transfer tool that would cover the above-mentioned situation.

The Guidelines are open for public consultation until 31st of January 2022.

European Commission pursues legal action against Belgium over independence of Data Protection Authority

16. November 2021

In its October Infringements Package, the European Commission has stated it is pursuing legal actions against Belgium over concerns its Data Protection Authority (DPA) is not operating independently, as it should under the General Data Protection Regulation (GDPR).

The Commission stated that it “considers that Belgium violates Article 52 of the GDPR, which states that the data protection supervisory authority shall perform its tasks and exercise its powers independently. The independence of data protection authorities requires that their members are free from any external influence or incompatible occupation.”

According to the European Commission, however, some members of the Belgian DPA cannot be regarded as free from external influence, as they either report to a management committee depending on the Belgian government, they have taken part in governmental projects on COVID-19 contact tracing, or they are members of the Information Security Committee.

On June 9th, 2021, the Commission sent a letter of formal notice to Belgium, giving the member state two months to take corrective measures. Belgium’s response to the Commission’s letter did not address the issues raised and the members concerned have so far remained in their posts. The European Commission is now giving Belgium two months to take relevant action. If this fails, the Commission may decide to refer the case to the Court of Justice of the European Union.

US court unsuccessfully demanded extensive information about user of the messenger app Signal

On October 27th, 2021, Signal published a search warrant for user data issued by a court in Santa Clara, California. The court ordered Signal to provide a variety of information, including a user’s name, address, correspondence, contacts, groups, and call records from the years 2019 and 2020. Signal was only able to provide two sets of data: the timestamp of when the account was created and the date of the last connection to the Signal server, as Signal does not store any other information about its users.

The warrant also included a confidentiality order that was extended four times. Signal stated:

Though the judge approved four consecutive non-disclosure orders, the court never acknowledged receipt of our motion to partially unseal, nor scheduled a hearing, and would not return counsel’s phone calls seeking to schedule a hearing.

A similar case was made public by Signal in 2016, when a court in Virginia requested the release of user data and ordered that the request not be made public. Signal fought the non-publication order in court and eventually won.

Signal is a messenger app that is highly regarded among privacy experts like Edward Snowden. That’s because Signal has used end-to-end encryption by default from the start, doesn’t ask its users for personal information or store personal data on its servers and is open source. The messenger is therefore considered particularly secure and trustworthy. Moreover, no security vulnerabilities have become known so far, unlike with numerous competing products.

Since 2018, Signal has been operated by the non-profit organization Signal Technology Foundation and the Signal Messenger LLC. At that time, WhatsApp co-founder Brian Acton, among others, joined the company and invested $50 million. Signal founder Moxie Marlinspike is also still on board.

The EU Commission is planning a legislative package to fight the spread of child abuse on the Internet. The law will also include automated searches of the content of private and encrypted communications, for example via messenger apps. This would undermine the core functions of Signal in Europe. Critics call this form of preventive mass surveillance a threat to privacy, IT security, freedom of expression and democracy.

UK Supreme Court opposes billion-dollar privacy class action against Google

15. November 2021

On November 10th, 2021, the UK Supreme Court issued a long-awaited judgment in the Lloyd v Google case and refused to allow the class-action lawsuit against Google over alleged illegal tracking of millions of iPhone users back in 2011 and 2012 to proceed. The 3 billion GBP lawsuit, which was filed on behalf of 4.4 million residents in England and Wales, had implications for other class-action lawsuits filed in the U.K.

The case was originally filed by Richard Lloyd on behalf of the group “Google You Owe Us.” The group accused Google of bypassing Apple iPhone security by collecting personal information of users on the phone’s Safari web browser between August 2011 and February 2012. A U.K. court dismissed the case in October 2018, but it was later overturned by the UK Court of Appeal.

In a final decision in the case dating from last week, the Supreme Court ruled in favor of Google, deciding that the representative claim against Google under the Data Protection Act 1998 (DPA) should not be allowed to proceed. In reaching its decision, the Supreme Court considered the following points:

  • the statutory scheme of the DPA does not permit recovery of compensation for the mere “loss of control” of personal data and
  • the representative claim by Lloyd on behalf of the 4.4 million affected individuals should not be allowed to proceed, as Lloyd was unable to demonstrate that each of those individuals who he represented in the claim had suffered a violation of their rights under the DPA and material damage because of that violation.

“The claimant seeks damages,” Judge George Leggatt stated in the decision, “for each individual member of the represented class without attempting to show that any wrongful use was made by Google of personal data relating to that individual or that the individual suffered any material damage or distress as a result of a breach.” Judge Leggatt also said, “Without proof of these matters, a claim for damages cannot succeed.”

The decision will be welcomed by controllers, as it limits the prospects of representative claims of the nature of that advanced by Lloyd and further provides reassurance that mere technical breaches of the UK GDPR that do not result in material damage to data subjects do not represent sufficient ground for compensation.

China publishes Draft Measures on Security Assessment of Cross-border Data Transfer for public consultation

8. November 2021

On October 29th, 2021, the Cyberspace Administration of China (CAC) announced a public consultation on its “Draft Measures on Security Assessment of Cross-border Data Transfer”. This is the CAC’s third legislative attempt to build a cross-border data transfer mechanism in China, and it came only days before the effective date of the Personal Information Protection Law (PIPL) on November 1st, 2021.

The CAC said its proposed data transfer assessment aims to comply with China’s PIPL and Data Security Law, while specifically focusing on efforts to “regulate data export activities, protect the rights and interests of personal information, safeguard national security and social public interests, and promote the safe and free flow of data across borders”. If they were to be made final, the Draft Measures would apply to cross-border transfers of personal information and “important data” collected and generated in China under certain circumstances.

Data controllers, or data handlers according to the PIPL, would be subject to mandatory security assessments by the CAC in the following circumstances:

  • transfer of personal information and important data collected and generated by critical information infrastructure operators as defined under China’s Cybersecurity Law;
  • transfer of important data;
  • transfer of personal information by data handlers who process over 1 million individuals’ personal information;
  • cumulatively transferring personal information of more than 100,000 individuals or “sensitive” personal information of more than 10,000 individuals; or
  • other conditions to be specified by the CAC.

According to the Draft Measures, data handlers that require a mandatory security assessment would need to submit certain materials in connection with it, which include an application form, the data handler’s self-security assessment, and the relevant data transfer agreement.

Upon receiving the data handler’s application, the CAC would confirm whether it will accept the application within seven business days. The CAC would have 45 business days to complete the assessment after issuing the notice of acceptance. This period could be extended in complex cases or where the CAC requires supplementary documents; however, according to the Draft Measures, the timeline should not exceed 60 business days.

In evaluating a data handler’s mandatory security assessment, the CAC would aim to focus on:

  • the legality, propriety and necessity of the cross-border transfer;
  • the data protection laws and regulations of the data recipient’s jurisdiction, the security of the data being transferred, and whether the protections provided by the data recipient satisfy Chinese laws and regulations and mandatory national standards;
  • the volume, scope, type and sensitivity of the data being transferred and the risk of a leak, damage, corruption, loss and misuse;
  • whether the data transfer agreement adequately allocates responsibilities for data protection;
  • compliance with Chinese laws, administrative regulations and departmental regulations; and
  • other matters that are deemed necessary by the CAC.

The CAC’s mandatory security assessment result would be effective for two years, after which a new assessment is necessary. Under certain circumstances, a re-evaluation would have to take place, e.g. in cases of changes to the purpose, means, scope and type of the cross-border transfer or processing of personal information and/or important data by the data recipient, an extension of the retention period for the personal information and/or important data, and other circumstances that might affect the security of transferred data.

The public consultation period extends until November 28th, 2021, after which the CAC will review the public comments and recommendations.

New Android malware targeting users with fake COVID-19 information

29. October 2021

Last month, TechRepublic reported a new and devious SMS malware called TangleBot that attempts to take control of mobile devices by sending notifications about COVID-19. Currently, it targets Android users in the USA and Canada and can lead to a variety of harmful activities, according to security firm Cloudmark.

TangleBot tries to deceive users into downloading the malware through fake messages about COVID-19, such as “New regulations about COVID-19 in your region. Read here…” or “You have received the appointment for the 3rd dose. For more information, visit…”.

The link contains a notice that the Adobe Flash Player on the affected device needs to be updated, but it leads to the installation of the malicious software instead. As a result, TangleBot gets permission to access and control a wide range of functions and content. It is assumed that for this reason, the malware was named TangleBot.

TangleBot has the ability to make and block phone calls as well as send, obtain and process text messages. It is used to message other devices in order to spread faster. The malware is also designed to spy on users by accessing the camera, screen or microphone and setting up additional methods to observe activity on the device. Of particular concern is its ability to place overlay screens on the device covering legitimate apps, such as banking or financial apps, in an attempt to steal account credentials. Furthermore, the personal data stolen by the attacker usually moves to the dark web for sale, which poses a risk even if the victim manages to remove the malware.

Hank Schless, senior manager for security solutions at security firm Lookout, pointed out the dangers of cybercriminals exploiting the pandemic:

Social engineering that uses the pandemic as a lure continues to be a major issue globally. It’s advantageous for attackers to leverage socially uncertain situations in order to make their phishing campaigns more effective. People are more likely to let their guard down and interact with something online that promises information they need.

According to Schless, the risks exist not only for private individuals, but also for companies:

Mobile devices offer countless channels for attackers to deliver socially engineered phishing campaigns with the goal of swiping corporate login credentials or installing advanced malware that can exfiltrate sensitive data from the device. For organizations that allow employees to use personal devices for work in a BYOD model, the risk is even higher considering the number of personal apps people use. Attackers can deliver campaigns through SMS, social media, third-party messaging apps, gaming and even dating apps.

Additionally, Cloudmark advised that users should be vigilant in this regard and provided several tips to protect against SMS malware:

  • Look out for suspicious text messages,
  • Guard your mobile number,
  • Access any linked website directly,
  • Report SMS phishing and spam messages,
  • Be cautious when installing apps to your device,
  • Avoid responding to unsolicited texts,
  • Install apps only from legitimate app stores.

To keep ahead of the latest cybersecurity threats, companies should also take some precautions. These include, in particular, implementing security across mobile devices, protecting cloud services and raising awareness among their own employees.

Processing of COVID-19 immunization data of employees in non-EEA countries

27. October 2021

As COVID-19 vaccination campaigns are well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information (vaccinated, recovered) and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR) (EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data.

The following discusses whether employers in various non-EEA countries are permitted to process COVID-19-related information about their employees.

Brazil: According to the Labor Code (CLT), employers in Brazil have the right to require their employees to be vaccinated. This is because the employer is responsible for the health and safety of its employees in the workplace and therefore has the right to take reasonable measures to ensure health and safety in the workplace. Since employers can require their employees to be vaccinated, they can also require proof of vaccination. Because LGPD considers this information to be sensitive personal data, special care must be taken in processing it.

Hong Kong: An employer may require its employees to disclose their immunization status. Under the Occupational Safety and Health Ordinance (OSHO), employers are required to take all reasonably practicable steps to ensure the safety and health of all their employees in the workplace. The vaccine may be considered as part of COVID-19 risk assessments as a possible additional measure to mitigate the risks associated with contracting the virus in the workplace. The requirement for vaccination must be lawful and reasonable. Employers may decide, following such a risk assessment, that a vaccinated workforce is necessary and appropriate to mitigate risk. If the employer does so, it must comply with the Personal Data Privacy Ordinance (PDPO). Among other things, the PDPO requires that the collection of data must be necessary for the purpose for which it is collected and that the data must not be kept longer than is necessary for that purpose. Under the PDPO, before collecting data, the employer must inform the employee whether the collection is mandatory or voluntary for the employee and, if mandatory, what the consequences are for the employee if he or she does not provide the data.

UK: An employer may inquire about an employee’s vaccination status or conduct tests on employees if it is proportionate and necessary for the employer to comply with its legal obligation to ensure health and safety at work. The employer must be able to demonstrate that the processing of this information is necessary for compliance with its health and safety obligations under employment law, Art. 9 (2) (b) UK GDPR. The employer must also conduct a data protection impact assessment to evaluate the necessity of the data collection and balance that necessity against the employee’s right to privacy. A policy for the collection of such data and its retention is also required. The information must be retained only as long as it is needed. There must also be no risk of unlawful discrimination, e.g. the reason for refusing vaccination could be protected from discrimination by the Equality Act 2010.

USA: The Equal Employment Opportunity Commission (EEOC) published a document in which it suggests that an employer may implement a vaccination policy as a condition of physically returning to the workplace. Before implementing a vaccination requirement, an employer should consider whether there are any relevant state laws or regulations that might change anything about the requirements for such a provision. If an employer asks an unvaccinated employee questions about why he or she has not been vaccinated or does not want to be vaccinated, such questions may elicit information about a disability and therefore would fall under the standard for disability-related questions. Because immunization records are personally identifiable information about an employee, the information must be recorded, handled, and stored as confidential medical information. If an employer self-administers the vaccine to its employees or contracts a third party to do so, the employer must demonstrate that the screening questions are “job-related and consistent with business necessity.”

Processing of COVID-19 immunization data of employees in EEA countries

As COVID-19 vaccination campaigns are well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information (vaccinated, recovered, test result) and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR) (EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data. However, the question of whether COVID-19-related data may be processed by an employer is evaluated differently, even in the context of the same data protection regime such as the GDPR.

The following discusses whether employers in various European Economic Area (EEA) countries are permitted to process COVID-19-related information about their employees.

Austria: The processing of health data in the context of the COVID-19 pandemic can be based on Article 9 (2) (b) of the GDPR in conjunction with the relevant provisions on the duty of care (processing for the purpose of fulfilling obligations under labor and social law). Under Austrian labor law, every employer has a duty of care towards its employees, which also includes the exclusion of health hazards in the workplace. However, this only entitles the employer to ask the employee in general terms whether he or she has been examined, is healthy or has been vaccinated. Therefore, if the legislator provides for two other equivalent methods to prove a low epidemiological risk in addition to vaccination, the current view of the data protection authority is that specific questioning about vaccination status is not possible from a data protection perspective. An exception to this is only to be seen in the case of an explicit (voluntary) consent of the employee (Art. 9 (2) (a) GDPR), but a voluntary consent is not to be assumed as a rule due to the dependency relationship of the employee.
As of November, employees will be obliged to prove whether they have been vaccinated, recovered from a COVID-19 infection or recently tested negative if they have physical contact with others in enclosed spaces, such as the office.

Belgium: In Belgium, there is no legal basis for the processing of vaccination information of employees by their employer. Article 9 (1) GDPR prohibits the processing of health data unless an explicit exception under Article 9 (2) GDPR applies. Such an exception may be a legal provision or the free and explicit consent of the data subject. Such a legal provision is missing and in the relationship between employee and employer, the employee’s consent is rarely free, as an employee may be under great pressure to give consent. The Belgian data protection authority also explicitly denies the employer’s right to ask.

Finland: The processing of an employee’s health data is only permitted if it is directly necessary for the employment relationship. The employer must carefully verify whether this necessity exists. It is not possible to deviate from this necessity by obtaining the employee’s consent. The employer may process an employee’s health data if this is necessary for the payment of sick pay or comparable health-related benefits or to establish a justified reason for the employee’s absence. The processing of health data is also permitted if an employee expressly requests that his or her ability to work be determined on the basis of health data. In addition, the employer is entitled to process an employee’s health data in situations expressly provided for elsewhere in the Act. The employer may request from occupational health care statistical data on the vaccination protection of its employees.

France: Since July 21st, 2021, a “health passport” is mandatory for recreational and cultural facilities frequented by more than 50 people, such as theaters, cinemas, concerts, festivals, sports venues. The health passport is a digital or paper-based record of whether a person has been vaccinated, recovered within 11 days to 6 months, or tested negative within 48 hours. There are several workplaces where vaccination has been mandatory for workers since August 30th, 2021. These include bars, restaurants, seminars, public transport for long journeys (train, bus, plane). The health passport is also mandatory for the staff and visitors of hospitals, homes for the elderly, retirement homes, but not for patients who have a medical emergency. Also, visitors and staff of department stores and shopping malls need to present a health pass in case the prefect of the department decided this necessary. In these cases, the employer is obliged to check if his employees meet their legal obligations. However, the employer should not copy and store the vaccination certificates, but only store the information whether an employee has been vaccinated. Employers who do not fall into these categories are not allowed to process their employees’ vaccination data. In these cases, only occupational health services may process this type of information, but the employer may not obtain this information under any circumstances. At most, he may obtain a medical opinion on whether an employee is fit for work.

Germany: Processing of COVID-19 related information is generally only permitted for employers in certain sectors. Certain employers named in the law, such as those under §§ 23a, 23 Infection Protection Act (IfSG) (employers in certain health care facilities, e.g. hospitals, doctors’ offices, rescue services) and those under § 36 (3) IfSG (such as day care centers, outpatient care services, schools, homeless shelters or correctional facilities), are allowed to process the vaccination status of their employees. Other employers are generally not permitted to inquire about the vaccination status of employees. If allowed to process their employees’ vaccination status, employers should not copy the certificates but only check whether an employee is vaccinated. However, there has been an ongoing discussion in the federal government for several weeks about introducing a legal basis that would allow all employers to process vaccination information. From November 2021, employers must check whether an employee who has been ordered into quarantine due to a COVID-19 infection was or could have been vaccinated prior to the infection. According to Section 56 (1) sentence 4 IfSG, there is no entitlement to continued payment of remuneration for the period of quarantine if the employee could have avoided the quarantine, e.g. by taking advantage of a vaccination program. The employer must pay the compensation on behalf of the competent authority. As part of this obligation to pay in advance, the employer is also obliged to check whether the factual requirements for the granting of benefits are met. The employer is therefore obliged to obtain information on the vaccination status of its employee before paying compensation and, on this basis, to decide whether compensation can be considered in the individual case.
The data protection basis for this processing activity is Section 26 (3) of the German Federal Data Protection Act (BDSG), which permits the processing of special categories of personal data if this is necessary for the exercise of rights or the fulfillment of legal obligations arising from labor law, social security law and social protection law, and if there is no reason to assume that the data subjects’ interest in the exclusion of the processing, which is worthy of protection, outweighs this. The Data Protection Conference, an association of German data protection authorities, states that processing the vaccination status of employees on the basis of consent is only possible if the consent was given voluntarily and is therefore legally effective, Section 26 (3) sentence 2 and (2) BDSG. Due to the relationship of superiority and subordination existing between employer and employee, there are regularly doubts about the voluntariness and thus the legal validity of the employees’ consent.

Italy: On October 15, Italy became the first country in the EEA to require all workers to present a “green passport” at the workplace. This document records whether a person has been vaccinated, recovered, or tested. A general vaccination requirement has been in effect for health care workers since May, and employees in educational institutions have been required to present the green passport since September.

Netherlands: Currently, there is no specific legislation that allows employers to process employee immunization data. Only the occupational health service and company doctors are allowed to process immunization data, for example when employees are absent or reintegrated. The Minister of Health, Welfare and Sport has announced that he will allow the health sector to determine the vaccination status of its employees. He also wants to examine whether and how this can be done in other work situations. Currently, employers can only offer voluntary testing in the workplace, but are not allowed to document the results of such tests or force

Spain: Employers are allowed to ask employees if they have been vaccinated, but only if it is proportionate and necessary for the employer to fulfill its legal obligation to ensure health and safety in the workplace. However, employees have the right to refuse to answer this question. Before entering the workplace, employees may be asked to provide a negative test or proof of vaccination if the occupational health and safety provider deems it necessary for the particular workplace.

EDPB adopts new Guidelines on restrictions of data subject rights under Article 23 GDPR

25. October 2021

During its plenary session of October 2021, the European Data Protection Board (EDPB) adopted a final version of the Guidelines on restrictions of data subject rights under Art. 23 of the General Data Protection Regulation (GDPR) following public consultation.

The Guidelines “provide a thorough analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights after the restrictions are lifted, and the consequences of infringements of Art. 23 GDPR,” the EDPB stated in their press release.

Further, the Guidelines aim to analyze how the legislative measures setting out the restrictions need to meet the foreseeability requirement and examine the grounds for the restrictions listed by Art. 23(1) GDPR, as well as the obligations and rights which may be restricted.

These Guidelines are intended to recall the conditions surrounding the use of the restrictions by the Member States in light of the Charter of Fundamental Rights of the European Union, and to guide Member States if they wish to implement restrictions under national law.
