Category: Data Protection
2. June 2021
The European Data Protection Supervisor (“EDPS”) announced on May 27th, 2021, that it has opened an investigation into the use of Microsoft’s Azure and Amazon’s AWS by EU institutions and has begun an audit of the European Commission’s use of Microsoft Office 365. The EDPS is the EU.s data protection authority.
The EDPS is the independent supervisory authority responsible for monitoring the processing of personal data by EU institutions and bodies.
Both investigations are a consequence of the Schrems II ruling of the Court of Justice of the European Union (“CJEU”) on June 16th, 2020 (please see our blog post). The CJEU ruled that U.S. its intense surveillance practices do not comply with the GDPR’s data protection standards. Accordingly, personal data of EU citizens may not be processed in the U.S. solely on the basis of the protection provided by so-called standard contractual clauses. Controllers, in cooperation with data importers, must examine and adapt additional measures on a case-by-case basis to ensure a level of data protection equivalent to the GDPR.
The investigations will examine whether EU institutions are complying with data protection rules and the Schrems II ruling.
Wojciech Wiewiórowski, EDPS head, is quoted in the EDPS announcement:
I am aware that the “Cloud II contracts” were signed in early 2020 before the “Schrems II” judgement and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgement. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.
If the EDPS finds that Cloud II contracts do not comply with the Schrems II ruling, this could force EU institutions to switch to alternative cloud providers based in the EU in the future, as the EDPS has stated that he wants EU institutions to lead by example.
31. May 2021
The EU Digital Covid certificate (Digital Green Certificate) is scheduled to come into use on July 1, 2021. The certificate is intended to make it possible to move freely within the EU once again. Within the member states, the certificate is also expected to allow access to public events and gastronomy. The certificate will complement and not replace the national passport, such as the yellow vaccination passport in Germany. However, it is up to each country to require additional health documents.
At the national level, software will be developed to meet the requirements of such a certificate. In parallel, a European gateway will be developed. This gateway will then be installed in a data center in Luxembourg. Countries such as Norway, Switzerland and Lichtenstein will also connect to the platform.
The certificate will document vaccination status, who has already recovered from a Covid-19 infection and it will also be able to record negative PCR tests. At the vaccination centers or doctors’ offices, personal data such as name, date of birth and vaccination date of the person concerned will be digitally recorded and signed with the digital signature key of the issuing body (hospital, test centre, etc.). The issued certificate contains a QR code with a digital signature to protect against falsification. During border control, the data stored and encrypted in the certificate should not be transmitted, but only the validity of the crypto keys is checked. To do this, the checking apps contact the EU gateway server in Luxembourg and query there whether the key stored in the QR code is reported as valid there. If this is the case, the checking app displays green as well as the name and date of birth of the traveler, who must therefore also present an identification document such as a passport. The participating EU countries, represented by the designated national authorities or official bodies are considered as joint controllers of the processing in the gateway and must therefore provide users with adequate information about the processing of their personal data in the European federation gateway in accordance with Article 13 of the GDPR.
Data protectionists criticize that the digital certificate and the collected data could be used by member states to create movement profiles of those affected. Central storage would also increase the risk of a hacker attack.
28. May 2021
The Polish Personal Data Protection Office (UODO) has received a notification of a data breach involving the disclosure of personal data of uniformed services officers. The case is currently being analyzed and supplemented with additional materials and information that shall clarify all its circumstances.
The data controller also notified other authorities about the incident. Among these are the police, the Governmental Computer Security Incident Response Team (CSIRT NASK) and the National Public Prosecutor’s Office. The controller informed UODO that the individuals whose data was subject to the breach would be notified individually through the officers’ home units. Nevertheless, many aspects are still unclear. Therefore, in the course of the investigation, UODO sent a letter to the data controller asking for explanations related to the data breach. Any further action will depend on the information provided by the data controller.
As a result of this situation, UODO emphasises that there is a risk associated with the possibility of unauthorized use of the officers’ personal data, which may involve tangible harm to them. Such activity may include (identity) fraud and invasion of privacy.
In this respect, UODO reminds what actions should be taken to minimize the negative consequences of such a breach. First of all, one should be very careful when providing data via the Internet. Furthermore, it is important to carefully analyse all content included e.g. in SMS messages or e-mails in order to avoid phishing attacks in particular, the aim of which is to obtain additional personal data. In this connection, materials were provided by UODO with further tips on how to reduce the risk of identity theft.
27. May 2021
Last month, on April 2nd, the Belarusian House of Representatives adopted in the second reading the draft law “On the Protection of Personal Data”. The law was passed on May 7th. It is the first Belarusian legal act specifically intended to lay down issues of data protection.
The law is aimed at the legal regulation of social relations arising from the processing of personal data of individuals as well as ensuring the protection of such data and the rights and freedoms of individuals in the processing of their personal data. It implies that
Processing of personal data must be commensurate with the stated purposes of its processing and ensure at all stages a fair balance between the interests of all persons concerned.
The provisions concern in detail, inter alia:
- definition of the categories of personal data as well as principles and conditions of their processing, with and without the use of automated means
- determination of the process for cross-border transfer of personal data; in particular, it is prohibited if a foreign country does not provide an adequate level of protection of personal data subjects rights
- determination of the data subject rights and obligations of public authorities, legal entities and natural persons within the processing of personal data, with regard to particularly the appointment of a Data Protection Officer and data breach notifications
- establishment of additional safeguards against arbitrary and uncontrolled collection, storage, use, dissemination, provision and other processing of personal data
- procedure for the establishment of an authority empowered with the protection of data subject rights and its competence; the foundation of the mentioned authority shall be assigned to the Council of Ministers of the Republic of Belarus together with the Operations and Analysis Center under the President of the Republic of Belarus within three months after the official publication of the corresponding law
- liability for violation of the provisions.
The purpose of adopting this law is to ensure an adequate level of protection of personal data and to support the development of business, trade and economic relations of the Republic of Belarus with other countries.
The main provisions of the law shall enter into force six months after its official publication.
25. May 2021
In a blog post published on May 6th, 2021, by Suzanne Frey, VP, Product, Android Security and Privacy, Google announced a new policy that will require developers to provide more privacy and security information about their apps. These details will be made available to users in a new “safety section” in the Google Play Store starting in 2022. The announcement comes a few months after Apple began displaying similar privacy information in their App Store.
The new “safety section” will require Android app developers to explain what kind of data is collected by their apps. For example, whether the app collects personal information, such as name, username or email and whether it collects information directly from the phone, such as approximate or exact location, contacts, media (photos, videos, audio files). Developers must also disclose how the app uses the data. For example, to improve app functionality and personalization. The section will also include information about security features, such as encryption and compliance with Google’s policy for apps aimed at children and families.
The new policy won’t be in effect for a few months in order to give developers enough time to implement the changes. Developers can begin declaring the new information in the fourth quarter of 2021. Users will be able to see the information on Google Play starting in the first quarter of 2022, and all new and existing apps will have to declare the information starting in the second quarter of 2022.
The changes seem designed to allow app developers to better explain to customers whether they can trust an app with their data, rather than working to make apps more data-efficient.
7. May 2021
On May 7th, 2021, Brad Smith, Microsoft’s President and Chief Legal Officer, announced in a blogpost that Microsoft will enable its EU commercial and public sector customers to store all their data in the EU. Microsoft calls this policy “EU Data Boundary” and it will apply across all of Microsoft’s core business cloud services, such as Azure, Microsoft 365 and Dynamics 365. Microsoft is the first big cloud provider to take such a step. The transition is intended to be done by the end of 2022.
This move can be seen as a reaction to the Court of Justice of the European Union’s (CJEU) “Shrems II” ruling in June 2020 (please see our blogpost), in which the CJEU ruled that the “EU-US-Privacy Shield” does not provide sufficient protection and therefore invalidating the agreement. The “Privacy Shield” was a framework for regulating the transatlantic exchange of personal data for commercial purposes between the EU and the USA.
However, the CJEU has clarified that server location and standard contractual clauses alone are not sufficient to meet the requirements of the General Data Protection Regulation (GDPR). This is because under U.S. law such as the “CLOUD Act”, U.S. law enforcement agencies have the power to compel U.S.-based technology companies to hand over requested data stored on servers, regardless of whether the data is stored in the U.S. or on foreign soil. So even with Microsoft’s proposed changes, U.S. authorities would still be able to access EU citizens’ personal data stored in the EU.
Microsoft believes it has found a way around the U.S. intelligence agencies: The U.S. intelligence agencies’ right of access could be technically worked around if customers effectively protected their data in the cloud themselves. To do this, customers would have to encrypt the data with a cryptographic key. In such a case, it would not be Microsoft that would manage the keys, but the customer themselves, and it would not be possible for Microsoft to hand over the keys to the US intelligence agencies. Microsoft also states that they are going above and beyond with their “Defending your Data” (please see our blogpost) measures to protect their customers’ data.
These measures by Microsoft are a step in the direction of a GDPR-compliant use of cloud applications, but whether they are sufficient to meet the high requirements of the GDPR may be doubted given the far-reaching powers of the US intelligence agencies. The reference to the possibility that users can encrypt their data themselves and keep the keys should help to comply with EU data protection standards, but must also be implemented in practice. Microsoft will have to educate its customers accordingly.
The GDPR-compliant transfer of personal data of EU citizens to the US remains uncertain territory, although further positive signals can be observed. For example, the new U.S. administration under President Joe Biden recently showed itself open to concluding a new comprehensive data protection agreement with the EU.
29. April 2021
On April 27, 2021, the Portuguese Data Protection Authority “Comissão Nacional de Proteção de Dados” (CNPD) ordered the National Institute of Statistics (INE) to suspend any international data transfers of personal data to the U.S., as well as other countries without an adequate level of protection, within 12 hours.
The INE collects different kinds of data from Portuguese residents from 2021 Census surveys and transfers it to Cloudfare, Inc. (Cloudfare), a service provider in the U.S. that assists the surveys’ operation. EU Standard Contractual Clauses (SCCs) are in place with the U.S. service provider to legitimize the data transfers.
Due to receiving a lot of complaints, the CNPD started an investigation into the INE’s data transfers to third countries outside of the EU. In the course of the investigation, the CNDP concluded that Cloudfare is directly subject to U.S. surveillance laws, such as FISA 702, for national security purposes. These kinds of U.S. surveillance laws impose a legal obligation on companies like Cloudfare to give unrestricted access to personal data of its customers and users to U.S. public authorities without informing the data subjects.
In its decision to suspend any international data transfers of the INE, the CNPD referred to the Schrems II ruling of the Court of Justice of the European Union. Accordingly, the CNPD is if the opinion that personal data transferred to the U.S. by the INE was not afforded a level of data protection essentially equivalent to that guaranteed under EU law, as further safeguards have to be put in place to guarantee requirements that are essentially equivalent to those required under EU law by the principle of proportionality. Due to the lack of further safeguards, the surveillance by the U.S. authorities are not limited to what is strictly necessary, and therefore the SCCs alone do not offer adequate protection.
The CNPD also highlighted that, according to the Schrems II ruling, data protection authorities are obliged to suspend or prohibit data transfers, even when those transfers are based on the European Commission’s SCCs, if there are no guarantees that these can be complied with in the recipient country. As Cloudfare is also receiving a fair amount of sensitive data n relation to its services for the INE, it influenced the CNDP’s decision to suspend the transfers.
26. April 2021
On April 14th, 2021, Ireland’s Data Protection Commission (DPC) announced it launched an investigation into Facebook’s data leak reported earlier this month (please see our blog post here). The inquiry was initiated on the Irish DPC’s own volition according to section 110 of the Irish Data Protection Act. It comes after a dataset of 533 million Facebook users worldwide was made available on the internet.
The Irish DPC indicated in a statement that, “having considered the information provided by Facebook Ireland regarding this matter to date, the DPC is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data”. The Irish DPC further stated that they had engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance, to which Facebook Ireland furnished a number of responses.
The launch of an investigation by the Irish authorities is significant due to the fact that Ireland remains home to Facebook’s European headquarters. This means the Irish DPC would act as the lead regulator within the European Union on all matters related to it. However, Ireland’s data watchdog has faced criticism from privacy advocates for being too slow with its GDPR investigations into large tech companies. In fact, the inquiry comes after the European Commission intervened to apply pressure on Ireland’s data protection commissioner.
Facebook’s statement on the inquiry has been shared through multiple media, and it has announced that Facebook is “cooperating fully with the DPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps and we look forward to explaining them and the protections we have put in place.”
20. April 2021
On April 9th, 2021, the European Parliamentary Research Service (EPRS) published a report on data transfers in the private sector between the EU and the U.K. following Brexit.
The report reviews and assesses trade dealings, adequacy challenges and transfer instruments under the General Data Protection Regulation (GDPR). The report is intended to help take regulatory and business decisions, and in the Press Release the European Parliament stated that “a clear understanding of the state of play and future prospects for EU-UK transfers of personal data is indispensable”.
The report provides in-depth analysis of an adequacy decision for the UK as a viable long-term solution for data flows between the U.K. and the EU, also considering possible mechanisms for data transfer in the potential absence of an adequacy decision, such as Standard Contractual Clauses, Binding Corporate Rules, codes of conduct, and certification mechanism.
In this analysis the EPRS also sheds light on adequacy concerns such as U.K. surveillance laws and practices, shortcomings of the implementation of the GDPR, weak enforcement of data protection laws, and wavering commitment to EU data protection standards.
As part of its conclusion, the EPRS stated that the European Data Protection Board’s (‘EDPB’) opinion on the draft decision, which has just been published (please see our blogpost here), will likely scrutinise the Commission’s approach and provide recommendations on next steps.
9. April 2021
On May 28th, 2019, the Personal Data Protection Act (“PDPA”) became law in Thailand. It is the country’s very first legislation governing data protection. Originally, a one-year grace period was determined for implementation of the requirements so that companies could prepare for the prospective liabilities in order to become compliant with the PDPA. However, on May 21st, 2020, a Royal Decree extended the implementation of the PDPA’s key provisions for another year, until June 1st, 2021 (we reported). Currently, a further postponement of the PDPA’s enforcement date is being considered.
According to new Digital Economy and Society (“DES”) Minister, consideration may be given to deferring or amending the PDPA, if the public has negative views about it. The aim is to support small and medium-sized businesses affected by the legislation since most of them are still unprepared for the new obligations and have not adjusted their internal processes yet. In addition, there is an unfortunate lack of willingness among companies concerned, as deputy permanent secretary at the DES Ministry stated. These shortcomings are reflected by the fact that some associations, including the travel and automotive industries, have already requested the deferral of the PDPA’s enforcement.
Contrary to what was initially planned, the appointment of members to the Personal Data Protection Committee is also expected to be delayed further. The Committee plays a decisive role in the approval of subsidiary legislation. The drafts for this concern consent procedures, complaint reception and expert panels.
According to the current status, the PDPA needs further adjustments and necessary regulations still need to be drafted, as many issues have been raised for consultation with regard to the PDPA since it came into effect. The main priorities on which the government intends to focus are as follows:
- Supporting people’s access to innovation and technology,
- Creating an ecosystem conducive to a digital economy,
- Gearing up for digital infrastructure development, particularly 5G and smart city projects,
- Legal development and enforcement to create a trusted digital ecosystem, especially for the PDPA and issues related to electronic transactions and cybersecurity,
- Protecting the public from abuse on social media and the internet.
The DES Ministry expects that full enforcement of the PDPA will likely be delayed until the end of this year.
Pages: Prev 1 2 3 4 5 6 7 8 9 10 11 12 13 Next 
