Category: EU Commission

Greek Parliament passes bill to adopt GDPR into National Law

29. August 2019

On Monday, August 26th, the Greek Parliament passed a bill that will incorporate the European Union’s General Data Protection Regulation (GDPR) into national law. Originally, the adaptation of the EU regulation was supposed to take place until May 06, 2018. Greece failed to comply with the deadline.

The, now, fast-paced implementation of the regulation may have come as a result of the referral of Greece and Spain by the European Commission (EC) to the European Court of Justice on July 25th. Since they had failed to adopt the GDPR into national law up until then, Greece could have faced a fine of €5,287.50 for every day passed since May 06, in addition to a stiff fine of €1.3 million. In its statement, the EC declared that “the lack of transposition by Spain and Greece creates a different level of protection of peoples’ rights and freedoms, and hampers data exchanges between Greece and Spain on one side and other Member States, who transposed the Directive, on the other side”.

The EU countries are allowed to adopt certain derogations, exeptions and specifications under the GDPR. Greece has done so, in the approved bill, with adjusted provisions in regards to the age of consent, the process of appointing a Data Protection Officer, sensitive data processing, data repurposing, data deletion, certifications and criminal sanctions.

The legislation was approved by New Democracy, the main opposition SYRIZA, the center-left Movement for Change and leftist MeRA25, with an overwhelming majority. The GDPR has already been in effect since May 25th, 2018, with its main aim being to offer more control to individuals over their personal data that they provide to companies and services.

 

Category: EU · EU Commission · GDPR · General
Tags: , , ,

Hearing on the legal challenge of SCC and US-EU Privacy Shield before CJEU

17. July 2019

On Tuesday last week, the European Court of Justice (CJEU) held the hearing on case 311/18, commonly known as “Schrems II”, following a complaint to the Irish Data Protection Commission (DPC) by Maximilian Schrems about the transfer of his personal data from Facebook Ireland to Facebook in the U.S. The case deals with two consecutive questions. The initial question refers to whether U.S. law, the Foreign Intelligence Service Act (FISA), that consists a legal ground for national security agencies to access the personal data of citizens of the European Union (EU) violates EU data protection laws. If confirmed, this would raise the second question namely whether current legal data transfer mechanisms could be invalid (we already reported on the backgrounds).

If both, the US-EU Privacy Shield and the EU Standard Contractual Clauses (SCCs) as currently primeraly used transfer mechanisms, were ruled invalid, businesses would probably have to deal with a complex and diffucult scenario. As Gabriela Zanfir-Fortuna, senior counsel at Future of Privacy Forum said, the hearing would have had a particularly higher impact than the first Schrems/EU-US Safe Harbor case, because this time it could affect not only data transfers from the EU to the U.S., but from the EU to all countries around the world where international data transfers are based on the SCCs.

This is what also Facebook lawyer, Paul Gallagher, argued. He told the CJEU that if SCCs were hold invalid, “the effect on trade would be immense.” He added that not all U.S. companies would be covered by FISA – that would allow them to provide the law enforcement agencies with EU personal data. In particular, Facebook could not be hold responsible for unduly handing personal data over to national security agencies, as there was no evidence of that.

Eileen Barrington, lawyer of the US government assured, of course, by referring to a “hypothetical scenario” in which the US would tap data streams from a cable in the Atlantic, it was not about “undirected” mass surveillance. But about “targeted” collection of data – a lesson that would have been learned from the Snowden revelations according to which the US wanted to regain the trust of Europeans. Only suspicious material would be filtered out using particular selectors. She also had a message for the European feeling of security: “It has been proven that there is an essential benefit to the signal intelligence of the USA – for the security of American as well as EU citizens”.

The crucial factor for the outcome of the proceedings is likely to be how valid the CJEU considers the availability of legal remedies to EU data subjects. Throughout the hearing, there were serious doubts about this. The monitoring of non-US citizens data is essentially based on a presidential directive and an executive order, i.e. government orders and not on formal laws. However, EU citizens will be none the wiser, as particularly, referring to many critisists’ conlusion, they do not know whether they will be actually surveilled or not. It remains the issue regarding the independence of the ombudsperson which the US has committed itself to establish in the Privacy Shield Agreement. Of course, he or she may be independent in terms of the intelligence agencies, but most likely not of the government.

However, Henrik Saugmandsgaard Øe, the Advocate General responsible for the case, intends to present his proposal, which is not binding on the Judges, on December 12th. The court’s decision is then expected in early 2020. Referring to CJEU judge and judge-rapporteur in the case, Thomas von Danwitz, the digital services and networking would be considerably compromised, anyways, if the CJEU would declare the current content of the SCC ineffective.

 

 

The EU Commission fined Google 1.49 billion euros regarding antitrust case

21. March 2019

On Wednesday Google was fined 1.49 billion euros by the European Commission in connection with hindering competitors in the online advertising business.

The accusation is that Google has illegally made use of its market dominance.The company inflicted a number of exclusivity clauses in contracts with third-party websites which prevented the company’s competitors from positioning their search adverts on these websites. This concerns a small area in Google’s “advertising machinery”. But still, as a result, other advertisers and website owners “had less choice and likely faced higher prices that would be passed on to consumers,” claimed the EU’s competition commissioner, Margrethe Vestager.

In the last two years, this represents the third time that Europe’s antitrust regulators, lead by Danish competition commissioner Margarethe Vestagers, fined the tech company. Google has appealed against the two previous fines. The first fine (2.42 billions euros) was for manipulating online shopping results and directing visitors to its comparison-shopping service at the expense of its contestants. The second one amounting to 4.34 billion euros concerned mobilephone producers that were forced to use Google’s Android operating system to install the company’s search and browser apps.

Category: EU · EU Commission · European Union · General
Tags:

EDPB publishes information note on data transfer in the event of a no-deal Brexit

25. February 2019

The European Data Protection Board has published an information note to explain data transfer to organisations and facilitate preparation in the event that no agreement is reached between the EEA and the UK. In case of a no-deal Brexit, the UK becomes a third country for which – as things stand at present – no adequacy decision exists.

EDPB recommends that organisations transferring data to the UK carry out the following five preparation steps:

• Identify what processing activities will imply a personal data transfer to the UK
• Determine the appropriate data transfer instrument for your situation
• Implement the chosen data transfer instrument to be ready for 30 March 2019
• Indicate in your internal documentation that transfers will be made to the UK
• Update your privacy notice accordingly to inform individuals

In addition, EDPB explains which instruments can be used to transfer data to the UK:
– Standard or ad hoc Data Protection Clauses approved by the European Commission can be used.
– Binding Corporate Rules for data processing can be defined.
– A code of conduct or certification mechanism can be established.

Derogations are possible in the cases mentioned by article 49 GDPR. However, they are interpreted very restrictively and mainly relate to processing activities that are occasional and non-repetitive. Further explanations on available derogations and how to apply them can be found in the EDPB Guidelines on Article 49 of GDPR.

The French data protection authority CNIL has published an FAQ based on the information note of the EDPB, explaining the consequences of a no-deal Brexit for the data transfer to the UK and which preparations should be made.

GDPR in numbers

6. February 2019

The European Commission lately posted an infographics about the impact of the General Data Protection Regulation (GDPR) since its entering into force on May 25, 2018. The graphic looks at complying, enforcement and awareness of the GDPR. It illustrates inter alia that:

  • In total 95.180 complaints to Data Protection Authorities came from individuals who believe their rights under GDPR have been violated. Most of the complaints were related to CCTV, telemarketing or promotional e-mails.
  • Until January, the number of notifications of data breaches has increased up to 41.502. The data controllers have to notify data breaches within 72 hours to their national supervisory authority.
  • Data Protection Authorities have initiated 225 investigations in cross border cases.
  • In Europe, 23 countries have adopted their national data protection law since the GDPR came into force. Bulgaria, Greece, Slovenia, Portugal and Czech Republic are still in progress doing so.
  • So far, three fines have been issued under GDPR. In Germany, a social network operator was fined € 20.000 for not securing its users data. In France, Google was fined € 50 million for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization (we reported) and in Austria, a sports betting café was fined € 5.280 for unlawful video surveillance.

Data Protection Day

28. January 2019

On the occassion of this year’s Data Protection Day, which was launched in 2006 by the Council of Europe, the Commission has issued the following statement :

“This year Data Protection Day comes eight months after the entry into application of the General Data Protection Regulation on 25 May 2018. We are proud to have the strongest and most modern data protection rules in the world, which are becoming a global standard.”

On January 28th in 2006, the Council of Europe’s data protection convention, known as “Convention 108”, was opened to signature. Data Protection Day is now celebrated globally and is called Privacy Day outside of Europe.

More than 50 countries around the world have already signed up to the convention, which sets out key principles in the area of personal data protection.

The convention has been ratified by the 47 Council of Europe member states and Mauritius, Senegal, Uruguay and Tunisia. Other countries such as Argentina, Burkina Faso, Cabo Verde, Mexico and Morocco have been invited to accede. Many more participate as Observers States in the work of the Committee of the Convention (Australia, Canada, Chile, Ghana, Indonesia, Israel, Japan, Korea, New-Zealand, United States of America).

Governments, parliaments, national data protection bodies and other actors carry out activities on this day to raise awareness about the rights to personal data protection and privacy. These may include campaigns targeting the general public, educational projects for teachers and students, open doors at data protection agencies and conferences.

 

European Commission adopts adequacy decision on Japan

The European Commission adopted an adequacy decision for Japan on the 23rd of January 2019, enabling data flows to take place freely and safely. The exchange of personal data is based on strong safeguards that Japan has put in place in advance of the adequacy decision to ensure that the transfer of data complies with EU standards.

The additional safeguards include:

– A set of rules (Supplementary Rules), which will cover the differences between the two data protection systems. This should strengthen the protection of sensitive data, the exercise of personal rights and the conditions under which EU data can be further transferred to another third country. These additional rules are binding in particular on Japanese companies importing data from the EU. They can also be enforced by the independent Japanese data protection authority (PPC) as well as by courts.

– Also, safeguards have been established concerning access by Japanese authorities for law enforcement and national security purposes. In this regard, the Japanese Government has given assurances to the Commission and has ensured that the use of personal data is limited to what is necessary and proportionate and is subject to independent supervision and redress.

– A complaint handling mechanism to investigate and resolve complaints from Europeans regarding Japanese authorities’ access to their data. This new mechanism will be managed and monitored by Japan’s independent data protection authority.

The adequacy decision has been in force since 23rd of January 2019. After two years, the functioning of the framework will be reviewed for the first time. The subsequent reviews will take place at least every four years.

The adequacy decision also complements the EU-Japan Economic Partnership Agreement, which will enter into force in February 2019. European companies will benefit from free data flows as well as privileged access to the 127 million Japanese consumers.

 

Political parties will be sanctioned for data breaches

22. January 2019

On Wednesday, 16th January 2019, EU Parliament and member state negotiators agreed that parties or political foundations can be sanctioned for data protection breaches during election campaigns. This regulation is intended to prevent any influence on the forthcoming European elections in May. It was decided that in such cases affected institutions would have to pay up to five percent of their annual budget in future.

One of the reasons for the new regulation was the data scandal surrounding Facebook and Cambridge Analytica. During the US election campaign, Facebook gained unauthorized access to the data of millions of its users. With this data, Cambridge Analytica is said to have tried to prevent potential Clinton supporters from voting and to mobilise Trump voters by means of advertising and contributions (we reported).

In future, data protection violations that are deliberately accepted in order to influence the outcome of European elections will be severely sanctioned. National supervisory authorities are to decide whether a party has violated the regulation. The Authority for European Political Parties and European Political Foundations must then review the decision and, if necessary, impose the appropriate sanction. Moreover, those found to be in breach could not apply for funds from the general budget of the European Union in the year in which the fine is imposed.

The text adopted on Wednesday still has to be formally adopted by Parliament and the Council of Member States.

Brexit: Impact on data protection after “May’s deal” has been rejected

18. January 2019

Prime Minister Theresa May’s draft withdrawal agreement to regulate Brexit was rejected by a clear majority of parliamentarians on 15th January. The draft withdrawal agreement has been agreed in November 2018 by the United Kingdom (UK) and the European Union (EU) – we reported: Brexit: Draft withdrawal agreement – GDPR remains applicable for foreseeable future – containing a transition period of 21-months in order to facilitate business sectors in their planning. Because of the recent rejection of the withdrawal agreement by the British Parliament, the scenario of the UK disorderly leaving the EU has now become quite likely. Among various economic and EU law issues, Brexit has also a concrete impact on data protection.

In case of a Brexit without corresponding transitional rules, the UK would be regarded as a third country under the General Data Protection Regulation of the EU (GDPR) as of 29th March 2019. This was also confirmed by Prof. Dr. Dieter Kugelmann, the State Data Protection Officer of Rheinland-Pfalz: “The fact is that the United Kingdom will become a “third country” within the meaning of the GDPR after leaving the EU.” Thus, an adaquacy decision would be required to transfer personal data of EU citizens or from the EU to the UK in the absence of any other mechanisms ensuring an adequate level of data protection according to Art. 44 ff. GDPR.

Since many companies currently transfer customer or employee data to the UK as well as a lot of data centres of service providers are located there, the Brexit will cause a need for adaption in terms of data protection matters. After the Brexit these Companies must ensure that there is an adequate legal basis for the relevant data transfers to the UK. Furthermore, according to Art. 13, 14 GDPR, the data subjects must be informed regarding the transfer of personal data outside the EU/EEA. All privacy policies on websites, privacy notices to employees etc. therefore would have to be adjusted. In the event of a data subject’s request for information, Art. 15 GDPR stipulates that the data subject must be informed about the transfer of his/her personal data to a third country. When personal data are transferred to the UK deemed as a third country, companies would eventually have to adjust their records of processing activities pursuant to Art. 30 GDPR.

It is recommended that in particular those companies transferring a lot of personal data to the UK at least are aware of these potentially required adaptations in order to further ensure compliance with EU data protection laws. As the GDPR, principally does not privilege any group of companies, the aforementioned recommendation also apply to data flows within such groups.

Brexit: Draft withdrawal agreement – GDPR remains applicable for foreseeable future

23. November 2018

Last week the U.K. and EU could conclude a draft withdrawal agreement for the United Kingdom to leave the European Union as of 30th March 2019. The agreement covers the “divorce” of both of them and a non-binding political statement concerning their ideas for the future relations. The declaration is referring to a commitment regarding an ambitious free trade agreement, containing areas including financial services, continued free flow of data, and other subjects relating to the EU such as defense matters have been picked up.

After the U.K. will have left the EU in March 2019 a 21-month transition period is planned in order to facilitating business sectors in their planning. Thus, at least until the beginning of 2021, EU regulations would remain effective keeping the U.K. in the single market and Customs Union. However, this time frame could also be extended by common agreement.

With regard to data protection, the withdrawal agreement directly addresses data protection and security issues in Articles 70 to 74. These provisions stipulate that EU data protection rules, including the GDPR, shall apply in the U.K. when using personal data of data subjects outside the United Kingdom exchanged before the end of the transition period. Furthermore, after the end of the transition period, the U.K. is obliged to further apply these EU rules to the processing of “EU personal data”, until the U.K. data protection laws to be enacted ensure an adequate level of data protection which is “essentially equivalent” to that of the EU.  In the process of becoming subject to this formal adequacy decision to be established by the EU Commission the U.K.’s applicable data protection regime has to be assessed in the first place. In the event of annulling or repealing the adequacy decision, the provisions of the withdrawal agreement would be relevant for the EU personal data transferred to the U.K. to ensure the same “essentially equivalent” standard of data protection directly.

In other words, under the concluded agreement, the GDPR as well as the corresponding Data Protection Act would remain the applicable data protection law in the U.K. for the foreseeable future.

Pages: 1 2 3 4 Next
1 2 3 4