Category: EU

EDPB releases new official register of Art. 60 GDPR decisions

29. June 2020

On 25 June 2020, the European Data Protection Board (“EDPB”) released a new register of final decisions by national European Data Protection Authorities (Supervisory Authorities) cooperating with one another pursuant to Art. 60 GDPR. The register provides access to the decisions themselves, summaries of the decisions in English, and information on the identity of the cooperating Lead Supervisory Authority and Concerned Supervisory Authorities.

The GDPR postulates that Supervisory Authorities have to cooperate in potential cases of GDPR violations that include cross-border data processing activities. During this cooperation, the Lead Supervisory Authority will be in charge of preparing the draft decision and involving the Concerned Supervisory Authorities, and will act as the sole interlocutor of the Controller or Processor (“One-Stop-Shop”-Principle), Art. 56 and Art. 60 GDPR.

To date, the new EDPB register contains 110 final decisions. The EDPB states in its announcement that ‘the register will be valuable to data protection practitioners who will gain access to information showcasing how SAs work together to enforce the GDPR in practice.’

Contact Tracing Apps: U.K. Update and EDPB Interoperability Statement

23. June 2020

In another update about contact tracing apps, we are going to talk about the new path of contact tracing in the United Kingdom (UK), as well as the European Data Protection Board’s (EDPB) statement in regards to the cross-border interoperability of the contact tracing apps being deployed in the European Union.

UK Contact Tracing App Update

Since starting the field tests on the NHS COVID-19 App on the Isle of Wight, the UK government has decided to change their approach towards the contact tracing model. It has been decided to abandon the centralized app model in favour of the decentralized Google/Apple alternative.

The change was brought on by technical issues and privacy challenges which surfaced during the trial period on the Isle of Wight, and in the end were direct consequences of the centralized model and important enough to motivate the change of approach.

The technical problems included issues with the background Bluetooth access, as well as operation problems in the light of cross-border interoperability. Further, the data protection risks of mission creep and a lack of transparency only urged on the of the app.

The new model is widely used throughout the European Union, and provides more data protection as well as better technical support. The only deficit in comparison with the centralized model is the lesser access to data by epidemiologists, which seems to be a trade off that the UK government is willing to take for the increase in data protection and technical compatibility.

EDPB statement on cross-border interoperability

On June 17th, 2020, the EDPB has released a statement with regards to the cross-border interoperability of contact tracing apps. The statement builds on the EDPB Guideline from 04/2020 with regards to data protection aspects of contact tracing apps, emphasising the importance of the issues presented.

The statement stems from an agreement between EU-Member states and the European Commission formed in May 2020 with regards to the basic guidelines for cross-border interoperability of contact tracing apps, as well as the newly settled technical specs for the achievement of such an interoperability.

The EDPB states key aspects that have to be kept in mind during the entirety of the project, namely transparency, legal basis, controllership, data subject’s rights, as well as data retention and minimisation rules.

Further, the statement emphasises that the sharing of data about individuals which have been diagnosed or tested positively should only be triggered by a voluntary action of the users themselves. In the end, the goal of interoperability should not be used as an argument to extend the collection of personal data further than necessary.

Overall, this type of sharing of personal data can pose an increased data protection risk to the personal data of the users, which is why it needs to be made sure that the principles set down by the GDPR are being upheld, and made sure that there is no less intrusive method to be used in the matter.

Thailand postpones Enforcement of new Personal Data Protection Act

22. June 2020

In response to the European General Data Protection Regulation (“GDPR”) becoming applicable in 2018, Thailand adopted its first-ever Personal Data Protection Act (“PDPA”) into law on 28 May 2019. As it is fashioned after the GDPR, the PDPA is built around principles that vastly align with the GDPR, especially in the areas of data protection principles, legal bases, and data subject rights. Originally, it was determined that the PDPA would start its applicability one year after its adoption, on 27 May 2020.

Now, the Thai Government has approved of a draft decree by the Ministry of Digital Economy and Society (“MDES”) to postpone the enforcement of most sections of the PDPA to 31 May 2021. The MDES explained that the reasons for delay are the current Corona pandemic and its strain on businesses, as well as many businesses not being prepared for PDPA compliance. Notably, Brasil also postponed the enforcement of its new Data Protecion Law (“LGPD”) for similar reasons (we reported).

The only sections of the PDPA that will be enforced as originally planned include the appointment of the Personal Data Protection Committee members and the establishment of the Office of the Personal Data Protection Committee. Whilst the delay allows companys more time to become PDPA compliant, the lack of enforcement regarding data subject rights in the meantime are a big concern of critics, especially in light of the recent adoption of Thailand’s controversial new cybersecurity law.

EDPB shares concerns over UK-US data deal in light of future UK adequacy decision

18. June 2020

On June 17th, 2020, the European Data Protection Board (EDPB) has written an open letter to the Members of the European Parliament over its concerns regarding the Agreement between the United Kingdom (UK) and the USA on Access to Electronic Data for the Purpose of Countering Serious Crime in relation to a future UK adequacy decision after the country’s exit out of the European Union.

In its letter, the EDPB states that it is concerned with the applicability of the safeguards in the Brexit withdrawal agreement with the EU once the UK leaves the Union at the beginning of 2021. The Agreement between the UK and the US allows for easy data access in the case of the prosecution of serious crimes, and facilitates an access request to be made to UK authorities and businesses under the US Cloud Act, for which it is unsure if the safeguards agreed upon between the EU and the UK apply.

The EDPB also stresses that, in the light of a potential data sharing agreement between the EU and the US, it is mandatory that the European safeguards in such an agreement “must prevail over US domestic laws” in order to be “fully compatible with European laws”.

Furthermore, the letter also states that “it is also essential that the safeguards include a mandatory prior judicial authorisation as an essential guarantee for access to metadata and content data”. In its preliminary assessment, the EDPB could not distinguish such a provision in the UK-US Agreement.

While right now the EDPB can only make a preliminary assessment of the situation based on the current elements at its disposal, it states clearly that the Agreement between the UK and the US will have to be considered in any relevant adequacy decision in the future. This is especially important as there is a “requirement to ensure continuity of protection in cases of onwards transfers from the UK to another third country”.

In any case, the EDPB intends to release its own opinion on the matter if the European Commission should release a draft of the adequacy decision for the UK.

Hungary Update: EDPB publishes Statement on Art. 23 GDPR

17. June 2020

Since March 2020, Hungary has been in a “state of emergency” following the COVID-19 pandemic. The country’s COVID-19 related emergency laws and state of emergency received worldwide criticism from constitutional experts, politicians and civil rights groups, because it allows the Prime Minister to rule by decree during the state of emergency and does not provide a predefined end date. During the state of emergency, Prime Minister Victor Orbán made extensive use of his newly gained powers by passing more than a hundred decrees, including Decree No. 179/2020, which suspended the GDPR data subject rights in Art. 15-22 GDPR with respect to personal data processing for the purpose of preventing, understanding, detecting the coronavirus disease and impeding its further spread (we reported).

In response to this suspension of GDPR rights, the European Data Protection Board (“EDPB”) has recently published a Statement on restrictions on data subject rights pursuant to Art. 23 GDPR, which is the provision that Hungary’s measure was based on. This article allows the member states to restrict, by way of a legislative measure, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, inter alia, important objectives of general public interest of the Union or of a Member State such as public health.

In its Statement, the EDPB points out that any restriction must respect the essence of the right that is being restricted. If the essence of the right is compromised, the restriction must be considered unlawful. Since the data subject’s right of access and the right to rectification are fundamental rights according to Art. 8 para. 2 of the Charter of Fundamental Rights of the European Union, any restriction of those rights must be carefully weighed up by the member states, in order respect the essence of the rights. The EDPB considers that restrictions adopted in the context of a state of emergency suspending or postponing the application of data subject rights, without any clear limitation in time, equate to a de facto blanket suspension and denial of those rights and are not be compatible with the essence of the fundamental rights and freedoms.

The EDPB also recalls that the restrictions under Art. 23 GDPR must be necessary and proportionate. It argues that restrictions that are imposed for a duration not precisely limited in time or which apply retroactively or are subject to undefined conditions, are not foreseeable to data subjects and thus disproportionate.

Furthermore, the EDPB takes the view that in order to safeguard important objectives of general public interest such as public health (Art. 23 para. 1 lit. e GDPR), there must be a clearly established and demonstrated link between the foreseen restrictions and the objective pursued. The mere existence of a pandemic or any other emergency situation alone does not justify a restriction of data subject rights, especially if it is not clearly established, how the restrictions can help dealing with the emergency.

Following the international public backlash, the Parliament of Hungary passed legislation on 16 June 2020 to revoke the emergency laws as soons as the current state of emergency will be terminated by the Government. Hungary’s Government announced in May that it intends to lift the state of emergency on 20 June 2020. After that, the restrictions on the GDPR rights shall be lifted as well, so that data subject may exercise their Art. 15-22 GDPR rights again.

Germany’s Constitutional Court curbs Federal Intelligence Service’s competence

16. June 2020

In a court ruling from May 19th 2020 with regards to the German Federal Intelligence Service (BND) and their manner of operation, the German Constitutional Court has proclaimed that the BND is bound by fundamental rights in cases of surveillance of foreigners, even outside of Germany’ federal territory.

 Background

The case, which was brought to the court in the manner of a constitutional complaint by a collective of foreign journalists, found its origin initially through the disclosures made by Edward Snowden back in 2013, where some of the BND’s practices in relation to strategic foreign surveillance came to light. In 2016, German legislators passed a new law with the purpose to regulate surveillance done by the BND. However, that new law mainly restricted surveillance of German citizens, as well as foreigner living in Germany. It has been criticized that the new law did nothing to restrict and regulate the BND’s actions abroad by not having to abide by any legal provisions. The constitutional complaint brought to the German Constitutional Court deals with strategic surveillance from foreign reporters and journalists with regards to their highly confidential data necessary to perform their work through the BND, which risks to be exchanged with their own country’s intelligence agencies and in the process put them at risk of federal measures taken against them.

The key points

Territorial Scope. One of the biggest points of the court ruling has been the definition of the territorial scope of the fundamental rights at risk in this case. Since the complainants are journalists from outside the German territory, the Constitutional Court had to specify if the constitutional rights that would shield them from surveillance by the BND would find application in the matter. In this instance, the court has ruled that the fundamental rights are not limited to the German territory, but rather apply wherever the German state authority is acting. This is derived from Art. 1 III of the German Constitution (GG), which binds the German state authority to conformity with the Constitution. In such, as the fundamental rights from Art. 10 I, Art. 5 I GG are not simply applicable to Germans, the Constitutional Court has extended the range of application to foreigners in foreign countries, and given them international importance.

Current legislation is unconstitutional. In effect, the Constitutional Court has further analysed the new intelligence law from 2016, and ruled it unconstitutional in the current state. The main reason is that, due to the fact that the legislators assumed that the fundamental rights did not apply, they did not conform with the requirements set out in the Constitution for such law. In such, the new law violates the privacy of telecommunications and its requirements from Art. 10 I GG, and in addition does not meet the key requirements deriving from other fundamental rights, such as Art. 19 I GG. However, the Constitutional Court has stated that the law can be amended to follow fundamental rights and comply with the constitution. The court declared several points which are necessary to implement in the amended law, some of which we will present further below.

Independent oversight. The Constitutional Court stated that in order to ensure conformity with the Constitution and regulate the BND in a way that would ensure the protection of fundamental rights of the people under surveillance, it would be necessary to establish a new, independent oversight regime that would act to judge and regulate strategic surveillance. Its main purposes would be the legal oversight of the BND and protection of the surveillance subjects, as well as the control of the surveillance process, from the analysing of data to the transfer of information between agencies, etc.

Legislative suggestions. In the ruling of the case, the Constitutional Court also made a few suggestions in regards to potential statutory regulation in order to regulate the BND and its area of action better than it was in the past. Part of those suggestions were the necessity of defining the purpose of surveillance measures with precision and clarity, in order to ensure transparency, as well as the necessity for the legislator to set out essential framework for the analysis of the collected data, like a cease in analysis as soon as it becomes clear that the surveillance has touched the core of private life. The court also suggested that special requirements have to apply to the protection of professional groups with communications of increased confidentiality, and that the surveillance in these cases must be tied to qualified thresholds. The court also mentioned the storage and deletion of surveillance data, stating that the traffic data obtained should not be stored for longer than six months, while a systematic deletion policy needs to be established. In the terms of the transfer of information to other (foreign) intelligence agencies, the Constitutional Court made it clear that such transfers will need an official statutory basis in order to be lawful.

The court has given the German government until the end of 2021 to amend the law and make statutory changes to comply with the ruling and the decision of the international scope of the fundamental rights. While this may seem like a big set back for the BND, it is a chance to show that intelligence agencies can work on a high constitutional standard while also being successful in their purpose.

Series on COVID-19 Contact Tracing Apps Part 2: The EDPB Guideline on the Use of Contact Tracing Tools

25. May 2020

Today we are continuing our miniseries on contact tracing apps and data protection with Part 2 of the series: The EDPB Guideline on the Use of Contact Tracing Tools. As mentioned in Part 1 of our miniseries, many Member States of the European Union have started to discuss using modern technologies to combat the spread of the Coronavirus. Now, the European Data Protection Board (“EDPB”) has issued a new guideline on the use of contact tracing tools in order to give European policy makers guidance on Data Protection concerns before implementing these tools.

The Legal Basis for Processing

In its guideline, the EDPB proposes that the most relevant legal basis for the processing of personal data using contact tracing apps will probably be the necessity for the performance of a task in the public interest, i.e. Art. 6 para. 1 lit. e) GDPR. In this context, Art. 6 para. 3 GDPR clarifies that the basis for the processing referred to in Art. 6 para. 1 lit. e) GDPR shall be laid down by Union or Members State law.

Another possible legal basis for processing could be consent pursuant to Art. 6 para. 1 lit. a) GDPR. However, the controller will have to ensure that the strict requirements for consent to be valid are met.

If the contact tracing application is specifically processing sensitive data, like health data, processing could be based on Art. 9 para. 2 lit. i) GDPR for reasons of public interest in the area of public health or on Art. 9 para. 2 lit. h) GDPR for health care purposes. Otherwise, processing may also be based on explicit consent pursuant to Art. 9 para. 2 lit. a) GDPR.

Compliance with General Data Protection Principles

The guideline is a prime example of the EDPB upholding that any data processing technology must comply with the general data protection principles which are stipulated in Art. 5 GDPR. Contact tracing technology will not be an exeption to this general rule. Thus, the guideline contains recommendations on what national governments and health agencies will need to be aware of in order to observe the data protection principles.

Principle of Lawfulness, fairness and transparency, Art. 5 para. 1 lit. a) GDPR: First and foremost, the EDPB points out that the contact tracing technology must ensure compliance with GDPR and Directive 2002/58/EC (the “ePrivacy Directive”). Also, the application’s algorithms must be auditable and should be regularly reviewed by independent experts. The application’s source code should be made publicly available.

Principle of Purpose limitation, Art. 5 para. 1 lit. b) GDPR: The national authorities’ purposes of processing personal data must be specific enough to exclude further processing for purposes unrelated to the management of the COVID-19 health crisis.

Principles of Data minimisation and Data Protection by Design and by Default, Art. 5 para. 1 lit. c) and Art. 25 GDPR:

  • Data processed should be reduced to the strict minimum. The application should not collect unrelated or unnecessary information, which may include civil status, communication identifiers, equipment directory items, messages, call logs, location data, device identifiers, etc.;
  • Contact tracing apps do not require tracking the location of individual users. Instead, proximity data should be used;
  • Appropriate measures should be put in place to prevent re-identification;
  • The collected information should reside on the terminal equipment of the user and only the relevant information should be collected when absolutely necessary.

Principle of Accuracy, Art. 5 para. 1 lit. d) GDPR: The EDPB advises that procedures and processes including respective algorithms implemented by the contact tracing apps should work under the strict supervision of qualified personnel in order to limit the occurrence of any false positives and negatives. Moreover, the applications should include the ability to correct data and subsequent analysis results.

Principle of Storage limitation, Art. 5 para. 1 lit. e) GDPR: With regards to data retention mandates, personal data should be kept only for the duration of the COVID-19 crisis. The EDPB also recommends including, as soon as practicable, the criteria to determine when the application shall be dismantled and which entity shall be responsible and accountable for making that determination.

Principle of Integrity and confidentiality, Art. 5 para. 1 lit. f) GDPR: Contact tracing apps should incorporate appropriate technical and organisational measures to ensure the security of processing. The EDPB places special emphasis on state-of-the-art cryptographic techniques which should be implemented to secure the data stored in servers and applications.

Principle of Accountability, Art. 5 para. 2 GDPR: To ensure accountability, the controller of any contact tracing application should be clearly defined. The EDPB suggests that national health authorities could be the controllers. Because contact tracing technology involves different actors in order to work effectively, their roles and responsibilities must be clearly established from the outset and be explained to the users.

Functional Requirements and Implementation

The EDPB also makes mention of the fact that the implementations for contact tracing apps may follow a centralised or a decentralised approach. Generally, both systems use Bluetooth signals to log when smartphone owners are close to each other.  If one owner was confirmed to have contracted COVID-19, an alert can be sent to other owners they may have infected. Under the centralised version, the anonymised data gathered by the app will be uploaded to a remote server where matches are made with other contacts. Under the decentralised version, the data is kept on the mobile device of the user, giving users more control over their data. The EDPB does not give a recommendation for using either approach. Instead, national authorities may consider both concepts and carefully weigh up the respective effects on privacy and the possible impacts on individuals rights.

Before implementing contact tracing apps, the EDPB also suggests that a Data Protection Impact Assessment (DPIA) must be carried out as the processing is considered likely high risk (health data, anticipated large-scale adoption, systematic monitoring, use of new technological solution). Furthermore, they strongly recommend the publication of DPIAs to ensure transparency.

Lastly, the EDPB proposes that the use of contact tracing applications should be voluntary and reiterates that it should not rely on tracing individual movements but rather on proximity information regarding users.

Outlook

The EDPB acknowledges that the systematic and large scale monitoring of contacts between natural persons is a grave intrusion into their privacy. Therefore, Data Protection is indispensable to build trust, create the conditions for social acceptability of any solution, and thereby guarantee the effectiveness of these measures. It further underlines that public authorities should not have to choose between an efficient response to the current pandemic and the protection of fundamental rights, but that both can be achieved at the same time.

In the third part of the series regarding COVID-19 contact tracing apps, we will take a closer look into the privacy issues that countries are facing when implementing contact tracing technologies.

Hungarian Government suspends GDPR rights for COVID-19 related Data Processing

12. May 2020

In the face of the Corona pandemic, Hungary is currently in an indefinite “state of emergency”. Originally, Prime Minister Victor Orbán decreed the state of emergency on 11 March 2020 lasting for a period of 15 days. However, on 30 March 2020, the Hungarian Parliament passed emergency legislation (Bill on Protection against Coronavirus or Bill T/9790) extending the state of emergency until terminated by the Prime Minister and allowing the Prime Minister to rule by decree during the state of emergency. The Bill was passed thanks to the two-thirds majority of Orbán’s Fidesz Party in the Hungarian Parliament.

On 4 May 2020, Prime Minister Orbán issued Decree No. 179/2020 which contains several provisions affecting Data Protection in Hungary extensively for the time of the state of emergency.

Most importantly, the decree suspends the individual data subject’s rights pursuant to Art. 15 to 22 of the European GDPR when processing personal data for the purpose of preventing, recognising, and stopping the spread of the Coronavirus. It also stipulates that the one month time limit for Controllers to provide the necessary information (Art. 12 para. 3 GDPR) will only begin after the termination of the state of emergency for any Coronavirus related data subject requests. Furthermore, the data collection information requirements for Controllers pursuant to Art. 13 and 14 GDPR will be satisfied by publishing an electronic privacy notice providing the purpose and the legal basis of data processing which the data subjects may take notice of.

The emergency decree received much criticism from various European Data Protection authorities and civil rights groups. The head of the European Data Protection Board (“EDPB”) Andrea Jelinek stated that she is “personally very worried” about the developments, and described the Hungarian government’s decision as “unnecessary [and] detrimental”. In its most recent plenary session, the EDPB also specifically discussed Hungary’s emergency measures in light of European Data Protection Law.

Dutch DPA administers record €725 000 fine for GDPR violation

6. May 2020

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), has issued a EUR 725 000 fine on April 30th to a company for scanning the fingerprints of its employees in order to record attendance.

As fingerprints fall under sensitive data according to Art. 9 GDPR, by being biometric data and therefore can easily identify a data subject, the Dutch DPA has addressed two exceptions in the present case: explicit consent according to Art. 9 II a GDPR, and the necessity of the processing for security reasons, which are related back to Art.9 II g GDPR.

According to the Dutch DPA, none of the two exceptions apply.

In the first case, the Dutch DPA states that the employer has shown no proof of valid explicit consent of the employees. Rather, the Dutch DPA is of the opinion that in an employment relationship, consent cannot be given freely. While it is tricky to ensure freely given consent in situations where one side is dependant on the other, it is possible to ensure such a freely given consent by the means of offering an alternative form of processing, allowing the employee to choose from two options according to their own judgement. In the case brought to the Dutch DPA, this had not been the case. Rather, employees felt obligated to give their consent, especially since the denial resulted in a personal meeting with the director. An alternative option to scanning their fingerprints was not given by the company.

The second exception of the necessity of the processing for security reasons was also dismantled by the Dutch DPA. It reasoned with the fact that such an exception only applies in cases where the security of the systems or the building depend on biometric data, and cannot be done by a less invasive method. While the activities of the company remain confidential, the Dutch DPA has denied them to be of that level of importance that security can only be done through biometrics. Therefore, the fingerprint scanning in the matter was unnecessary and disproportionate to the invasion of the employees’ privacy.

As this case shows, it is recommendable to be careful with the processing of biometric data. In particular, companies should ensure to have valid consent before progressing with the processing of sensitive data to mitigate the risks of a fine.

CNIL announces focus for Control Procedures in 2020

16. March 2020

The french Commission Nationale de l’Informatique et des Libertés (CNIL) has announced their focus in regards to the Control Procedures they intend to take in 2020.

Out of 300 Control Procedures done in one year, in 2020 at least 50 of those are going to be focused on three prioritized themes: health data security, geolocation and cookies compliance. The CNIL decided on prioritizing these areas because of the high relevance all of them have on the daily life of the french citizens.

Especially in regards to health data because of the sensitive nature of the data collected, as well as geological data, due to the never ending new solutions to transportation or enhancements to daily life, it is important to keep an eye on the scope of the data processing and the private sphere which is affected.

Regarding cookies and other tracers, CNIL continues to underline the importance in regards to profiled advertisement. On top of the planned Control Procedures, the CNIL intends to publish a recommendation in the spring of 2020 with regards to cookies. It will keep an eye on the implementation of the recommendation, and give companies a 6 months period to adjust and implement them.

The CNIL also stated that in addition they will continue to work together with other national Data Protection Authorities, in order to ensure the regulation of transnational data processing.

Pages: 1 2 3 4 5 6 7 8 9 10 ... 14 15 16 Next
1 2 3 16