Category: EU
2. November 2016
The Article 29 Working Party published a statement on the EU-U.S. Umbrella agreement at the end of October.
On one side, the statement shows signs of support for the EU-U.S. Umbrella Agreement. However on the other side, it delivers recommendations in order to make sure that the agreement is compliant with European data protection law.
In general, the Article 29 Working Party supports the creaction of a general data protection framework in order for international data transfers to be compliant with national, European and international data protection laws. Therefore, the Article 29 Working Party elaborates that the respective agreement “considerably strengthens the safeguards in existing law enforcement bilateral treaties with the U.S., some of which were concluded before the development of the EU data protection framework”.
However, it is also mentioned that clarification is needed in terms of definitions, for example how to define personal data and data processing, due to the fact that European and U.S law have different opinions on what is meant by these terms.
25. October 2016
After a meeting of the Article 31 Committee, the European Commission disclosed two drafts concerning the implementation of amendments to the existing adequacy decisions and decisions on EU Model Clauses.
First of all, adequacy decisions determine whether a third country provides adequate safeguards in order to protect personal data. These decisions are made by the Commission after an assessment of the national laws and international commitments in terms of data protection of the respective country. In the following, countries which are established to be adequate are added to the Commission’s “white list”. Therefore, data transfers can be made from the EEA to that country without any further legal requirements.
The opinion concerning these amendments is divided. Some European Member States which participated at the Article 31 Committee meeting were for implemnting theses amendments. However, other European Member States requested more time in order to consider the proposed changes.
Due to this conflict another meeting has to be scheduled to which the Article 29 Working Party will be aksed to contribute by presenting its views on the respective changes.
10. October 2016
After Hamburg’s Data Protection Commissioner strongly recommended that Facebook should stop processing German data gained from WhatsApp, after the U.K. Information Commissioner, the ICO, also started to investigate the agreement betweent WhatsApp and Facebook and after Italy’s data protection authority, the Garante, has started to look into this issue, now Spain’s data protection authority, the AEPD, raises concerns.
Therefore, Spain’s data protection authority advises users to read the terms and conditions especially before accepting them. Furthermore, it offers guidance on changing the respective settings.
6. October 2016
Last month, the CIPL held its second workshop in Paris as part of its two-year GDPR implementation project.
During this workshop almost 120 business delegates as well as 12 data protection authorities, four European Member State governments both the European Commission and the European Data Protection Supervisor, a non-DPA regulator and several academics and on top of all of the named above the IAPP participated in order to develop best practices and to build a bridge between authorities and economy.
This time, the workshop mainly focused both on the role of the data protection officers and on the privacy impact assessment, also called PIA.
In this context it was also announced that the Article 29 Working Party is going to release its first guidelines concerning the GDPR either before the end of the year or at the beginning of 2017. These guidelines will include advise on data portability and the role of the DPO. Furthermore, the Article 29 Working Party will also release guidance on risk, PIAs and certifications later on.
5. October 2016
The Cloud Infrastructure Services Providers in Europe, CISPE, published a Data Protection Code of Conduct for Cloud Infrastructure Service Providers.
CISPE is a relatively new accosiation including more than 20 cloud infrastructure providers that operate within Europe.
The CISPE Code of Conduct focuses on transparency and compliance with EU data protection laws. Therefore, the CISPE Code of Conduct has been designed in such a way that it will be compliant with the GDPR coming into force in May 2018. The CISPE Code of Conduct has been built on internationally recognised state-of-the-art of security measures increasing the data security for cloud customers.
In the press release, Axelle Lemaire, French Minister for Digital Affairs and Innovation, commented that “The CISPE Code of Conduct show that the European cloud computing industry is capable to provide secure and compliant services for all personal and technical data in Europe and improve trust in digital services.”
27. September 2016
Heise online released an article last week talking about a new possibility for Dropbox users, namely to select a German server location.
As already announced, EU citizens are now able to save their data on a server located in Germany. However, this new storage possibility is only available for business use so far. The requirement is that more than 250 employees use Dropbox. Therefore, the new server location is not applicable for private use.
However, Dropbox did not build the new server location on its own. In fact, the infrastucture is provided by Amazon though AWS.
16. September 2016
The European Court of Justice decided that free Wifi providers are not liable for illegal downloads.
The decision is based on a case between Sony and a German shop owner. Sony sued the German shop owner due to the fact that an internet user unlawfully offered music downloads by using the shop’s free Wifi. Although the case originated in Munich, the judges referred the issue to the European Court of Justice.
The European Court of Justice then found that free Wifi is provided by companies in order to attract potential customers. Therefore, they cannot be held liable for illegal acts committed by others using this respective internet network.
Furthermore, Sony can not claim compensation or seek reimbursement for its court costs.
Nevertheless, the European Court of Justice ruled that Sony could demand internet connections to be password protected, so that a user is required to identify himself before accessing the Wifi.
14. September 2016
The German Minister of Interior just released a Draft Act concerning the adaptipon of the General Data Protection Regulation (GDPR), which will come into force in 2018.
However, netzpolitik.org published an article dealing with the critics about the respective draft, which have a crushing impact. Especially, both the Minister of Justice and the Federal Data Protection Officer released statements raising concerns. They worry that due to the Draft Act the data protection level will decrease in Germany so that in the end it will be less than before the GDPR.
1. September 2016
The concern due to WhatsApp sharing user information with Facebook is rising, especially in Europe.
As the Wall Street Journal reported, European privacy regulators are investigating WhatsApp’s plan to share the information of their users with its parent company Facebook.
The Article 29 Working Party representing the 28 national data protection authorities released a statement at the beginning of this week saying that its members were following “with great vigilance” the upcoming changes to the privacy policy of WhatsApp due to the fact that the new privacy policy allows WhatsApp to share data with Facebook, whereas the privacy policy only gives existing WhatsApp users the right to opt out of part of the data sharing. Therefore, the Article 29 Working Party concluded “What’s at stake is individual control of one’s data when they are combined by internet giants”.
Furthermore,
- the ICO also issued a statement last week raising concerns due to the “lack of control”,
- at the beginning of this week the consumer privacy advocates in the U.S. filed a complaint with the Federal Trade Commission due to the fact that WhatsApp promised that “nothing would change” when Facebook acquired WhatsAPP two years ago and on top of that
- the Electronic Privacy Information Center and the Center for Digital Democracy turned to the Federal Trade Commission in order to get the confirmation that the upcoming changes to the privacy policy can be seen as “marketing practices” that are “unfair and deceptive trade practices”.
31. August 2016
On its blog Google Analytics announced on the 29th of August that they have self-certified to the EU-U.S. Privacy Shield.
The statement describes the EU-U.S. Privacy Shield as a new framework for transfers of personal data from Europe to the United States, which can be seen as a significant milestone for the protection of Europeans’ personal data, legal certainty of transatlantic businesses, and trust in the digital economy.
Therefore, Google has now committed that they comply with the Privacy Shield’s principles and furthermore that they will safeguard the transfers of personal data, whereas no action is required from their customers.
