Category: EU

Accountability initiative by the EDPS: achieving compliance with the GDPR

8. June 2016

The EDPS announced yesterday the launch of a new initiative that may help EU institutions, public bodies and private organizations to be compliant and prepare for the GDPR. This initiative relates to the accountability principle, which is explicitly mentioned in the GDPR. Accountability regarding the processing of personal data means:

  • Implementing policies within the organization in order to achieve transparency
  • Training employees and persons within the organization with regard to the implementation of the policies
  • Monitoring the implementation of the policies
  • Establishing procedures in order to identify incompliances and act against data breaches

The EDPS states that the accountability principle involves a culture change within organizations and means the promotion of sustainable data processing. This means that organizations should assess the fairness and legality of complex data processing operations. This involve that both, public bodies and private organizations, should develop a risk management strategy that addresses their specific needs, so that they are compliant with the GDPR upon its entry into force in May 2018.

This initiative has been firstly implemented at the EDPS institution itself by using questionnaires addressed to the Supervisors, the Director, the staff responsible for processing operations and the DPO. The implemented actions were also documented and followed up on a regular basis. The questions aimed at ensuring a control over the processing of personal data and the lawfulness of the processing.

German DPA fines three companies for illegal data transfer to the U.S.

7. June 2016

The Data Protection Authority of Hamburg just announced in a press statement that it checked the data transfers of 35 international organizations that are based in Hamburg.

After the judgment declaring the former Safe Harbor Framework by the European Commission invalid  in October 2015 by the European Court of Justice, the DPA contacted organizations in Hamburg operating also in the U.S. and reviewed the transfer of personal data to the U.S. in order to determine whether other instruments are used than the Safe Harbor Framework. According to the mentioned press statement, the review has revelied that the majority of the companies had changed the legal basis of their transfers of data by implementing standard contractual clauses (SCC).

However, according to a report by Spiegel Online, there were three companies that did not change their legal basis for data transfer. Therefore, the three companies were fined:

Adobe (8.000 Euros), Punica (9.000 Euros) and Unilever (11.000 Euros)

As all three companies have changed the legal basis for data transfering during the proceeding, the DPA imposed a fine that was significantly smaller than the maximum of 300.000 Euros.

 

 

Further developments regarding EU-U.S. data transfers: the “Umbrella-Agreement” has been signed

6. June 2016

On the 2nd June, the so called “Umbrella-Agreement” was signed between the EU and the U.S. This agreement aims at creating a cooperation framework between the EU and the U.S. regarding criminal law enforcement and the prevention of serious crime and terrorism.

Personal data covered under this agreement includes data exchanged between police and criminal Authorities of the EU Member States and the US Authorities for the purpose of prevention, investigation, detection and prosecution of criminal offences as well as terrorist acts. The data transfers will be carried out according to the existing legal frameworks and enough safeguards will be provided.

The agreement provides EU citizens an equal treatment with U.S. citizens before American courts regarding judicial redress and a full respect for fundamental rights.

However, this agreement does not provide a legal basis for data transfers but it is a complement to the existing and future frameworks between law enforcement authorities.

European Data Protection Supervisor issues opinion on EU-U.S. Privacy Shield

1. June 2016

The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued this week his opinion on the EU-U.S. Privacy Shield. The EDPS is an independent EU institution created in 2004 that assesses EU institutions on policies and legislation related to privacy and data protection and cooperates with authorities in these matters.

The EDPS emphasized on the following key aspects related to the EU-U.S. Privacy Shield:

  • The current draft is not solid enough and improvements should be made in order to withstand scrutiny before the ECJ.
  • The Privacy Shield should offer a long-term solution regarding international data transfers to the U.S.
  • The protection provided by the Privacy Shield should ensure the rights to redress, transparency, data privacy and oversight.
  • It should also prevent from indiscriminate surveillance by American authorities.
  • The draft should comply with the GDPR, including international data transfers.
  • International companies should be aware of and comply with their obligations on privacy and data protection issues.

To sum up, the Privacy Shield should offer an equivalent data protection level to that existing in the EU.

Category: EU · General
Tags: ,

Renegotiation of the Privacy Shield

The European Parliament approved a resolution concerning the European Commission reopening negotiations with US authorities on the EU-US Privacy Shield last week. Furthermore, the resolution intends to implement the recommendations of the Article 29 Working Party on the draft Privacy Shield adequacy decision.

The resolution that was approved by the majority of members of the European Parliament says that the executive still needs to improve the data transfer deal allowing US authorities to collect EU citizens’ data.

Although the Parliament’s opinion is not binding, it builds up pressure on the Commission in order to increase the level of data protection in the much discussed agreement.

After the Safe Harbour agreement was declared invalid last October due to the fact that it did not protect European citizens’ data once they were sent to the USA, the executive is now behind schedule as EU Justice Commissioner Vera Jourova and Digital Commissioner Günther Oettinger initially stated that the new agreement should go into effect by the end of June. However, in order for that to happen a group of diplomats from European member states have to sign their approval first. Nevertheless, although the diplomats were expected to vote on the Privacy Shield last week, they delayed their final decision as they scheduled new meetings up until the end of June.

Generally, the Commission has already finished the negotiations concerning the Privacy Shield with US authorities, though clarification on some points is needed. Commission spokesman Christian Wigand described the clarifications as realistic changes and not a drastic renegotiation of the agreement.

However, the Parliament’s resolution intends to take criticism from national privacy protectors of the European member states “fully” into account.

Category: EU · Safe Harbor · USA
Tags:

Update EU-U.S. Privacy Shield: Article 31 needs more time to consider the implications of the proposal

23. May 2016

On the 19th May, the Article 31 Committee, made up of representatives of the EU Member States, met in order to discuss the implications of the proposed draft of the EU-U.S. Privacy Shield. The Article 31 was created in order to reach decisions that require the approval of the EU Member States according to the Data Protection Directive 95/46/EC. This is the case, for example of the adoption of adequacy decisions, such as Safe Harbor in the past or the EU-U.S. Privacy Shield currently.

Article 31 concluded that it needed more time to reach a decision about the proposal. Moreover, a source of the Commission affirmed that further meetings in May and early June will take place. Also, the recommendations of the Article 29 WP are being taken into consideration before reaching a decision.

The decision of the Article 31 is expected by the end of June. The EU-U.S. Privacy Shield can be only adopted if a qualified majority of 16 Member States representing 65 percent of the EU population votes for the adoption of the Privacy Shield.

Until a decision is reached, Standard Contractual Clauses and Binding Corporate Rules can still be used to carry out international data transfers on a legal basis.

EU Directive on Cyber Security to be expected in August 2016

19. May 2016

The EU Council adopted this week the Network and Information Security Directive (NIS Directive) at first reading. The NIS Directive is part of the EU cyber security strategy, which main objective is to prevent and respond to disruptions and cyber-attacks in telecommunications systems located in the EU.

The Directive aims at achieving a minimum level of IT security and implementing an effective risk management culture for digital technologies. Furthermore, it also aims at dealing with IT security breaches by imposing the obligation to report significant incidents without delay, especially for business or organizations whose main activity is subject to a higher risk, such as cloud providers or social networks.

The five main goals of the NIS Directive are:

  • To achieve cyber resilience
  • To reduce cybercrime significantly
  • To develop a cyber defense policy at EU level by creating authorities at national level
  • To promote the development of technological resources
  • To implement a solid international cyberspace policy

After the EU Council has adopted the NIS Directive at first reading, the draft must be approved by the EU Parliament at second reading. If the EU Parliament approves the Directive, it might enter into force in August 2016.

European Court of Justice´s General Advocate: Dynamic IP Addresses are personal data

18. May 2016

Background

In 2014, Mr. Breyer filed a suit against the Federal Republic of Germany regarding the storing of IP Addresses. Several German public bodies operate internet websites that are publicly accessible. In order to avoid and be able to prosecute criminal attacks, the access to these websites is protocolled, including names, retrieved data/website, words searched in the search fields, date and time of retrieval, data transmitted and the IP Address of the device in question.

Mr. Breyer requested that neither the Federal Republic of Germany nor third parties store the IP Address of users that accesses these websites, as there was no consent for this processing and the storage was not based on the recovery due to a disruption of the service.

Prejudicial question from the German Federal Supreme Court (Bundesgerichtshof)

The suit from Mr. Breyer was dismissed in the First Instance. However, the appeal succeed partly and the Federal Republic of Germany was sentenced not to store IP Addresses for a longer period of time than that of the access in question. Though, this was subject to the condition that Mr. Breyer provided his personal data when he accessed the website. Both parties appealed to the German Federal Supreme Court, who submitted the following questions to the ECJ:

Question 1: Must the Data Protection Directive 95/46/EC be interpreted as meaning that an Internet Protocol address (IP Address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?

Question 2: Does the Data Protection Directive 95/46/EC preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?

Position of the ECJ General Advocate

The ECJ General Advocate answers the above questions as follows:

To question 1: A dynamic IP Address, through which a user has retrieved a website from a telemedia service provider, constitutes for the latter a personal data to the extent that the service provider has enough additional information, which connected with the IP-Address makes possible to identify the user. Dynamic IP-Addresses contain information regarding the time and date in which a website was accessed from a device. This data can provide information about behavioural patterns that can affect the right to privacy of individuals. Additionally it can also provide additional information about a user if it is connected to other personal data.

To question 2: The finality to guarantee the operability of the telemedium should be basically seen as a legitimate interest that justifies the processing of an IP Address. This legitimation can be only alleged if it has primacy over the fundamental rights of the data subject. A national legal disposition that does not allow such legitimate interest, is not consistent with the Data Protection Directive 45/95/EC.

What to expect regarding IP addresses with the GDPR?

The problematic of the IP Addresses may be solved with the GDPR, as the Recital 30 enumerates, among others, also IP addresses as examples of personal data. As such, they can lead to identify an individual if combined with other information, therefore they fall under the scope of the GDPR and they are to be handled as personal data.

 

 

Serious data breach in HIV clinic in London

11. May 2016

A clinic in London has been fined 180.000 GBP due to a “serious data breach”. The clinic offered a service to HIV-patients in order to receive newsletters and test results as well as make appointments via email. It sent an email newsletter to 781 of its patients with all patient emailaddresses in the “To” field and not in the “Bcc” field. 730 of the emailaddresses included the full names of the patients. The newsletter was used to inform the patients about sexual health services and general treatment details. The Information Commissioner´s Office (ICO) said, “the breach caused a great deal of upset to the people affected”. Information about the health or sexual life of a person is considered to be sensitive personal data and should be protected specifically. Chelsea and Westminster Hospital NHS Foundation Trust, which runs the clinic, has been fined 180.000 GBP. The responsible ICO investigation trust discovered, that a similar error had happened already in March 2010. Although some remedial measures were taken at that time, no specific training had taken place since then.

After the GDPR, the ePrivacy Directive as next step on the EU Agenda

26. April 2016

The EU Parliament approved some weeks ago the new General Data Protection Regulation (GDPR). As a next step, the EU Commission has launched a public consultation on the evaluation and review of the ePrivacy Directive, as part of the Digital Single Market Strategy proposed by the EU Commission in May 2015. The consultation started on the 12th April and will be open until the 5th July 2016.

The current ePrivacy Directive was initially adopted for the telecoms sector. However, most of the EU Member States have also extended its application to other sectors. This Directive is also known as “cookie law”, but it also regulates the confidentiality of communications, the obligation to notify data breaches, the scope and definition of unsolicited communications, etc.

The “update” of the ePrivacy Directive is necessary in order to achieve a higher harmonization at all levels, including the field of electronic communications, and to complement the GDPR. The head of unit for policy and consultation at the EU Data Protection Supervisor, Sophie Louveaux, unofficially stated that the modification of the ePrivacy Directive is a priority regarding privacy issues and that a “full coherence” between the GDPR and the ePrivacy Directive should be achieved.

The legislative proposal for a new ePrivacy Directive is expected by the end of 2016.

Pages: Prev 1 2 3 ... 13 14 15 16 17 18 19 20 21 22 23 Next
1 18 19 20 21 22 23