Category: EU
19. May 2016
The EU Council adopted this week the Network and Information Security Directive (NIS Directive) at first reading. The NIS Directive is part of the EU cyber security strategy, which main objective is to prevent and respond to disruptions and cyber-attacks in telecommunications systems located in the EU.
The Directive aims at achieving a minimum level of IT security and implementing an effective risk management culture for digital technologies. Furthermore, it also aims at dealing with IT security breaches by imposing the obligation to report significant incidents without delay, especially for business or organizations whose main activity is subject to a higher risk, such as cloud providers or social networks.
The five main goals of the NIS Directive are:
- To achieve cyber resilience
- To reduce cybercrime significantly
- To develop a cyber defense policy at EU level by creating authorities at national level
- To promote the development of technological resources
- To implement a solid international cyberspace policy
After the EU Council has adopted the NIS Directive at first reading, the draft must be approved by the EU Parliament at second reading. If the EU Parliament approves the Directive, it might enter into force in August 2016.
18. May 2016
Background
In 2014, Mr. Breyer filed a suit against the Federal Republic of Germany regarding the storing of IP Addresses. Several German public bodies operate internet websites that are publicly accessible. In order to avoid and be able to prosecute criminal attacks, the access to these websites is protocolled, including names, retrieved data/website, words searched in the search fields, date and time of retrieval, data transmitted and the IP Address of the device in question.
Mr. Breyer requested that neither the Federal Republic of Germany nor third parties store the IP Address of users that accesses these websites, as there was no consent for this processing and the storage was not based on the recovery due to a disruption of the service.
Prejudicial question from the German Federal Supreme Court (Bundesgerichtshof)
The suit from Mr. Breyer was dismissed in the First Instance. However, the appeal succeed partly and the Federal Republic of Germany was sentenced not to store IP Addresses for a longer period of time than that of the access in question. Though, this was subject to the condition that Mr. Breyer provided his personal data when he accessed the website. Both parties appealed to the German Federal Supreme Court, who submitted the following questions to the ECJ:
– Question 1: Must the Data Protection Directive 95/46/EC be interpreted as meaning that an Internet Protocol address (IP Address) which a service provider stores when his website is accessed already constitutes personal data for the service provider if a third party (an access provider) has the additional knowledge required in order to identify the data subject?
– Question 2: Does the Data Protection Directive 95/46/EC preclude a provision in national law under which a service provider may collect and use a user’s personal data without his consent only to the extent necessary in order to facilitate, and charge for, the specific use of the telemedium by the user concerned, and under which the purpose of ensuring the general operability of the telemedium cannot justify use of the data beyond the end of the particular use of the telemedium?
Position of the ECJ General Advocate
The ECJ General Advocate answers the above questions as follows:
– To question 1: A dynamic IP Address, through which a user has retrieved a website from a telemedia service provider, constitutes for the latter a personal data to the extent that the service provider has enough additional information, which connected with the IP-Address makes possible to identify the user. Dynamic IP-Addresses contain information regarding the time and date in which a website was accessed from a device. This data can provide information about behavioural patterns that can affect the right to privacy of individuals. Additionally it can also provide additional information about a user if it is connected to other personal data.
– To question 2: The finality to guarantee the operability of the telemedium should be basically seen as a legitimate interest that justifies the processing of an IP Address. This legitimation can be only alleged if it has primacy over the fundamental rights of the data subject. A national legal disposition that does not allow such legitimate interest, is not consistent with the Data Protection Directive 45/95/EC.
What to expect regarding IP addresses with the GDPR?
The problematic of the IP Addresses may be solved with the GDPR, as the Recital 30 enumerates, among others, also IP addresses as examples of personal data. As such, they can lead to identify an individual if combined with other information, therefore they fall under the scope of the GDPR and they are to be handled as personal data.
11. May 2016
A clinic in London has been fined 180.000 GBP due to a “serious data breach”. The clinic offered a service to HIV-patients in order to receive newsletters and test results as well as make appointments via email. It sent an email newsletter to 781 of its patients with all patient emailaddresses in the “To” field and not in the “Bcc” field. 730 of the emailaddresses included the full names of the patients. The newsletter was used to inform the patients about sexual health services and general treatment details. The Information Commissioner´s Office (ICO) said, “the breach caused a great deal of upset to the people affected”. Information about the health or sexual life of a person is considered to be sensitive personal data and should be protected specifically. Chelsea and Westminster Hospital NHS Foundation Trust, which runs the clinic, has been fined 180.000 GBP. The responsible ICO investigation trust discovered, that a similar error had happened already in March 2010. Although some remedial measures were taken at that time, no specific training had taken place since then.
26. April 2016
The EU Parliament approved some weeks ago the new General Data Protection Regulation (GDPR). As a next step, the EU Commission has launched a public consultation on the evaluation and review of the ePrivacy Directive, as part of the Digital Single Market Strategy proposed by the EU Commission in May 2015. The consultation started on the 12th April and will be open until the 5th July 2016.
The current ePrivacy Directive was initially adopted for the telecoms sector. However, most of the EU Member States have also extended its application to other sectors. This Directive is also known as “cookie law”, but it also regulates the confidentiality of communications, the obligation to notify data breaches, the scope and definition of unsolicited communications, etc.
The “update” of the ePrivacy Directive is necessary in order to achieve a higher harmonization at all levels, including the field of electronic communications, and to complement the GDPR. The head of unit for policy and consultation at the EU Data Protection Supervisor, Sophie Louveaux, unofficially stated that the modification of the ePrivacy Directive is a priority regarding privacy issues and that a “full coherence” between the GDPR and the ePrivacy Directive should be achieved.
The legislative proposal for a new ePrivacy Directive is expected by the end of 2016.
22. April 2016
Due to the fact that security specialists and the EU member states have pushed for European rules on Passenger Name Record (PNR) for years, the latest acts of terror in Europe just increased these requestes. These demands have been met by EU Parliament as it approved the bill concerning a more systematic collection, use and retention of data on international airline passengers on 14 April 2016.
However, a first attempt on implementing rules on the use of PNR was rejected in 2013 due to concerns about the necessity and scope of the proposal and its compliance with fundamental rights. The civil liberties committee then discussed a new draft text on PNR on 26 February 2015 and on 15 July 2015 this text was adopted. Safeguards were included ensuring the lawfulness of any use of the data, so that the data should only be used in order to fight terrorism and serious international crime. After negotianting EU Parliament and the Council reached a provisional deal on 4 December 2015. During a plenary session on 14 April 2016 the text was then approved by 461 votes to 179, with nine absentions.
20. April 2016
Article 37 of the GDPR states that data controllers and processors of personal information are required to appoint a data protection officer in cace:
(a) The processing is carried out by a public authority or body (except courts); or
(b) The controller’s or processor’s “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data.”
A data protection officer is able to be appointed by a group, public authorities or individual legal entity. Article 39 of the GDPR requires that a data protection officer is “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”. Compliance, trainings on how to process data according to the law and the communication with the national authorities are part of the task area of a data protection officer.
Therefore, due to the GDPR organizations worldwide have to prepare for a number of new requirements in terms of data collection and processing. One particular requirement is that certain organizations will now have to appoint a data protection officer according to Arcticle 37 of the GDPR, as mentioned above. Research indicates the number of data protection officers required to be appointed under the GDPR will be about 28,000. This is an estimate based on official statistics regarding both public and private sector data controllers in the EU and taking further assumptions into account such assuming that US companies obliged to comply with the GDPR would also require a data protection officer, and of those companies who self-certified under Safe Harbor are likely included in that number.
The New York Times reports that crisicism is raised among European data protection regulators and politicians on Google’s secretive process for deciding whose “right to be forgotten” cases end with a stricken link and whose do not. The lack of the company’s transparency is not the only concern regarding how a private organization has autonomy in these cases instead of the government. Furthermore, Google has ruled on double the amount of national authorities’ privacy judgments. “If Europe really wanted to regain control over personal data, giving Google this type of power is an odd outcome,” concluded Oxford University’s Luciano Floridi.
The criticism is also raised as a result of a general growing discontent from both European regulators and politicians due to the fact that national data protection agencies sometimes lack the financial, technical and human resources to handle the substantial increase of “right to be forgotten” requests, according to regulatory officials and legal experts.
15. April 2016
The European Union will have a new data protection regulation. After four years of ups and downs, the European Parliament came to an agreement on thursday in a plenary vote of support for the GDPR and the companion Data Protection Directive for policing and the judiciary.
The German MEP Jan Philipp Albrecht commented that “the General Data Protection Regulation makes a high, uniform level of data protection throughout the EU a reality,” and added that, “the regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty, and fairer competition.”
In order to give businesses and organizations time to adjust their compliance and data protection issues, the new GDPR will officially become effective in two years. The GDPR includes provisions such as the impositions of a clear and affirmative consent for processing personal data and a clear privacy notice. Further, there will be obligations concerning the breach of notification and the implementation of potential fines up to 4 percent of a company’s global annual turnover.
European Commission First Vice-President Frans Timmermans, Vice-President of the Digital Single Market Andrus Ansip, and Commissioner for Justice, Consumers and Gender Equality Vera Jourova welcomed the new regulation as it will “help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.” They went on commenting the Data Protection Directive for police and the judiciary, saying that it “ensures a high level of data protection while improving cooperation in the fight against terrorism and other serious crime across Europe.”
Therefore, in order to build public awareness of the reforms “the EU will launch public awareness-raising campaigns about the new data protection rules” Albrecht and Jourova, along with MEP Marju Lauristin commented and added that “the European Commission will work closely with member states, the national data protection authorities, and stakeholders to ensure the rules will be applied uniformly across the EU.”
14. April 2016
The Article 29 WP, represented by the DPAs from the EU Member States, issued yesterday its opinion on the proposed draft of the EU-U.S. Privacy Shield.
Background
Under the Safe Harbor framework, personal data transfers from the EU to the U.S. have been carried out since the year 2000. In October 6th, 2015, the ECJ declared this framework invalid, as it considered that it did not ensure enough safeguards regarding the protection of personal data from EU citizens. In February 2016, the EU Commission and several American Authorities drafted the new framework that shall replace the Safe Harbor Agreement. The draft has been now analyzed by the EU DPAs, who remark the necessity to clear and define some concepts.
Critical aspects of the EU-U.S. Privacy Shield identified by the Article 29 WP
The Article 29 WP does not believe that, in general terms, the current draft of the Privacy Shield ensures a level of data protection equivalent to that in the EU. The most relevant aspects of the published document could be summarized as follows:
- Data retention periods are not defined in any of the principles of the framework. This means that companies could keep personal data even if they do not renew their Privacy Shield membership. This contravenes the principle of data retention limitation according to EU data protection legislation.
- The scope and definition of the purpose limitation concept is described under the notice, the choice and the data integrity and purpose limitation principles. However, in each of these principles is the purpose limitation principle differently defined, what leads to an inconsistent definition of this concept.
- Also the concept of onward transfers has been critically analyzed by the Article 29 WP. Under this principle, Privacy Shield members may legitimately carry out data transfers to third parties. This involves the risk that the recipient of the data does not ensure the same level of data protection as stipulated according to the EU data protection legislation.
- The redress mechanism available for EU data subjects may be too complex for the data subjects themselves. The Article WP29 recommends that the local DPAs represent the data subjects or act as intermediaries so that they can exercise their rights in Europe.
- Finally, the Privacy Shield includes certain guarantees regarding the surveillance activities by U.S. authorities. However, the massive collection of personal data from EU citizens is not fully excluded. Regarding this, the institution of the Ombudsman has been created. According to the Article 29 WP, its functions and legitimation are not sufficiently defined.
The Working Party has requested the EU Commission to clarify these aspects and adopt the corresponding solutions, so that the Privacy Shield ensures an equivalent level of data protection to that in the EU. Particularly, it has recommended to introduce a glossary of terms in the “Privacy Shield FAQ” and a review of the Privacy Shield draft after the GDPR becomes effective, in order to ensure that the Privacy Shield reflects the level of protection reached by the GDPR.
What next?
Since the opinion of the Article 29 WP is not binding, the EU Commission could proceed further with the approval of the EU-U.S. Privacy Shield. However, it will consult a Committee of representatives of the EU Member States before issuing its final decision. Until a final decision is reached, the mechanisms to carry out international data transfers are limited to Binding Corporate Rules and Standard Contractual Clauses.
12. April 2016
After the details of the draft of the new adequacy decision to carry out international data transfers between the EU and the U.S. have been released (“EU-U.S. Privacy Shield”), the Article 29 WP is expected to express its opinion on the proposed text within this week.
On the 6th and 7th April the German DPAs meet to discuss current privacy topics, among others about the EU-U.S. Privacy Shield. A link to the resolution related to this topic was uploaded in the webpages of each federal DPA. The link to the resolution was deleted afterwards. However, a permanent link to the resolution (in German) can be found under https://www.delegedata.de/wp-content/uploads/2016/04/Beschluss_Mandat_Privacy_Shield.pdf.
The resolution of the German DPAs seems to refer to the current draft of the Article 29WP on the EU-U.S. Privacy Shield:
“Therefore, the WP29 is not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection that is essentially equivalent to that in the EU.”
This paragraph suggests that the European DPAs may not release a positive opinion on the EU-U.S. Privacy Shield.
Although the opinion of the Article 29 WP is not binding for the EU Commission, the Article 29 WP may initiate legal actions through the local DPAs against the adequacy decision if it is approved, as stated in paragraph 4 of the above mentioned resolution.
