Category: EU

EDPB creates “Cookie Banner Taskforce”

5. October 2021

On September 27, 2021, the European Data Protection Board (EDPB) announced that it has established a “Cookie Banner” taskforce in order to coordinate the complaints and corresponding responses filed with several EU data protection authorities (DPA) by the non-governmental organization None of Your Business (NOYB) in relation to website cookie banners.

In May 2021 NOYB sent over 500 draft and formal complaints to companies residing in the EU regarding the use of their cookie banners. The complaints seem to focus on the absence of a “reject all” button on most of the websites as well as the way cookie banners use deceptive design in order to get data subjects to consent to the use of non-essential cookies. Another regular complaint is the difficulty for refusing cookies, as opposed to the simple way of consenting to them.

The EDPB stated that “this taskforce was established in accordance with Art. 70 (1) (u) GDPR and aims to promote cooperation, information sharing and best practices between the DPAs”. The taskforce is meant to exchange views on legal analysis and possible infringements, provide support to activities on the national levels and streamline communication.

The EU Whistleblowing Directive – An Overview

29. September 2021

The EU Whistleblower Directive was published in December 2019 and introduces minimum standards for the protection of individuals reporting breaches of EU law governing different areas of public interest, which are specified in the annex to the EU Whistleblower Directive. These include inter alia privacy and personal data protection as well as security of network information systems. The Directive aims to protect individuals who have become aware of such breaches in a work-related context, irrespective of their status from an employment law prospective. Employees, civil servants, self-employed service providers, freelance workers as well as volunteers and trainees and even shareholders will now be protected under the Whistleblower Directive.

Status of implementation in the EU Member states

EU member states are obliged to adapt the Whistleblower Directive into national law until December 17th, 2021. So far, the implementation is in process for at least 21 Member States.

Legislative proposals have been drafted in the following member states, and are up for discussion in their respective parliaments:

  • Belgium,
  • the Czech Republic,
  • Denmark,
  • France,
  • Romania,
  • the Netherlands.

First legislative steps have been taken in the following member states, where drafts are currently being planned or prepared:

  • Bulgaria,
  • Croatia,
  • Estonia,
  • Finland,
  • Greece,
  • Ireland,
  • Latvia,
  • Lithuania,
  • Poland,
  • Portugal.

Slovakia and Slovenia have enacted laws in first reaction to the Directive, however new laws for a full implementation are underway. In Germany, there is currently no comprehensive law that implements the Whistleblower Directive. At the time of this writing, a number of proposals are in development. The concrete implementation of the Directive in Germany has remained controversial between the governing parties. A draft bill of the Whistleblower Protection Act (Hinweisgeberschutzgesetz) submitted by the Federal Ministry of Justice was rejected within the government at the end of April 2021 because it provided for stricter regulations than the EU Directive.  A new draft is yet to be passed on to the next stage.

Naturally, operating channels and procedures for internal reporting of EU law breaches will inevitably involve the processing of personal data, and the EU legislators were clearly aware of the consequences, as the Whistleblower Directive generally states that any processing of personal data pursuant to the Whistleblower Directive must be carried out in accordance with EU data protection law and the General Data Protection Regulation (GDPR) in particular.

What this means for companies in the EU

In order for companies to understand how to comply with the EU Whistleblower Directive, it is important for businesses to keep the following data protection elements in mind:

  • Handle reports and the personal data of the reporter/whistleblower according to the principles of Art. 5 GDPR: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability;
  • Have a legal basis for the processing of personal data and whistleblower reports (in this case Art. 6 para. 1 lit. c GDPR plus if applicable national data protection law in conjunction with the EU Whistleblower Directive);
  • Purpose limitation and data minimization for reports through Privacy by Design and Default (configuration of the reporting tool in a way that allows only data relevant to the report to be collected, irrelevant data should be deleted without undue delay);
  • Limit access to the reports by responsible employees only based on a strict and detailed authorization concept (Need-to-Know basis);
  • Ensure that the identity of the reporter/whistleblower remains confidential;
  • Inform all (potential) reporters/whistleblowers about the data processing activity in relation to the report and the following investigation process according to Art. 13 GDPR and the protection of their identity (preferably implemented in the reporting tools, so that the reporter/whistleblower is properly informed);
  • Documentation of the processing activity in a Record of Processing Activities according to Art. 30 GDPR;
  • Enter into GDPR compliant Data Processing Agreements with relevant service providers, if applicable;
  • Have applicable and GDPR compliant Technical and Organizational Measures in place;
  • Have a Retention Schedule in place (recommended deletion of personal data within two months after completion of the investigation unless legal proceedings follow);
  • Keep reports local unless necessary to disclose to other group entities due to the reports affecting other locations.

To date, there is very little official guidance available from EU data protection regulators. Sooner or later, EU data protection regulators will have to either issue updated guidance before the transposition laws at EU Member State level kick in or will encourage industry stakeholders to draw up a code of conduct for whistleblower reporting.

On the business side, successful implementation can protect your business and promote a better workplace culture. The Directive establishes three options for the reporting of information by whistleblowers:

  • Internal reporting channel within the business which are mandatory according to the Directive for businesses with 50 or more employees,
  • External reporting Channels facilitated through relevant authorities on a national or EU-level,
  • Under certain circumstances, the whistleblower can decide to publicly report the information, e.g. via social media.

These channels can either be:

  • Written – online reporting platform, email or post,
  • Verbal – phone hotline with messaging system or in-person.

We recommend staying updated on the developments on the EU Whistleblower Directive and the status of implementation within the EU member states. In the meantime, if you have questions on how the EU Whistleblower Directive might impact your business in Germany and the EU, do not hesitate to contact us.

Luxembourg’s National Commission for Data Protection fines Amazon a record-breaking 746 million Euros for misuse of customer data

11. August 2021

On August 6, 2021, Amazon disclosed the ruling of the Luxembourg data protection authority Commission nationale pour la protection des donées (CNPD) in an SEC filing, which imposed a record-breaking €746 million fine on Amazon Europe Core S.à.r.l. for alleged violations of the EU General Data Protection Regulation (GDPR) on July 16, 2021.

Based on press reports and Amazon’s public statements, the fine appears to relate to Amazon’s use of customer data for targeted advertising purposes.

The penalty is the result of a 2018 complaint by French privacy rights group La Quadrature du Net, a group that aims to represent the interests of thousands of Europeans to ensure their data is used according to data protection law in an attempt to avoid Big Tech companies manipulating their behavior for political or commercial purposes. The complaint also targets Apple, Facebook, Google and LinkedIn and was filed on behalf of more than 10,000 customers and alleges that Amazon manipulates customers for commercial means by choosing what advertising and information they receive.

Amazon stated that they „strongly disagree with the CNPD’s ruling“ and intend to appeal. „The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”

The amount of the fine is substantially higher than the proposed fine in a draft decision that was previously reported in the press. The French data protection authority (CNIL) said Luxembourg’s decision, which is “of an unprecedented scale and marks a turning point in the application of the GDPR and the protection of the rights of European nationals.“

The CNIL confirmed the CNPD fined Amazon, and other European member states agreed to the Luxembourg decision. Amazon will have six months to correct the issue.

EDPS and the EDPB call for a tightening of the EU draft legislation on the regulation of Artificial Intelligence (AI)

26. July 2021

In a joint statement, the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) call for a general ban on the use of artificial intelligence for the automated recognition of human characteristics in publicly accessible spaces. This refers to surveillance technologies that recognise faces, human gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioral signals. In addition to the AI-supported recognition of human characteristics in public spaces, the EDPS and EPDB also call for a ban of AI systems using biometrics to categorize individuals into clusters based on ethnicity, gender, political or sexual orientation, or other grounds on which discrimination is prohibited under Article 21 of the Charter of Fundamental Rights. With the exception of individual applications in the medical field, EDPS and the EDPB are also calling for a ban on AI for sentiment recognition.

In April, the EU Commission presented a first draft law on the regulation of AI applications. The draft explicitly excluded the area of international law enforcement cooperation. The EDPS and EDPB expressed “concern” about the exclusion of international law enforcement cooperation from the scope of the draft. The draft is based on a categorisation of different AI applications into different types of risk, which are to be regulated to different degrees depending on the level of risk to the fundamental rights. In principle, the EDPS and EDPB support this approach and the fact that the EU is addressing the issue in general. However, they call for this concept of fundamental rights risk to be adapted to the EU data protection framework.

Andrea Jelinek, EDPB Chair, and Wojciech Wiewiórowski, of the EDPS, are quoted:

Deploying remote biometric identification in publicly accessible spaces means the end of anonymity in those places. Applications such as live facial recognition interfere with fundamental rights and freedoms to such an extent that they may call into question the essence of these rights and freedoms.

The EDPS and EDPB explicitly support, that the draft provides for national data protection authorities to become competent supervisory authorities for the application of the new regulation and explicitly welcome, that the EDPS is intended to be the competent authority and the market surveillance authority for the supervision of the Union institutions, agencies and bodies. The idea that the Commission also gives itself a predominant role in the “European Artificial Intelligence Board” is questioned by the EU data protection authorities. “This contradicts the need for a European AI Board that is independent of political influence”. They call for the board to be given more autonomy, to ensure its independence.

Worldwide there is great resistance against the use of biometric surveillance systems in public spaces. A large global alliance of 175 civil society organisations, academics and activists is calling for a ban on biometric surveillance in public spaces. The concern is that the potential for abuse of these technologies is too great and the consequences too severe. For example, the BBC reports that China is testing a camera system on Uighurs in Xinjiang that uses AI and facial recognition to detect emotional states. This system is supposed to serve as a kind of modern lie detector and be used in criminal proceedings, for example.

European Commission Adopts UK Adequacy Decisions

5. July 2021

On June 28, 2021, the European Commission adopted two adequacy decisions for the United Kingdom, one under the General Data Protection Regulation (GDPR) and another under the Law Enforcement Directive.

This means that organizations in the EU can continue to transfer personal data to organizations in the UK without restriction and fear of repercussions. Thus, there is no need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection while transferring personal data, which represents a relief as the bridging mechanism of the interim period decided on after Brexit set out to expire by the end of June 2021.

The European Commission found the U.K.’s data protection system has continued to incorporate to the same rules that were applicable when it was an EU member state, as it had “fully incorporated” the principles, rights and obligations of the GDPR and Law Enforcement Directive into its post-Brexit legal system.

The Commission also noted the U.K. system provides strong safeguards in regards to how it handles personal data access by public authorities, particularly for issues of national security.

In regards to criticism of potential changes in the UK’s legal system concerning personal data, Věra Jourová, Vice-President for Values and Transparency stated that: „We have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK’s privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.“

The Commission highlighted that the collection of data by UK intelligence authorities is legally subject to prior authorization by an independent judicial body and that any access to data needs to be necessary and proportionate to the purpose pursued. Individuals also have the ability to seek redress in the UK Investigatory Powers Tribunal.

The rising threat of Ransomware

28. June 2021

Ransomware attacks are on a steep rise as the global pandemic continues. According to the cybersecurity firm SonicWall, there were more than 304 million attempted ransomware attacks tracked by them in 2020, which was a 62 percent increase over 2019. During the first five months of 2021, the firm detected another 116 percent increase in ransomware attempts compared to the same period in 2020. Another cybersecurity firm called Cybereason found in a recent study interviewing nearly 1,300 security professionals from all around the world that more than half of organisations have been the victim of a ransomware attack, and that 80 percent of businesses that decided to pay a ransom fee suffered a second ransomware attack, often times by the same cybercriminals.

Ransomware is a type of malicious software, which encrypts files, databases, or applications on a computer or network and perpetually holds them hostage or even threatens to publish data until the owner pays the attacker the requested fee. Captivated data may include Personal Data, business data and intellectual property. While Phishing attacks are the most common gateway for ransomware, there are also highly targeted attacks on financially strong companies and institutions (“Big game hunting”).

Alluding to the industry term Software-as-a-Service (SaaS), a new unlawful industry sub-branch has emerged in recent years, which according to security experts lowered the entrance barriers to this industry immensely: Ransomware-as-a-Service (RaaS). With RaaS, a typical monthly subscription could cost around 50 US-Dollars and the purchaser receives the ransomware code and decryption key. Sophisticated RaaS offerings even include customer service and dashboards that allow hackers to track the status of infections and the status of ransomware payments. Thus, cybercriminals do not necessarily have to have the technical skills themselves to create corresponding malware.

Experts point to various factors that are contributing to the recent increase in Ransomeware attacks. One factor is a consequence of the pandemic: the worldwide trend to work from home. Many companies and institutions were abruptly forced to introduce remote working and let employees use their own private equipment. Furthermore, many companies were not prepared to face the rising threats with respect to their cybersecurity management. Another reported factor has been the latest increase in value of the cryptocurrency Bitcoin which is the preferred currency by criminals for ransom payments.

Successful Ransomware attacks can lead to personal data breaches pursuant to Art. 4 No. 12 GDPR and can also lead to the subsequent obligation to report the data breach to the supervisory authorities (Art. 33 GDPR) and to the data subjects (Art. 34 GDPR) for the affected company. Businesses are called to implement appropriate technical and organisational measures based on the risk-based approach, Art. 32 GDPR.

Earlier this month, the Danish Data Protection Authority provided companies with practical guidance on how to mitigate the risk of ransomware attacks. Measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems when faced with ransomware may include providing regular trainings for employees, having a high level of technical protection of systems and networks in place, patching programs in a timely manner, and storing backups in an environment other than the normal network.

EU Commission publishes Draft Adequacy Decision for South Korea

25. June 2021

On 16 June 2021, the European Commission published the draft adequacy decision for South Korea and transmitted it to the European Data Protection Board (EDPB) for consultation. Thus, the Commission launched the formal procedure towards the adoption of the adequacy decision. In 2017, the Commission announced to prioritise discussions on possible adequacy decisions with important trading partners in East and South-East Asia, starting with Japan and South Korea. The adequacy decision for Japan was already adopted in 2019.

In the past, the Commission diligently reviewed South Korea’s law and practices with regards to data protection. In the course of ongoing negotiations with South Korea, the investigative and enforcement powers of the Korean data protection supervisory authority “PIPC” were strengthened, among other things. After the EDPB has given its opinion, the adequacy decision will need to be approved by a committee composed of representatives of the EU Member States.

The decision of an adequate level of protection pursuant to Art. 45 of the General Data Protection Regulation (GDPR) by the Commission is one of the possibilities to transfer personal data from the EU to a third-country in a GDPR-compliant manner. The adequacy decision will serve as an important addition to the free trade agreement and a strengthening of cooperation between the EU and South Korea. Věra Jourová, the Commission’s Vice-President for Values and Transparency, expressed after launching the formal procedure:

“This agreement with the Republic of Korea will improve the protection of personal data for our citizens and support business in dynamic trade relations. It is also a sign of an increasing convergence of data protection legislation around the world. In the digitalised economy, free and safe data flows are not a luxury, but a necessity.”

Especially in light of the Schrems II decision of the Court of Justice of the European Union, the adequacy decision for South Korea will be an invaluable asset for European and South Korean companies conducting business with each other.

EDPB adopts final Recommendation 01/2020 on Supplementary Measures for Data Transfers to Third Countries

22. June 2021

On June 21st, 2021 during its 50th plenary session, the European Data Protection Board (EDPB) adopted a final version of its recommendations on the supplementary measures for data transfers.

In its recent judgment C-311/18 (Schrems II) the Court of Justice of the European Union (CJEU) has decided that, while the Standard Contractual Clauses (SCCs) are still a valid data transfer mechanism, controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In the cases where the effectiveness of appropriate safeguards is reduced due to the legal situation in the third country, exporters may need to implement additional measures that fill the gaps.

To help exporters with the complex task of assessing third countries and identifying appropriate supplementary measures where needed, the EDPB has adopted this recommendation. They highlight steps to follow, potential information sources as well as non-exhaustive examples of supplementary measures that are meant to help exporters make the right decisions for data transfers to third countries.

The recommendations advise exporters to follow the following steps in order to have a good overview of data transfers and potential supplementary measures necessary:

1. Know the data transfers that take place in your organization – being aware of where data flows is essential to identify potentially necessary supplementary measures;

2. Verify the transfer tool that each transfer relies on and its validity as well as application to the transfer;

3. Assess if a law or a practice in the third country impinges on the effectiveness of the transfer tool;

4. Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard;

5. Take formal procedural steps that may be required by the adoption of your supplementary measure, depending on the transfer tool you are relying on;

6. Re-evaluate the level of protection of the data you transfer at appropriate intervals and monitor any potential changes that may affect the transfer.

The EDPB Chair, Andrea Jelinek, stated that “the effects of Schrems II cannot be underestimated”, and that the “EDPB will continue considering the effects of the Schrems II ruling and the comments received from stakeholders in its future guidance”.

The recommendations clearly highlight the importance of exporters to understand and keep an eye on their data transfers to third countries. In Germany, the Supervisory Authorities have already started (in German) to send out questionnaires to controllers regarding their data transfers to third countries and the tools used to safeguard the transfers. Controllers in the EU should be very aware of the subject of data transfers in their companies, and prepare accordingly.

Belgian DPA approves first EU Data Protection Code of Conduct for Cloud Service Providers

21. June 2021

On May 20th, 2021, the Belgian Data Protection Authority (Belgian DPA) announced that it had approved the EU Data Protection Code of Conduct for Cloud Service Providers (EU Cloud CoC). The EU Cloud CoC is the first transnational EU code of conduct since the entry into force of the EU General Data Protection Regulation in May 2018.

The EU Cloud CoC represents a sufficient guarantee pursuant to Article 28 (1) and 28 (5) of the GDPR, as well as Recital 81 of the GDPR, which makes the adherence to the code by cloud service providers a valid way to secure potential data transfers.

In particular, the EU Cloud CoC aims to establish good data protection practices for cloud service providers, giving data subjects more security in terms of the handling of their personal data by cloud service providers. In addition, the Belgian DPA accredited SCOPE Europe as the monitoring body for the code of conduct, which will ensure that code members comply with the requirements set out by the code.

It further offers cloud service providers with practical guidance and a set of specific binding requirements (such as requirements regarding the use of sub-processors, audits, compliance with data subject rights requests, transparency, etc.), as well as objectives to help cloud service providers demonstrate compliance with Article 28 of the GDPR.

In the press release, the Chairman of the Belgian DPA stated that „the approval of the EU Cloud CoC was achieved through narrow collaboration within the European Data Protection Board and is an important step towards a harmonised interpretation and application of the GDPR in a crucial sector for the digital economy“.

New SCCs published by the EU Commission for international data transfers

10. June 2021

On June 4th 2021, the EU Commission adopted new standard contractual clauses (SCC) for international data transfers. The SCCs are model contracts that can constitute a suitable guarantee under Art. 46 of the General Data Protection Regulation (GDPR) for the transfer of personal data to third countries. Third countries are those outside the EU/European Economic Area (EEA), e.g. the USA.

The new clauses were long awaited, as the current standard contractual clauses are more than 10 years old and thus could neither take into account the requirements regarding third country transfers of the GDPR nor the significant Schrems II ruling of July 16th, 2020. Thus, third country transfers had become problematic and had not only recently been targeted by investigations by supervisory authorities, inter alia in Germany.

What is new about the SCCs now presented is above all their structure. The different types of data transfers are no longer spread over two different SCC models, but are found in one document. In this respect, they are divided into four different “modules”. This should allow for a flexible contract design. For this purpose, the appropriate module is to be selected according to the relationship of the parties. The following modules are included in the new SCCs:

Module 1: Transfer of personal data between two controllers.
Module 2: Transfer of personal data from the controller to the processor
Module 3: Transfer of personal data between two processors
Module 4: Transfer of personal data from the processor to the controller

The content of the new provisions also includes an obligation to carry out a data transfer impact assessment, i.e. the obligation to satisfy oneself that the contractual partner from the third country is in a position to fulfil its obligations under the current SCCs. Also newly included are the duty to defend against government requests that contradict the requirements of the standard protection clauses and to inform the competent supervisory authorities about the requests. The data transfer impact assessment must be documented and submitted to the supervisory authorities upon request.

The documents are the final working documents. The official publication of the SCCs in the Official Journal of the European Union took place on June 7th, 2021. From then on and within a period of 18 months until December 27th, 2022, the existing contracts with partners from third countries, in particular Microsoft or Amazon, must be supplemented with the new SCCs.

However, even if the new SCCs are used, a case-by-case assessment of the level of data protection remains unavoidable because the new clauses alone will generally not be sufficient to meet the requirements of the ECJ in the above-mentioned ruling. In such a case-by-case examination, the text of the contract and the actual level of data protection must be examined. The latter should be done by means of a questionnaire to the processor in the third country.

Accordingly, it is not enough to simply sign the new SCC, but the controller must take further action to enable secure data transfer to third countries.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 21 22 23 Next
1 2 3 4 5 23