Category: EU

European Commission: €110 million fine for Facebook

23. May 2017

According to an European Commission Press release from the 18 May 2017, Facebook was fined €110 million by the Commission for providing misleading information about the takeover of WhatsApp.

Facebook acquired WhatsApp in 2014. Back then Facebook informed the European Commission that it would not be able to establish reliable automated matching between the users of Facebook and WhatsApp. Two years later, in August 2016, Facebook announced an update to its terms of service and privacy policy. The update included the possibility to link phone numbers of WhatsApp users with their respective Facebook accounts.

According to the Press release and contrary to the statement given by Facebook during the merger process 2014, the Commission has found that the possibility of automated linking of Facebook and WhatsApp users already existed in 2014.

Commissioner Margrethe Vestager, who is in charge of the competition policy, said: “Today’s decision sends a clear signal to companies that they must comply with all aspects of EU merger rules, including the obligation to provide correct information.”

It is the first time that the European Commission has imposed a fine on a company for the provision of misleading information since the Merger Regulation came into force in 2004.

Existing concerns on Windows data protection laws infractions

22. February 2017

There still exists a European data protection authorities´ concern on the data collection practices in Windows 10. Even though the letter to Microsoft has been sent by the Article 29 Working Party (or WP29), the UK Information Commissioner’s Office (ICO) has expressed its serious worries.

Microsoft was therefore asked to explain in a very clear way the purposes and kinds of personal data, which are under processing, as this is still an issue, which remains unclear.

Last July even France`s CNIL has demanded Microsoft to “halt the excessive collection of data and the tracking of users’ browsing without their consent”, as it accused Microsoft of numerous data protection laws infractions, such as too wide personal data collection under the telemetry programme and tracking tool default activation (intended to the targeted advertising delivery) without consent or user knowledge.

As a response Microsoft has released to the market (in January) a new Windows 10 update – so called “Creators Update”. It includes a dashboard based on web, which allows users to choose the desired data-sharing level.

At the conference in Australia, which took place this Monday, Microsoft has also announced a second major Windows 10 release this year (with the Neon user-interface design elements project).

According to the WP29 though: “Even considering the proposed changes to Windows 10, the Working Party remains concerned about the level of protection of users’ personal data”.

“Microsoft should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid.”

Apart from Windows, the WP29 has also taken Facebook, WhatsApp and Yahoo under its magnifier, which are being suspected of data-protection laws violations.

Category: Article 29 WP · EU · Personal Data · UK
Tags:

European Commission proposes new ePrivacy Regulation

10. February 2017

On January 10, the European Commission published a proposal for an ePrivacy Regulation. After the adoption of the General Data Protection Regulation (‘GDPR’), a new ePrivacy Regulation would be the next step in pursuing the European Commission’s Digital Single Market Strategy (‘DSM’).

If adopted, the ePrivacy Regulation will replace both the ePrivacy Directive (2002/58/EC) and the Cookie Directive (2009/136/EC). In contrast to a Directive that has to be implemented into national law by each EU Member State, a Regulation is directly applicable in all Member States. Thus a Regulation would support the harmonisation of the data protection framework.

What’s new?

Since 2009, when the ePrivacy Directive was revised last, important technological and economic developments took place. In order to adapt the legal framework to the reality of electronic communication, the scope of the proposed Regulation is widened to apply to the so called ‘over-the-top’ (‘OTT’) service providers. These OTT providers, such as WhatsApp, Skype or Facebook, run their services over the internet.

By ensuring the privacy of machine-to-machine communication, the Regulation also deals with the Internet of Things and thus seems not only to consider the current situation of electronic communication, but also to prepare for upcoming developments within the information technology sector.

Electronical communications data (metadata as well as content data) cannot be processed without complying with the requirements of the Regulation. Metadata can be processed, if necessary for mandatory quality of service requirements or for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communication services.

Content data can be used for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content or if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority.

Regarding the use of cookies, the end-users’ consent is still the basic requirement, except for first party non-privacy intrusive cookies. These cookies can now be used without the consent of the end-user. The proposed Regulation furthermore allows to use browser settings as consent.

In contrast to the draft of the Regulation leaked in December 2016, the official proposal does not contain the commitment to ‘Privacy by default’, which means that software has to be configured so that third parties cannot store information on or use information about a user’s device.

The Commission’s proposal of the Regulation just demands that software must offer the option to prevent third parties from storing information on or using information about a user’s device.

ePrivacy Regulation and GDPR

Both the ePrivacy Regulation and the GDPR are part of the above mentioned ‘DSM’. Several commonalities prove this fact. For instance, the fines in both Regulations will be the same. Furthermore, the EU Data Protection Authorities responsible for the enforcement of the GDPR will also be responsible for the ePrivacy Regulation.  This will contribute to the harmonisation of the data protection framework and increase trust in and the security of digital services.

What’s next?

After being considered and agreed by the European Parliament and the Council, the Regulation could be adopted by May 25th, 2018, when the GDPR will come into force. It is to see whether this schedule is practicable, considering how long the debate about the GDPR took.

Trump’s Executive Order Impact on the Privacy Shield

8. February 2017

Background

The Court of Justice of the European Union has invalidated the U.S.-EU Safe Harbor framework (October 2015), which was replaced by the Privacy Shield on 12 July 2016.

Enhancing Public Safety in the Interior of the United States” (Executive Order) was issued by the US President Donald Trump on 25th January 2017. This act’s main aim was the immigration laws enforcement in the U.S.

In its Section 14 we may read: “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”

The so-called “Umbrella Agreement” (signed on 2nd December 2016) between the U.S. and EU, ensured the personal data transfers for law enforcement purposes. This agreement applies also to the pre-existing agreements between the U.S. and EU along with the various Mutual Legal Assistance Treaties (“MLATs”), Passenger Name Records Agreement, and Safe Harbor framework.

Part 19 of the Umbrella Agreement enables every European citizen to seek judicial review in case of an unlawfully disclosure individual’s personal data or denial of the right to access or amend the personal data in agency’s possession.

Before the Umbrella Agreement, there was no such legal possibility, although the Privacy Act of 1974 extended those rights to permanent residents of the U.S. and its citizens. EU would only agree with the Umbrella Agreement once U.S. extends protections to the European citizens under the Privacy Act, so that the U.S. is expected to comply with the Umbrellas Agreement Art. 19.

Moreover, in February 2016 the Judicial Redress Act was passed as the U.S. and EU got along with each other, which extended protections of the Privacy Act (disclosure, access, amendment) to citizens of “covered countries’’ (as named in the Judicial Redress Act).

On 17th of January 2017 Loretta Lynch (new former U.S. Attorney General) designated “covered jurisdictions’’ (as named in the Judicial Redress act) to include in the Judicial Redress Act all the EU Members apart from Denmark and the UK, which has become effective on 1st February.

The Attorneys General designation however, is not subject to administrative or judicial review (within the Judicial Redress Act).

Conclusion

Donald Trump’s Executive Order is believed not to affect the Judicial Redress Act (which is applicable law in the context of data transfers for law enforcement purposes) in terms of the Privacy Act rights to the European citizens extension, so as to say that the Executive Order should not impact Privacy Shield Framework’s legal viability.

Unresolved is still an aspect of “covered countries’’ designation, as the Judicial Redress Act includes a “covered countries’’ designations removal process, which is still subject of a dispute.

European Commission releases proposal to complete data protection framework

13. January 2017

On January 10th 2017 the European Commission released a Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications.

The presented proposal pursues the implementation of the EU’s Digital Single Market strategy. The Digital Single Market strategy aims to increase trust in and the security of digital services. With the upcoming General Data Protection Regulation further legislative measures have to be implemented in order to build a coherent regulatory framework.

The proposed Regulation will repeal the Directive 2002/58/EC Regulation on Privacy and Electronic Communications, also known as the “E-Privacy Directive”, which insufficiently regards current technological developments. Especially so-called Over the Top communication services, such as the messenger services WhatsApp, Skype or Facebook Messenger, are not regulated by the E-Privacy Directive and lack sufficient privacy for its users. According to the proposed Regulation, the content of messages as well as metadata will have to remain confidential and / or anonymized unless the user consented otherwise.

In addition, the new rules set out a strategic approach relating to international data transfer. By engaging in so-called “adequacy decisions” the transfer of personal data will be simplified while a high level of privacy remains.

The proposed Regulation further contains rules to ensure that personal data, which is processed by EU institutions and bodies, is handled according to the measures of the General Data Protection Regulation.

Finally, since the nature of the Proposal is a regulation instead of a directive, it should have a stronger impact for both consumers and businesses.

Ideally the legislative process will be finalized by May 25th 2018, when the General Data Protection Regulation will enter into force.

Article 29 Working Party released Guidelines on Data Protection Officers, Data Portability & One-Stop Shop

19. December 2016

The European Article 29 Working Party just published Guidelines after their December plenary meeting.

These Guidelines include explanations in terms of the role of the Data Protection Officer, the mechanisms for data portability and how a lead authority will be established with regard to the one-stop shop. Furthermore, some guidance on the EU-U.S. Privacy Shield was also included.

When do you have to appoint a DPO?

Article 37 (1) of the GDPR states that a DPO has to be appointed

a) where the processing is carried out by a public authority or body

b) where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale

or c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data.

How does the Article 29 Working Party define these requirements?

“Core activities” are defined as the “key operations necessary to achieve the controller’s or processor’s goals.” The Article 29 Working Party gives the following example: a hospital needs to process health data as core to its ultimate activity of providing health care services.

Therefore, companies have to ask themselves whether the processing of personal data is a inextricably part for archiving their goals.

 

“Large scale” refers to the number of data subjects and not the company’s size.

The Working Party 29 defines the following identification aspects for a “large scale”:

  • The number of data subjects affected.
  • The volume of data and/or the range of different data items being processed.
  • The duration, or permanence, of the data processing activity.
  • The geographical extent of the processing activity.

However, the Working Party 29 welcomes feedback on the Guidelines from stakeholders through January 2017. Comments can be sent to just-article29wp-sec@ec.europa.eu and presidenceg29@cnil.fr.

 

The latest news concerning the dispute in terms of the “right-to-be-forgotten”

13. December 2016

Peter Fleischer, a global privacy counsel, raised the question: „Should the balance between the right to free expression and the right to privacy be struck by each country?“

In basic terms, the right-to-be-forgotten is a right of every European citizen to demand the erasure of certain links from the internet. However, this can also be seen as cencorship and rewriting history, which is why there is a neverending debate upon this topic.

The French Data Protection Authority, CNIL, has demanded an ultimate right-to-be-forgotten, which would mean that French data could be demanded to be removed, for example from Google search, from all over the world.

The problem which might occur is that also non-democratic countries have to follow this rule in theory. One might argue that the internet can be seen as as an independent source of infromation that is now being endangered.

Google disagrees with the idea that the right-to-be-forgotten should also be applied upon the countries outside the Europe.

Google’s only confirmation is that it is acting in accordance with the local laws as well as within the standards set by the European Court. What is more, Google makes a promise to remove the respective links from all European Google versions simultaneously.

Nevertheless, it has also beeen pointed out that one still could have found a link on the non-European version of Google.

As a feedback Google has delisted links as well on Google.com, Google.co.kr and Google.com.mx.

The viability of the EU-U.S. Privacy Shield under Trump is questioned

8. December 2016

What happened?

As Bloomberg Law Privacy & Data Security just reported, officials of the European Union stated that they will watch carefully for any signs of U.S. President-elect Donald Trump turning around the EU-U.S. Privacy Shield agreement.

Vera Jourova, EU Justice Commissioner, can be quoted that the European Union would “closely monitor the respect of protection standards and the correct implementation” of the EU-U.S. Privacy Shield “under the new U.S. leadership”.

Why are the concerns raised?

The questions are asked is due to the fact that under the EU-U.S. Privacy Shield data transfers are based on respect for European privacy rights in case European personal data is transferred to the USA for commercial purposes. However, as Trump made comments that can be interpreted so that such privacy rights might be disregarded, during the U.S. presidential campaig, concerns are raised.

Adina-Ioana Valean, Member of the European Parliament, gave a speech at the European Data Protection and Privacy Conference in Brussels and explained that “a lot of things were said” during the U.S. presidential campaign. Therefore, she concluded that “we should sit and wait for the next move and then we can judge”.

 

 

Use of encryption App increases after US election

6. December 2016

BuzzFeed News reported, that after electing Donald Trump the App called Signal has been faced with a 400 percent rise in daily downloads.

This App is a secure communications tool and therefore well-known in terms of technology, journalism and politics. When using this App people are able to text and speak with one another by encrypting end-to-end, so that only the sender and the intended recipient can read or hear the respective message.

The founder of the App called Signal, Moxie Marlinspike, released a statement saying that “There has never been a single event that has resulted in this kind of sustained, day-over-day increase.” Marlinspike explained that “Trump is about to be put in control of the most pervasive, largest, and least accountable surveillance infrastructure in the world (…) People are maybe a bit uncomfortable with him.”

 

ICO: confirmation about new guidelines in terms of the GDPR

30. November 2016

Elizabeth Denham, UK Information Commissioner, participated at the Annual Conference of the National Association of Data Protection and Freedom of Information Officers during which she gave a keynote speech. In her statement Denham explained that the UK prepares for the upcoming GDPR. She confirmed the government’s position that the GDPR will be implemented in the UK as well – Brexit aside.

Denham’s statement includes that the first regulatory guidance on the GDPR can be expected to be published by the Article 29 Working Party at the end of this year. It is believed that this guidance will probably make a number of key aspects of the GDPR of discussion.

Another point of her speech included the fact that the Article 29 Working Party is about to release a concept of risk under the GDPR and carrying out Data Privacy Impact Assessments at the beginning of 2017.

Furthermore, it was mentioned that the Article 29 Working Party aims to publish guidance in terms of certifications under the GDPR.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 11 12 Next
1 4 5 6 7 8 12