Category: European Data Protection

Japan and the EU are establishing an environment of data protection between its citizens (and companies)

18. July 2018

As part of the Economic Partnership Agreement (EPA), the European Union and Japan have signed the 17th July 2018, the two parties recognise each other’s data protection laws as equivalent. In this manner, personal data will flow in the future safely between the EU and Japan.

In Europe, a committee composed of representatives of the EU Member States has to give its consent and the European Data Protection Board (EDPB) publishes its opinion before the European Commission adopts the adequacy decision. Once the agreement is established, EU citizens and 127 Million Japanese consumers will benefit from international trading that includes the high privacy standards of the General Data Protection Regulation (GDPR).

Japanese companies now have to comply some safeguards to fulfil the European data protection level, like the protection of sensitive data, the requirements for transfer of data to a third country or the exercise of individual rights to access individual rights (compared to Art. 12 – 23 of the GDPR). The Japanese watchdog (PPC) will implement these rules as well as a complaint-handling mechanism to investigate and resolve complaints of European citizens concerning the data processing of Japanese controllers.

This agreement is a result of the communication Exchanging and Protecting personal data in a globalised world, announced by the Commission in January 2017.

The EEA EFTA States incorporate the General Data Protection Regulation (GDPR) soon

9. July 2018

On 20th of July 2018 the European Data Law will come into effect also in the three EFTA States (Iceland, Norway and Liechtenstein). This has been the result of the incorporation Agreement by the EEA Joint Committee in Brussels on July 6th 2018.

Before the GDPR becomes applicable throughout all three states, each of the states shall notify the agreement by a parliamentary process.

As usual for the EEA Joint Agreements, the EFTA States are obligated to implement the EU Regulation and they are affected by the Jurisdiction of the European Court of Justice (ECJ). The supervisory authority of the EFTA States also participates in the activities of the European Data Protection Board, without having the right to vote and to stand for election as chair or deputy chairs of the board.

Switzerland is not part of this agreement and has its own legal basis for data protection.

Data breach at Panini’s online service ‘MyPanini’

2. July 2018

According to a report in the magazine ‘Der Spiegel’, personal data and images of users who wanted to create Panini images with their own photos could be accessed by third parties.

The Italian scrapbook manufacturer for football images Panini has serious problems with the security of their online customer database. Through changing the browser’s URL, unauthorized persons could have accessed personal data of other customers, including pictures of minors. Therefore, the case can be considered as particularly serious.

Through its ‘MyPanini’ service, Panini offers fans the opportunity to upload photos with their own images and have these personalised images sent to them. Until a few days ago, logged in users could have also seen the uploaded images and personal data of other customers. Apparently the full name, the date of birth and partly even the place of residence of the customers are listed.

To a certain degree, the uploaded images showed children and young children from different countries in the private domestic environment, some even with their naked upper body.

The data breach was confirmed and has been known internally for days. Supposedly, the problem has been solved by a security update, but it is not possible to access the website at the moment.

It remains to be seen what financial consequences the data breach has for either Panini or the technical service provider. In accordance with new European General Data Protection Regulation (GDPR) infringements of the provisions can lead to administrative fines up to 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the preceding financial year.

The French Constitutional Council ruled in favour of the new data protection law implementing the EU General Data Protection Regulation

20. June 2018

The Senators referred the recently adopted data protection law to the Constitutional Council (‘Conseil Constitutionnel’) to prevent its promulgation on time for the General Data Protection Regulation (GDPR) to enter into force on last May 25. Now that the law has overcome the constitutional obstacle, it is expected to be promulgated in the next days.

The decision of the Constitutional Council (Décision n° 2018-765 DC) on June 12 demonstrates that the senators questioned the constitutionality of a number of Articles, e.g. 1, 4, 5, 7, 13, 16, 20, 21, 30 and 36.

Initially, the validity of universal law was weighed against the objective of constitutionality in terms of legislative accessibility and intelligibility. The senators argued that the implementation with the provisions of the GDPR was not clear and could “seriously mislead” citizens about their rights and obligations with regard to data protection.
The Council did not endorse this reasoning, stating that the law was readable and that Article 32 of the law referred to actually empowered the Government to take the measures required “in order to make the formal corrections and adaptations necessary to simplify and ensure consistency and simplicity in the implementation by the persons concerned of the provisions bringing national law into compliance” with the General Data Protection Regulation.

Furthermore, the constitutionality of most of the above-mentioned Articles was established. Nonetheless, Article 13 of the law amends Article 9 of the current law, according to which personal data relating to criminal convictions and offences or related security measures may only be processed “under the control of an official authority” or by certain categories of persons listed in the law. However, according to the Council, it is only a reproduction of Article 10 of the GDPR, without specifying the categories of persons authorised to process such data under the control of the authority, or the purposes of such processing. The words “under the control of the official authority” are not specific enough and therefore unconstitutional. This terminology will not be found in the promulgated law.

For France this symbolises a major step forward to join the small circle of European countries that have succeeded in implementing the GDPR at a national level.

Under the new GDPR: Complaints against Google, Instagram, WhatsApp and Facebook

1. June 2018

On the 25th of May, the day the General Data Protection Regulation (GDPR) came into force, noyb.eu filed four complaints over “forced consent” against Google (Android), Instagram, WhatsApp and Facebook.

The complaints filed by the organisation (None Of Your Business) led by Austrian activist Schrems could result in penalties worth up to 7 billion euros. Max Schrems has been fighting Facebook over data protection issues for almost ten years. His earlier lawsuit challenged Facebook’s ability to transfer data from the European Union to the United States (“Safe Harbor”).

The activist alleged that people were not given a “free choice” whether to allow companies to use their data. Noyb.eu bases its opinion on the distinction between necessary and unnecessary data usage. “The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent.” (See https://noyb.eu/wp-content/uploads/2018/05/pa_forcedconsent_en.pdf) The organisation also claims that under Art. 7 (4) of the GDPR forced consent is prohibited.

The broadly similar complaints have been filed in authorities in various countries, regardless of where the companies have their headquarters. Google (Android) in France (data protection authority: CNIL) with a maximum possible penalty in the amount of 3.7 billion euro although its headquarter is in the USA. Instagram (Facebook) in Belgium (DPA). WhatsApp in Hamburg (HmbBfDI) and Facebook in Austria (DSB). All of these last three have their headquarters in Ireland and could face a maximum possible penalty in the amount of 1.3 billion euro.

European Commission: more protection for whistleblowers

24. April 2018

The European Commission intends to grand more protection for Whistleblowers from retribution when they expose fraud, data breaches and other misdeeds, as Reuters reports. In order to reach this goal, the European Commission proposed new rules last Monday. However, also safeguards against malicious or abusive reports has been considered. The Vice President Francs Timmermans said, “There should be no punishment for doing the right thing”.

Before it can become law, the proposal has to be approved by the EU member states and the European Parliament. Such law would require companies to implement internal channels for whistleblowers while also protecting them from reprisals like sackings, demotion and litigation. Down to the present day, only 10 EU member states grant full protection to whistleblowers.

Application of the GDPR outside the EU

10. April 2018

When the General Data Protection Regulation (GDPR) comes into force on May 25th this year, not only in Europe the handling of personal data will have to change. Companies operating with customer data of EU citizens also have to observe the GDPR worldwide. But which non-European legal entity has to show consideration for the European Data Protection?

In accordance with Article 3 (1) GDPR, the GDPR applies to the processing of data of natural persons in so far as it takes place in the context of an activity of the controller (see Article 4 (7) GDPR) or a processor (see Article 4 (8) GDPR) in the Union. This applies irrespective of whether the data processing takes place on EU territory or in a third country.

If the data subject lives in the EU but the controller / data processor is located outside the EU, the scope of the GDPR according to Article 3 (2) GDPR is applicable if the data processing is related to goods or services offered within the EU (see Art. 3 (2) lit. a)). The GDPR applies cumulatively if the processor carries out a profiling on a EU-citizen (see Art. 3 (2) lit. b)).

Furthermore, the GDPR is also applied outside the EU territory to a controller / data processor who isn’t resident of the EU, if the law of a Member State becomes applicable on the basis of international public law (e.g. in consular or diplomatic matters, or on the basis of private international law).

WP29 Guidelines on the notion of consent according to the GDPR – Part 2

3. April 2018

Continued from the article about the Working Party 29 (WP29) guidelines on consent, additional elements of the term should be considered as consent plays a key role for the processing of personal data.

The GDPR requires consent to further be specific, i.e. the data subject must be informed about the purpose of the processing and be safeguarded against function creep. The data controller has to, again, be granular when it comes to multiple consent requests and clearly separate information regarding consent from other matters.

In case the data controller wishes to process the data for a new purpose, he will have to seek new consent from the data subject and cannot use the original consent as a legitimisation for processing of further or new purposes.

Consent will also be invalid if the data controller doesn’t comply with the requirements for informed consent. The WP29 lists six key points for consent to be informed focussing on the aspect that the data subject genuinely needs to understand the processing operations at hand. Information has to be provided in a clear and plain language and should not be hidden in general terms and conditions.

Furthermore, consent has to be an unambiguous indication of wishes, i.e. it must always be given through an active motion or declaration. For example, the use of pre-ticked opt-in boxes is invalid.

However, explicit consent is required in situations where serious data protection risks emerge such as the processing of Special categories of data pursuant to Art. 9 GDPR.

In general, the burden of proof will be on the data controller according to Art. 7 GDPR, without prescribing any specific methods. The WP29 recommends that consent should be refreshed at appropriate intervals.

Concerning the withdrawal of consent, it has to be as easy as giving consent and should be possible without detriment.

The WP29 also recommends that data controllers assess whether processing of data is appropriate irrespective of data subjects’ requests.

How is a company transferring data with a non-European company able to ensure the data-protection standard according to the General Data Protection Regulation (GDPR)?

21. March 2018

A trading deal between two companies often includes a high number of coincidentally transferred personal data. From the 25th May 2018 on the new GDPR regulates the data flow in the European Economic Area (EEA) that consists of all the members of the European Union, Iceland, Liechtenstein and Norway. The future status of Great Britain will be primarily the status of a third country.

Otherwise, business relationships to companies from non-EU or EEA States (like the USA, China, …) cannot guarantee the data protection standard of the GDPR automatically. Especially since the overruling of the “safe-harbour” agreement of the EU with the USA by the European Court of Justice (ECJ), every company that transfers data over the Atlantic is obligated to fulfil the data protection by itself. The European Commission (EC) recommends in its communication from the 10th January 2017 the use of so-called standard contractual clauses (SCC) or binding corporate rules (BCR), when an EU-based company transfers personal data to a non-EU based company or non-EU based entity of its corporate group.

This has a wide impact to the daily trade deals that are made all over Europe with third country companies. The EU recommends the data protection going hand in hand with the trading deals, to ensure the relatively high data protection level, which is based on Article 8 of the Charter of Fundamental Rights of the European Union. Especially until the ePrivacy-Regulation of the EU is not in force, every company has to ensure the standard of the GDPR by implementing a privacy policy, in which transfers of data to a third country has to be mentioned.

In conclusion, a company that trades with third country companies needs to enter a special data protection contract with the trading partner and needs to inform its clients by its privacy policy.

The European Data Protection Board – A new authority under the EU General Data Protection Regulation (GDPR)

27. February 2018

Through the new General Data Protection Regulation (GDPR) there will be established a new EU Data Protection Authority, the so-called European Data Protection Board (the “Board”). The Board replaces the Article 29 Working Party starting May 25th 2018, when the GDPR enters into force. The board has its own legal personality.

Pursuant to Art. 68 (3) GDPR the Board is composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor. It works independent and on its own initiative by issuing its opinion pursuant to Art. 64 GDPR or adopting a binding decision pursuant to Art. 65 GDPR, especially in the written cases of Art. 65 (1) GDPR. The Board hence has the authority to adopt one of the most powerful legal acts of the union from Art. 288 of the Treaty of the European Union (TFEU).

While harmonizing the data protection in the EU, the Boards main task is to maintain the consistent application of the GDPR by the national supervisory authority through the Consistency mechanism pursuant to Art. 63 GDPR. Within this Consistency mechanism, the Board comments the so-called Binding Corporate Rules (BCR), which are necessarily given by national data protection authorities for international data transfer of a company group.

The Board also has the final say if the national data protection authorities cannot reach an agreement concerning the implementation of the GDPR.

Pages: 1 2 3 4 5 6 7 8 Next
1 2 3 8