Category: European Data Protection

Apple, Google and Co. endorse a more GDPR-like U.S. federal privacy law

6. November 2018

At the 4oth International Conference of Data Protection and Privacy Commissioners (ICDPPC) Apple CEO Tim Cook and other prominent representatives of leading tech companies, all expressed their endorsement of a more GDPR-like privacy legislation around the globe and particularly the US. The ICDPPC takes place in Brussels once a year and apart from independent data protection authorities as accredited members, the attendees include representatives of states without independent data protection supervisory bodies, international organisations, non-governmental organisations as well as representatives from science and industry.

On this platform, Cook strongly supported the idea of introducing similar data protection standards to those of the GDPR in the US and encouraged his fellow tech companies to do so as well. The Apple CEO warned of a danger of a “data industrial complex”, where information about individuals is being weaponized against humanity “with military efficiency”. Cook pointed out that scraps of personal data are “carefully assembled, synthesized, traded and sold” creating an “enduring digital profile which lets companies know individuals better than they may know themselves”, since businesses would use these information to make billions and billions of dollars. As this would end up in surveillance while those stockpiles of data only serve to enrich companies, he ensures Apple’s “full support of a comprehensive federal privacy law in the United States”.

Without mentioning them, the Apple CEO refers in particular to the data giants Google and Facebook by emphasizing their responsibility of creating adequate data protection standards. Both of them have been in the focus of a global discussion on whether they provide their users with adequate privacy settings. However, Facebook’s CPO Erin Egan replied, unequivocally, “yes”, when she was asked whether she would support a GDPR-like data protection law in the U.S. as well as Google General Counsel Kent Walker said, “we’ve been on record for some time calling for comprehensive privacy legislation in the past years” when he was asked about Google’s position on a U.S. federal privacy bill. Walker also pointed to Google’s recent release of principles it supports as part of a federal bill.

Last but not least, Microsoft Corporate Vice President and Deputy General Counsel Julie Brill eventually stated that Microsoft has extended many of the GDPR’s protection measures to their entire customer base and has been a supporter of a U.S. federal privacy bill since 2005. In particular, Brill endorsed a “strong, robust, and horizontally effective baseline privacy legislation.” She further ensured that at Microsoft people are using their voice as strongly as they could to encourage that to take place.

Bearing in mind the data scandals around – in particular – Google and Facebook, and the rather low data protection standards in the U.S., it seems that at least four representatives of the top seven tech companies in the world endorse a new U.S. federal privacy bill and will encourage in supporting an adequate privacy standard around the globe. Regarding the actual stance of the Trump administration, FTC Commissioner and recent Trump appointee Noah Phillips, gave an indication about how this subject will be treated. According to his personal opinion, such a regulation should be done “only if necessary and then very carefully.” Being asked whether the U.S. has the right laws in place to regulate technology appropriately, or whether there were any gaps, he replied, “that is a big question we are debating right now in the United States.”

EDPB Publishes Opinions on National DPIA Lists

17. October 2018

Regarding the data protection impact assessment (“DPIA”) the European Data Protection Board (“EDPB”) recently published 22 Opinions on the draft lists of Supervisory Authority (“SAs”) in EU Member States. This is supposed to clarify which processing operations are subject to the requirement of conducting a DPIA under the EU General Data Protection Regulation (“GDPR”).

The European Data Protection Board is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The Supervisory Authorities will now be given two weeks to decide whether they want to amend their draft list or maintain them and explain their decision.

Article 35(4) of the GDPR states that the SAs of the EU Member States must establish, publish and communicate to the EDPB a list of processing operations that trigger the DPIA requirement under the GDPR. Several EU Members States provided their list: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden and the United Kingdom.

The national lists can vary because the SAs must take into account not only their national legislation but also the national or regional context.

To some extent, the EDPB requests that the SAs include processing activities in their list or specify additional criteria that, when combined, would satisfy the DPIA requirement. Furthermore, the EDPB requests that the SAs remove some processing activities or criteria not considered to present a high risk to individuals. The objective of the EDPB opinions is to ensure consistent application of the GDPR’s DPIA requirement and to limit inconsistencies among the EU States with respect to this requirement.

Luxembourg publishes two new Data Protection Laws

24. August 2018

On August 1st, 2018 the Luxembourg government adopted two new data protection laws implementing certain parts of the General Data Protection Regulation (Regulation (EU) 2016/679 – the “GDPR”) and repeals the former data protection law of 2002. Draft Bill Number 7184 and 7168 were adopted and complement the GDPR, which has been in force since 25 May 2018 throughout the European Union.

The newly implemented laws don’t add any further restrictions to the processing of personal data, but rather serve as implementing provisions required under GDPR.

The new Luxembourg Data Protection Law defines the organisation, missions and competence of the Luxembourg data protection authority (Commission nationale pour la protection des données – CNPD) and provides specific requirements or exceptions. The CNPD has been granted broad investigation powers. The CNPD receives for example the right to obtain access from any controller or processor to all personal data and information necessary to verify compliance under GDPR. The CNPD is also in charge to issue warning, orders and fines to any controller or processor who is not compliant under the provisions of the GDPR.

The second new law, the Luxembourg Law on Criminal Data Processing specifically relates to the protection of individuals with regard to the processing of personal data in criminal matters and national security.

The two laws should be read together, as they jointly extend the competences of the CNPD.

Starting with the new implementations, Luxembourg companies are discharged of the administrative burden of an active notification of personal data processing to the CNPD prior to processing personal data. However, companies should be ready to be controlled by the local regulator and therefore they are obliged to keep a record of the processing of personal data that is carried out under their responsibility.

The final versions were published on August 16th, 2018 in the Official Gazette of Luxembourg.

Japan and the EU are establishing an environment of data protection between its citizens (and companies)

18. July 2018

As part of the Economic Partnership Agreement (EPA), the European Union and Japan have signed the 17th July 2018, the two parties recognise each other’s data protection laws as equivalent. In this manner, personal data will flow in the future safely between the EU and Japan.

In Europe, a committee composed of representatives of the EU Member States has to give its consent and the European Data Protection Board (EDPB) publishes its opinion before the European Commission adopts the adequacy decision. Once the agreement is established, EU citizens and 127 Million Japanese consumers will benefit from international trading that includes the high privacy standards of the General Data Protection Regulation (GDPR).

Japanese companies now have to comply some safeguards to fulfil the European data protection level, like the protection of sensitive data, the requirements for transfer of data to a third country or the exercise of individual rights to access individual rights (compared to Art. 12 – 23 of the GDPR). The Japanese watchdog (PPC) will implement these rules as well as a complaint-handling mechanism to investigate and resolve complaints of European citizens concerning the data processing of Japanese controllers.

This agreement is a result of the communication Exchanging and Protecting personal data in a globalised world, announced by the Commission in January 2017.

The EEA EFTA States incorporate the General Data Protection Regulation (GDPR) soon

9. July 2018

On 20th of July 2018 the European Data Law will come into effect also in the three EFTA States (Iceland, Norway and Liechtenstein). This has been the result of the incorporation Agreement by the EEA Joint Committee in Brussels on July 6th 2018.

Before the GDPR becomes applicable throughout all three states, each of the states shall notify the agreement by a parliamentary process.

As usual for the EEA Joint Agreements, the EFTA States are obligated to implement the EU Regulation and they are affected by the Jurisdiction of the European Court of Justice (ECJ). The supervisory authority of the EFTA States also participates in the activities of the European Data Protection Board, without having the right to vote and to stand for election as chair or deputy chairs of the board.

Switzerland is not part of this agreement and has its own legal basis for data protection.

Data breach at Panini’s online service ‘MyPanini’

2. July 2018

According to a report in the magazine ‘Der Spiegel’, personal data and images of users who wanted to create Panini images with their own photos could be accessed by third parties.

The Italian scrapbook manufacturer for football images Panini has serious problems with the security of their online customer database. Through changing the browser’s URL, unauthorized persons could have accessed personal data of other customers, including pictures of minors. Therefore, the case can be considered as particularly serious.

Through its ‘MyPanini’ service, Panini offers fans the opportunity to upload photos with their own images and have these personalised images sent to them. Until a few days ago, logged in users could have also seen the uploaded images and personal data of other customers. Apparently the full name, the date of birth and partly even the place of residence of the customers are listed.

To a certain degree, the uploaded images showed children and young children from different countries in the private domestic environment, some even with their naked upper body.

The data breach was confirmed and has been known internally for days. Supposedly, the problem has been solved by a security update, but it is not possible to access the website at the moment.

It remains to be seen what financial consequences the data breach has for either Panini or the technical service provider. In accordance with new European General Data Protection Regulation (GDPR) infringements of the provisions can lead to administrative fines up to 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the preceding financial year.

The French Constitutional Council ruled in favour of the new data protection law implementing the EU General Data Protection Regulation

20. June 2018

The Senators referred the recently adopted data protection law to the Constitutional Council (‘Conseil Constitutionnel’) to prevent its promulgation on time for the General Data Protection Regulation (GDPR) to enter into force on last May 25. Now that the law has overcome the constitutional obstacle, it is expected to be promulgated in the next days.

The decision of the Constitutional Council (Décision n° 2018-765 DC) on June 12 demonstrates that the senators questioned the constitutionality of a number of Articles, e.g. 1, 4, 5, 7, 13, 16, 20, 21, 30 and 36.

Initially, the validity of universal law was weighed against the objective of constitutionality in terms of legislative accessibility and intelligibility. The senators argued that the implementation with the provisions of the GDPR was not clear and could “seriously mislead” citizens about their rights and obligations with regard to data protection.
The Council did not endorse this reasoning, stating that the law was readable and that Article 32 of the law referred to actually empowered the Government to take the measures required “in order to make the formal corrections and adaptations necessary to simplify and ensure consistency and simplicity in the implementation by the persons concerned of the provisions bringing national law into compliance” with the General Data Protection Regulation.

Furthermore, the constitutionality of most of the above-mentioned Articles was established. Nonetheless, Article 13 of the law amends Article 9 of the current law, according to which personal data relating to criminal convictions and offences or related security measures may only be processed “under the control of an official authority” or by certain categories of persons listed in the law. However, according to the Council, it is only a reproduction of Article 10 of the GDPR, without specifying the categories of persons authorised to process such data under the control of the authority, or the purposes of such processing. The words “under the control of the official authority” are not specific enough and therefore unconstitutional. This terminology will not be found in the promulgated law.

For France this symbolises a major step forward to join the small circle of European countries that have succeeded in implementing the GDPR at a national level.

Under the new GDPR: Complaints against Google, Instagram, WhatsApp and Facebook

1. June 2018

On the 25th of May, the day the General Data Protection Regulation (GDPR) came into force, noyb.eu filed four complaints over “forced consent” against Google (Android), Instagram, WhatsApp and Facebook.

The complaints filed by the organisation (None Of Your Business) led by Austrian activist Schrems could result in penalties worth up to 7 billion euros. Max Schrems has been fighting Facebook over data protection issues for almost ten years. His earlier lawsuit challenged Facebook’s ability to transfer data from the European Union to the United States (“Safe Harbor”).

The activist alleged that people were not given a “free choice” whether to allow companies to use their data. Noyb.eu bases its opinion on the distinction between necessary and unnecessary data usage. “The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent.” (See https://noyb.eu/wp-content/uploads/2018/05/pa_forcedconsent_en.pdf) The organisation also claims that under Art. 7 (4) of the GDPR forced consent is prohibited.

The broadly similar complaints have been filed in authorities in various countries, regardless of where the companies have their headquarters. Google (Android) in France (data protection authority: CNIL) with a maximum possible penalty in the amount of 3.7 billion euro although its headquarter is in the USA. Instagram (Facebook) in Belgium (DPA). WhatsApp in Hamburg (HmbBfDI) and Facebook in Austria (DSB). All of these last three have their headquarters in Ireland and could face a maximum possible penalty in the amount of 1.3 billion euro.

European Commission: more protection for whistleblowers

24. April 2018

The European Commission intends to grand more protection for Whistleblowers from retribution when they expose fraud, data breaches and other misdeeds, as Reuters reports. In order to reach this goal, the European Commission proposed new rules last Monday. However, also safeguards against malicious or abusive reports has been considered. The Vice President Francs Timmermans said, “There should be no punishment for doing the right thing”.

Before it can become law, the proposal has to be approved by the EU member states and the European Parliament. Such law would require companies to implement internal channels for whistleblowers while also protecting them from reprisals like sackings, demotion and litigation. Down to the present day, only 10 EU member states grant full protection to whistleblowers.

Application of the GDPR outside the EU

10. April 2018

When the General Data Protection Regulation (GDPR) comes into force on May 25th this year, not only in Europe the handling of personal data will have to change. Companies operating with customer data of EU citizens also have to observe the GDPR worldwide. But which non-European legal entity has to show consideration for the European Data Protection?

In accordance with Article 3 (1) GDPR, the GDPR applies to the processing of data of natural persons in so far as it takes place in the context of an activity of the controller (see Article 4 (7) GDPR) or a processor (see Article 4 (8) GDPR) in the Union. This applies irrespective of whether the data processing takes place on EU territory or in a third country.

If the data subject lives in the EU but the controller / data processor is located outside the EU, the scope of the GDPR according to Article 3 (2) GDPR is applicable if the data processing is related to goods or services offered within the EU (see Art. 3 (2) lit. a)). The GDPR applies cumulatively if the processor carries out a profiling on a EU-citizen (see Art. 3 (2) lit. b)).

Furthermore, the GDPR is also applied outside the EU territory to a controller / data processor who isn’t resident of the EU, if the law of a Member State becomes applicable on the basis of international public law (e.g. in consular or diplomatic matters, or on the basis of private international law).

Pages: 1 2 3 4 5 6 7 8 Next
1 2 3 8