Category: European Data Protection

EDPB adopts first decision under Art. 65 GDPR

20. November 2020

During its 41st plenary session, the European Data Protection Board (EDPB) adopted by a two-thirds majority of its members its first dispute resolution decision under Art. 65 GDPR regarding Twitter International Company. The binding decision aims to resolve a dispute arisen from a draft decision by the Irish supervisory authority (being the lead supervisory authority in that case) and subsequent relevant and reasoned objections raised by several authorities concerned.

The Irish supervisory authority prepared a draft decision following an own-initiative investigation into Twitter International Company, after the company had notified the Irish supervisory authority of a personal data breach on January 8th, 2019. According to Art. 60 (3) GDPR, the Irish supervisory authority submitted its draft decision to the other authorities concerned in May 2020, which had the opportunity to express their objections within a period of four weeks afterwards. They referred to, inter alia, violations of the GDPR identified by the lead supervisory authority, the role of Twitter International Company as the (sole) data controller, and the quantification of the proposed fine.

Due to the fact that the lead supervisory authority rejected the objections and/or considered them not to be “relevant and reasoned”, it submitted the matter to the EDPB pursuant to Art. 60 (4) GDPR, thus initiating the dispute resolution procedure.

Thereupon, the completeness of the file was evaluated, that led to the institution of legal proceedings stated in Art. 65 GDPR on September 8th, 2020. In accordance with Art. 65 (3) GDPR and in conjunction with Art. 11.4 of the EDPB Rules of Procedure, the default time period of one month was extended by a further month on account of the complexity of the subject-matter.

On November 9th, 2020, the EDPB adopted its binding decision and will shortly notify it to the Irish supervisory authority, which, on the other hand, will issue a final decision. It will be addressed to the data controller without undue delay and at the latest by one month after the EDPB has notified its decision. In compliance with the requirements of Art. 65 (6) GDPR, the lead supervisory authority shall inform the EDPB of the date when its final decision is notified respectively to the controller. After that, the EDPB decision will be published on its website.

European Commission issues draft on Standard Contractual Clauses

18. November 2020

A day after the European Data Protection Board (EDPB) issued its recommendations on supplementary measures, on November 12th the European Commission issued a draft on implementing (new) Standard Contractual Clauses (SCC) for data transfers to non-EU countries (third countries). The draft is open for feedback until December 10th, 2020, and includes a 12-month transition period during which companies are to implement the new SCC. These SCC are supposed to assist controllers and processors in transferring personal data from an EU-country to a third-country implementing measures that guarantee GDPR-standards and regarding the Court of Justice of the European Union’s (CJEU) “Schrems II” ruling.

The Annex includes modular clauses suitable for four different scenarios of data transfer. These scenarios are: (1) Controller-to-controller-transfer; (2) Controller-to-processor-transfer; (3) Processor-processor-transfer; (4) Processor-to-controller-transfer. Newly implemented in these SCC are the latter two scenarios. Since the clauses in the Annex are modular, they can be mixed and matched into a contract fitting the situation at hand. Furthermore, more than two parties can adhere to the SCC and the modular approach even allows for additional parties to accede later on.

The Potential of government access to personal data is especially addressed since this was a main issue following the “Schrems II” ruling. Potential concerns are met by implementing clauses that address, how the data importer must react when laws of the third country impinge his ability to comply with the contract (especially the SCC) and how he must react in case of government interference.  Said measures include notifying the data exporter and the data subject of any government interference, such as- legally binding requests of access to personal data; and if possible sharing further information on these requests (on a regular basis), documenting them and challenging them legally. Termination clauses are added, in case the data importer cannot comply anymore, e.g. because of changes in the third country’s law.

Further clauses regard matters such as data security, transparency, accuracy and onwards transfer of personal data. Issues that have all been tackled in the older SCC but are update now.

EDPB issues guidance on data transfers following Schrems II

17. November 2020

Following the recent judgment C-311/18 (Schrems II) by the Court of Justice of the European Union (CJEU), on November 11th the European Data Protection Board (EDPB) published “Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data”. These measures are to be considered when assessing the transfer of personal data to countries outside of the European Economic Area (EEA)(so-called third countries). These recommendations are subject to public consultation until the end of November. Complementing these recommendations, the EDPB published “Recommendations on the European Essential Guarantees for surveillance measures”. Added together both recommendations are guidelines to assess sufficient measures to meet standards of the General Data Protection Regulation (GDPR), even if data is transferred to a country lacking protection comparable to that of the GDPR.

The EDPB highlights a six steps plan to follow when checking whether a data transfer to a third country meets the standards set forth by the GDPR.

The first step is to map all transfers of personal data undertaken. Especially transfers into a third country. The transferred data must be adequate, relevant and limited to what is necessary in relation to the purpose. A major factor to consider is the storage of data in clouds. Furthermore, onwards transfer made by processors should be included. In a second step, the transfer tool used needs to be verified and matched to those is listed in Chapter V GDPR. The next step is assessing if anything in the law or practice of the third country can impinge on the effectiveness of the safeguards of the transfer tool. The before mentioned Recommendations on European Essential Guarantees are supposed to help to evaluate a third countries laws, regarding the access of data by public authorities for the purpose of surveillance.

If the conclusion is, that the third countries legislation impinges on the effectiveness of the Article 46 GDPR tool the next step is, identifying supplementary measures that are necessary to bring the level of protection of the data transfer up to EU Standards (or at least equivalence) and adopting these. Recommendations for such measures are listed in annex 2 of the EDPB Schrems II Recommendations. They may be of contractual, technical, or organizational nature. In Annex 2 the EDPB mentions seven technical cases they found and evaluates them. Five were deemed to be scenarios for which effective measures could be found. These are

1. Data storage in a third country, that does not require access to the data in the clear.
2. Transfer of pseudonymized data.
3. Encrypted data merely transiting third countries.
4. Transfer of data to by law specially protected recipients.
5. Split or multi-party processing.

Maybe even more relevant are the two scenarios the EDPB found no effective measures for and therefore deemed to not be compliant with GDPR standards.:

6. Transfer of data in the clear (to cloud services or other processors)
7. Remote access (from third countries) to data in the clear, for business purposes. Such as HR.

These two scenarios are frequently used in practice. Still, the EDPB recommends not to execute these transfers anymore.
Examples of contractual measures are the obligation to implement necessary technical measures, measures regarding transparency (requested) access by government authorities and measures to be taken against such requests. Accompanying this the European Commission published a draft regarding standard contractual clauses for transferring personal data to non-EU countries. Organizational measures such as internal policies and responsibilities regarding government interventions.

The last two steps are undertaking the formal procedural steps to adapt supplementary measures required and re-evaluating the former steps in appropriate intervals.

Even though these recommendations are not (yet) binding, companies should take a further look at these recommendations and check if their data transfers comply.

 

 

Poland: Addresses of judges, politicians and pro-life activists published on Twitter

12. November 2020

In recent days, social networks in Poland have teemed with posts containing private addresses and telephone numbers of judges of the Constitutional Tribunal, politicians and activists openly supporting the abortion sentence. In conjunction with the publication of the above on Twitter, the President of the Personal Data Protection Office (UODO) took immediate steps to protect the personal data and privacy of these persons.

Background to this was the judgement of the Constitutional Tribunal repealing the provisions allowing abortion in cases of, for example, serious genetic defects or severe impairment of the human fetus. This provoked resistance from a part of Polish society and led to a street revolution of “liberal” men and women. Unfortunately, the agitation turned into invectives, destruction of property, public disorder and personal arguments. As a result, personal data of people supporting the prohibition of abortion have been shared thousands of times on all social media too. For this reason, numerous protesters appeared at the indicated houses, covered the walls of the surrounding buildings with vulgar inscriptions, and the addressees began to receive packages, e.g. with a set of hangers.

On October 29th, 2020 the President of the UODO responded to the case:

Publishing private addresses and contact details of pro-life activists, politicians and judges by users of the Twitter social network is an action leading to the disclosure of a wide sphere of privacy, and thus posing threats to health and life, such as possible acts of violence and aggression directed against these people and their family members.

The announcement stated that the President of the UODO requested an immediate procedure by the Irish supervisory authority, which is responsible for the processing of personal data via Twitter. Pointing out the enormous scale of threats, he indicated the need to verify the response time to reported irregularities and the possibility of introducing automated solutions to prevent the rapid furtherance of such content by other portal users. He also notified the law enforcement authorities that Twitter users had committed a crime consisting in the processing of personal data without a legal basis. The lawfulness had neither been guaranteed by consent according to Art. 6 (1) lit. a GDPR nor legitimate interests pursuant to Art. 6 (1) lit. f GDPR or any other legal basis. Thus, the processing has to be seen as illegitimate as also stated by the President of the UODO. The law enforcement authorities will be obliged to examine and document both the scope of personal data disclosed in a way that violates the principles of personal data protection and to determine the group of entities responsible for unlawful data processing. The President of the UODO also applied to the Minister of Justice – Public Prosecutor General for placing this case under special supervision due to the escalation of conflict and aggression, which pose a high risk of violating the life interests of both people whose data is published on social media and their family members.

In conclusion, the President of the UODO added:

The intensification of actions of all competent authorities in this matter is necessary due to the unprecedented nature of the violations and the alarming announcements of disclosing the data of more people, as well as the deepening wave of aggression.

The CCPA is not enough: Californians will vote on the CPRA

28. October 2020

On 3 November 2020, the day of the US Presidential Election, Californian citizens will also be able to vote on the California Privacy Rights Act of 2020 (“CPRA”) in a state ballot. The CPRA shall expand Califonian consumers’ privacy rights given by the California Consumer Privacy Act of 2018 (“CCPA”) which only came into effect on 2 January 2020.

The NGO “Californians for Consumer Privacy”, led by privacy activist Alastair Mactaggart, initiated the upcoming state ballot on the CPRA. Mactaggart’s NGO already qualified for a state ballot on the adoption of the CCPA by collecting over 629,000 signatures of California citizens in 2018. However, the NGO dropped the proposal in 2018 after California state legislators persuaded the intitiators that they will pass the CCPA through the legislative process. But because several significant amendments to the original proposal were passed during the legislative process, the NGO created the new CPRA initiative in 2020. This time, the group submitted more than 900,000 signatures. The CPRA is supposed to expand on the provisions of the CCPA. In case the CPRA is approved by California voters on November 3rd, it could not be easily amended and would require further direct voter action. Most provisions of the CPRA would become effective on 1 January 2023 and would only apply to information collected from 1 January 2022.

Some of the key provisions of the newly proposed CPRA seem to draw inspiration from the provisions of the European General Data Protection Regulations (“GDPR”) and include the establishment of an enforcement agency (the “California Privacy Protections Agency”), explicitly protecting “Sensitive Personal Information” of consumers and granting the right to rectify inaccurate personal information. The CPRA would furthermore require businesses to abide to information obligations comparable to those required by Art. 12-14 GDPR.

As the day of the state ballot is fast approaching, recent polls suggest that the CPRA will likely pass and complement the already existing CCPA, forming the US’ strictest privacy rules to date.

EDPB addresses Privacy by Design and Default in 40th Plenary Session

26. October 2020

Following public consultation, the Europan Data Protection Board (EDPB) adopted a final version of the Guidelines on Data Protection by Design & Default during its 40th plenary session on October 20th, 2020.

The Guidelines’ focal point is the obligation of Data Protection by Design and by Default as set forth in Article 25 GDPR. At its core is the effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default, which means that controllers are obliged to implement appropriate technical and organisational measures as well as the necessary safeguards, designed to establish data protection principles in practice and to protect the rights and freedoms of data subjects while processing their personal data.

The Guidelines further contain guidance on how to effectively implement the data protection principles in Article 5 GDPR, listing key design and default points, as well as giving examples through practical cases. They also provide recommendations for controllers on how to achieve Privacy by Design and Default.

However, this is not the only decision made by the EDPB during the plenary. The EDPB decided to set up a Coordinated Enforcement Framework (CEF), which provides a structure for coordinating recurring annual activities by EDPB Supervisory Authorities. The objective is to coordinate joint activities, which may range from joint awareness raising and information gathering to enforcement sweeps and joint investigations.

The EDPB hopes that this raises awareness, as well as give data subjects more confidence to excercise their rights under the GDPR.

Decision to fine the Norwegian Public Roads Administration

23. October 2020

The Norwegian Data Protection Authority (Datatilsynet) has issued the Norwegian Public Roads Administration (Statens vegvesen) a fine of EUR 37.400 (NOK 400.000) for improprieties related to the use of the monitoring system installed on toll ways in Norway. They concerned processing personal data for purposes that were noncompliant with the originally stated and for not erasing video recordings after 7 days from their registration.

The penalized entity is the controller of a system processing personal data obtained from the area of ​​toll roads in Norway. This system records personal data which especially enable the identification of vehicles (and hence their owners) that pass through public toll stations. The primary purpose of processing these personal data was to ensure safety on public roads and to optimize the operation of the tunnel and drawbridges in the county Østfold. The Norwegian Public Roads Administration however, used the recordings particularly in order to document improper fulfilments of concluded contracts by certain subjects. According to the Norwegian Data Protection Authority, such procedure is unlawful and not compliant with the originally stated purposes.

The Norwegian Public Roads Administration was also accused of infringements related to deletion of personal data in due time. In accordance with Norwegian regulations, recordings from monitoring (and thus personal data) may be stored until the reason for its storage ceases, but no longer than 7 days from recording the material. In the course of proceedings it turned out that the monitoring system did not have the function of deleting personal data at all. Therefore, the Norwegian Public Roads Administration was not able to fulfil its obligation according to Art. 17 GDPR. The lack of this functionality additionally indicates that the controller, while implementing the monitoring system, also omitted the requirements specified in Art. 25 GDPR.

Taking into account these circumstances, the Norwegian Data Protection Authority stated a violation of the mentioned GDPR regulations.

Appeal against record fine for GDPR violation in Poland dismissed

22. October 2020

On 10th September 2019 the Polish Data Protection Commissioner imposed a record fine in the amount of more than PLN 2,8 million or the equivalent of € 660.000 on the company Morele.net for violating the implementation of appropriate technical and organisational measures as well as the lack of verifiability of the prior consents to data processing. The Krakow-based company runs various online shops and stores customer data on a central database. According to the Personal Data Protection Office (UODO), there has been 2,2 million customers affected.

Starting point were especially two incidents at the end of 2018, when unauthorised persons got access to the customer database of the company and the contained personal data. The company notified the data breach to the UODO, which accused it particularly of violation of the confidentiality principle (Articles 5 (1) lit. f, 24 (1), 25 (1), 32 (1) lit. b, d, (2) GDPR) by failing to use sufficient technical and organisational measures to safeguard the data of its customers, such as a two-factor authentication. As claimed by the UODO, the selection of the authentication mechanism should always be preceded by an adequate risk analysis with a corresponding determination of protection requirements. The company did not adequately comply with this. However, it should have been sufficiently aware of the phishing risks as the Computer Emergency Response Team (CERT Polska) had already pointed it out.

In addition, the UODO accused the company of violation of the lawfulness, fairness, transparency and accountability principles (Articles 5 (1) lit. a, (2), 6 (1), 7 (1) GDPR) by not being able to prove that (where necessary) the personal data from installment applications had been processed on the basis of consents of data subjects. Furthermore, after a risk analysis, the company deleted the corresponding data from the database in December 2018, but according to the UODO, the deletion was not sufficiently documented.

When assessing the fine, there were many aspects which played a decisive role. Most of all, the extent of the violation (2,2 million customers) and the fact that the company processes personal data professionally in the course of its business activities and therefore has to apply a higher level of security. However, mitigating circumstances were also taken into account, such as the good cooperation with the supervisory authority, no previous ascertainable violations of the GDPR and no identifiable financial advantages for the company.

On 3rd September 2020, the Provincial Administrative Court (WSA) in Warsaw issued a judgment on Morele.net’s appeal against the decision. The WSA dismissed the appeal and considered that the decision on the fine imposed on the company was justified. Furthermore, the WSA stated that the UODO had correctly assessed the facts in the case concerned and considered that the fine imposed was high but within the limits of the law and justified by circumstances. It is expected that the company will lodge a complaint with the Supreme Administrative Court of Poland.

Swiss Data Protection Commissioner: “Swiss-U.S. Privacy Shield not providing adequate level of Data Protection”

28. September 2020

Following the recent ruling by the Court of Justice of the European Union (“CJEU”) the Swiss Data Protection Commissioner (“EDÖB”) published a statement concerning the level of Data Protection of Data Transfers under the Swiss-U.S. Privacy Shield. The “Schrems II” decision by the CJEU is not legally binding in the Switzerland because Switzerland is neither a EU nor a EEA country. But as the EDÖB and the Joint European Data Protection Authorities work closely together, the decision has first implications for Swiss data exporters.

In accordance with Swiss Data Protection law (Art. 7 VDSG), the Swiss Data Protection Commissioner maintains a publicly accessible list of countries assessing the level of Data Protection guaranteed by these countries. This list shall serve Swiss data exporters as a guidance for their data exporting activities and acts as a rebuttable presumption. EU and EEA countries have continuously been listed in the first column of the list because they are regarded to provide an adequate level of Data Protection. The U.S. has been listed in the second column as a country providing “adequate protection under certain conditions”, which meant a certification of U.S. data importers under the Swiss-U.S. Privacy Shield.

Subsequent to the CJEU ruling, the EDÖB decided to list the U.S. in the third column as a country providing “inadequate protection”, thereby also acting on his past annual reviews of the Swiss-U.S. Privacy Shield. In his reviews, the EDÖB already criticised that data subjects in Switzerland lack access to the courts in the U.S. on account of Data Protection violations and that the Ombudsman-mechanism is ineffective in this regard.

Lastly, the EDÖB pointed out that the Swiss-U.S. Privacy Shield remains in effect since there has not been a decision by Swiss courts comparable to the CJEU decision and that his assessment has the status of a recommendation. However, the EDÖB advises Swiss data exporters to always make a risk assessment when transferring Personal Data to countries with “inadequate protection” and possibly to apply technical measures (e.g. BYOK encryption) in order to protect the data from access by foreign intelligence services.

EU looking to increase Enforcement Powers over Tech Giants

24. September 2020

In an interview with The Financial Times on Sunday, EU-Commissioner Thierry Breton stated that the European Union is considering plans to increase its enforcement powers regarding tech giants.

This empowerment is supposed to include punitive measures such as forcing tech firms to break off and sell their EU operations if the dominance on the market becomes too large. It is further considered to enable the EU to be able to boot tech companies from the EU single market entirely. Breton stated these measures would of course only be used in extreme circumstances, but did not elaborate on what would qualify as extreme.

“There is a feeling from end-users of these platforms that they are too big to care,” Thierry Breton told The Financial Times. In the interview, he compared tech giants’ market power to the big banks before the financial crisis. “We need better supervision for these big platforms, as we had again in the banking system,” he stated.

In addition, the European Union is considering a rating system, in which companies would be given scores in different categories such as tax compliance, taking action against illegal content, etc. However, Breton said that it is not the intend to make companies liable for their users’ content.

Breton further said that the first drafts of the new law will be ready by the end of the year.

Once the final draft is in place, it will require approval both by the European Parliament as well as the European Council, before it can be enacted.

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 Next
1 2 3 13