Category: European Data Protection

Transatlantic Data Transfers in light of the Two Year Anniversary of GDPR Application

7. July 2020

In the last two years since the General Data Protection Regulation (GDPR) came into effect on May 25, 2018, it has received an overall positive feedback and structured the data protection culture not only in the European Union, but has set an example for international privacy standards.

However, especially from the American side of the world, criticism has been constant. Different principles are a prerequisite for different opinions and priorities, and the effort to bring European data protection standards and American personal data business together has been a challenge on both sides.

One of the main criticisms coming from the US government is the increasing obstacles the GDPR poses in case of cybercrime investigations and law enforcement. Not only the restrictive implications of the GDPR are an issue, but also the divergent interpretations due to national adaptations of the GDPR are seen as a problem by government officials.

In the cases of cybercrime, the main issue for the US critics is the now less effective database of domain name owners, WHOIS. The online directory, which was created in the 1970s, is an important tool for law enforcement combatting cybercrime. Before the GDPR came into effect in 2018, the request for information on domain owners was straightforward. Now, due to the restrictions of the GDPR, this process has been made long and tedious.

But fighting cybercrime is not the only tension between the EU and the USA concerning data protection. In a judgement in the Schrems II case, expected for July 16, 2020, the European Court of Justice (ECJ) is expected to take a stance on transatlantic data transfers and the current Privacy Shield, which is the basis for the EU-US dataflows under adequate data protection standards. If the Privacy Shield is deemed insufficient protection, it will have a major effect on EU-US business transactions.

However, these are issues that the European Commission (EC) is very aware of. In their communication concerning the two-year review of the GDPR, the Commission stated that they are planning to balance out diverging and fragmented interpretations of the GDPR on national levels and find a common data protection culture within Europe.

In addition, the restrictions the GDPR poses to law enforcement are another point the European Commission knows it needs to fix. The plan for the future is a bilateral and multilateral framework that can allow for simple requests to share data for law enforcement purposes and avoid conflicts of law, while keeping data protection safeguards intact.

The upcoming judgement of the ECJ is seen with watchful eyes by the Commission, and will be incorporated in their upcoming adequacy decisions and re-evaluations, as well as their development of a modern international transfer toolbox, which includes a modernized version of the standard contractual clauses.

Overall, the two-year mark of the existence of the GDPR is seen more as a success, despite the clear areas for future improvement. One of the big challenges in transatlantic data transfers ahead is without a doubt the outcome of the judgement in the Schrems case in mid-July, the implications of which are, at this point in time, not yet able to be defined.

German State Data Protection Commissioner imposes 1.2 million € GDPR fine

1. July 2020

The German State Data Protection Commissioner of Baden-Württemberg (“LfDI Ba-Wü”)  imposed a GDPR fine of 1.240.000€ on the German statutory health insurance provider AOK Baden-Württemberg (“AOK”). The fine was a result of the health insurance’s lack of technical and organisational measures pursuant to Art. 32 GDPR. It is the highest fine the LfDI Ba-Wü has ever imposed.

Between 2015 and 2019 the AOK organised lotteries on various occasions and collected personal data of the participants, including their contact details and current health insurance affiliations. The AOK wanted to use the data of the lottery participants for advertising purposes, insofar as the participants gave their consent to this. To ensure the security of processing, the AOK implemented internal guidelines and data protection training of their staff as technical and organisatioal measures. However, these measures were not sufficient to comply with Art. 32 GDPR because AOK staff used the personal data of more than 500 lottery participants for advertising purposes without their prior consent.

Following the investigation of the LfDI Ba-Wü, the AOK immediately stopped all marketing activities in order to revise their internal policies and processes against the GDPR. The LfDI Ba-Wü explained that in determining the extent of the fine, it considered the following mitigating factors:

  • the cooperation of the AOK with the Data Protection Authority,
  • the fact that the AOK as a statutory health insurance provider is an important part of the German healthcare system, and
  • the burdens of the current Corona-Pandemic on the healthcare system.

Finally, the Commissioner pointed out that technical and organisational measures must be regularly adjusted to the actual conditions of each processing activity, in order to ensure an adequate level of data protection in the long term.

EDPB releases new official register of Art. 60 GDPR decisions

29. June 2020

On 25 June 2020, the European Data Protection Board (“EDPB”) released a new register of final decisions by national European Data Protection Authorities (Supervisory Authorities) cooperating with one another pursuant to Art. 60 GDPR. The register provides access to the decisions themselves, summaries of the decisions in English, and information on the identity of the cooperating Lead Supervisory Authority and Concerned Supervisory Authorities.

The GDPR postulates that Supervisory Authorities have to cooperate in potential cases of GDPR violations that include cross-border data processing activities. During this cooperation, the Lead Supervisory Authority will be in charge of preparing the draft decision and involving the Concerned Supervisory Authorities, and will act as the sole interlocutor of the Controller or Processor (“One-Stop-Shop”-Principle), Art. 56 and Art. 60 GDPR.

To date, the new EDPB register contains 110 final decisions. The EDPB states in its announcement that ‘the register will be valuable to data protection practitioners who will gain access to information showcasing how SAs work together to enforce the GDPR in practice.’

Contact Tracing Apps: U.K. Update and EDPB Interoperability Statement

23. June 2020

In another update about contact tracing apps, we are going to talk about the new path of contact tracing in the United Kingdom (UK), as well as the European Data Protection Board’s (EDPB) statement in regards to the cross-border interoperability of the contact tracing apps being deployed in the European Union.

UK Contact Tracing App Update

Since starting the field tests on the NHS COVID-19 App on the Isle of Wight, the UK government has decided to change their approach towards the contact tracing model. It has been decided to abandon the centralized app model in favour of the decentralized Google/Apple alternative.

The change was brought on by technical issues and privacy challenges which surfaced during the trial period on the Isle of Wight, and in the end were direct consequences of the centralized model and important enough to motivate the change of approach.

The technical problems included issues with the background Bluetooth access, as well as operation problems in the light of cross-border interoperability. Further, the data protection risks of mission creep and a lack of transparency only urged on the of the app.

The new model is widely used throughout the European Union, and provides more data protection as well as better technical support. The only deficit in comparison with the centralized model is the lesser access to data by epidemiologists, which seems to be a trade off that the UK government is willing to take for the increase in data protection and technical compatibility.

EDPB statement on cross-border interoperability

On June 17th, 2020, the EDPB has released a statement with regards to the cross-border interoperability of contact tracing apps. The statement builds on the EDPB Guideline from 04/2020 with regards to data protection aspects of contact tracing apps, emphasising the importance of the issues presented.

The statement stems from an agreement between EU-Member states and the European Commission formed in May 2020 with regards to the basic guidelines for cross-border interoperability of contact tracing apps, as well as the newly settled technical specs for the achievement of such an interoperability.

The EDPB states key aspects that have to be kept in mind during the entirety of the project, namely transparency, legal basis, controllership, data subject’s rights, as well as data retention and minimisation rules.

Further, the statement emphasises that the sharing of data about individuals which have been diagnosed or tested positively should only be triggered by a voluntary action of the users themselves. In the end, the goal of interoperability should not be used as an argument to extend the collection of personal data further than necessary.

Overall, this type of sharing of personal data can pose an increased data protection risk to the personal data of the users, which is why it needs to be made sure that the principles set down by the GDPR are being upheld, and made sure that there is no less intrusive method to be used in the matter.

Hungary Update: EDPB publishes Statement on Art. 23 GDPR

17. June 2020

Since March 2020, Hungary has been in a “state of emergency” following the COVID-19 pandemic. The country’s COVID-19 related emergency laws and state of emergency received worldwide criticism from constitutional experts, politicians and civil rights groups, because it allows the Prime Minister to rule by decree during the state of emergency and does not provide a predefined end date. During the state of emergency, Prime Minister Victor Orbán made extensive use of his newly gained powers by passing more than a hundred decrees, including Decree No. 179/2020, which suspended the GDPR data subject rights in Art. 15-22 GDPR with respect to personal data processing for the purpose of preventing, understanding, detecting the coronavirus disease and impeding its further spread (we reported).

In response to this suspension of GDPR rights, the European Data Protection Board (“EDPB”) has recently published a Statement on restrictions on data subject rights pursuant to Art. 23 GDPR, which is the provision that Hungary’s measure was based on. This article allows the member states to restrict, by way of a legislative measure, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, inter alia, important objectives of general public interest of the Union or of a Member State such as public health.

In its Statement, the EDPB points out that any restriction must respect the essence of the right that is being restricted. If the essence of the right is compromised, the restriction must be considered unlawful. Since the data subject’s right of access and the right to rectification are fundamental rights according to Art. 8 para. 2 of the Charter of Fundamental Rights of the European Union, any restriction of those rights must be carefully weighed up by the member states, in order respect the essence of the rights. The EDPB considers that restrictions adopted in the context of a state of emergency suspending or postponing the application of data subject rights, without any clear limitation in time, equate to a de facto blanket suspension and denial of those rights and are not be compatible with the essence of the fundamental rights and freedoms.

The EDPB also recalls that the restrictions under Art. 23 GDPR must be necessary and proportionate. It argues that restrictions that are imposed for a duration not precisely limited in time or which apply retroactively or are subject to undefined conditions, are not foreseeable to data subjects and thus disproportionate.

Furthermore, the EDPB takes the view that in order to safeguard important objectives of general public interest such as public health (Art. 23 para. 1 lit. e GDPR), there must be a clearly established and demonstrated link between the foreseen restrictions and the objective pursued. The mere existence of a pandemic or any other emergency situation alone does not justify a restriction of data subject rights, especially if it is not clearly established, how the restrictions can help dealing with the emergency.

Following the international public backlash, the Parliament of Hungary passed legislation on 16 June 2020 to revoke the emergency laws as soons as the current state of emergency will be terminated by the Government. Hungary’s Government announced in May that it intends to lift the state of emergency on 20 June 2020. After that, the restrictions on the GDPR rights shall be lifted as well, so that data subject may exercise their Art. 15-22 GDPR rights again.

Series on COVID-19 Contact Tracing Apps Part 2: The EDPB Guideline on the Use of Contact Tracing Tools

25. May 2020

Today we are continuing our miniseries on contact tracing apps and data protection with Part 2 of the series: The EDPB Guideline on the Use of Contact Tracing Tools. As mentioned in Part 1 of our miniseries, many Member States of the European Union have started to discuss using modern technologies to combat the spread of the Coronavirus. Now, the European Data Protection Board (“EDPB”) has issued a new guideline on the use of contact tracing tools in order to give European policy makers guidance on Data Protection concerns before implementing these tools.

The Legal Basis for Processing

In its guideline, the EDPB proposes that the most relevant legal basis for the processing of personal data using contact tracing apps will probably be the necessity for the performance of a task in the public interest, i.e. Art. 6 para. 1 lit. e) GDPR. In this context, Art. 6 para. 3 GDPR clarifies that the basis for the processing referred to in Art. 6 para. 1 lit. e) GDPR shall be laid down by Union or Members State law.

Another possible legal basis for processing could be consent pursuant to Art. 6 para. 1 lit. a) GDPR. However, the controller will have to ensure that the strict requirements for consent to be valid are met.

If the contact tracing application is specifically processing sensitive data, like health data, processing could be based on Art. 9 para. 2 lit. i) GDPR for reasons of public interest in the area of public health or on Art. 9 para. 2 lit. h) GDPR for health care purposes. Otherwise, processing may also be based on explicit consent pursuant to Art. 9 para. 2 lit. a) GDPR.

Compliance with General Data Protection Principles

The guideline is a prime example of the EDPB upholding that any data processing technology must comply with the general data protection principles which are stipulated in Art. 5 GDPR. Contact tracing technology will not be an exeption to this general rule. Thus, the guideline contains recommendations on what national governments and health agencies will need to be aware of in order to observe the data protection principles.

Principle of Lawfulness, fairness and transparency, Art. 5 para. 1 lit. a) GDPR: First and foremost, the EDPB points out that the contact tracing technology must ensure compliance with GDPR and Directive 2002/58/EC (the “ePrivacy Directive”). Also, the application’s algorithms must be auditable and should be regularly reviewed by independent experts. The application’s source code should be made publicly available.

Principle of Purpose limitation, Art. 5 para. 1 lit. b) GDPR: The national authorities’ purposes of processing personal data must be specific enough to exclude further processing for purposes unrelated to the management of the COVID-19 health crisis.

Principles of Data minimisation and Data Protection by Design and by Default, Art. 5 para. 1 lit. c) and Art. 25 GDPR:

  • Data processed should be reduced to the strict minimum. The application should not collect unrelated or unnecessary information, which may include civil status, communication identifiers, equipment directory items, messages, call logs, location data, device identifiers, etc.;
  • Contact tracing apps do not require tracking the location of individual users. Instead, proximity data should be used;
  • Appropriate measures should be put in place to prevent re-identification;
  • The collected information should reside on the terminal equipment of the user and only the relevant information should be collected when absolutely necessary.

Principle of Accuracy, Art. 5 para. 1 lit. d) GDPR: The EDPB advises that procedures and processes including respective algorithms implemented by the contact tracing apps should work under the strict supervision of qualified personnel in order to limit the occurrence of any false positives and negatives. Moreover, the applications should include the ability to correct data and subsequent analysis results.

Principle of Storage limitation, Art. 5 para. 1 lit. e) GDPR: With regards to data retention mandates, personal data should be kept only for the duration of the COVID-19 crisis. The EDPB also recommends including, as soon as practicable, the criteria to determine when the application shall be dismantled and which entity shall be responsible and accountable for making that determination.

Principle of Integrity and confidentiality, Art. 5 para. 1 lit. f) GDPR: Contact tracing apps should incorporate appropriate technical and organisational measures to ensure the security of processing. The EDPB places special emphasis on state-of-the-art cryptographic techniques which should be implemented to secure the data stored in servers and applications.

Principle of Accountability, Art. 5 para. 2 GDPR: To ensure accountability, the controller of any contact tracing application should be clearly defined. The EDPB suggests that national health authorities could be the controllers. Because contact tracing technology involves different actors in order to work effectively, their roles and responsibilities must be clearly established from the outset and be explained to the users.

Functional Requirements and Implementation

The EDPB also makes mention of the fact that the implementations for contact tracing apps may follow a centralised or a decentralised approach. Generally, both systems use Bluetooth signals to log when smartphone owners are close to each other.  If one owner was confirmed to have contracted COVID-19, an alert can be sent to other owners they may have infected. Under the centralised version, the anonymised data gathered by the app will be uploaded to a remote server where matches are made with other contacts. Under the decentralised version, the data is kept on the mobile device of the user, giving users more control over their data. The EDPB does not give a recommendation for using either approach. Instead, national authorities may consider both concepts and carefully weigh up the respective effects on privacy and the possible impacts on individuals rights.

Before implementing contact tracing apps, the EDPB also suggests that a Data Protection Impact Assessment (DPIA) must be carried out as the processing is considered likely high risk (health data, anticipated large-scale adoption, systematic monitoring, use of new technological solution). Furthermore, they strongly recommend the publication of DPIAs to ensure transparency.

Lastly, the EDPB proposes that the use of contact tracing applications should be voluntary and reiterates that it should not rely on tracing individual movements but rather on proximity information regarding users.

Outlook

The EDPB acknowledges that the systematic and large scale monitoring of contacts between natural persons is a grave intrusion into their privacy. Therefore, Data Protection is indispensable to build trust, create the conditions for social acceptability of any solution, and thereby guarantee the effectiveness of these measures. It further underlines that public authorities should not have to choose between an efficient response to the current pandemic and the protection of fundamental rights, but that both can be achieved at the same time.

In the third part of the series regarding COVID-19 contact tracing apps, we will take a closer look into the privacy issues that countries are facing when implementing contact tracing technologies.

Hungarian Government suspends GDPR rights for COVID-19 related Data Processing

12. May 2020

In the face of the Corona pandemic, Hungary is currently in an indefinite “state of emergency”. Originally, Prime Minister Victor Orbán decreed the state of emergency on 11 March 2020 lasting for a period of 15 days. However, on 30 March 2020, the Hungarian Parliament passed emergency legislation (Bill on Protection against Coronavirus or Bill T/9790) extending the state of emergency until terminated by the Prime Minister and allowing the Prime Minister to rule by decree during the state of emergency. The Bill was passed thanks to the two-thirds majority of Orbán’s Fidesz Party in the Hungarian Parliament.

On 4 May 2020, Prime Minister Orbán issued Decree No. 179/2020 which contains several provisions affecting Data Protection in Hungary extensively for the time of the state of emergency.

Most importantly, the decree suspends the individual data subject’s rights pursuant to Art. 15 to 22 of the European GDPR when processing personal data for the purpose of preventing, recognising, and stopping the spread of the Coronavirus. It also stipulates that the one month time limit for Controllers to provide the necessary information (Art. 12 para. 3 GDPR) will only begin after the termination of the state of emergency for any Coronavirus related data subject requests. Furthermore, the data collection information requirements for Controllers pursuant to Art. 13 and 14 GDPR will be satisfied by publishing an electronic privacy notice providing the purpose and the legal basis of data processing which the data subjects may take notice of.

The emergency decree received much criticism from various European Data Protection authorities and civil rights groups. The head of the European Data Protection Board (“EDPB”) Andrea Jelinek stated that she is “personally very worried” about the developments, and described the Hungarian government’s decision as “unnecessary [and] detrimental”. In its most recent plenary session, the EDPB also specifically discussed Hungary’s emergency measures in light of European Data Protection Law.

EDPB ratifies new Guideline on Health Data Processing during COVID-19

27. April 2020

The European Data Protection Board (EDPB) adopted a new Guideline on the processing of health data for scienon the most urgent matters and issues in relation to the processing of health data. Those matters include the tific purposes in the context of the COVID-19 pandemic on April 21, 2020. It aims at providing clarity on the most urgent matters and issues in relation to the processing of health data. Those matters include the legal basis for processing, the implementation of adequate safeguards as well as data subjects’ rights.

The Guideline states that the GDPR contains several provisions for the processing of health data in relation to scientific research. The first one would be the consent in Art. 6 (II) a GDPR in combination with Art. 9 (II) a GDPR. The EDPB emphasizes the necessity of the consent having to meet all the necessary conditions in order to be valid, notably consent must be freely given, specific, informed, and unambiguous, and it must be made by way of a statement.

Further, the EDPB clarifies that Art. 6 (I) e or f GDPR in combination with the enacted derogations under Art. 9 (II) (i) or (j) GDPR can provide a legal basis for the processing of personal (health) data for scientific research. National legislators can implement their own derogations, setting ground for national legal bases in regulation with the GDPR.

The EDPB also addresses the case of further processing of health data for scientific purposes, which means the case when health data has not been collected for the primary purpose of scientific research. In these cases, the Guideline states that the scientific research is not incompatible with the original purpose of the processing, as long as the principles of Art. 5 GDPR are being upheld.

In regards to international transfers, the Guidelines make specific emphasis on the transfer to countries with no adequacy decision by the European Commission. In such cases, it is possible for the exporter of the data to rely on the derogations of Art. 49 (I) a, explicit consent, and d, transfer necessary for important public interest, GDPR. However, these derogations do not entitle continuous or repeated transfers, and are only supposed to be used as temporary measures. The EDPB states that this is a sanitary crisis like none before, and therefore the transfer to other countries in cases of scientific research form an international emergency in which the public interest may take first priority. But the Guideline makes clear that in case of repeated transfer, safeguards according to Art. 46 GDPR have to be taken.

The Guideline further emphasizes that situations like the current pandemic outbreak do not restrict data subjects to exercise their rights. However, Art. 82 (II) GDPR gives national lawmakers the possibility to restrict data subject rights, though these restrictions should apply only as is strictly necessary.

Over all, the EDPB states that it has to be noted that any processing or transfer will need to take into consideration on a case-by-case basis the respective roles (controller, processor, joint controller) and related obligations of the actors involved in order to identify the appropriate measures in each case.

Greek Data Protection Authority releases Guidance on Cookies

16. March 2020

On 25 February 2020, the Hellenic Data Protection Authority (DPA) published a guidance on Cookies and other tracking tools. Previously, the Authority had found that Greek websites and service providers have been largely failing to comply with the rules on the use of Cookies and other trackers set out by the ePrivacy Directive and the GDPR, and reaffirmed by the European Court of Justice’s ruling on Planet 49.

The guidance states that it will be relevant to HTTP/S Cookies, Flash Cookies, local storage applying to HTML 5, device fingerprinting, OS identifiers, and material identifiers.

The Greek DPA reiterated that, generally, providers are obliged to obtain the user’s consent if they are using any tracking tools – irrespective of whether the processing of personal data is taking place. It also outlined that technically necessary trackers are exempt from the obligation to consent. Furthermore, the guidance goes into detail on how information and consent can be made available on websites specifically.

Lastly, the Authority has given Greek website providers a grace period of two months to implement the provisions of this guidance and thereby become compliant with the European rules on tracking tools.

EDPB publishes GDPR Implementation Review

The European Data Protection Board (EDPB) released a review dated from February 18th, in a contribution to the evaluation of the General Data Protection Regulation (GDPR), which has reached its 20th month of being in effect.

Overall, the EDPB stated that it has a positive view of the implementation of the legislation in the different European Countries over the past 20 months. Furthermore, it deems a revision of the legislative text as likely, but not yet necessary in the near future.

The EDPB praised the Data Protection Authorities and their work up til now, saying it hopes that the cooperation between them will create a common data protection culture and consistent monitoring practices. But the report also mentioned that Supervisory Authorities in the countries face restrictions due to different national procedures and practices, which can hinder the cooperation. Furthermore, the EDPB sees a need to increase the funding for Supervisory Authorities to improve and support their duties.

On another note, the EDPB has acknowledged the challenges of implementation for Small to Medium sized Enterprises (SMEs). It says it is aware of these challenges, and works together with Supervisory Authorities to facilitate the supporting tools they have put out in order to support SMEs.

Lastly, it raised concerns about the timeframe of the new ePrivacy Regulation, and urged lawmakers to bundle their focus and efforts to carry on with its development.

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 Next
1 2 3 12