Category: European Data Protection

Political parties will be sanctioned for data breaches

22. January 2019

On Wednesday, 16th January 2019, EU Parliament and member state negotiators agreed that parties or political foundations can be sanctioned for data protection breaches during election campaigns. This regulation is intended to prevent any influence on the forthcoming European elections in May. It was decided that in such cases affected institutions would have to pay up to five percent of their annual budget in future.

One of the reasons for the new regulation was the data scandal surrounding Facebook and Cambridge Analytica. During the US election campaign, Facebook gained unauthorized access to the data of millions of its users. With this data, Cambridge Analytica is said to have tried to prevent potential Clinton supporters from voting and to mobilise Trump voters by means of advertising and contributions (we reported).

In future, data protection violations that are deliberately accepted in order to influence the outcome of European elections will be severely sanctioned. National supervisory authorities are to decide whether a party has violated the regulation. The Authority for European Political Parties and European Political Foundations must then review the decision and, if necessary, impose the appropriate sanction. Moreover, those found to be in breach could not apply for funds from the general budget of the European Union in the year in which the fine is imposed.

The text adopted on Wednesday still has to be formally adopted by Parliament and the Council of Member States.

Brexit: Impact on data protection after “May’s deal” has been rejected

18. January 2019

Prime Minister Theresa May’s draft withdrawal agreement to regulate Brexit was rejected by a clear majority of parliamentarians on 15th January. The draft withdrawal agreement has been agreed in November 2018 by the United Kingdom (UK) and the European Union (EU) – we reported: Brexit: Draft withdrawal agreement – GDPR remains applicable for foreseeable future – containing a transition period of 21-months in order to facilitate business sectors in their planning. Because of the recent rejection of the withdrawal agreement by the British Parliament, the scenario of the UK disorderly leaving the EU has now become quite likely. Among various economic and EU law issues, Brexit has also a concrete impact on data protection.

In case of a Brexit without corresponding transitional rules, the UK would be regarded as a third country under the General Data Protection Regulation of the EU (GDPR) as of 29th March 2019. This was also confirmed by Prof. Dr. Dieter Kugelmann, the State Data Protection Officer of Rheinland-Pfalz: “The fact is that the United Kingdom will become a “third country” within the meaning of the GDPR after leaving the EU.” Thus, an adaquacy decision would be required to transfer personal data of EU citizens or from the EU to the UK in the absence of any other mechanisms ensuring an adequate level of data protection according to Art. 44 ff. GDPR.

Since many companies currently transfer customer or employee data to the UK as well as a lot of data centres of service providers are located there, the Brexit will cause a need for adaption in terms of data protection matters. After the Brexit these Companies must ensure that there is an adequate legal basis for the relevant data transfers to the UK. Furthermore, according to Art. 13, 14 GDPR, the data subjects must be informed regarding the transfer of personal data outside the EU/EEA. All privacy policies on websites, privacy notices to employees etc. therefore would have to be adjusted. In the event of a data subject’s request for information, Art. 15 GDPR stipulates that the data subject must be informed about the transfer of his/her personal data to a third country. When personal data are transferred to the UK deemed as a third country, companies would eventually have to adjust their records of processing activities pursuant to Art. 30 GDPR.

It is recommended that in particular those companies transferring a lot of personal data to the UK at least are aware of these potentially required adaptations in order to further ensure compliance with EU data protection laws. As the GDPR, principally does not privilege any group of companies, the aforementioned recommendation also apply to data flows within such groups.

Uber to pay another fine for 2016 data breach

27. December 2018

Uber’s major data breach of 2016 still has consequences as it has also been addressed by the French Data Protection Authority “CNIL”.

As reported in November 2017 and September 2018, the company had tried to hide that personal data of 50 million Uber customers had been stolen and chose to pay the hackers instead of disclosing the incident to the public.

1,4 million French customers were affected as well which is why the CNIL has now fined Uber 400K Euros (next to the settlement with the US authorities amounting to $148 Million).

The CNIL came to find out that the breach could have been avoided by implementing certain basic security measures such as stronger authentication.

Great Britain and the Netherlands have also already imposed a fine totalling €1 million.

Google changes Privacy Policy due to GDPR

19. December 2018

As it is widely known these days, the General Data Protection Regulation (GDPR) came into force earlier this year to standardize data protection regulation in the EU. This has now lead to the fact that Google will update the company’s terms of service and privacy policy to be compliant with the GDPR.

The company started to notify the countries in the European Economic Area (EEA) and Switzerland in regard to some upcoming changes. They will come into effect on January 22, 2019.

The most important update, also legally, is the change of the data controller. The Google Ireland Limited will become the so called “data controller” who is responsible for the information of European and Swiss users . Therefore, Google Ireland Limited will be in charge to respond to request from users and to ensure compliance with the GDPR. At present, these services are provided by Google LLC, based in the U.S.

For website operators this means that they might also have to adapt their privacy policy accordingly. This is the case, for example, if Google Analytics is used.

Furthermore, there are no changes in regard to the current settings and services.

Guidelines for Binding Corporate Rules issued in Argentina

18. December 2018

The Argentine Authority of Access to Public Information (Agencia de Acceso a la Información Pública – AAIP) has recently issued its guidelines for Binding Corporate Rules (BCRs) on international data transfer. The Binding Corporate Rules are a mechanism for multinational corporations to legitimize international transfers of personal data within the group. This tool for creating a contractually binding “code of conduct” regarding international data transfers was evolved in the EU and has also been incorporated expressly in Article 47 GDPR. BCRs have been designed as a global solution to comply with the principles of data protection and thus create an adequate level of data protection (cf. Art. 44, 47 GDPR).

Like the GDPR, the Argentine Personal Data Protection Law No. 25, 326 does not permit the cross-border transfer of personal data to countries or international organizations that do not provide an adequate level of data protection. Such transfers would be allowed in accordance with Regulatory Decree No. 1558/2001 when the data subjects expressly gave their consent to the transfer; an appropriate international data transfer agreement is in place; or an adequate protection level arises from self-regulation systems.

According to Regulation 159/2018 published Dec. 7, 2018, the AAIP has now approved guidelines for such BCRs that legitimize international data transfer to countries or international organizations that have not been recognized as providing an adequate level of data protection.

These guidelines provide a framework of principles for a self-regulation mechanism reflecting the requirements and conditions imposed by the Argentine Personal Data Protection Law. The rules of the self-regulation system have to be legally binding upon all members of the corporate group as well as employees, subcontractors and third-party beneficiaries (e.g. data subjects, AAIP). Among other things, those BCRs must consider lawfulness conditions of processing, data subjects’ rights and specific protection concerning sensitive aspects. Furthermore, the subsequent cross-border data transfer to those entities providing a non-adequate level of data protection shall be restricted, data subjects shall be able to place a judicial or administrative complaint and under the BCRs must an appropriate staff data protection training has to take place with regard to data processing activities.

The AAIP shall eventually be entitled to engage in international data transfers originating from an Argentine entity as data exporter and – as third-party beneficiary – in those cases in which personal data of subjects in Argentina is affected.

However, the approval of the AAIP of BCRs that follow the requirements of Regulation No. 159/2018 is not required. In the case a group of companies would rely on BCRs that differ from those conditions though, the relevant documents need to be submitted to the AAIP for approval within the term of 30 calendar days from the date that the transfer took place.

As a valid mechanism to legitimize the international transfer of data within a group of companies, the use of BCRs is been reasonably expected to increase when it comes to in Argentina.

Data Protection Commission announces statutory inquiry into Facebook

17. December 2018

The Irish Data Protection Commission announced in a press release on  December 14, 2018 that it had initiated a statutory inquiry into Facebook.

Due to the frequent, especially in the recent past, data breaches of the American company and the total number of reported data breaches since the GDPR came into force on May 25, 2018, the Irish Data Protection Commission has initiated an investigation into compliance with the relevant provisions of the GDPR against Facebook.

In recent weeks, reports of renewed breaches of data protection by Facebook have continued.

Most recently, it became known that the Italian competition authority AGCM had imposed a fine of 10 million euros on Facebook because the company had passed on data to other platforms without the express consent of the users and that a bug in the programming interface for picture processing led to third-party apps having access to pictures of 6.8 million Facebook users, some of which had not even been published by the users.

LinkedIn processed 18 million non-user email addresses to target Facebook advertisings

28. November 2018

The business and employment-oriented service LinkedIn processed the email addresses of 18 million non-members and targeted them with advertising on Facebook without permission.

A non-LinkedIn user issued a complaint to the Data Protection Commission that their email address had been obtained and used by the organisation for the purposes of targeted advertising on Facebook. Within Ireland’s Data Protection Commission the concerns grew regarding LinkedIn’s processing of personal data of non-users. Therefore, the office conducted an audit of the multinational LinkedIn Ireland, home to the company’s EU headquarters, and stated that it used million of e-mail addresses of non-users.

Also involved is LinkedIn Corp in the US, which processes data on behalf of LinkedIn Ireland. They targeted – by means of 18 million addresses – the individuals in Facebook. According to the commissioner’s annual report LinkedIn in the US carried out the processing in the absence of instructions from LinkedIn in Ireland (the controller). Said annual report covers the period from January 1st to May 24th 2018. Then the old office of the Data Protection Commissioner ceased to exist due to the General Data Protection Regulation. The new Data Protection Commission came into existence on May 25th 2018.

Apple, Google and Co. endorse a more GDPR-like U.S. federal privacy law

6. November 2018

At the 4oth International Conference of Data Protection and Privacy Commissioners (ICDPPC) Apple CEO Tim Cook and other prominent representatives of leading tech companies, all expressed their endorsement of a more GDPR-like privacy legislation around the globe and particularly the US. The ICDPPC takes place in Brussels once a year and apart from independent data protection authorities as accredited members, the attendees include representatives of states without independent data protection supervisory bodies, international organisations, non-governmental organisations as well as representatives from science and industry.

On this platform, Cook strongly supported the idea of introducing similar data protection standards to those of the GDPR in the US and encouraged his fellow tech companies to do so as well. The Apple CEO warned of a danger of a “data industrial complex”, where information about individuals is being weaponized against humanity “with military efficiency”. Cook pointed out that scraps of personal data are “carefully assembled, synthesized, traded and sold” creating an “enduring digital profile which lets companies know individuals better than they may know themselves”, since businesses would use these information to make billions and billions of dollars. As this would end up in surveillance while those stockpiles of data only serve to enrich companies, he ensures Apple’s “full support of a comprehensive federal privacy law in the United States”.

Without mentioning them, the Apple CEO refers in particular to the data giants Google and Facebook by emphasizing their responsibility of creating adequate data protection standards. Both of them have been in the focus of a global discussion on whether they provide their users with adequate privacy settings. However, Facebook’s CPO Erin Egan replied, unequivocally, “yes”, when she was asked whether she would support a GDPR-like data protection law in the U.S. as well as Google General Counsel Kent Walker said, “we’ve been on record for some time calling for comprehensive privacy legislation in the past years” when he was asked about Google’s position on a U.S. federal privacy bill. Walker also pointed to Google’s recent release of principles it supports as part of a federal bill.

Last but not least, Microsoft Corporate Vice President and Deputy General Counsel Julie Brill eventually stated that Microsoft has extended many of the GDPR’s protection measures to their entire customer base and has been a supporter of a U.S. federal privacy bill since 2005. In particular, Brill endorsed a “strong, robust, and horizontally effective baseline privacy legislation.” She further ensured that at Microsoft people are using their voice as strongly as they could to encourage that to take place.

Bearing in mind the data scandals around – in particular – Google and Facebook, and the rather low data protection standards in the U.S., it seems that at least four representatives of the top seven tech companies in the world endorse a new U.S. federal privacy bill and will encourage in supporting an adequate privacy standard around the globe. Regarding the actual stance of the Trump administration, FTC Commissioner and recent Trump appointee Noah Phillips, gave an indication about how this subject will be treated. According to his personal opinion, such a regulation should be done “only if necessary and then very carefully.” Being asked whether the U.S. has the right laws in place to regulate technology appropriately, or whether there were any gaps, he replied, “that is a big question we are debating right now in the United States.”

EDPB Publishes Opinions on National DPIA Lists

17. October 2018

Regarding the data protection impact assessment (“DPIA”) the European Data Protection Board (“EDPB”) recently published 22 Opinions on the draft lists of Supervisory Authority (“SAs”) in EU Member States. This is supposed to clarify which processing operations are subject to the requirement of conducting a DPIA under the EU General Data Protection Regulation (“GDPR”).

The European Data Protection Board is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The Supervisory Authorities will now be given two weeks to decide whether they want to amend their draft list or maintain them and explain their decision.

Article 35(4) of the GDPR states that the SAs of the EU Member States must establish, publish and communicate to the EDPB a list of processing operations that trigger the DPIA requirement under the GDPR. Several EU Members States provided their list: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden and the United Kingdom.

The national lists can vary because the SAs must take into account not only their national legislation but also the national or regional context.

To some extent, the EDPB requests that the SAs include processing activities in their list or specify additional criteria that, when combined, would satisfy the DPIA requirement. Furthermore, the EDPB requests that the SAs remove some processing activities or criteria not considered to present a high risk to individuals. The objective of the EDPB opinions is to ensure consistent application of the GDPR’s DPIA requirement and to limit inconsistencies among the EU States with respect to this requirement.

Luxembourg publishes two new Data Protection Laws

24. August 2018

On August 1st, 2018 the Luxembourg government adopted two new data protection laws implementing certain parts of the General Data Protection Regulation (Regulation (EU) 2016/679 – the “GDPR”) and repeals the former data protection law of 2002. Draft Bill Number 7184 and 7168 were adopted and complement the GDPR, which has been in force since 25 May 2018 throughout the European Union.

The newly implemented laws don’t add any further restrictions to the processing of personal data, but rather serve as implementing provisions required under GDPR.

The new Luxembourg Data Protection Law defines the organisation, missions and competence of the Luxembourg data protection authority (Commission nationale pour la protection des données – CNPD) and provides specific requirements or exceptions. The CNPD has been granted broad investigation powers. The CNPD receives for example the right to obtain access from any controller or processor to all personal data and information necessary to verify compliance under GDPR. The CNPD is also in charge to issue warning, orders and fines to any controller or processor who is not compliant under the provisions of the GDPR.

The second new law, the Luxembourg Law on Criminal Data Processing specifically relates to the protection of individuals with regard to the processing of personal data in criminal matters and national security.

The two laws should be read together, as they jointly extend the competences of the CNPD.

Starting with the new implementations, Luxembourg companies are discharged of the administrative burden of an active notification of personal data processing to the CNPD prior to processing personal data. However, companies should be ready to be controlled by the local regulator and therefore they are obliged to keep a record of the processing of personal data that is carried out under their responsibility.

The final versions were published on August 16th, 2018 in the Official Gazette of Luxembourg.

Pages: Prev 1 2 3 ... 10 11 12 13 14 15 16 17 18 19 20 Next
1 10 11 12 13 14 20