Category: European Data Protection
30. August 2016
The ICO just published a statement relating to the fact that WhatsApp is about to share user information with Facebook.
Elizabeth Denham who was appointed Information Commissioner in July 2016, said that “The changes WhatsApp and Facebook are making will affect a lot of people. Some might consider it’ll give them a better service, others may be concerned by the lack of control.” She continued by saying “Our role is to pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared, and protecting consumers by making sure the law is being followed.” Denham concluded “We’ve been informed of the changes. Organisations do not need to get prior approval from the ICO to change their approaches, but they do need to stay within data protection laws. We are looking into this.”
During the IAPP Europe Data Protection Congress taking place on the 7-10 of November in Brussels Denham will contibute and also give a speech.
26. August 2016
Jan Koum, one of WhatsApp’s founders, stated shortly after selling WhatsApp to Facebook in 2014 that the deal would not affect the digital privacy of his mobile messaging service with millions of users.
However, according to the New York Times WhatsApp is about to share user information with Facebook. This week, WhatsApp published a statement saying that it will start to disclose phone numbers and analytics data of its users to Facebook. By doing so, it will be the first time that WhatsApp will connect the data of its users to Facebook.
Furthermoere, due to the fact that WhatsApp begins to built a profitable business after its previous little emphasis on revenue, it is now changing its privacy policy to the extent that WhatsApp wants to allow businesses to contact customers directly through its platform.
WhatsApp commented on the new privacy policy “We want to explore ways for you to communicate with businesses that matter to you, too, while still giving you an experience without third-party banner ads and spam”.
The new privacy policy will allow Facebook to use a users’s phone number to improve other Facebook-operated services like making new Facebook friend suggestions or better-tailored advertising.
However, WhatsApp underlines that neither it nor Facebook will be able to read users’ encrypted messages and emphasizes that individual phone numbers will not be given to advertisers.
Koum explained that “Our values and our respect for your privacy continue to guide the decisions we make at WhatsApp” and went on “It’s why we’ve rolled out end-to-end encryption, which means no one can read your messages other than the people you talk to. Not us, not Facebook, nor anyone else” and concluded “Our focus is the same as it’s always been — giving you a fast, simple and reliable way to stay in touch with friends and loved ones around the world.”
WhatsApp’s new privacy policy raises concerns due to the lack of data protection. Therefore, the president of the Electronic Privacy Information Center, Marc Rotenberg commented that it is about to file a complaint next week with the Federal Trade Commission in order to prevent WhatsApp from sharing users’ data with Facebook. Rotenberg justified this approach as “Many users signed up for WhatsApp and not Facebook, precisely because WhatsApp offered, at the time, better privacy practices” he explained “If the F.T.C. does not bring an enforcement action, it means that even when users choose better privacy services, there is no guarantee their data will be protected.”
25. August 2016
A Belgian Minister of European Parliament wants that the European Commission investigates the App “Pokemon Go” in order to determine whether the App is compliant with European data protection law and furthermore, to warn European citizens of the dangers caused by the App.
Therefore, the respective Minister of European Parliament, Marc Tarabella, commented that the App violates not only the General Data Protection Regulation but furthermore, that it might violate the Europeans E-Privacy Directive due to the fact that the App stores cookies and trackers on users’ smartphones. He added “In their eyes, tracking personal data of people is clearly considered a game and a source of research or revenue” and concluded “In Europe, the protection of privacy remains a fundamental right. We have to react, warn and strongly condemn these massive scams.”
4. August 2016
Recently, the IAPP (International Association for Privacy Professionals) published the results of a survey carried out by Baker & McKenzie regarding the perspectives and expectations that Privacy Professionals have about the changing legislative scope in the field of Data Protection.
The participants were senior managers and individuals involved in the fields of data protection and data security that belonged to multi-national organizations, government agencies, regulatory bodies or policy and academic institutions.
Most of the respondents acknowledge that both, GDPR and Privacy Shield, imply that organizations have to implement an action-plan accordingly. This will imply higher costs and efforts. Furthermore, 70% of the respondents stated that the most difficult requirements of the GDPR to comply with are consent, data mapping and international data transfers. A 45% stated that their organization does not have adequate tools currently to be compliant and implementing the required tools may be involved with significant costs.
Moreover, the majority of the participants recommended organizations to self-certify as soon as possible, so that they would still have nine months to make contractors also comply with the principles. Also, they believe that the Privacy Shield should be complemented by other mechanisms to transfer personal data such as Binding Corporate Rules or Standard Contractual Clauses.
13. July 2016
The EU Commission announced yesterday the formal adoption of the EU-U.S. Privacy Shield. Both, the EU Commission Vice-President, Andrus Ansip, and the EU Commissioner Vera Jourová highlighted the positive impact of the Privacy Shield not only for businesses, but especially for EU citizens, whose right to data protection will be enforced and several mechanisms will implemented in order to safeguard their rights.
The main aspects of the final draft of the EU-U.S. Privacy Shield are:
- U.S. companies handling EU personal data will be subject to stricter obligations. For instance, the American Department of Commerce will review regularly that the participating companies comply in practice with the commitments of the Privacy Shield. In case of incompliance, the company will face not only fines, but will be also removed from the list.
- The U.S. has ensured that bulk collection of EU citizens’ data will be carried out only if certain conditions are met and it will be as targeted and focused as possible. Also, a redress mechanism will be available for EU citizens to solve this kind of issues.
- Individual rights will be effectively protected through the implementation of dispute resolution mechanisms, which will be affordable and accessible for EU citizens. In case that the dispute is not resolved, an arbitration mechanism will be also available. If the dispute refers to U.S. national security Authorities, an independent Ombudsperson will handle the issue.
- The Privacy Shield will be subject to an annual review by the EU Commission and the U.S. Department of Commerce in order to monitor its functioning.
Next steps
The Privacy Shield constitutes an “adequacy decision”. This decision has been notified to the EU Member States by the EU Commission and will enter into force immediately. Additionally, it will also be published on the U.S. Official Journal.
Starting August 1st, the U.S. Department of Commerce will start processing membership requests. This means that companies that wish to certify and become members of the EU-U.S. Privacy Shield will have to review and if appropriate update their privacy programs.
Furthermore, the EU Commission will publish a guidance in order to inform EU citizens about the dispute resolution mechanisms available under the Privacy Shield.
What happens with the GDPR?
The GDPR lays down stricter requirements to carry out international data transfers than those of the Privacy Shield. As the GDPR will enter into force in two years, U.S. companies will have to be compliant also with the requirements of the GDPR.
However, this situation has been already addressed in two directions: on the one hand, the Privacy Shield will be subject to an annual review, as mentioned above; and on the other hand, the Privacy Shield states that its scope of application refers to data transfers and processing of personal data by U.S. companies as far as the processing does not fall under the scope of EU legislation.
12. July 2016
On the 6th July 2016, the Vice-President of the EU Commission, Andrus Ansip, and Commissioner Günther H. Oettinger announced the approval of the NIS Directive, this is the Directive on Security of Network and Information Systems.
NIS Directive is one of the main legislative proposals in the context of the Cybersecurity Strategy developed by the EU and focuses on the following aspects:
- The development of a national system to face cybersecurity attacks such as a Computer Security Incident Response (CSIRT) and a competent authority in cybersecurity issues.
- A strategic cooperation mechanism between Member States and a development of a CSIRT Network in order to share information about risks.
- To promote a culture of IT-security in all industry sectors, especially those identified as being “operators of essential services”. This also means to adopt adequate incident response plans. The Directive will apply also to digital service providers such as cloud computing, search engines and e-commerce businesses.
The Directive will enter into force in August 2016 and EU Member States will have 21 months to implement it into their national laws.
11. July 2016
On the 8th July 2016, the Vice-President of the EU Commission, Andrus Ansip, and the Commissioner Vera Jourová announced in a joint statement that the EU Member States have approved the updated draft of the EU-U.S. Privacy Shield. However, Austria, Bulgaria, Croatia, and Slovenia abstained from voting.
The statement remarks that the Privacy Shield will ensure a high data protection level for EU citizens, because it imposes stronger obligations for U.S. companies. Specially regarding the bulk collection of personal data from EU citizens by American authorities.
The formal adoption of the Privacy Shield is expected this week.
Although the EU-U.S. Privacy Shield has been approved, the legality of the agreement could be challenged, as occurred with the former Safe Harbor Framework.
4. July 2016
The EU Commission and American negotiators reached last week an agreement regarding the final draft of the EU-U.S. Privacy Shield. Now, the EU Commission has sent this draft to the Article 31 WP, who is expected to issue an opinion by tomorrow. If so, the EU-U.S. Privacy Shield will be implemented by the end of this week. Also, the final draft has been sent to the EU Parliament. The EU Parliament can issue an opinion, but cannot block its approval.
The Article 31 WP will meet today to review the text. Normally, the committee has two weeks to issue an opinion but the EU Commission expects an approval already this week.
28. June 2016
After several months of negotiations regarding the legitimating instruments to carry out international data transfers, EU and U.S. negotiators agreed last week on the final changes of the proposed EU-U.S. Privacy Shield.
The initial draft of the EU-U.S. Privacy Shield was criticized by several European Institutions such as the Article 29 WP, the EDPS, Article 31 WP and the UK Data Protection Authority (ICO) for not offering enough safeguards for EU citizens regarding the protection of their personal data upon data transfers to the U.S.
The main critic of the EU-U.S. Privacy Shield was focused on the independency of the ombudsman and on the massive surveillance activities from American Authorities. Additionally, a follow up control mechanism regarding compliance with the EU-U.S. Privacy Shield was required by European negotiators.
EU and U.S. negotiators have agreed to improve the above mentioned aspects in order to ensure more guarantees on the protection of EU citizens’ personal data:
- The White House committed in writing to collect EU personal data only under certain circumstances and for targeted purposes.
- Data retention periods have been defined concretely: organizations will be obliged to delete personal data that is no longer needed for the purposes for which it was originally collected.
- The proposal will include a specification that the ombudsman will be an independent institution.
As a next step, the Article 31 WP, made up of representatives of the EU Member States, will decide if the amended text complies with European Data Protection legislation. Both, the EU Commission and the U.S. Government hope that the EU-U.S. Privacy Shield enters into force by August 2016.
Implications for the UK
After UK citizens have voted to leave the EU, a two-year-negotiation between the EU and the UK Government will take place. During this time, UK organizations will have to comply with European legislation, also regarding international data transfers. When the UK ceases to be an EU Member State, it will be considered as being a third country in terms of international data transfers and will have to ensure enough safeguards regarding the protection of personal data.
6. June 2016
On the 2nd June, the so called “Umbrella-Agreement” was signed between the EU and the U.S. This agreement aims at creating a cooperation framework between the EU and the U.S. regarding criminal law enforcement and the prevention of serious crime and terrorism.
Personal data covered under this agreement includes data exchanged between police and criminal Authorities of the EU Member States and the US Authorities for the purpose of prevention, investigation, detection and prosecution of criminal offences as well as terrorist acts. The data transfers will be carried out according to the existing legal frameworks and enough safeguards will be provided.
The agreement provides EU citizens an equal treatment with U.S. citizens before American courts regarding judicial redress and a full respect for fundamental rights.
However, this agreement does not provide a legal basis for data transfers but it is a complement to the existing and future frameworks between law enforcement authorities.
