Category: European Data Protection

How to be prepared for the GPDR in 13 Steps

26. September 2016

Last week, the Belgian Data Protection Authority “Privacy Commission”, published Guidelines containing 13 Steps that will help organizations in order to prepare for the EU General Data Protection Regulation. The Guidelines were published in French and in Dutch.

The Belgian Data Protection Authority recommended to follow the steps shown below in order to be compliant with the GDPR:

  • Awareness: Instruct the relevant persons about the upcoming changes.
  • Internal Records: Document the stored data, where it came from and to whom it is transfered.
  • Privacy Notice: Review and update the Privacy Notice.
  • Individuals’ Rights: Check existing procedures in order to comply with individuals’ rights.
  • Access Requests: Review current procedures about access requests. Consider how these requests will be handled in accordance with the new GDPR time limits.
  • Legal Basis: Document all data processing procedures. Demonstrate the respective legal basis for each data processing procedure.
  • Consent: Review how consent is collected and recorded.
  • Children’s Personal Data: Plan procedures in order to verify the ages of individuals. Determine how to gather parental or legal guardian consent for processing procedures that involve children’s data.
  • Data Breach: Guarantee that procedures are implemented on how to handle data breaches.
  • Data Protection by Design and Data Protection Impact Assessments: Check these concepts. Consider how to implement them.
  • Data Protection Officer: Appoint and review the Data Protection Officer.
  • International: Check which Data Protection Authority will be responsible for you.
  • Existing Contracts: Review the current contracts.

Do Europeans care more about their data than Americans?

22. September 2016

Recode just published an interview with Margrethe Vestager, Europeans Commissioner for Competition, talking about her impression that Europeans care more about their data than Americans.

First, she elaborates that Europe has historically been more critical towards new technology practices such as data collection. In this context, Vestager said “I am an economist, so I know that there is no such thing as a free lunch” she went on “You pay with one currency or another — either cents, or you pay with your data, or you pay with the advertisements that you accept. And I think people are becoming more and more aware of the fact that their personal data do have a value.”

Vestager underlined her point of view that Europeans care more about their data than Americans by saying “What we see in Europe is that a huge proportion of citizens find that they are not in control” she added “They distrust the companies to protect their data, and I think that is very bad, because then there is a risk of withdrawing from all the benefits of our digital economy. And in order to build up trust I think it is very important that we enforce privacy rules, that we get privacy by design in new services, so that privacy is not just an add-on, that it is very basic.”

Therefore, according to Vestager the Europeans have a greater need to protect their data than Americans.

Trust in current mechanisms to carry out international data transfer decreases

1. September 2016

According to a survey conducted recently by the International Association of Privacy Professionals (IAPP), trust in current legal mechanisms to carry out data transfers to third countries, such as Standard Contractual Clauses and the EU-U.S. Privacy Shield, has decreased.

The results of this survey reveal that 80 percent of companies relies on the Standard Contractual Clauses approved by the EU Commission to carry out international data transfers, especially to the U.S.A. However, there is currently uncertainty regarding the validity of the Standard Contractual Clauses, which may be also invalidated by the ECJ, as already occurred with the former Safe Harbor framework.

Regarding the EU-U.S. Privacy Shield, which is operative since 1st August, the survey reveals that only 42 percent of U.S. companies plan to self-certify through this new framework, compared to the 73 percent that conducted self-certification with the Safe Harbor framework. The main reason for this may be related to the uncertainty regarding its validity. The Article 29 WP stated recently that the first annual review of the Privacy Shield will be decisive.

Finally, Binding Corporate Rules (BCR) are also used by companies to carry out intra-group data transfers. However, there are several reasons why not many companies implement them. One of these reasons relates to the high costs involved with the implementation. Moreover, the implementation process can last over one year. Also, BCR can be only used for international data transfers within the group, so that other mechanisms shall be used if data transfers outside the group take place.

ICO: Statement on WhatsApp sharing information with Facebook

30. August 2016

The ICO just published a statement relating to the fact that WhatsApp is about to share user information with Facebook.

Elizabeth Denham who was appointed Information Commissioner in July 2016, said that “The changes WhatsApp and Facebook are making will affect a lot of people. Some might consider it’ll give them a better service, others may be concerned by the lack of control.” She continued by saying “Our role is to pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared, and protecting consumers by making sure the law is being followed.” Denham concluded “We’ve been informed of the changes. Organisations do not need to get prior approval from the ICO to change their approaches, but they do need to stay within data protection laws. We are looking into this.”

During the IAPP Europe Data Protection Congress taking place on the 7-10 of November in Brussels Denham will contibute and also give a speech.

WhatsApp will share user information with Facebook

26. August 2016

Jan Koum, one of WhatsApp’s founders, stated shortly after selling WhatsApp to Facebook in 2014 that the deal would not affect the digital privacy of his mobile messaging service with millions of users.

However, according to the New York Times WhatsApp is about to share user information with Facebook. This week, WhatsApp published a statement saying that it will start to disclose phone numbers and analytics data of its users to Facebook. By doing so, it will be the first time that WhatsApp will connect the data of its users to Facebook.

Furthermoere, due to the fact that WhatsApp begins to built a profitable business after its previous little emphasis on revenue, it is now changing its privacy policy to the extent that WhatsApp wants to allow businesses to contact customers directly through its platform.

WhatsApp commented on the new privacy policy “We want to explore ways for you to communicate with businesses that matter to you, too, while still giving you an experience without third-party banner ads and spam”.

The new privacy policy will allow Facebook to use a users’s phone number to improve other Facebook-operated services like making new Facebook friend suggestions or better-tailored advertising.

However, WhatsApp underlines that neither it nor Facebook will be able to read users’ encrypted messages and emphasizes that individual phone numbers will not be given to advertisers.

Koum explained that “Our values and our respect for your privacy continue to guide the decisions we make at WhatsApp” and went on “It’s why we’ve rolled out end-to-end encryption, which means no one can read your messages other than the people you talk to. Not us, not Facebook, nor anyone else” and concluded “Our focus is the same as it’s always been — giving you a fast, simple and reliable way to stay in touch with friends and loved ones around the world.”

WhatsApp’s new privacy policy raises concerns due to the lack of data protection. Therefore, the president of the Electronic Privacy Information Center, Marc Rotenberg commented that it is about to file a complaint next week with the Federal Trade Commission in order to prevent WhatsApp from sharing users’ data with Facebook. Rotenberg justified this approach as “Many users signed up for WhatsApp and not Facebook, precisely because WhatsApp offered, at the time, better privacy practices” he explained “If the F.T.C. does not bring an enforcement action, it means that even when users choose better privacy services, there is no guarantee their data will be protected.”

 

Request for European Commission to investigate “Pokemon Go”

25. August 2016

A Belgian Minister of European Parliament wants that the European Commission investigates the App “Pokemon Go” in order to determine whether the App is compliant with European data protection law and furthermore, to warn European citizens of the dangers caused by the App.

Therefore, the respective Minister of European Parliament, Marc Tarabella, commented that the App violates not only the General Data Protection Regulation but furthermore, that it might violate the Europeans E-Privacy Directive due to the fact that the App stores cookies and trackers on users’ smartphones. He added  “In their eyes, tracking personal data of people is clearly considered a game and a source of research or revenue” and concluded “In Europe, the protection of privacy remains a fundamental right. We have to react, warn and strongly condemn these massive scams.”

Survey results about the impact of the GDPR and the EU-U.S. Privacy Shield published

4. August 2016

Recently, the IAPP (International Association for Privacy Professionals) published the results of a survey carried out by Baker & McKenzie regarding the perspectives and expectations that Privacy Professionals have about the changing legislative scope in the field of Data Protection.

The participants were senior managers and individuals involved in the fields of data protection and data security that belonged to multi-national organizations, government agencies, regulatory bodies or policy and academic institutions.

Most of the respondents acknowledge that both, GDPR and Privacy Shield, imply that organizations have to implement an action-plan accordingly. This will imply higher costs and efforts. Furthermore, 70% of the respondents stated that the most difficult requirements of the GDPR to comply with are consent, data mapping and international data transfers. A 45% stated that their organization does not have adequate tools currently to be compliant and implementing the required tools may be involved with significant costs.

Moreover, the majority of the participants recommended organizations to self-certify as soon as possible, so that they would still have nine months to make contractors also comply with the principles. Also, they believe that the Privacy Shield should be complemented by other mechanisms to transfer personal data such as Binding Corporate Rules or Standard Contractual Clauses.

EU Commission announces formal adoption of the EU-U.S. Privacy Shield

13. July 2016

The EU Commission announced yesterday the formal adoption of the EU-U.S. Privacy Shield. Both, the EU Commission Vice-President, Andrus Ansip, and the EU Commissioner Vera Jourová highlighted the positive impact of the Privacy Shield not only for businesses, but especially for EU citizens, whose right to data protection will be enforced and several mechanisms will implemented in order to safeguard their rights.

The main aspects of the final draft of the EU-U.S. Privacy Shield are:

  • U.S. companies handling EU personal data will be subject to stricter obligations. For instance, the American Department of Commerce will review regularly that the participating companies comply in practice with the commitments of the Privacy Shield. In case of incompliance, the company will face not only fines, but will be also removed from the list.
  • The U.S. has ensured that bulk collection of EU citizens’ data will be carried out only if certain conditions are met and it will be as targeted and focused as possible. Also, a redress mechanism will be available for EU citizens to solve this kind of issues.
  • Individual rights will be effectively protected through the implementation of dispute resolution mechanisms, which will be affordable and accessible for EU citizens. In case that the dispute is not resolved, an arbitration mechanism will be also available. If the dispute refers to U.S. national security Authorities, an independent Ombudsperson will handle the issue.
  • The Privacy Shield will be subject to an annual review by the EU Commission and the U.S. Department of Commerce in order to monitor its functioning.

Next steps

The Privacy Shield constitutes an “adequacy decision”. This decision has been notified to the EU Member States by the EU Commission and will enter into force immediately. Additionally, it will also be published on the U.S. Official Journal.

Starting August 1st, the U.S. Department of Commerce will start processing membership requests. This means that companies that wish to certify and become members of the EU-U.S. Privacy Shield will have to review and if appropriate update their privacy programs.

Furthermore, the EU Commission will publish a guidance in order to inform EU citizens about the dispute resolution mechanisms available under the Privacy Shield.

What happens with the GDPR?

The GDPR lays down stricter requirements to carry out international data transfers than those of the Privacy Shield. As the GDPR will enter into force in two years, U.S. companies will have to be compliant also with the requirements of the GDPR.

However, this situation has been already addressed in two directions: on the one hand, the Privacy Shield will be subject to an annual review, as mentioned above; and on the other hand, the Privacy Shield states that its scope of application refers to data transfers and processing of personal data by U.S. companies as far as the processing does not fall under the scope of EU legislation.

NIS Directive has been adopted by the EU Commission

12. July 2016

On the 6th July 2016, the Vice-President of the EU Commission, Andrus Ansip, and Commissioner Günther H. Oettinger announced the approval of the NIS Directive, this is the Directive on Security of Network and Information Systems.

NIS Directive is one of the main legislative proposals in the context of the Cybersecurity Strategy developed by the EU and focuses on the following aspects:

  • The development of a national system to face cybersecurity attacks such as a Computer Security Incident Response (CSIRT) and a competent authority in cybersecurity issues.
  • A strategic cooperation mechanism between Member States and a development of a CSIRT Network in order to share information about risks.
  • To promote a culture of IT-security in all industry sectors, especially those identified as being “operators of essential services”. This also means to adopt adequate incident response plans. The Directive will apply also to digital service providers such as cloud computing, search engines and e-commerce businesses.

The Directive will enter into force in August 2016 and EU Member States will have 21 months to implement it into their national laws.

The EU-U.S. Privacy Shield has been approved

11. July 2016

On the 8th July 2016, the Vice-President of the EU Commission, Andrus Ansip, and the Commissioner Vera Jourová announced in a joint statement that the EU Member States have approved the updated draft of the EU-U.S. Privacy Shield. However, Austria, Bulgaria, Croatia, and Slovenia abstained from voting.

The statement remarks that the Privacy Shield will ensure a high data protection level for EU citizens, because it imposes stronger obligations for U.S. companies. Specially regarding the bulk collection of personal data from EU citizens by American authorities.

The formal adoption of the Privacy Shield is expected this week.

Although the EU-U.S. Privacy Shield has been approved, the legality of the agreement could be challenged, as occurred with the former Safe Harbor Framework.

Pages: Prev 1 2 3 4 5 6 7 8 9 Next
1 4 5 6 7 8 9