Category: European Union

EDPB: One year – 90.000 Data Breach Notifications

20. May 2019

Because of the GDPR’s first anniversary the EDPB published a new report that looks back on the first year GDPR.

Besides other findings of the report, the EDPB states that the national supervisory authorities received in total 281.088 complaints. 89.271 data breach notifications, 144.376 GDPR-related complaints and 47.441 other. Three month ago the number of received complaints were in total 206.326, 64.484 data breach notifications, 94.622 GDPR-related complaints from data subjects and 47.020 other. These number of complaints prove that the complaints have (on average) increased in the last three month.

At the time of the EDPB report 37% of the complaints are ongoing and 0,1% of the fined companies appealed against the decision of the supervisory authority. The other 62,9% were already closed. This proves that in contrast to the report after nine month, 2/3 of the complaints have been processed in the meantime. Three month ago only 52% were closed.

Referring to the EDPB report from three month ago, fines totalling € 55.955.871 were awarded for the detected violations by 11 authorities. With this high sum, however, it must be noted that € 50 million was imposed on Google alone. The current EDPB-report does not include a passage on fines.

All in all, the increase in queries and complaints, compared to the previous years, confirm the risen awareness on data protection. According to the Eurobarometer 67% of EU citizens have heard of the GDPR, 36% indicated that they are aware of the GDPR entails and 57% know about the existence of a public authority.

German Court’s Decision on the Right of Access

9. April 2019

Just recently, a German Labour Court (LAG Baden-Württemberg) has decided on the extent of Article 15 of the European General Data Protection Regulation (GDPR) with regard to the information that is supposed to be handed out to the data subject in case such a claim is made.

The decision literally reflects the wording of Art. 15 (1) GDPR which, amongst other things, requires information on

  • the purposes of data processing,
  • the categories of personal data concerned,
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
  • where the personal data are not collected from the data subject, any available information as to their source.

In contrast to the previous views of the local data protection authorities, which – in the context of information about recipients of personal data – deem sufficient that the data controller discloses recipient categories, the LAG Baden-Württemberg also obliged the data controller to provide the data subject with information about each individual recipient.

In addition, the LAG Baden-Württemberg ordered the data controller to make available to the data subject a copy of all his personal performance data. However, the court did not comment on the extent of copies that are to be made. It is therefore questionable whether, in addition to information from the systems used in the company, copies of all e-mails containing personal data of the person concerned must also be made available to the data subject.

Since the court has admitted the appeal to the Federal Labour Court (BAG) regarding this issue, it remains to be seen whether such an approach will still be valid after a Federal Labour Court decision.

The EU Commission fined Google 1.49 billion euros regarding antitrust case

21. March 2019

On Wednesday Google was fined 1.49 billion euros by the European Commission in connection with hindering competitors in the online advertising business.

The accusation is that Google has illegally made use of its market dominance.The company inflicted a number of exclusivity clauses in contracts with third-party websites which prevented the company’s competitors from positioning their search adverts on these websites. This concerns a small area in Google’s “advertising machinery”. But still, as a result, other advertisers and website owners “had less choice and likely faced higher prices that would be passed on to consumers,” claimed the EU’s competition commissioner, Margrethe Vestager.

In the last two years, this represents the third time that Europe’s antitrust regulators, lead by Danish competition commissioner Margarethe Vestagers, fined the tech company. Google has appealed against the two previous fines. The first fine (2.42 billions euros) was for manipulating online shopping results and directing visitors to its comparison-shopping service at the expense of its contestants. The second one amounting to 4.34 billion euros concerned mobilephone producers that were forced to use Google’s Android operating system to install the company’s search and browser apps.

Category: EU · EU Commission · European Union · General
Tags:

The European Data Protection Board presents Work Program for 2019/2020

14. February 2019

On February 12, 2019 the European Data Protection Board (EDPB) released on their website a document containing a two-year Work Program.

The EDPB acts as an independent European body and is established by the General Data Protection Regulation (GDPR). The board is formed of representatives of the national EU and EEA EFTA data protection supervisory authorities, and the European Data Protection Supervisor (EDPS).

The tasks of the EDPB are to issue guidelines on the interpretation of key ideas of the GDPR as well as the ruling by binding decisions on disputes regarding cross-border processing activities. Its objective is to ensure a consistent application of EU rules to avoid the same case potentially being dealt with differently across various jurisdictions. It promotes cooperation between EEA EFTA and the EU data protection supervisory authorities.

The EDPB work program is based on the needs identified by the members as priority for individuals, stakeholders, as well as the EU legislator- planned activities. It contains Guidelines, Consistency opinions, other types of activities, recurrent activities and possible topics.

Furthermore, the EDPB released an information note about data transfers if a no-deal Brexit occurs. As discussed earlier, in this case the UK will become a so-called “third country” for EU member countries beginning from March 30. According to the UK Government, the transfer of data from the UK to the EEA will remain unaffected, permitting personal data to flow freely in the future.

Brexit: Impact on data protection after “May’s deal” has been rejected

18. January 2019

Prime Minister Theresa May’s draft withdrawal agreement to regulate Brexit was rejected by a clear majority of parliamentarians on 15th January. The draft withdrawal agreement has been agreed in November 2018 by the United Kingdom (UK) and the European Union (EU) – we reported: Brexit: Draft withdrawal agreement – GDPR remains applicable for foreseeable future – containing a transition period of 21-months in order to facilitate business sectors in their planning. Because of the recent rejection of the withdrawal agreement by the British Parliament, the scenario of the UK disorderly leaving the EU has now become quite likely. Among various economic and EU law issues, Brexit has also a concrete impact on data protection.

In case of a Brexit without corresponding transitional rules, the UK would be regarded as a third country under the General Data Protection Regulation of the EU (GDPR) as of 29th March 2019. This was also confirmed by Prof. Dr. Dieter Kugelmann, the State Data Protection Officer of Rheinland-Pfalz: “The fact is that the United Kingdom will become a “third country” within the meaning of the GDPR after leaving the EU.” Thus, an adaquacy decision would be required to transfer personal data of EU citizens or from the EU to the UK in the absence of any other mechanisms ensuring an adequate level of data protection according to Art. 44 ff. GDPR.

Since many companies currently transfer customer or employee data to the UK as well as a lot of data centres of service providers are located there, the Brexit will cause a need for adaption in terms of data protection matters. After the Brexit these Companies must ensure that there is an adequate legal basis for the relevant data transfers to the UK. Furthermore, according to Art. 13, 14 GDPR, the data subjects must be informed regarding the transfer of personal data outside the EU/EEA. All privacy policies on websites, privacy notices to employees etc. therefore would have to be adjusted. In the event of a data subject’s request for information, Art. 15 GDPR stipulates that the data subject must be informed about the transfer of his/her personal data to a third country. When personal data are transferred to the UK deemed as a third country, companies would eventually have to adjust their records of processing activities pursuant to Art. 30 GDPR.

It is recommended that in particular those companies transferring a lot of personal data to the UK at least are aware of these potentially required adaptations in order to further ensure compliance with EU data protection laws. As the GDPR, principally does not privilege any group of companies, the aforementioned recommendation also apply to data flows within such groups.

Uber to pay another fine for 2016 data breach

27. December 2018

Uber’s major data breach of 2016 still has consequences as it has also been addressed by the French Data Protection Authority “CNIL”.

As reported in November 2017 and September 2018, the company had tried to hide that personal data of 50 million Uber customers had been stolen and chose to pay the hackers instead of disclosing the incident to the public.

1,4 million French customers were affected as well which is why the CNIL has now fined Uber 400K Euros (next to the settlement with the US authorities amounting to $148 Million).

The CNIL came to find out that the breach could have been avoided by implementing certain basic security measures such as stronger authentication.

Great Britain and the Netherlands have also already imposed a fine totalling €1 million.

Guidelines for Binding Corporate Rules issued in Argentina

18. December 2018

The Argentine Authority of Access to Public Information (Agencia de Acceso a la Información Pública – AAIP) has recently issued its guidelines for Binding Corporate Rules (BCRs) on international data transfer. The Binding Corporate Rules are a mechanism for multinational corporations to legitimize international transfers of personal data within the group. This tool for creating a contractually binding “code of conduct” regarding international data transfers was evolved in the EU and has also been incorporated expressly in Article 47 GDPR. BCRs have been designed as a global solution to comply with the principles of data protection and thus create an adequate level of data protection (cf. Art. 44, 47 GDPR).

Like the GDPR, the Argentine Personal Data Protection Law No. 25, 326 does not permit the cross-border transfer of personal data to countries or international organizations that do not provide an adequate level of data protection. Such transfers would be allowed in accordance with Regulatory Decree No. 1558/2001 when the data subjects expressly gave their consent to the transfer; an appropriate international data transfer agreement is in place; or an adequate protection level arises from self-regulation systems.

According to Regulation 159/2018 published Dec. 7, 2018, the AAIP has now approved guidelines for such BCRs that legitimize international data transfer to countries or international organizations that have not been recognized as providing an adequate level of data protection.

These guidelines provide a framework of principles for a self-regulation mechanism reflecting the requirements and conditions imposed by the Argentine Personal Data Protection Law. The rules of the self-regulation system have to be legally binding upon all members of the corporate group as well as employees, subcontractors and third-party beneficiaries (e.g. data subjects, AAIP). Among other things, those BCRs must consider lawfulness conditions of processing, data subjects’ rights and specific protection concerning sensitive aspects. Furthermore, the subsequent cross-border data transfer to those entities providing a non-adequate level of data protection shall be restricted, data subjects shall be able to place a judicial or administrative complaint and under the BCRs must an appropriate staff data protection training has to take place with regard to data processing activities.

The AAIP shall eventually be entitled to engage in international data transfers originating from an Argentine entity as data exporter and – as third-party beneficiary – in those cases in which personal data of subjects in Argentina is affected.

However, the approval of the AAIP of BCRs that follow the requirements of Regulation No. 159/2018 is not required. In the case a group of companies would rely on BCRs that differ from those conditions though, the relevant documents need to be submitted to the AAIP for approval within the term of 30 calendar days from the date that the transfer took place.

As a valid mechanism to legitimize the international transfer of data within a group of companies, the use of BCRs is been reasonably expected to increase when it comes to in Argentina.

Brexit: Draft withdrawal agreement – GDPR remains applicable for foreseeable future

23. November 2018

Last week the U.K. and EU could conclude a draft withdrawal agreement for the United Kingdom to leave the European Union as of 30th March 2019. The agreement covers the “divorce” of both of them and a non-binding political statement concerning their ideas for the future relations. The declaration is referring to a commitment regarding an ambitious free trade agreement, containing areas including financial services, continued free flow of data, and other subjects relating to the EU such as defense matters have been picked up.

After the U.K. will have left the EU in March 2019 a 21-month transition period is planned in order to facilitating business sectors in their planning. Thus, at least until the beginning of 2021, EU regulations would remain effective keeping the U.K. in the single market and Customs Union. However, this time frame could also be extended by common agreement.

With regard to data protection, the withdrawal agreement directly addresses data protection and security issues in Articles 70 to 74. These provisions stipulate that EU data protection rules, including the GDPR, shall apply in the U.K. when using personal data of data subjects outside the United Kingdom exchanged before the end of the transition period. Furthermore, after the end of the transition period, the U.K. is obliged to further apply these EU rules to the processing of “EU personal data”, until the U.K. data protection laws to be enacted ensure an adequate level of data protection which is “essentially equivalent” to that of the EU.  In the process of becoming subject to this formal adequacy decision to be established by the EU Commission the U.K.’s applicable data protection regime has to be assessed in the first place. In the event of annulling or repealing the adequacy decision, the provisions of the withdrawal agreement would be relevant for the EU personal data transferred to the U.K. to ensure the same “essentially equivalent” standard of data protection directly.

In other words, under the concluded agreement, the GDPR as well as the corresponding Data Protection Act would remain the applicable data protection law in the U.K. for the foreseeable future.

EDPB Publishes Opinions on National DPIA Lists

17. October 2018

Regarding the data protection impact assessment (“DPIA”) the European Data Protection Board (“EDPB”) recently published 22 Opinions on the draft lists of Supervisory Authority (“SAs”) in EU Member States. This is supposed to clarify which processing operations are subject to the requirement of conducting a DPIA under the EU General Data Protection Regulation (“GDPR”).

The European Data Protection Board is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The Supervisory Authorities will now be given two weeks to decide whether they want to amend their draft list or maintain them and explain their decision.

Article 35(4) of the GDPR states that the SAs of the EU Member States must establish, publish and communicate to the EDPB a list of processing operations that trigger the DPIA requirement under the GDPR. Several EU Members States provided their list: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden and the United Kingdom.

The national lists can vary because the SAs must take into account not only their national legislation but also the national or regional context.

To some extent, the EDPB requests that the SAs include processing activities in their list or specify additional criteria that, when combined, would satisfy the DPIA requirement. Furthermore, the EDPB requests that the SAs remove some processing activities or criteria not considered to present a high risk to individuals. The objective of the EDPB opinions is to ensure consistent application of the GDPR’s DPIA requirement and to limit inconsistencies among the EU States with respect to this requirement.

Database operators in Sweden exempt from GDPR

24. August 2018

With the GDPR coming into effect, enterprises in Sweden will also be subject to complying with the European principles and adhering to the GDPR.

However, new amendments and changes to the country’s constitution will be required to harmonise existing laws.

Due to the fact that Sweden emphasizes freedom of press and speech, it will initially make exemptions in cases where elements don’t comply with its Freedom of the Press Act of 1766.

As a consequence, current laws give database operators a broad freedom to gather and release personal data enabling them to collect and distribute personal information from a broad range of sources, including the national tax office.

The database operators and online publishers Eniro, Ratsit and Hitta are some of the companies that will be exempt until an expert group has drafted new and stricter legislation regarding the processing of personal data by these.

It is expected that the relevant laws will be amended in the first half of 2019.

Pages: 1 2 Next
1 2