Category: European Union

The EU Whistleblowing Directive – An Overview

29. September 2021

The EU Whistleblower Directive was published in December 2019 and introduces minimum standards for the protection of individuals reporting breaches of EU law governing different areas of public interest, which are specified in the annex to the EU Whistleblower Directive. These include inter alia privacy and personal data protection as well as security of network information systems. The Directive aims to protect individuals who have become aware of such breaches in a work-related context, irrespective of their status from an employment law prospective. Employees, civil servants, self-employed service providers, freelance workers as well as volunteers and trainees and even shareholders will now be protected under the Whistleblower Directive.

Status of implementation in the EU Member states

EU member states are obliged to adapt the Whistleblower Directive into national law until December 17th, 2021. So far, the implementation is in process for at least 21 Member States.

Legislative proposals have been drafted in the following member states, and are up for discussion in their respective parliaments:

  • Belgium,
  • the Czech Republic,
  • Denmark,
  • France,
  • Romania,
  • the Netherlands.

First legislative steps have been taken in the following member states, where drafts are currently being planned or prepared:

  • Bulgaria,
  • Croatia,
  • Estonia,
  • Finland,
  • Greece,
  • Ireland,
  • Latvia,
  • Lithuania,
  • Poland,
  • Portugal.

Slovakia and Slovenia have enacted laws in first reaction to the Directive, however new laws for a full implementation are underway. In Germany, there is currently no comprehensive law that implements the Whistleblower Directive. At the time of this writing, a number of proposals are in development. The concrete implementation of the Directive in Germany has remained controversial between the governing parties. A draft bill of the Whistleblower Protection Act (Hinweisgeberschutzgesetz) submitted by the Federal Ministry of Justice was rejected within the government at the end of April 2021 because it provided for stricter regulations than the EU Directive.  A new draft is yet to be passed on to the next stage.

Naturally, operating channels and procedures for internal reporting of EU law breaches will inevitably involve the processing of personal data, and the EU legislators were clearly aware of the consequences, as the Whistleblower Directive generally states that any processing of personal data pursuant to the Whistleblower Directive must be carried out in accordance with EU data protection law and the General Data Protection Regulation (GDPR) in particular.

What this means for companies in the EU

In order for companies to understand how to comply with the EU Whistleblower Directive, it is important for businesses to keep the following data protection elements in mind:

  • Handle reports and the personal data of the reporter/whistleblower according to the principles of Art. 5 GDPR: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability;
  • Have a legal basis for the processing of personal data and whistleblower reports (in this case Art. 6 para. 1 lit. c GDPR plus if applicable national data protection law in conjunction with the EU Whistleblower Directive);
  • Purpose limitation and data minimization for reports through Privacy by Design and Default (configuration of the reporting tool in a way that allows only data relevant to the report to be collected, irrelevant data should be deleted without undue delay);
  • Limit access to the reports by responsible employees only based on a strict and detailed authorization concept (Need-to-Know basis);
  • Ensure that the identity of the reporter/whistleblower remains confidential;
  • Inform all (potential) reporters/whistleblowers about the data processing activity in relation to the report and the following investigation process according to Art. 13 GDPR and the protection of their identity (preferably implemented in the reporting tools, so that the reporter/whistleblower is properly informed);
  • Documentation of the processing activity in a Record of Processing Activities according to Art. 30 GDPR;
  • Enter into GDPR compliant Data Processing Agreements with relevant service providers, if applicable;
  • Have applicable and GDPR compliant Technical and Organizational Measures in place;
  • Have a Retention Schedule in place (recommended deletion of personal data within two months after completion of the investigation unless legal proceedings follow);
  • Keep reports local unless necessary to disclose to other group entities due to the reports affecting other locations.

To date, there is very little official guidance available from EU data protection regulators. Sooner or later, EU data protection regulators will have to either issue updated guidance before the transposition laws at EU Member State level kick in or will encourage industry stakeholders to draw up a code of conduct for whistleblower reporting.

On the business side, successful implementation can protect your business and promote a better workplace culture. The Directive establishes three options for the reporting of information by whistleblowers:

  • Internal reporting channel within the business which are mandatory according to the Directive for businesses with 50 or more employees,
  • External reporting Channels facilitated through relevant authorities on a national or EU-level,
  • Under certain circumstances, the whistleblower can decide to publicly report the information, e.g. via social media.

These channels can either be:

  • Written – online reporting platform, email or post,
  • Verbal – phone hotline with messaging system or in-person.

We recommend staying updated on the developments on the EU Whistleblower Directive and the status of implementation within the EU member states. In the meantime, if you have questions on how the EU Whistleblower Directive might impact your business in Germany and the EU, do not hesitate to contact us.

New EU SCC must be used as of now

In June 2021, the European Commission published the long-awaited new Standard Contractual Clauses (SCC) for the transfers of personal data to so-called third countries under the General Data Protection Regulation (GDPR) (please see our blog post). These new SCC modules replace the three 10-year-old SCC sets that were adopted under the EU Data Protection Directive 95/46/EC and thus could not meet the requirements of the GDPR for data transfers to third countries, nor the significant Schrems II ruling of July 16th, 2020 (please see our blog post). The transfer of data to third countries has not only recently become problematic and a focus of supervisory authorities.

As of Monday, September 27th, 2021, these new SCC must be used for new contracts entered into after September 26th, 2021, and for new processing activities that begin after September 26th, if the contract or processing activity involves the transfer of personal data to so-called inadequate third countries. These are countries outside of the European Economic Area (EEA) not deemed to have an adequate level of data protection by an adequacy decision of the European Commission.

Contracts signed before September 27th, 2021, based on the old SCC will still be considered adequate until December 27th, 2022. For these contracts, the old SCCs already signed can be maintained in the meantime as long as the processing of personal data that is the subject of the contract in question does not change. The SCC used for these contracts must be updated to the new SCC, or other data transfer mechanisms in accordance with the GDPR, by December 27th, 2022. As of that date, all SCC used as safeguards for data transfers to inadequate third countries must be the new SCC.

CNIL fines Monsanto 400,000 € for GDPR violations

29. July 2021

France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a fine of 400,000 € on the U.S.-based biotechnology corporation Monsanto Company for contravention of Article 14 GDPR regarding the information of data subjects about the collection of their personal data and Article 28 GDPR concerning contractual guarantees which lay down relations with a data processor.

In May 2019, several media outlets revealed that Monsanto was in possession of a file containing personal data of more than 200 political figures or members of civil society (e.g. journalists, environmental activists, scientists or farmers). The investigations carried out by the CNIL disclosed that the information had been collected for lobbying purposes. The individuals named on this “watch list” were Monsanto’s opponents and critics from several European countries, meant to be “educated” or “monitored”. This strategy should have influenced the debate and public opinion on the renewal of the authorization of glyphosate in Europe, a controversial active substance contained in Monsanto’s best-known product for weed control. The reason for the still current scientific controversy is the causation of diseases by glyphosate, most notably cancer.

The file included, for each of the individuals, personal data such as organization, position, business address, business phone number, cell phone number, business email address, and in some cases Twitter accounts. In addition, each person was given a score from 1 to 5 to evaluate their influence, credibility, and support for Monsanto on various issues such as pesticides or genetically modified organisms.

It should be noted that the creation of contact files by stakeholders for lobbying purposes is not illegal per se. While it is not necessary to obtain the consent of the data subjects, the data have to be lawfully collected and the individuals have to be informed of the processing.

In imposing the penalty, the CNIL considered that Monsanto had failed to comply with the provisions of the GDPR by not informing the data subjects about the storage of their data, as required by Article 14 GDPR. In addition, none of the exceptions provided in Article 14 para. 5 GDPR were applicable in this case. The data protection authority stressed that the aforementioned obligation is a key measure under the GDPR insofar as it allows the data subjects to exercise their other rights, in particular the right to object.

Furthermore, Monsanto violated its obligations under Article 28 GDPR. As a controller, the company was required to establish a legal framework for the processing carried out on its behalf by its processor, in particular to provide data security guarantees. However, in the CNIL’s opinion, none of the contracts concluded between the two companies complied with the requirements of Article 28 para. 4 GDPR.

No obligation to disclose vaccination certificates at events in Poland

7. July 2021

According to recent announcements, the Polish Personal Data Protection Office (UODO) has indicated that vaccinated individuals participating in certain events cannot be required to disclose evidence of vaccination against COVID-19.

In Poland, one of the regulations governing the procedures related to the prevention of the spread of coronavirus is the Decree of the Council of Ministers of May 6th, 2021 on the establishment of certain restrictions, orders and prohibitions in connection with the occurrence of an epidemic state. Among other things, it sets limits on the number of people who can attend various events which are defined by Sec. 26 para. 14 point 2, para. 15 points 2, 3. The aforementioned provisions concern events and meetings for up to 25 people that take place outdoors or in the premises/building indicated as the host’s place of residence or stay as well as events and meetings for up to 50 people that take place outdoors or in the premises/separate food court of a salesroom. Pursuant to Sec. 26 para. 16, the stated number of people does not include those vaccinated against COVID-19.

In this context the question has arisen how the information about the vaccination can be obtained. As this detail is considered health data which constitutes a special category of personal data referred to in Art. 9 para. 1 GDPR, its processing is subject to stricter protection and permissible if at least one of the conditions specified in para. 2 is met. This is, according to Art. 9 para. 2 lit. i GDPR, especially the case if the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

The provisions of the Decree do not regulate the opportunity of requiring the participants in the mentioned events to provide information on their vaccination against COVID-19. Hence, it is not specified who may verify the evidence of vaccination, under what conditions and in what manner. Moreover, “specific measures to safeguard” as referred to in Art. 9 para. 2 lit. i GDPR, cited above, are not provided as well. Therefore, the regulations of the Decree cannot be seen as a legal basis authorizing entities obliged to comply with this limit of persons to obtain such data. Consequently, the data subjects are not obliged to provide it.

Because of this, collection of vaccination information can only be seen as legitimate if the data subject consents to the data submission, as the requirement of Art. 9 para. 2 lit. a GDPR will be fulfilled. Notably, the conditions for obtaining consent set out in Art. 4 para. 11 and Art. 7 GDPR must be met. Thus, the consent must be voluntary, informed, specific, expressed in the form of an unambiguous manifestation of will and capable of being revoked at any time.

More passenger data collected

1. July 2021

The German Federal Criminal Police Office regularly records so-called PNR (Passenger Name Records) on flights. This includes, among other information, date of birth, names, e-mail addresses, possible frequent flyer numbers or the means of payment used. The aim of the screening is to help track and prevent terrorist offences and serious crime.

Last year, the quantity of these passenger data collected increased significantly. A total of 105 million data records were collected by the Federal Criminal Police Office (BKA) on passengers taking off or landing in Germany. Approximately 31 million passengers are affected by this, including those who have flown more than once. It is to be highlighted here that the number of passengers has fallen by 75 % compared to 2019 due to the corona pandemic.

In 2019, however, around 78 million passenger records of almost 24 million passengers were processed. Subsequently, 111,588 persons were checked with the police’s wanted persons database. The number of “technically positive” search hits was 1960, which corresponds to 0.082 per thousand.

In 2020, after a comparison with the police wanted persons database, 78,179 person transactions remained in the network. The number of positive search hits increased to 5347, which, nevertheless, still only corresponds to 0.2 per thousand. This number is again largely a matter of errors.

Various lawsuits against this dragnet investigation are already before the European Court of Justice. In particular, it is accused that the dragnet investigation is not proportionate. In particular, it affects uninvolved persons. The state should rather take a targeted approach in these cases and not a generalised one.

EU Commission publishes Draft Adequacy Decision for South Korea

25. June 2021

On 16 June 2021, the European Commission published the draft adequacy decision for South Korea and transmitted it to the European Data Protection Board (EDPB) for consultation. Thus, the Commission launched the formal procedure towards the adoption of the adequacy decision. In 2017, the Commission announced to prioritise discussions on possible adequacy decisions with important trading partners in East and South-East Asia, starting with Japan and South Korea. The adequacy decision for Japan was already adopted in 2019.

In the past, the Commission diligently reviewed South Korea’s law and practices with regards to data protection. In the course of ongoing negotiations with South Korea, the investigative and enforcement powers of the Korean data protection supervisory authority “PIPC” were strengthened, among other things. After the EDPB has given its opinion, the adequacy decision will need to be approved by a committee composed of representatives of the EU Member States.

The decision of an adequate level of protection pursuant to Art. 45 of the General Data Protection Regulation (GDPR) by the Commission is one of the possibilities to transfer personal data from the EU to a third-country in a GDPR-compliant manner. The adequacy decision will serve as an important addition to the free trade agreement and a strengthening of cooperation between the EU and South Korea. Věra Jourová, the Commission’s Vice-President for Values and Transparency, expressed after launching the formal procedure:

“This agreement with the Republic of Korea will improve the protection of personal data for our citizens and support business in dynamic trade relations. It is also a sign of an increasing convergence of data protection legislation around the world. In the digitalised economy, free and safe data flows are not a luxury, but a necessity.”

Especially in light of the Schrems II decision of the Court of Justice of the European Union, the adequacy decision for South Korea will be an invaluable asset for European and South Korean companies conducting business with each other.

Amazon facing potential record GDPR fine

18. June 2021

Luxembourg’s National Commission for Data Protection, the CNPD, has proposed a $ 425 million (€ 348.7 million) fine against Amazon.com Inc. for alleged GDPR violations, the Wall Street Journal reports. It would be the highest penalty to date under EU data protection law, exceeding the current record penalty of € 50 million against Google LLC.

It is not yet clear to the public what exactly the allegations are since the statements are based on a confidential source. Amazon also declined to comment on the case. The charges are apparently related to Amazon’s data collection and usage practices, but do not involve the Amazon Web Services cloud computing business.

The CNPD is Amazon’s competent data protection authority as the international retail company has its regional headquarters in the Grand Duchy of Luxembourg. According to the Article 64 GDPR procedure, the CNPD submitted its draft decision to data protection authorities of the other EU member states, which will have to approve the sanction before it can be officially imposed. Based on comparable cases in the past, the process could take months and lead to substantive changes, including an increased or reduced fine.

Though the proposed amount would set a record, it is far below the maximum of 4 % of the total worldwide annual turnover of the preceding financial year allowed by Article 83 (5) GDPR. It amounts to only about 0.1 % of Amazon’s annual revenue. As some critics say, this illustrates a pattern of data protection authorities favoring big-tech companies and often reducing large initial proposals after a long deliberation period. Given the companies’ massive incomes, such penalties are easy to recover from and ultimately, they run counter to the preventive purpose of the punishment.

As a result, these companies could soon fall under the terms of the Digital Services Act and the Digital Markets Act, which were proposed by the European Commission at the end of 2020 to upgrade rules governing digital services in the EU. This new set of regulations, which specifically targets tech companies, increases potential fines to 10 % of the global turnover.

New details on alleged spying on allies by the NSA

It has been known for years that the US National Security Agency (NSA) had been targeting leading politicians. But now new details of the spying operation are coming to light. Several European media investigated the case and found out that the NSA had been using Danish underwater internet cables from 2012 to 2014 to eavesdrop on leading European politicians. It was only through the research that the members of the governments learned of the spying. With regard to this, questions arose, whether Denmark was involved and knew about the operation. Now various European countries demand answers to the allegations.

The media reports revealed that the Danish Defence Intelligence Service (DDIS) had helped the NSA to wiretap European politicians (in German) by allowing the NSA to use the secret Sandagergårdan listening post near Copenhagen. An important internet hub for various underwater cables was then tapped there. The NSA apparently got access to text messages, telephone calls and internet traffic including searches, chats and messaging services.

Following the revelations by former NSA contractor Edward Snowden and a subsequent investigation by a secret internal working group at DDIS, the Danish-US cooperation in the surveillance of European neighboring countries was documented in an internal report of DDIS in 2015. However, the findings have not been disclosed until today. Nevertheless, the Danish government has probably known about the spying operation since 2015 at the latest. More than that, the surveillance apparently also targeted Denmark itself (in German), including the Ministry of Foreign Affairs and the Ministry of Finance.

Danish Defence Minister Trine Bramsen was informed about the spying in August 2020. In the wake of that, some DDIS employees were fired, without a full explanation being released. The government said at the time that an audit had raised suspicions of illegal surveillance by DDIS. In October 2020, the Danish Ministry of Justice ordered a commission of inquiry into the operations at DDIS. Its conclusions are due at the end of 2021.

French President Emmanuel Macron and German Chancellor Angela Merkel, being among those affected by the espionage, made clear that such tactics were not acceptable between allies. Norwegian Prime Minister Erna Solberg and Swedish Defence Minister Peter Hultqvist agreed with the statements. While emphasizing the value of relations between Europeans and Americans, they insisted on explaining the case by the two accused countries. Neither of the intelligence services would comment on the allegations. The Danish Defence Minister only stated in general terms that systematic wiretapping of close allies was unacceptable.

EDPS investigating EU institutions’ use of US cloud services

2. June 2021

The European Data Protection Supervisor (“EDPS”) announced on May 27th, 2021, that it has opened an investigation into the use of Microsoft’s Azure and Amazon’s AWS by EU institutions and has begun an audit of the European Commission’s use of Microsoft Office 365. The EDPS is the EU.s data protection authority.

The EDPS is the independent supervisory authority responsible for monitoring the processing of personal data by EU institutions and bodies.

Both investigations are a consequence of the Schrems II ruling of the Court of Justice of the European Union (“CJEU”) on June 16th, 2020 (please see our blog post). The CJEU ruled that U.S. its intense surveillance practices do not comply with the GDPR’s data protection standards. Accordingly, personal data of EU citizens may not be processed in the U.S. solely on the basis of the protection provided by so-called standard contractual clauses. Controllers, in cooperation with data importers, must examine and adapt additional measures on a case-by-case basis to ensure a level of data protection equivalent to the GDPR.

The investigations will examine whether EU institutions are complying with data protection rules and the Schrems II ruling.

Wojciech Wiewiórowski, EDPS head, is quoted in the EDPS announcement:

I am aware that the “Cloud II contracts” were signed in early 2020 before the “Schrems II” judgement and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgement. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.

If the EDPS finds that Cloud II contracts do not comply with the Schrems II ruling, this could force EU institutions to switch to alternative cloud providers based in the EU in the future, as the EDPS has stated that he wants EU institutions to lead by example.

Officers’ data leaked in Poland

28. May 2021

The Polish Personal Data Protection Office (UODO) has received a notification of a data breach involving the disclosure of personal data of uniformed services officers. The case is currently being analyzed and supplemented with additional materials and information that shall clarify all its circumstances.

The data controller also notified other authorities about the incident. Among these are the police, the Governmental Computer Security Incident Response Team (CSIRT NASK) and the National Public Prosecutor’s Office. The controller informed UODO that the individuals whose data was subject to the breach would be notified individually through the officers’ home units. Nevertheless, many aspects are still unclear. Therefore, in the course of the investigation, UODO sent a letter to the data controller asking for explanations related to the data breach. Any further action will depend on the information provided by the data controller.

As a result of this situation, UODO emphasises that there is a risk associated with the possibility of unauthorized use of the officers’ personal data, which may involve tangible harm to them. Such activity may include (identity) fraud and invasion of privacy.

In this respect, UODO reminds what actions should be taken to minimize the negative consequences of such a breach. First of all, one should be very careful when providing data via the Internet. Furthermore, it is important to carefully analyse all content included e.g. in SMS messages or e-mails in order to avoid phishing attacks in particular, the aim of which is to obtain additional personal data. In this connection, materials were provided by UODO with further tips on how to reduce the risk of identity theft.

Pages: 1 2 3 4 5 6 Next
1 2 3 6