Category: GDPR

Belgium publishes new data protection law

12. September 2018

On September 5 2018, the new data protection law (“Law of 30 July”) was published in the Belgian Official Gazette (“Belgisch Staatsblad”) and entered into force with this publication.

After the “Law of 3 December 2017”, which replaced the Belgian Privacy Commission with the Belgian Data Protection Authority (“Gegevensbeschermingsautoriteit”), the Law of 30 July is the second law that implements the General Data Protection Regulation (GDPR).

The laws regulate various essential areas of data protection. New regulations are for instance, the reducing of the age of consent from 16 (as regulated in GDPR) to 13 years old for information society services or the requirement to list persons who have access to genetic, biometric and health-related data. Therewith, Belgium has also made use of the possibility to deviate from the GDPR in different scopes.

With the law of 30 July, Belgium has thus completed the incorporation of the GDPR into national law. The Law is available in French and Dutch.

Category: Belgium · GDPR
Tags: ,

EU Commission: Using Personal Data In Political Campaigns

29. August 2018

Following the Facebook-Cambridge Analytica case, the EU Commission intends to prohibit the misuse of Collection data of voters in order to influence elections. As the Irish Times reports, the EU Commission is drafting an amendment to existing party funding rules prohibiting parties profiting from data collections of the kind as alleged against Cambridge Analytica.

Cambridge Analytica has been accused of obtaining information of millions Facebook users without the data subjects’ consent by using a personality-analysis app during Donald Trump’s presidential campaign.

It is expected that sanctions will have the extent of approximately 5 percent of the annual budget of a political party. An official said “it is meant to ensure that something like Cambridge Analytica can never happen in the EU”.

Considering the upcoming election of the European Parliament in May 2019, various measures are to be recommended or imposed by the EU Commission that shall be followed by the member states in order to prevent misuse of voters’ personal data or the online manipulation of voters. While it is intended to recommend the governments to watch over and clamp down on groups sending personalized political messages to users of social media without their consent, the member states shall also be stricter about the transparency requirements of political advertisement on national level by amending national law.

Last month, Vera Jourova, EU justice commissioner, said: “voters and citizens should always understand – when something is an online campaign – who runs the campaign, who pays for it and what they want to achieve.”

However, she also made clear that the EU will respect free expression and that the EU is not going to regulate online activities of political parties. “The internet is a zone for free expression. Everybody can be a journalist or an influencer, and these are the things that we don’t want to touch”, she stated.

Database operators in Sweden exempt from GDPR

24. August 2018

With the GDPR coming into effect, enterprises in Sweden will also be subject to complying with the European principles and adhering to the GDPR.

However, new amendments and changes to the country’s constitution will be required to harmonise existing laws.

Due to the fact that Sweden emphasizes freedom of press and speech, it will initially make exemptions in cases where elements don’t comply with its Freedom of the Press Act of 1766.

As a consequence, current laws give database operators a broad freedom to gather and release personal data enabling them to collect and distribute personal information from a broad range of sources, including the national tax office.

The database operators and online publishers Eniro, Ratsit and Hitta are some of the companies that will be exempt until an expert group has drafted new and stricter legislation regarding the processing of personal data by these.

It is expected that the relevant laws will be amended in the first half of 2019.

Dutch Data Protection Authority: Randomly selected companies will be subject to GDPR-compliance investigations

31. July 2018

This month, the Data Protection Authority (DPA) of the Netherlands has launched an investigation according to Art. 57 (1) a GDPR which obliges the supervisory authorities to “monitor and enforce compliance” with the EU General Data Protection Regulation (GDPR). The Dutch DPA thereby verifies compliance with Art. 30 GDPR (records of processing activities) in 30 randomly selected large companies of the private sector (i.e. which have more than 250 employees) rooted in 10 different branches: industry, water supply, construction, retail, hospitality, travel, communications, finance, business services, and health care across the Netherlands. Its investigative powers in terms of this investigation derive from Art. 58 (1) a GDPR which enables the DPAs “to order the controller and the processor, and, where applicable the controller’s or the processor’s representative, to provide any information the supervisory authority requires for the performance of its tasks”.

For those investigations it is not necessary that a complaint has been lodged or any other indication of non-compliance occurs. In particular, the Dutch DPA regularly carries out such “ex officio” investigations focusing on certain enforcement priorities depending on the sector or the topic. With their investigation strategy they aim to focus on the compliance with certain requirements of the GDPR that may typically create adequate safeguards in organizations to issue and maintain compliance with the general Principles of the GDPR (Art. 5 et seqq GDPR).

Therefore, the authorities decided for the private sector that the records of processing activities (Art. 30 GDPR) are the key drivers for GDPR compliance, since these records eventually enable an organization knowing about what personal data they process and for which purposes. Since the results of the investigation will most probably be published anonymously (e.g. numbers and other details of the violation in specific sectors), they might hope to create a ripple effect on other organizations of the respective sectors.

A prediction of the crucial penalties that may be the result of this “ex officio” investigations of the Dutch DPA is basically not possible, as the organizations involved and the state of their GDPR compliance are unknown. But it might be interesting that the Dutch DPA is also allowed to issue a so-called “enforcement notice under penalty” according to the Dutch GDPR Execution Act if an organization has been established non-compliant. This enforcement notice can contain an order for the respective organization to comply and demonstrate compliance within a fixed time frame. For each day or week that they fail to comply with such an order, a fixed penalty may apply.

Such an enforcement order may be issued in the event of a violation of Art. 30 GDPR that is not likely to result in a risk for the data subjects. Where the investigation shows that non-compliance may result in a risk for the freedoms and rights of the data subjects or is potentially deemed unfair, the penalty could also result in the maximum category of possible fines.

 

Category: GDPR · The Netherlands

New Zealand: Privacy after death does matter

27. July 2018

Data protection rights generally refer to living persons only. Among others, the European General Data Protection Regulation (GDPR) explicitly mentions in its Recital 27 that the Regulation does not apply to the personal data of deceased persons.

However, the Recital also contains an opening clause for the EU Member States, stating that these may provide for specific rules for such cases. The GDPR hereby acknowledges that there might be cases that need to be tackled individually.

For example, requests can be made in order to find out whether the deceased had suffered from a hereditary disease. This information is not to be seen as protected for the offspring that might be affected by it.

Consequently, there will be situations that contain mixed information on both the deceased and the requestor.

The Privacy Commissioner’s Office (OPC) of New Zealand has now released a statement regarding the privacy of deceased persons on July 24th, 2018 taking up this exact issue.

Whereas the Privacy Act of New Zealand also defines an individual as a “natural person, other than a deceased person”, the OPC states that “sometimes it will be inappropriate to release the personal information of the dead”.

The OPC further says that “some information is inherently sensitive, for example mental or sexual health information. It could be unfair to release such information to those who are just curious and have no good reason to see it.”

Ultimately, it will often be necessary to balance the rights and elaborate case by case, also taking into consideration the wishes of the deceased person to some extent.

Japan and the EU are establishing an environment of data protection between its citizens (and companies)

18. July 2018

As part of the Economic Partnership Agreement (EPA), the European Union and Japan have signed the 17th July 2018, the two parties recognise each other’s data protection laws as equivalent. In this manner, personal data will flow in the future safely between the EU and Japan.

In Europe, a committee composed of representatives of the EU Member States has to give its consent and the European Data Protection Board (EDPB) publishes its opinion before the European Commission adopts the adequacy decision. Once the agreement is established, EU citizens and 127 Million Japanese consumers will benefit from international trading that includes the high privacy standards of the General Data Protection Regulation (GDPR).

Japanese companies now have to comply some safeguards to fulfil the European data protection level, like the protection of sensitive data, the requirements for transfer of data to a third country or the exercise of individual rights to access individual rights (compared to Art. 12 – 23 of the GDPR). The Japanese watchdog (PPC) will implement these rules as well as a complaint-handling mechanism to investigate and resolve complaints of European citizens concerning the data processing of Japanese controllers.

This agreement is a result of the communication Exchanging and Protecting personal data in a globalised world, announced by the Commission in January 2017.

The EEA EFTA States incorporate the General Data Protection Regulation (GDPR) soon

9. July 2018

On 20th of July 2018 the European Data Law will come into effect also in the three EFTA States (Iceland, Norway and Liechtenstein). This has been the result of the incorporation Agreement by the EEA Joint Committee in Brussels on July 6th 2018.

Before the GDPR becomes applicable throughout all three states, each of the states shall notify the agreement by a parliamentary process.

As usual for the EEA Joint Agreements, the EFTA States are obligated to implement the EU Regulation and they are affected by the Jurisdiction of the European Court of Justice (ECJ). The supervisory authority of the EFTA States also participates in the activities of the European Data Protection Board, without having the right to vote and to stand for election as chair or deputy chairs of the board.

Switzerland is not part of this agreement and has its own legal basis for data protection.

Data breach at Panini’s online service ‘MyPanini’

2. July 2018

According to a report in the magazine ‘Der Spiegel’, personal data and images of users who wanted to create Panini images with their own photos could be accessed by third parties.

The Italian scrapbook manufacturer for football images Panini has serious problems with the security of their online customer database. Through changing the browser’s URL, unauthorized persons could have accessed personal data of other customers, including pictures of minors. Therefore, the case can be considered as particularly serious.

Through its ‘MyPanini’ service, Panini offers fans the opportunity to upload photos with their own images and have these personalised images sent to them. Until a few days ago, logged in users could have also seen the uploaded images and personal data of other customers. Apparently the full name, the date of birth and partly even the place of residence of the customers are listed.

To a certain degree, the uploaded images showed children and young children from different countries in the private domestic environment, some even with their naked upper body.

The data breach was confirmed and has been known internally for days. Supposedly, the problem has been solved by a security update, but it is not possible to access the website at the moment.

It remains to be seen what financial consequences the data breach has for either Panini or the technical service provider. In accordance with new European General Data Protection Regulation (GDPR) infringements of the provisions can lead to administrative fines up to 10 000 000 EUR or up to 2% of the total worldwide annual turnover of the preceding financial year.

The French Constitutional Council ruled in favour of the new data protection law implementing the EU General Data Protection Regulation

20. June 2018

The Senators referred the recently adopted data protection law to the Constitutional Council (‘Conseil Constitutionnel’) to prevent its promulgation on time for the General Data Protection Regulation (GDPR) to enter into force on last May 25. Now that the law has overcome the constitutional obstacle, it is expected to be promulgated in the next days.

The decision of the Constitutional Council (Décision n° 2018-765 DC) on June 12 demonstrates that the senators questioned the constitutionality of a number of Articles, e.g. 1, 4, 5, 7, 13, 16, 20, 21, 30 and 36.

Initially, the validity of universal law was weighed against the objective of constitutionality in terms of legislative accessibility and intelligibility. The senators argued that the implementation with the provisions of the GDPR was not clear and could “seriously mislead” citizens about their rights and obligations with regard to data protection.
The Council did not endorse this reasoning, stating that the law was readable and that Article 32 of the law referred to actually empowered the Government to take the measures required “in order to make the formal corrections and adaptations necessary to simplify and ensure consistency and simplicity in the implementation by the persons concerned of the provisions bringing national law into compliance” with the General Data Protection Regulation.

Furthermore, the constitutionality of most of the above-mentioned Articles was established. Nonetheless, Article 13 of the law amends Article 9 of the current law, according to which personal data relating to criminal convictions and offences or related security measures may only be processed “under the control of an official authority” or by certain categories of persons listed in the law. However, according to the Council, it is only a reproduction of Article 10 of the GDPR, without specifying the categories of persons authorised to process such data under the control of the authority, or the purposes of such processing. The words “under the control of the official authority” are not specific enough and therefore unconstitutional. This terminology will not be found in the promulgated law.

For France this symbolises a major step forward to join the small circle of European countries that have succeeded in implementing the GDPR at a national level.

Update on ePrivacy Regulation

12. June 2018

The council of the European Union’s Bulgarian presidency has released a progress report on the draft ePrivacy Regulation ahead of a council meeting June 8th, 2018.

The ePrivacy Regulation (Regulation on Privacy and Electronic Communications) should replace the current ePrivacy Directive and was originally intended to enter into force together with the General Data Protection Regulation (GDPR) on May, 25th 2018.

The report offers several updates including its scope and link to the GDPR, processing of electronic communications content and metadata, among others. Latter mentioned has been one of the main concerns of the Member States. The balance between privacy and innovation regarding processing of metadata seems to be a key aspect of the ePrivacy Regulation.

Furthermore, significant changes of privacy settings according to the future Art. 10 are important for the Commission. The providers of software are only obliged to inform the end-users about the settings and the way the end-users may use them, at the time of installation or first usage and when updates change the privacy settings.

The report ends with three questions for the policy debate at the TTE Council on June 8th. Among others, the versions relating to the permitted processing of metadata and the protection of terminal equipment and privacy settings are open for discussion if it is an acceptable basis to move forward.

Pages: 1 2 3 4 5 Next
1 2 3 5