Category: GDPR
31. August 2017
With regard to the General Data Protection Regulation (GDPR), which comes into force on 25th May 2018, the Austrian Parliament has passed the new Data Protection Act.
The GDPR is directly applicable, which means that it will regulate data protection within the European Union without the need for any transposing act by the member states. Nevertheless, the GDPR contains a number of opening clauses. Opening clauses enable the countries to complete the law, and in some cases the member states are even obliged to provide specifications. For these reasons the member states have to revise their existing data protection law. Germany was the first country to renew its law, and Austria now follows.
The first draft of the new act was published on 12th May 2017. After evaluating the results of the consultation, the new Data Protection Act was published in the federal law gazette on 31st July 2017.
It is noticeable that the Austrian parliament has been restrained in deviating from the GDPR, which benefits the harmonisation of data protection within the European Union.
11. July 2017
The Article 29 Working Party (WP) released its opinion on data processing at work on the 8th of June 2017. The Opinion is meant as an amendment to the previously released documents on the surveillance of electronic communications (WP 55) and on processing personal data in the employment context (WP 48). This update is intended to address fast-changing technologies, new forms of processing and the fading boundaries between home and work. It covers not only the Data Protection Directive but also the new rules in the General Data Protection Regulation, which goes into effect on the 25th of May 2018.
The WP lists nine different scenarios in the employment context in which data processing can lead to a lack of data protection. These scenarios are data processing in the recruitment process and in-employment screening (especially by using social media platforms), using monitoring tools for information and communication technologies (ICT), usage at home/remote, using monitoring for time and attendance, use of video monitoring, use of vehicles by employees, the disclosure of data to third parties and the international transfer of employee data.
The Article 29 WP also points out the main risk for the fundamental rights of employees. New technologies allow employers to track employees over a long time and nearly everywhere in a less visible way. This can have a chilling effect on the rights of employees, who may feel under constant supervision.
In summary, the Article 29 WP gives the following recommendations for dealing with data processing in the employment context:
- only collect data that is legitimate for the purpose, and only with processing taking place under appropriate conditions,
- consent is highly unlikely to be a legal basis for data processing, because of the imbalance in power between the employer and the employee,
- track the location of employees only where it is strictly necessary,
- communicate every monitoring to your employees effectively,
- do a proportionality check prior to the deployment of any monitoring tool,
- be more concerned with prevention than with detection,
- keep in mind data minimization; only process the data you really need to,
- create privacy spaces for users,
- on cloud uses: Ensure an adequate level of protection on every international transfer of employee data.
4. May 2017
The new German Federal Data Protection Act (Bundesdatenschutzgesetz, the “new BDSG”), which will replace the Federal Data Protection Act of 2003, was adopted by the German Federal Parliament on April 27th 2017. The new Act's aim is to adapt the current German data protection law to the GDPR (General Data Protection Regulation).
The approval of the new BDSG by the German Federal Council is expected at its plenary meeting in a couple of weeks (probably on May 12, 2017). Once the new BDSG is adopted, it will become effective on the same day as the GDPR.
In some respects, the new BDSG contains requirements that differ from the GDPR. These include, for instance: the appointment of a Data Protection Officer, the processing of employee personal data, and specific data processing requirements with respect to video surveillance, scoring and creditworthiness, and consumer credit.
For violations concerning exclusively the German law, the new BDSG imposes fines of up to 50,000 EUR.
20. April 2017
On 12 April 2017, a discussion paper on Seals, Marks and Certifications under the GDPR and Their Roles as Accountability Tools and Cross-Border Data Transfer Mechanisms was released by the Centre for Information Policy Leadership (“CIPL”).
It is regarded as a formal input into that process and contains recommendations on the GDPR's provisions on the use of certification mechanisms and on their development and implementation.
Certifications may be beneficial for multinational companies, as they may facilitate business arrangements with service providers and business partners. Their comprehensive GDPR compliance structure should also be useful for small and medium-sized enterprises. Their potential to create interoperability with other legal regimes can also be used efficiently.
Specifically, the Discussion Paper makes the following points:
- Certification is foreseen to be available for a service, system, product, particular process or an entire privacy program
- Certification should be created for the purpose of data transfers (art. 42 (2)(f))
- Specific GDPR certification sectors may be covered by sector-specific codes of conduct
- Certification proliferation should be avoided in order to keep certification desirable
- Certifications should be adaptable to different contexts, affordable and scalable to different company sizes
- Organisations' BCR approvals should be leveraged in order to achieve the certification
- A common baseline certification should be created that may be used directly
- The baseline certification should differentiate in its application depending on the certification bodies and processes
- GDPR certification should be consistent with other certification schemes (the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, the Japan Privacy Mark, ISO/IEC standards, and the APEC CBPR)
- DPAs should affirm certifications as a recognised means of GDPR compliance
16. March 2017
Recently, the Italian police (in cooperation with the Garante, the Italian data protection authority) carried out an investigation which revealed violations of data protection legislation as well as specific actions aimed at channelling money onto the Chinese market in circumvention of the law.
Four agent companies and one multinational were found to have split money transfers in order to remain below the reporting threshold. In doing so, massive unlawful processing of the personal data of unaware individuals (senders and recipients of payments) was performed. Moreover, some of the records were filed in the names of non-existent or even deceased individuals, while other records were left blank.
Since the facts gathered indicated that personal data had been used in order to unlawfully circumvent the anti-money-laundering provisions, the Italian data protection authority launched a wide-ranging sanctioning initiative. As a result, the Garante has issued the highest fines ever in Europe.
Given the number of violations of data protection provisions, the Garante imposed sanctions totalling almost 11,000,000 euros (850,000; 1,260,000; 1,590,000; 1,430,000 euros for the agent companies and 5,880,000 euros for the multinational company).
It is believed that such strict sanctions by data protection authorities will encourage individual data controllers and companies to accelerate their compliance with the upcoming GDPR (May 2018).
10. February 2017
On January 10, the European Commission published a proposal for an ePrivacy Regulation. After the adoption of the General Data Protection Regulation (‘GDPR’), a new ePrivacy Regulation would be the next step in pursuing the European Commission’s Digital Single Market Strategy (‘DSM’).
If adopted, the ePrivacy Regulation will replace both the ePrivacy Directive (2002/58/EC) and the Cookie Directive (2009/136/EC). In contrast to a Directive that has to be implemented into national law by each EU Member State, a Regulation is directly applicable in all Member States. Thus a Regulation would support the harmonisation of the data protection framework.
What’s new?
Since 2009, when the ePrivacy Directive was last revised, important technological and economic developments have taken place. In order to adapt the legal framework to the reality of electronic communication, the scope of the proposed Regulation is widened to apply to so-called ‘over-the-top’ (‘OTT’) service providers. These OTT providers, such as WhatsApp, Skype or Facebook, run their services over the internet.
By ensuring the privacy of machine-to-machine communication, the Regulation also deals with the Internet of Things and thus seems not only to consider the current situation of electronic communication, but also to prepare for upcoming developments within the information technology sector.
Electronic communications data (metadata as well as content data) cannot be processed without complying with the requirements of the Regulation. Metadata can be processed if necessary for mandatory quality of service requirements or for billing, calculating interconnection payments, or detecting or stopping fraudulent or abusive use of, or subscription to, electronic communication services.
Content data can be used for the sole purpose of providing a specific service to an end-user in two cases: (i) the end-user or end-users concerned have given their consent to the processing of their electronic communications content and the provision of that service cannot be fulfilled without the processing of such content; or (ii) all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority.
Regarding the use of cookies, the end-users’ consent is still the basic requirement, except for first-party, non-privacy-intrusive cookies. These cookies can now be used without the consent of the end-user. The proposed Regulation furthermore allows browser settings to be used as consent.
In contrast to the draft of the Regulation leaked in December 2016, the official proposal does not contain the commitment to ‘Privacy by default’, under which software would have to be configured so that third parties cannot store information on, or use information about, a user’s device.
The Commission’s proposal merely requires that software must offer the option to prevent third parties from storing information on or using information about a user’s device.
ePrivacy Regulation and GDPR
Both the ePrivacy Regulation and the GDPR are part of the above-mentioned ‘DSM’. Several commonalities reflect this. For instance, the fines in both Regulations will be the same. Furthermore, the EU Data Protection Authorities responsible for the enforcement of the GDPR will also be responsible for the ePrivacy Regulation. This will contribute to the harmonisation of the data protection framework and increase trust in, and the security of, digital services.
What’s next?
After being considered and agreed by the European Parliament and the Council, the Regulation could be adopted by May 25th, 2018, when the GDPR will come into force. It remains to be seen whether this schedule is practicable, considering how long the debate about the GDPR took.
19. December 2016
The European Article 29 Working Party just published Guidelines after their December plenary meeting.
These Guidelines include explanations in terms of the role of the Data Protection Officer, the mechanisms for data portability and how a lead authority will be established with regard to the one-stop shop. Furthermore, some guidance on the EU-U.S. Privacy Shield was also included.
When do you have to appoint a DPO?
Article 37 (1) of the GDPR states that a DPO has to be appointed
a) where the processing is carried out by a public authority or body
b) where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale
or c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data.
How does the Article 29 Working Party define these requirements?
“Core activities” are defined as the “key operations necessary to achieve the controller’s or processor’s goals.” The Article 29 Working Party gives the following example: a hospital needs to process health data as core to its ultimate activity of providing health care services.
Therefore, companies have to ask themselves whether the processing of personal data is an inextricable part of achieving their goals.
“Large scale” refers to the number of data subjects and not to the company’s size.
The Working Party 29 identifies the following factors for determining whether processing is on a “large scale”:
- The number of data subjects affected.
- The volume of data and/or the range of different data items being processed.
- The duration, or permanence, of the data processing activity.
- The geographical extent of the processing activity.
The Working Party 29 welcomes feedback on the Guidelines from stakeholders through January 2017. Comments can be sent to just-article29wp-sec@ec.europa.eu and presidenceg29@cnil.fr.
16. December 2016
Background
On the 22nd of November, the Administrative Court of The Hague confirmed the fine imposed by the Dutch DPA on WhatsApp. In 2012, the Dutch DPA investigated WhatsApp because it had not yet appointed a representative in the Netherlands, as required by current Dutch data protection legislation. As WhatsApp had still not complied with its obligation to appoint a representative in the EU in 2014, the DPA imposed a fine of €10,000 for each day of non-compliance.
The Dutch DPA remarked that WhatsApp had the obligation to appoint a representative in the Netherlands because it acted as data controller, as it was processing personal data of Dutch citizens. When a user searched for a contact in order to send a WhatsApp message to this contact, WhatsApp accessed this information and stored it on its U.S. servers. Therefore, WhatsApp had to be considered a data controller in terms of the EU Data Protection Directive and the Dutch Data Protection Act.
Current situation according to the EU Directive
The Dutch Administrative Court based its argumentation on the following key aspects:
- WhatsApp is a controller, as already admitted by the company at oral argument.
- The equipment used by Dutch data subjects, i.e. the mobile device, is located in Dutch territory. Moreover, according to previous positions of the WP 29 and other EU courts, mobile devices are also considered equipment in terms of data processing.
- WhatsApp argued that the Dutch Data Protection Act imposes requirements additional to those imposed by the EU Directive, so that a representative appointed by a data controller also has to comply with the Dutch Data Protection Act. However, the Dutch Court clarified that extending the responsibility of the data controller to the representative aims at filling legal gaps regarding the application of the data protection principles. The Court also specified that an agreement between the data controller and the representative may be needed in these cases, in order to settle liability issues.
- WhatsApp also argued that it should only have been requested to appoint one representative in the EU, as foreseen in the GDPR. The Dutch Administrative Court pointed out that WhatsApp had no representative in any other EU Member State.
- Finally, WhatsApp alleged that it could not find a party willing to assume this role, but the Court rejected this argument as it has no legal basis.
Will this change with the GDPR?
With the GDPR the requirement to appoint a representative in the EU will change in two ways:
- processors will also be subject to this obligation,
- it will be possible to appoint one single representative for all EU operations.
Under the GDPR it will be mandatory to appoint a representative for controllers or processors that are based in a third country and offer goods or services to data subjects in the EU, or that monitor the behaviour of data subjects within the EU.
Moreover, the GDPR distinguishes between the representative and the role of the DPO. The requirements for appointing each of them are different, but a company may be obliged to appoint both, only a representative, or only a DPO.
14. December 2016
As just reported by huntonprivacyblog, Politico has released an article saying that the European Commission wishes to upgrade the e-Privacy Directive to a Regulation.
This upgrade would have highly important legal consequences under European law, because a Directive needs to be implemented into national law, whereas a Regulation imposes requirements that are directly applicable in the Member States.
The draft of the Regulation, which was leaked to Politico, is intended to complement the European GDPR. As Politico explained, the draft was last reviewed on the 28th of November 2016. It is expected to be officially published at the beginning of 2017.
The e-Privacy Directive is meant to protect the privacy and confidentiality of users of electronic communication services.
30. November 2016
Elizabeth Denham, UK Information Commissioner, participated in the Annual Conference of the National Association of Data Protection and Freedom of Information Officers, where she gave a keynote speech. In her statement Denham explained that the UK is preparing for the upcoming GDPR. She confirmed the government’s position that the GDPR will be implemented in the UK as well, Brexit aside.
Denham also stated that the first regulatory guidance on the GDPR can be expected to be published by the Article 29 Working Party at the end of this year. This guidance is expected to cover a number of key aspects of the GDPR.
Another point of her speech was that the Article 29 Working Party is about to release guidance on the concept of risk under the GDPR and on carrying out Data Privacy Impact Assessments at the beginning of 2017.
Furthermore, it was mentioned that the Article 29 Working Party aims to publish guidance on certifications under the GDPR.