Category: GDPR

Google changes Privacy Policy due to GDPR

19. December 2018

As it is widely known these days, the General Data Protection Regulation (GDPR) came into force earlier this year to standardize data protection regulation in the EU. This has now lead to the fact that Google will update the company’s terms of service and privacy policy to be compliant with the GDPR.

The company started to notify the countries in the European Economic Area (EEA) and Switzerland in regard to some upcoming changes. They will come into effect on January 22, 2019.

The most important update, also legally, is the change of the data controller. The Google Ireland Limited will become the so called “data controller” who is responsible for the information of European and Swiss users . Therefore, Google Ireland Limited will be in charge to respond to request from users and to ensure compliance with the GDPR. At present, these services are provided by Google LLC, based in the U.S.

For website operators this means that they might also have to adapt their privacy policy accordingly. This is the case, for example, if Google Analytics is used.

Furthermore, there are no changes in regard to the current settings and services.

Guidelines for Binding Corporate Rules issued in Argentina

18. December 2018

The Argentine Authority of Access to Public Information (Agencia de Acceso a la Información Pública – AAIP) has recently issued its guidelines for Binding Corporate Rules (BCRs) on international data transfer. The Binding Corporate Rules are a mechanism for multinational corporations to legitimize international transfers of personal data within the group. This tool for creating a contractually binding “code of conduct” regarding international data transfers was evolved in the EU and has also been incorporated expressly in Article 47 GDPR. BCRs have been designed as a global solution to comply with the principles of data protection and thus create an adequate level of data protection (cf. Art. 44, 47 GDPR).

Like the GDPR, the Argentine Personal Data Protection Law No. 25, 326 does not permit the cross-border transfer of personal data to countries or international organizations that do not provide an adequate level of data protection. Such transfers would be allowed in accordance with Regulatory Decree No. 1558/2001 when the data subjects expressly gave their consent to the transfer; an appropriate international data transfer agreement is in place; or an adequate protection level arises from self-regulation systems.

According to Regulation 159/2018 published Dec. 7, 2018, the AAIP has now approved guidelines for such BCRs that legitimize international data transfer to countries or international organizations that have not been recognized as providing an adequate level of data protection.

These guidelines provide a framework of principles for a self-regulation mechanism reflecting the requirements and conditions imposed by the Argentine Personal Data Protection Law. The rules of the self-regulation system have to be legally binding upon all members of the corporate group as well as employees, subcontractors and third-party beneficiaries (e.g. data subjects, AAIP). Among other things, those BCRs must consider lawfulness conditions of processing, data subjects’ rights and specific protection concerning sensitive aspects. Furthermore, the subsequent cross-border data transfer to those entities providing a non-adequate level of data protection shall be restricted, data subjects shall be able to place a judicial or administrative complaint and under the BCRs must an appropriate staff data protection training has to take place with regard to data processing activities.

The AAIP shall eventually be entitled to engage in international data transfers originating from an Argentine entity as data exporter and – as third-party beneficiary – in those cases in which personal data of subjects in Argentina is affected.

However, the approval of the AAIP of BCRs that follow the requirements of Regulation No. 159/2018 is not required. In the case a group of companies would rely on BCRs that differ from those conditions though, the relevant documents need to be submitted to the AAIP for approval within the term of 30 calendar days from the date that the transfer took place.

As a valid mechanism to legitimize the international transfer of data within a group of companies, the use of BCRs is been reasonably expected to increase when it comes to in Argentina.

French Data Protection Authority launches a public consultation on future standards – Data Processing for Managing Business Activities and Unpaid Invoices

12. December 2018

Due to the GDPR and the new French data protection law (“loi Informatique et Libertés”), the French Data Protection Authority (“CNIL”) launched two draft standards (in French: référentiels) on November 29, 2018. One o these CNIL’s draft standards deals with the processing of personal data to manage business activities, the other with unpaid invoices.

Until January 11, 2019 the possibility to consult the CNIL on the two draft Referentials will be open to the public. According to the CNIL, the draft standards will afterwards be adopted by the CNIL in plenary session.

CNIL’s Draft Referential on Data Processing for Managing Business Activities represents an update to the CNIL’s Simplified Norm No. 48 on the management of customers and prospective customers. It provides a framework for the implementation of “customer” and “prospect” files. The Draft Referential is applicable to data processing activities carried out by any data controller, except the following: health or educational institutions, banking or similar institutions, insurance companies and operators subject to approval by the French Online Gambling Regulatory Authority.

CNIL’s second draft (Draft Referential on Data Processing for Managing Unpaid Invoices) intends to provide a framework regarding the processing of personal data for managing unpaid invoices by private or public law entities. It does not apply to the processing of customer data for detecting risks of non-payment, or to identify other infringements (such as incivilities shown by customers).

Adherence to these two standards will ensure that the processing of unpaid invoices and business activities comply with current data protection principles.

Category: French DPA · GDPR · General

Electronic receipts sent by leading retailers may not comply with data protection rules

After investigating several large retailers the consumer body Which? claims that many retailers in the UK include in their e-receipt marketing messages.

A lot of retailers offer the possibility to send digital receipts instead of paper receipts to the shoppers. However, it should be noted that when the General Data Protection Regulation (GDPR) came into force on May 25th earlier this year, the regulations concerning this area were tightened.

Retailers are not allowed to send direct marketing to new customers by email unless the recipient has consented to receive it. Shoppers must be given the opportunity to opt out in case the retailer asks for their email address at the point of sale with the intention to afterwards send marketing information.

According to Which? the following companies were visited at least three times by “mystery shoppers” to test if they send out unwanted marketing information in their e-receipts: Topshop, Dorothy Perkins, Nike, Clarks, New Look, Arcadia Group (Miss Selfridge, Outfit, Burton), Gap, Mothercare, Halfords, Currys PC World and Schuh. The “mystery shoppers” requested an electronic receipt without receiving any additional marketing.

The retailers dealt with this situation differently. One shop apparently sent a marketing email with the e-receipt as an attachment, while others included prompts to sign up for a newsletter or invitations to complete a survey in return for money off a future purchase. The concern is that consumers might be “bombarded” with unwanted marketing messages.

Spain publishes new data protection law

11. December 2018

On December 6, 2018, the new Spanish data protection law was published in the “Boletín Oficial Del Estado”. The “Ley Orgánica de Protección de Datos Personales y Garantía de los Derechos Digitales” (Organic Law on Data Protection and Digital Rights Guarantee) has been approved with 93% parliamentary support and implements the GDPR into national law.

The new law contains a number of regulations that will affect data processing operations. For example that the consent of a data subject is not enough to legitimate the processing of special categories of data if the main purpose is e.g. to identify an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or genetic data.

The law also includes a list of cases in which entities must appoint a data protection officer for example entities that operate networks and provide electronic communications services, education centres and public and private universities. All businesses have up to 10 days after (mandatory or voluntary) appointing a data protection officer to notify the Spanish Data Protection Authority of that fact.

However, one of the biggest changes is the introduction of new digital rights such as the right to universal access to the internet; the right to digital education; the right to privacy and use of digital devices in the workplace; the right to digital disconnection in the workplace; the right to privacy in front of video surveillance devices and sound recording at work; the right to digital will.

EDBP: Guidelines on the territorial scope of the GDPR

29. November 2018

As the European Data Protection Board (EDPB) announced, the board adopted new draft guidelines on the territorial scope of the General Data Protection Regulation (GDPR). The goal of the guidelines is to “provide a common interpretation of the territorial scope of the GDPR and provide further clarification on the application of the GDPR in various situations”. The territorial scope is laid down in Article 3 GDPR.

In the meantime, the EDPB published a version of the guidelines for public consultation.

The guidelines cover the following topics:

  • Application of the establishment criterion – Art 3 (1)
  • Application of the targeting criterion – Art 3 (2)
  • Processing in a place where Member State law applies by virtue of public international law
  • Representative of controllers or processors not established in the Union

The guidelines not only describe and clarify the regulatory content of Article 3 GDPR. It also provides various examples from a practical point of view in order to simplify the issue. For controllers and processors of personal data, it is of significant relevance to know whether one falls under the scope of the GDPR considering the legal and possible financial consequences.

Therefore, legal terms should be as clear as possible. Already on the first pages, an example for the necessity to clarify and specify the regulatory content of Art 3 GDPR can be found. The EDPB points out, that the notion “establishment” (unlike the notion “main establishment”, which is defined in Article 4 (16) GDPR) is not defined in Article 3 GDPR, resulting in an attempt to clarify the term.

Category: GDPR
Tags: , ,

Brexit: Draft withdrawal agreement – GDPR remains applicable for foreseeable future

23. November 2018

Last week the U.K. and EU could conclude a draft withdrawal agreement for the United Kingdom to leave the European Union as of 30th March 2019. The agreement covers the “divorce” of both of them and a non-binding political statement concerning their ideas for the future relations. The declaration is referring to a commitment regarding an ambitious free trade agreement, containing areas including financial services, continued free flow of data, and other subjects relating to the EU such as defense matters have been picked up.

After the U.K. will have left the EU in March 2019 a 21-month transition period is planned in order to facilitating business sectors in their planning. Thus, at least until the beginning of 2021, EU regulations would remain effective keeping the U.K. in the single market and Customs Union. However, this time frame could also be extended by common agreement.

With regard to data protection, the withdrawal agreement directly addresses data protection and security issues in Articles 70 to 74. These provisions stipulate that EU data protection rules, including the GDPR, shall apply in the U.K. when using personal data of data subjects outside the United Kingdom exchanged before the end of the transition period. Furthermore, after the end of the transition period, the U.K. is obliged to further apply these EU rules to the processing of “EU personal data”, until the U.K. data protection laws to be enacted ensure an adequate level of data protection which is “essentially equivalent” to that of the EU.  In the process of becoming subject to this formal adequacy decision to be established by the EU Commission the U.K.’s applicable data protection regime has to be assessed in the first place. In the event of annulling or repealing the adequacy decision, the provisions of the withdrawal agreement would be relevant for the EU personal data transferred to the U.K. to ensure the same “essentially equivalent” standard of data protection directly.

In other words, under the concluded agreement, the GDPR as well as the corresponding Data Protection Act would remain the applicable data protection law in the U.K. for the foreseeable future.

Microsoft violates the GDPR on a massive scale

20. November 2018

A Data Protection Impact Assessment (DPIA) outsourced by the Dutch Ministry of Justice and Security, concluded that Microsoft collects and stores personal data of Office users on a large scale without informing them. According to this report, Microsoft thus violates the General Data Protection Regulation (GDPR) on a massive scale.

The DPIA was carried out to probe the use of Microsoft Office in the public sector. Most of the Dutch authorities use Microsoft Office 2016, Office 365 or an older version. The Dutch judiciary, police, various ministries and tax offices use Word, Excel, Outlook and PowerPoint. The DPIA found that Microsoft not only collects and stores personal data but also send them to the US. In addition, users are not informed and it is not offered to switch off the collection or to see what data are collected. The Assessment outlined eight different risks and possible risk mitigating measures. One example is the “Lack of Transparency”. A possible measure recommended for Microsoft is the public documentation and the implementation of a data viewer tool because at the moment the content of the diagnostic data (i.e. “all observations stored in event logs about the behaviour of individual users of the services”) is not accessible.

Microsoft stated that -for the examined Office versions- between 23,000 and 25,000 event logs are sent to Microsoft servers and that 20 to 30 development teams analyse the data. The company agreed to change its practices by April 2019 and until then offers “zero exhaust” settings to shut down the data collection. A Microsoft spokesperson told The Register: “We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws.”

In addition to applying the new settings, the DPIA encourages users to deactivate Connected Services and Microsoft’s data sharing system, not use the web-based Office 365, SharePoint, or OneDrive, delete the directory of the system, and consider using alternative software.

Privacy International accuses seven companies of violating the GDPR

13. November 2018

On November 8th, Privacy International – a British non-governmental organisation – has filed complaints against seven data brokers (Axiom, Oracle), ad-tech companies (Criteo, Quandcast, Tapad) and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland and the UK.

Privacy International accuses those companies of violating the GDPR: They all collect personal data from a wide variety of sources and merge them into individual profiles. Therefore, information from different areas of an individual’s life flow together to create a comprehensive picture e.g. online and offline shopping behaviour, hobbies, health, social life, income situation.

According to Privacy International, the companies not only deal with the collected data, but also with the conclusions they draw about their data subjects: Life situation, personality, creditworthiness. Among their customers are other companies, individuals and governments. Privacy International accuses them to violate data protection principals such as transparency, purpose limitation, data minimisation, integrity and confidentiality.

Furthermore, the companies have no valid legal basis for the processing of personal data, in particular for the purpose of profiling. According to Privacy International, where those companies claim to have the consent of the data subjects, they cannot prove how this consent was given, nor that the data subjects voluntarily provided it after sufficient and clear information.

“Without urgent and continuous action, data will be used in ways that people cannot now even imagine, to define and manipulate our lives without us being to understand why or being able to effectively fight back,” Frederike Kaltheuner, Privacy International’s data exploitation programme lead, said.

With its complaint, Privacy International takes advantage of a new possibility for collective enforcement of data protection created by the GDPR. The Regulation allows non-profit organisations or associations to use supervisory procedures to represent data subjects (Art. 80 GDPR).

Apple, Google and Co. endorse a more GDPR-like U.S. federal privacy law

6. November 2018

At the 4oth International Conference of Data Protection and Privacy Commissioners (ICDPPC) Apple CEO Tim Cook and other prominent representatives of leading tech companies, all expressed their endorsement of a more GDPR-like privacy legislation around the globe and particularly the US. The ICDPPC takes place in Brussels once a year and apart from independent data protection authorities as accredited members, the attendees include representatives of states without independent data protection supervisory bodies, international organisations, non-governmental organisations as well as representatives from science and industry.

On this platform, Cook strongly supported the idea of introducing similar data protection standards to those of the GDPR in the US and encouraged his fellow tech companies to do so as well. The Apple CEO warned of a danger of a “data industrial complex”, where information about individuals is being weaponized against humanity “with military efficiency”. Cook pointed out that scraps of personal data are “carefully assembled, synthesized, traded and sold” creating an “enduring digital profile which lets companies know individuals better than they may know themselves”, since businesses would use these information to make billions and billions of dollars. As this would end up in surveillance while those stockpiles of data only serve to enrich companies, he ensures Apple’s “full support of a comprehensive federal privacy law in the United States”.

Without mentioning them, the Apple CEO refers in particular to the data giants Google and Facebook by emphasizing their responsibility of creating adequate data protection standards. Both of them have been in the focus of a global discussion on whether they provide their users with adequate privacy settings. However, Facebook’s CPO Erin Egan replied, unequivocally, “yes”, when she was asked whether she would support a GDPR-like data protection law in the U.S. as well as Google General Counsel Kent Walker said, “we’ve been on record for some time calling for comprehensive privacy legislation in the past years” when he was asked about Google’s position on a U.S. federal privacy bill. Walker also pointed to Google’s recent release of principles it supports as part of a federal bill.

Last but not least, Microsoft Corporate Vice President and Deputy General Counsel Julie Brill eventually stated that Microsoft has extended many of the GDPR’s protection measures to their entire customer base and has been a supporter of a U.S. federal privacy bill since 2005. In particular, Brill endorsed a “strong, robust, and horizontally effective baseline privacy legislation.” She further ensured that at Microsoft people are using their voice as strongly as they could to encourage that to take place.

Bearing in mind the data scandals around – in particular – Google and Facebook, and the rather low data protection standards in the U.S., it seems that at least four representatives of the top seven tech companies in the world endorse a new U.S. federal privacy bill and will encourage in supporting an adequate privacy standard around the globe. Regarding the actual stance of the Trump administration, FTC Commissioner and recent Trump appointee Noah Phillips, gave an indication about how this subject will be treated. According to his personal opinion, such a regulation should be done “only if necessary and then very carefully.” Being asked whether the U.S. has the right laws in place to regulate technology appropriately, or whether there were any gaps, he replied, “that is a big question we are debating right now in the United States.”

Pages: Prev 1 2 3 4 5 6 7 8 9 10 Next
1 3 4 5 6 7 10