Category: General Data Protection Regulation

South Africa’s Data Protection Act comes into force

9. July 2020

On July 1, 2020, South Africa’s Protection of Personal Information Act 2013 finally came into effect. The Act had been in planning for the last seven years, with parts of it already published in 2014, and will fully come into effect with oversight provisions in June 2021, allowing for a 12 months period to enable companies to become compliant with the new regulations.

Due to its long planning period, most companies already have organised compliancy. On the other side, a lot of businesses haven’t taken the necessary steps yet, as they have been waiting for the final push to see if the Act would even come into effect. Full enforcement will be enacted on July 1, 2021, giving those companies a countdown to become compliant.

The initial draft made in 2013 was mainly based on the EU Data Protection Directive 95/46/EC, with some changes for stricter provisions. The partial enforcement in 2014 allowed for the establishment of an Information Regulator in 2016, which has released Guidances in light of the future enforcement of the Act.

The right to privacy has been a fundamental right since 1996, and the act aims to promote the protection of personal data for any business processing personal information in South Africa. However, different from a lot of other Data protection Regulations around the world, the South African Protection of Personal Information Act also includes protection of the juristic person, such as companies, banks, trusts, etc.

One of the bigger changes in regards to South Africa’s previous handling of protection of personal data represents the obligation to notify a data breach to the authorities and, in some cases, to the data subjects. It also includes further requirements for international data transfers, as well as finally detailing data subjects’ rights.

German State Data Protection Commissioner imposes 1.2 million € GDPR fine

1. July 2020

The German State Data Protection Commissioner of Baden-Württemberg (“LfDI Ba-Wü”)  imposed a GDPR fine of 1.240.000€ on the German statutory health insurance provider AOK Baden-Württemberg (“AOK”). The fine was a result of the health insurance’s lack of technical and organisational measures pursuant to Art. 32 GDPR. It is the highest fine the LfDI Ba-Wü has ever imposed.

Between 2015 and 2019 the AOK organised lotteries on various occasions and collected personal data of the participants, including their contact details and current health insurance affiliations. The AOK wanted to use the data of the lottery participants for advertising purposes, insofar as the participants gave their consent to this. To ensure the security of processing, the AOK implemented internal guidelines and data protection training of their staff as technical and organisatioal measures. However, these measures were not sufficient to comply with Art. 32 GDPR because AOK staff used the personal data of more than 500 lottery participants for advertising purposes without their prior consent.

Following the investigation of the LfDI Ba-Wü, the AOK immediately stopped all marketing activities in order to revise their internal policies and processes against the GDPR. The LfDI Ba-Wü explained that in determining the extent of the fine, it considered the following mitigating factors:

  • the cooperation of the AOK with the Data Protection Authority,
  • the fact that the AOK as a statutory health insurance provider is an important part of the German healthcare system, and
  • the burdens of the current Corona-Pandemic on the healthcare system.

Finally, the Commissioner pointed out that technical and organisational measures must be regularly adjusted to the actual conditions of each processing activity, in order to ensure an adequate level of data protection in the long term.

EDPB releases new official register of Art. 60 GDPR decisions

29. June 2020

On 25 June 2020, the European Data Protection Board (“EDPB”) released a new register of final decisions by national European Data Protection Authorities (Supervisory Authorities) cooperating with one another pursuant to Art. 60 GDPR. The register provides access to the decisions themselves, summaries of the decisions in English, and information on the identity of the cooperating Lead Supervisory Authority and Concerned Supervisory Authorities.

The GDPR postulates that Supervisory Authorities have to cooperate in potential cases of GDPR violations that include cross-border data processing activities. During this cooperation, the Lead Supervisory Authority will be in charge of preparing the draft decision and involving the Concerned Supervisory Authorities, and will act as the sole interlocutor of the Controller or Processor (“One-Stop-Shop”-Principle), Art. 56 and Art. 60 GDPR.

To date, the new EDPB register contains 110 final decisions. The EDPB states in its announcement that ‘the register will be valuable to data protection practitioners who will gain access to information showcasing how SAs work together to enforce the GDPR in practice.’

DPA Liechtenstein published a description on the procedure for data protection inspections

24. June 2020

The Data Protection Authority of Liechtenstein (DPA) – Datenschutzstelle Fürstentum Liechtenstein –  recently published a description on the procedure for data protection inspections conducted by the DPA to provide transparent information on the process from the first contact until the completion of the audit.

The DPA distinguishes five kind of inspections:

  1. Investigations in individual cases on the basis of complaints or indications;
  2. Preventive or unprompted investigations in the form of data protection checks;
  3. Investigations at the request of a responsible person or processor;
  4. Investigations based on a legal mandate;
  5. Coordinated joint investigations.

According to the published statement the purpose of a data protection inspections is to assess the actual situation (current status) established by the reviewed organisation and, if necessary, to bring data processing activities into compliance with the GDPR or the DSG  in a specific way and within a specific period of time, in particular by giving instructions (target status).

The process depends on the individual case and the individual steps can be repeated or may be executed in a different order, but basically the process contains 6 steps:

  1. Contact and announcement;
  2. Document check;
  3. (optional);
  4. Audit report;
  5. Exercise of remedial powers and injunction;
  6. follow-up test.

The DPA also focuses on the accountability and cooperation obligations of the controller and explains which documents are usually requested and reviewed and which have an impact on the report.

Inter alia, the following documents are requested:

  • Records of Processing Activities;
  • Information of the Data Subjects;
  • Model consent form;
  • Information on Data Protection Trainings of employees;
  • Contracts regarding Data Processing on behalf;
  • Data Protection Impact Assessments.

Furthermore, the DPA also requests documents to be able to evaluate the effectiveness of the implemented technical and organisational measures, like:

  • Organization Chart;
  • Authorization Concept;
  • Confidentiality and Non Disclosure Agreements;
  • Data Deletion and Retention Concept.

To assess the current status, an evaluation scale is used to assess the degree of implementation of the respective measure. This ranges from ‘Not available’ to ‘Optimized’.

The duration of the assessment depends on the individual case and may take several months.

The statement is accessible in German only.

France’s supreme court, the Conseil d’État, restricts the CNIL’s Cookie Guidelines

22. June 2020

On June 19th, 2020, the French Conseil d’État has ordered the Commission Nationale de l’Informatique et des Libertés (CNIL) in a court decision to dismiss particular provisions made in its Guidelines on the subject of cookies and other tracers, which it published in 2019.

The Conseil d’État has received several complaints by businesses and professional associations, who turned to the supreme court in order to have the CNIL’s Guidelines refuted.

The main focus of the decision was the ban on cookie walls. Cookie walls are cookie consent pages which, upon declining consent to the processing of the cookies used for the website, deny the user access to the website. In their Guideline on cookies and other tracers from 2019, the CNIL had declared that such cookie walls were not in accordance with the principles of the General Data Protection Regulation (GDPR), causing a lot of businesses to appeal such a provision in front of the Conseil d’État.

In their decision on the matter, the Conseil d’État has declared that the CNIL, as only having suggestive and recommendatory competence in data protection matters, did not have the competence to issue a ban on cookie walls in the Guidelines. The Conseil d’État focused on the fact that the CNIL’s competence was only recommendatory, and did not have the finality to issue such a provision.

However, in its decision, the supreme court did not put to question whether the ban of cookie walls was in itself lawful or not. The Conseil d’État refrained from giving any substantive statement on the matter, leaving that question unanswered for the moment.

The Conseil d’État has further stated in its decision that in the case of the ability of data subjects to give their consent to processing activities, it is indeed necessary, in order to form free and informed consent, that the data subject is informed individually about each processing activity and its purpose before giving consent. However, business have the margin to decide if they collect the data subject’s consent througha one time, global consent with specifically individualized privacy policies, or over individual consent for each processing activity.

In the rest of its decision, the Conseil d’État has confirmed the remainder of the CNIL’s guidelines and provision on the matter as being lawful and applicable, giving the complainants only limited reason to rejoice.

Thailand postpones Enforcement of new Personal Data Protection Act

In response to the European General Data Protection Regulation (“GDPR”) becoming applicable in 2018, Thailand adopted its first-ever Personal Data Protection Act (“PDPA”) into law on 28 May 2019. As it is fashioned after the GDPR, the PDPA is built around principles that vastly align with the GDPR, especially in the areas of data protection principles, legal bases, and data subject rights. Originally, it was determined that the PDPA would start its applicability one year after its adoption, on 27 May 2020.

Now, the Thai Government has approved of a draft decree by the Ministry of Digital Economy and Society (“MDES”) to postpone the enforcement of most sections of the PDPA to 31 May 2021. The MDES explained that the reasons for delay are the current Corona pandemic and its strain on businesses, as well as many businesses not being prepared for PDPA compliance. Notably, Brasil also postponed the enforcement of its new Data Protecion Law (“LGPD”) for similar reasons (we reported).

The only sections of the PDPA that will be enforced as originally planned include the appointment of the Personal Data Protection Committee members and the establishment of the Office of the Personal Data Protection Committee. Whilst the delay allows companys more time to become PDPA compliant, the lack of enforcement regarding data subject rights in the meantime are a big concern of critics, especially in light of the recent adoption of Thailand’s controversial new cybersecurity law.

Hungary Update: EDPB publishes Statement on Art. 23 GDPR

17. June 2020

Since March 2020, Hungary has been in a “state of emergency” following the COVID-19 pandemic. The country’s COVID-19 related emergency laws and state of emergency received worldwide criticism from constitutional experts, politicians and civil rights groups, because it allows the Prime Minister to rule by decree during the state of emergency and does not provide a predefined end date. During the state of emergency, Prime Minister Victor Orbán made extensive use of his newly gained powers by passing more than a hundred decrees, including Decree No. 179/2020, which suspended the GDPR data subject rights in Art. 15-22 GDPR with respect to personal data processing for the purpose of preventing, understanding, detecting the coronavirus disease and impeding its further spread (we reported).

In response to this suspension of GDPR rights, the European Data Protection Board (“EDPB”) has recently published a Statement on restrictions on data subject rights pursuant to Art. 23 GDPR, which is the provision that Hungary’s measure was based on. This article allows the member states to restrict, by way of a legislative measure, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, inter alia, important objectives of general public interest of the Union or of a Member State such as public health.

In its Statement, the EDPB points out that any restriction must respect the essence of the right that is being restricted. If the essence of the right is compromised, the restriction must be considered unlawful. Since the data subject’s right of access and the right to rectification are fundamental rights according to Art. 8 para. 2 of the Charter of Fundamental Rights of the European Union, any restriction of those rights must be carefully weighed up by the member states, in order respect the essence of the rights. The EDPB considers that restrictions adopted in the context of a state of emergency suspending or postponing the application of data subject rights, without any clear limitation in time, equate to a de facto blanket suspension and denial of those rights and are not be compatible with the essence of the fundamental rights and freedoms.

The EDPB also recalls that the restrictions under Art. 23 GDPR must be necessary and proportionate. It argues that restrictions that are imposed for a duration not precisely limited in time or which apply retroactively or are subject to undefined conditions, are not foreseeable to data subjects and thus disproportionate.

Furthermore, the EDPB takes the view that in order to safeguard important objectives of general public interest such as public health (Art. 23 para. 1 lit. e GDPR), there must be a clearly established and demonstrated link between the foreseen restrictions and the objective pursued. The mere existence of a pandemic or any other emergency situation alone does not justify a restriction of data subject rights, especially if it is not clearly established, how the restrictions can help dealing with the emergency.

Following the international public backlash, the Parliament of Hungary passed legislation on 16 June 2020 to revoke the emergency laws as soons as the current state of emergency will be terminated by the Government. Hungary’s Government announced in May that it intends to lift the state of emergency on 20 June 2020. After that, the restrictions on the GDPR rights shall be lifted as well, so that data subject may exercise their Art. 15-22 GDPR rights again.

Series on COVID-19 Contact Tracing Apps Part 2: The EDPB Guideline on the Use of Contact Tracing Tools

25. May 2020

Today we are continuing our miniseries on contact tracing apps and data protection with Part 2 of the series: The EDPB Guideline on the Use of Contact Tracing Tools. As mentioned in Part 1 of our miniseries, many Member States of the European Union have started to discuss using modern technologies to combat the spread of the Coronavirus. Now, the European Data Protection Board (“EDPB”) has issued a new guideline on the use of contact tracing tools in order to give European policy makers guidance on Data Protection concerns before implementing these tools.

The Legal Basis for Processing

In its guideline, the EDPB proposes that the most relevant legal basis for the processing of personal data using contact tracing apps will probably be the necessity for the performance of a task in the public interest, i.e. Art. 6 para. 1 lit. e) GDPR. In this context, Art. 6 para. 3 GDPR clarifies that the basis for the processing referred to in Art. 6 para. 1 lit. e) GDPR shall be laid down by Union or Members State law.

Another possible legal basis for processing could be consent pursuant to Art. 6 para. 1 lit. a) GDPR. However, the controller will have to ensure that the strict requirements for consent to be valid are met.

If the contact tracing application is specifically processing sensitive data, like health data, processing could be based on Art. 9 para. 2 lit. i) GDPR for reasons of public interest in the area of public health or on Art. 9 para. 2 lit. h) GDPR for health care purposes. Otherwise, processing may also be based on explicit consent pursuant to Art. 9 para. 2 lit. a) GDPR.

Compliance with General Data Protection Principles

The guideline is a prime example of the EDPB upholding that any data processing technology must comply with the general data protection principles which are stipulated in Art. 5 GDPR. Contact tracing technology will not be an exeption to this general rule. Thus, the guideline contains recommendations on what national governments and health agencies will need to be aware of in order to observe the data protection principles.

Principle of Lawfulness, fairness and transparency, Art. 5 para. 1 lit. a) GDPR: First and foremost, the EDPB points out that the contact tracing technology must ensure compliance with GDPR and Directive 2002/58/EC (the “ePrivacy Directive”). Also, the application’s algorithms must be auditable and should be regularly reviewed by independent experts. The application’s source code should be made publicly available.

Principle of Purpose limitation, Art. 5 para. 1 lit. b) GDPR: The national authorities’ purposes of processing personal data must be specific enough to exclude further processing for purposes unrelated to the management of the COVID-19 health crisis.

Principles of Data minimisation and Data Protection by Design and by Default, Art. 5 para. 1 lit. c) and Art. 25 GDPR:

  • Data processed should be reduced to the strict minimum. The application should not collect unrelated or unnecessary information, which may include civil status, communication identifiers, equipment directory items, messages, call logs, location data, device identifiers, etc.;
  • Contact tracing apps do not require tracking the location of individual users. Instead, proximity data should be used;
  • Appropriate measures should be put in place to prevent re-identification;
  • The collected information should reside on the terminal equipment of the user and only the relevant information should be collected when absolutely necessary.

Principle of Accuracy, Art. 5 para. 1 lit. d) GDPR: The EDPB advises that procedures and processes including respective algorithms implemented by the contact tracing apps should work under the strict supervision of qualified personnel in order to limit the occurrence of any false positives and negatives. Moreover, the applications should include the ability to correct data and subsequent analysis results.

Principle of Storage limitation, Art. 5 para. 1 lit. e) GDPR: With regards to data retention mandates, personal data should be kept only for the duration of the COVID-19 crisis. The EDPB also recommends including, as soon as practicable, the criteria to determine when the application shall be dismantled and which entity shall be responsible and accountable for making that determination.

Principle of Integrity and confidentiality, Art. 5 para. 1 lit. f) GDPR: Contact tracing apps should incorporate appropriate technical and organisational measures to ensure the security of processing. The EDPB places special emphasis on state-of-the-art cryptographic techniques which should be implemented to secure the data stored in servers and applications.

Principle of Accountability, Art. 5 para. 2 GDPR: To ensure accountability, the controller of any contact tracing application should be clearly defined. The EDPB suggests that national health authorities could be the controllers. Because contact tracing technology involves different actors in order to work effectively, their roles and responsibilities must be clearly established from the outset and be explained to the users.

Functional Requirements and Implementation

The EDPB also makes mention of the fact that the implementations for contact tracing apps may follow a centralised or a decentralised approach. Generally, both systems use Bluetooth signals to log when smartphone owners are close to each other.  If one owner was confirmed to have contracted COVID-19, an alert can be sent to other owners they may have infected. Under the centralised version, the anonymised data gathered by the app will be uploaded to a remote server where matches are made with other contacts. Under the decentralised version, the data is kept on the mobile device of the user, giving users more control over their data. The EDPB does not give a recommendation for using either approach. Instead, national authorities may consider both concepts and carefully weigh up the respective effects on privacy and the possible impacts on individuals rights.

Before implementing contact tracing apps, the EDPB also suggests that a Data Protection Impact Assessment (DPIA) must be carried out as the processing is considered likely high risk (health data, anticipated large-scale adoption, systematic monitoring, use of new technological solution). Furthermore, they strongly recommend the publication of DPIAs to ensure transparency.

Lastly, the EDPB proposes that the use of contact tracing applications should be voluntary and reiterates that it should not rely on tracing individual movements but rather on proximity information regarding users.

Outlook

The EDPB acknowledges that the systematic and large scale monitoring of contacts between natural persons is a grave intrusion into their privacy. Therefore, Data Protection is indispensable to build trust, create the conditions for social acceptability of any solution, and thereby guarantee the effectiveness of these measures. It further underlines that public authorities should not have to choose between an efficient response to the current pandemic and the protection of fundamental rights, but that both can be achieved at the same time.

In the third part of the series regarding COVID-19 contact tracing apps, we will take a closer look into the privacy issues that countries are facing when implementing contact tracing technologies.

Hungarian Government suspends GDPR rights for COVID-19 related Data Processing

12. May 2020

In the face of the Corona pandemic, Hungary is currently in an indefinite “state of emergency”. Originally, Prime Minister Victor Orbán decreed the state of emergency on 11 March 2020 lasting for a period of 15 days. However, on 30 March 2020, the Hungarian Parliament passed emergency legislation (Bill on Protection against Coronavirus or Bill T/9790) extending the state of emergency until terminated by the Prime Minister and allowing the Prime Minister to rule by decree during the state of emergency. The Bill was passed thanks to the two-thirds majority of Orbán’s Fidesz Party in the Hungarian Parliament.

On 4 May 2020, Prime Minister Orbán issued Decree No. 179/2020 which contains several provisions affecting Data Protection in Hungary extensively for the time of the state of emergency.

Most importantly, the decree suspends the individual data subject’s rights pursuant to Art. 15 to 22 of the European GDPR when processing personal data for the purpose of preventing, recognising, and stopping the spread of the Coronavirus. It also stipulates that the one month time limit for Controllers to provide the necessary information (Art. 12 para. 3 GDPR) will only begin after the termination of the state of emergency for any Coronavirus related data subject requests. Furthermore, the data collection information requirements for Controllers pursuant to Art. 13 and 14 GDPR will be satisfied by publishing an electronic privacy notice providing the purpose and the legal basis of data processing which the data subjects may take notice of.

The emergency decree received much criticism from various European Data Protection authorities and civil rights groups. The head of the European Data Protection Board (“EDPB”) Andrea Jelinek stated that she is “personally very worried” about the developments, and described the Hungarian government’s decision as “unnecessary [and] detrimental”. In its most recent plenary session, the EDPB also specifically discussed Hungary’s emergency measures in light of European Data Protection Law.

Enforcement of Brazil’s new Data Protection Law postponed due to COVID-19

8. May 2020

The Coronavirus is affecting South America, like the rest of the world, and it is spreading rapidly in its largest country: Brazil. Brazil’s Government and Legislators try to handle both the public health crisis and the economic crisis that the country is facing. Now both branches have adopted emergency measures to alleviate the effects of the virus, even impacting the enforcement of the country’s new national Data Protection Law (“Lei Geral de Proteção de Dados Pessoais” or “LGPD”).

The National Congress of Brazil only passed the LGPD in August 2018. It was originally scheduled to come into effect on 15 August 2020 (we reported). As the effects of the Coronavirus began to impact Brazilian businesses, many companies called for the postponement of the LGPD’s effective date due to the difficult economic environment and due to the fact that Brazil’s national Data Protection Authority (“ANPD”) is still not fully functional.

On 3 April 2020, the Senate of Brazil unanimously approved of the Law Bill “PL 1179/2020” which includes a provision to delay the effective date of the LGPD until 1 January 2021. Furthermore, the Bill sets forth that non-compliance with the LGPD shall not be sanctioned by the Data Protection Authorities until 1 August 2021.

The second chamber of Brazil’s National Congress, the House of Representatives, debated “PL 1179/2020” all throughout April 2020 and considered the implications of the LGPD’s postponement for the privacy rights of individuals, especially with many emergency measures on the way that were increasingly restrictive on privacy rights. A vote on “PL 1179/2020” by the House of Representatives was still pending by the end of the month.

On 29 April 2020, the President of Brazil took matters into his own hands when he issued Provisional Measure #959/2020. The measure postponed the effective date of the LGPD to 3 May 2021, without segmenting the postponement into two stages like the Senate’s Law Bill “PL 1179/2020” stipulated.

Provisional Measures issued by the President of Brazil serve as temporary law and are valid for a period of 60 days which the President may extend for another 60 days. During this time period, both chambers of the National Congress must approve of the Provisional Measure in order to become permanent law. If Congress disapproves, the measure will be invalidated.

Amidst the Coronacrisis, the National Congress passed legislation to enable an expedited process for approval of Provisional Measures on 20 March 2020. It shortens a Provisional Measure’s period of validity to 16 days. Given the issuing date of the President’s Provisional Measure #959/2020, the National Congress now must approve of it until 15 May 2020.

Pages: 1 2 3 4 5 6 7 8 9 10 11 Next
1 2 3 11