Category: General Data Protection Regulation
13. January 2017
On January 10th 2017 the European Commission released a Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications.
The presented proposal pursues the implementation of the EU’s Digital Single Market strategy, which aims to increase trust in and the security of digital services. With the upcoming General Data Protection Regulation, further legislative measures have to be implemented in order to build a coherent regulatory framework.
The proposed Regulation will repeal Directive 2002/58/EC on Privacy and Electronic Communications, also known as the “E-Privacy Directive”, which does not sufficiently account for current technological developments. In particular, so-called Over the Top communication services, such as the messenger services WhatsApp, Skype or Facebook Messenger, are not regulated by the E-Privacy Directive and lack sufficient privacy for their users. According to the proposed Regulation, the content of messages as well as metadata will have to remain confidential and/or anonymized unless the user has consented otherwise.
In addition, the new rules set out a strategic approach relating to international data transfer. By engaging in so-called “adequacy decisions” the transfer of personal data will be simplified while a high level of privacy remains.
The proposed Regulation further contains rules to ensure that personal data, which is processed by EU institutions and bodies, is handled according to the measures of the General Data Protection Regulation.
Finally, since the nature of the Proposal is a regulation instead of a directive, it should have a stronger impact for both consumers and businesses.
Ideally the legislative process will be finalized by May 25th 2018, when the General Data Protection Regulation will enter into force.
19. December 2016
The European Article 29 Working Party just published Guidelines after their December plenary meeting.
These Guidelines include explanations of the role of the Data Protection Officer, the mechanisms for data portability and how a lead authority will be established with regard to the one-stop shop. Furthermore, some guidance on the EU-U.S. Privacy Shield was also included.
When do you have to appoint a DPO?
Article 37 (1) of the GDPR states that a DPO has to be appointed
- a) where the processing is carried out by a public authority or body,
- b) where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or
- c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data.
How does the Article 29 Working Party define these requirements?
“Core activities” are defined as the “key operations necessary to achieve the controller’s or processor’s goals.” The Article 29 Working Party gives the following example: a hospital needs to process health data as core to its ultimate activity of providing health care services.
Therefore, companies have to ask themselves whether the processing of personal data is an inextricable part of achieving their goals.
“Large scale” refers to the number of data subjects and not to the company’s size.
The Working Party 29 defines the following factors for identifying processing on a “large scale”:
- The number of data subjects affected.
- The volume of data and/or the range of different data items being processed.
- The duration, or permanence, of the data processing activity.
- The geographical extent of the processing activity.
The Working Party 29 welcomes feedback on the Guidelines from stakeholders through January 2017. Comments can be sent to just-article29wp-sec@ec.europa.eu and presidenceg29@cnil.fr.
14. December 2016
As just reported by huntonprivacyblog, Politico released an article saying that the European Commission wishes to upgrade the e-Privacy Directive to a Regulation.
This upgrade would have highly important legal consequences under European law, because a Directive needs to be implemented into national law, whereas a Regulation imposes requirements that are directly applicable in the Member States.
The draft of the Regulation, which was leaked to Politico, is intended to complement the European GDPR. As Politico explained, the draft was last reviewed on 28 November 2016. It is expected to be officially published at the beginning of 2017.
The e-Privacy Directive is intended to protect the privacy and confidentiality of users of electronic communication services.
13. December 2016
Peter Fleischer, a global privacy counsel, raised the question: “Should the balance between the right to free expression and the right to privacy be struck by each country?”
In basic terms, the right to be forgotten is a right of every European citizen to demand the erasure of certain links from the internet. However, this can also be seen as censorship and rewriting history, which is why there is a never-ending debate on this topic.
The French Data Protection Authority, CNIL, has demanded an absolute right to be forgotten, which would mean that the removal of French data, for example from Google search, could be demanded worldwide.
The problem that might occur is that, in theory, non-democratic countries would also have to follow this rule. One might argue that the internet can be seen as an independent source of information that is now being endangered.
Google disagrees with the idea that the right to be forgotten should also be applied to countries outside Europe.
Google’s only confirmation is that it is acting in accordance with local laws as well as within the standards set by the European Court. What is more, Google promises to remove the respective links from all European Google versions simultaneously.
Nevertheless, it has also been pointed out that one could still find such a link on the non-European versions of Google.
In response, Google has also delisted links on Google.com, Google.co.kr and Google.com.mx.
30. November 2016
Elizabeth Denham, UK Information Commissioner, participated in the Annual Conference of the National Association of Data Protection and Freedom of Information Officers, during which she gave a keynote speech. In her statement Denham explained that the UK is preparing for the upcoming GDPR. She confirmed the government’s position that the GDPR will be implemented in the UK as well – Brexit aside.
Denham’s statement includes that the first regulatory guidance on the GDPR can be expected to be published by the Article 29 Working Party at the end of this year. It is believed that this guidance will probably bring a number of key aspects of the GDPR up for discussion.
Another point of her speech was that the Article 29 Working Party is about to release guidance on the concept of risk under the GDPR and on carrying out Data Privacy Impact Assessments at the beginning of 2017.
Furthermore, it was mentioned that the Article 29 Working Party aims to publish guidance on certifications under the GDPR.
24. November 2016
Background information:
Because the German Federal Data Protection Act states that companies must appoint a Data Protection Officer if at least ten persons are involved in the automated processing of personal data, companies are required to appoint either an employee as an internal Data Protection Officer or an external Data Protection Officer. In general, the Data Protection Officer needs to have the necessary knowledge of data protection law and must also be reliable and independent. A Data Protection Officer is considered reliable and independent only if he/she has no other obligations that could lead to a conflict of interest.
What happened?
A German Data Protection Authority just fined a company because it appointed an internal Data Protection Officer who was also the IT Manager. The Data Protection Authority argued that the position of an IT Manager is incompatible with the position of the Data Protection Officer, since the Data Protection Officer would be required to monitor himself/herself. The Data Protection Authority explained that such self-monitoring is contradictory to the required independence.
This is a very important statement, as the upcoming GDPR requires the appointment of a Data Protection Officer as well and further states that any additional tasks and obligations of the Data Protection Officer must not result in a conflict of interests – bearing in mind that a violation of this may result in fines of up to 10,000,000 EUR or up to 2 % of the total worldwide annual turnover, whichever is higher.
22. November 2016
A White Paper on Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation was just released by the Centre for Information Policy Leadership at Hunton & Williams LLP.
The White Paper provides guidance and recommendations on the implementation requirements of the GDPR concerning the role of the Data Protection Officer (DPO).
According to the privacy and information blog of Hunton & Williams, the mentioned White Paper aims
- “to serve as formal input to the Article 29 Working Party’s work on developing further guidance on the proper implementation of the DPO role under the GDPR, which is expected to be finalized by the end of December and
- to provide guidance for companies that must comply with the GDPR’s DPO provisions by May 25, 2018 (i.e., the date the GDPR becomes effective).”
11. November 2016
The IAPP just published an article saying that INTERPOL calls on governments around the world to share terrorists’ biometric data in order to increase global security.
This statement was issued by INTERPOL’s General Assembly, which said that it currently possesses information about 9,000 terrorists. However, only 10 percent of these files include biometric information. INTERPOL’s Secretary General, Jürgen Stock, explains that this can be seen as “a weak link” in the prevention of terrorism.
On one side, some countries – among them multiple ASEAN countries – have taken big steps with regard to data sharing, as they have recently agreed to share biometric data for the purposes of counter-terrorism. On the other side, many governments are still discussing how to handle biometric data domestically, so sharing such data internationally would be a step further.
However, governments worldwide are becoming more and more interested in biometric security, which might help to fight terrorism. The mentioned suggestion of INTERPOL might also increase this kind of cooperation.
12. October 2016
Dell just published the results of a global survey about the GDPR perceptions and readiness. Among other findings, the main result is the lack of awareness of the requirements, the preparation and the impact:
- More than 60 % answered that they are aware that something is going on with the GDPR. However, they said that they do not know what exactly is happening.
- Just 4 % outside of Europe commented that they are very knowledgeable about the details of the GDPR. Nevertheless, only 6 % of those in Europe answered that they are very familiar with the requirements.
- On top of this, fewer than one in three companies feel that they are prepared for the GDPR.
- Furthermore, about 70 % said that their company is definitely not, or do not know if their company is, prepared for the GDPR today. However, only 3 % of them have a plan in order to get ready.
- Fewer than 50 % commented that they feel confident to be ready in time when the GDPR comes into effect in 2018. Nevertheless, just 9 % expect to be fully prepared.
6. October 2016
Last month, the CIPL held its second workshop in Paris as part of its two-year GDPR implementation project.
During this workshop, almost 120 business delegates, 12 data protection authorities, four European Member State governments, the European Commission, the European Data Protection Supervisor, a non-DPA regulator, several academics and the IAPP participated in order to develop best practices and to build a bridge between authorities and industry.
This time, the workshop mainly focused on the role of the data protection officer and on the privacy impact assessment, also called PIA.
In this context it was also announced that the Article 29 Working Party is going to release its first guidelines concerning the GDPR either before the end of the year or at the beginning of 2017. These guidelines will include advice on data portability and the role of the DPO. Furthermore, the Article 29 Working Party will also release guidance on risk, PIAs and certifications later on.