Category: General Data Protection Regulation

WP29: Guideline for profiling and automated decision-making

19. October 2017

The Article 29 Data Protection Working Party (WP29) adopted guidelines on automated individual decision-making and profiling, both of which are addressed by the General Data Protection Regulation (GDPR). The GDPR will be applicable from the 25th May 2018. WP29 acknowledges that “profiling and automated decision-making can be useful for individuals and organisations as well as for the economy and society as a whole”. “Increased efficiencies” and “resource savings” are two of the benefits named.

However, the guidelines also state that “profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards”. One such risk is that profiling may “perpetuate existing stereotypes and social segregation”.

The guidelines cover, inter alia, the definitions of profiling and automated decision-making as well as the general approach of the GDPR to both. They point out that the GDPR introduces provisions to ensure that the use of profiling and automated decision-making does not have an “unjustified impact on individuals’ rights”, naming examples such as “specific transparency and fairness requirements” and “greater accountability obligations”.

UK government introduced Data Protection Bill

13. October 2017

The UK government introduced the Data Protection Bill to implement the General Data Protection Regulation (GDPR – 2016/679).

The GDPR enters into force on 25th May 2018 in the European Union. Since the Brexit vote it had been unclear whether the UK would implement the GDPR into UK domestic law. The Data Protection Bill does not only implement the legal requirements of the GDPR: the Law Enforcement Directive (2016/680) and the standards of the Council of Europe’s draft modernised Convention 108 on the processing of personal data carried out by the intelligence services will also be adopted in the new UK data protection law.

The new Law will replace the existing UK Data Protection Act 1998.

Currently the bill is at the beginning of the parliamentary process. The first reading in the House of Lords was held on 13th September, the second on 10th October. The bill consists of seven parts and 18 Schedules.

Data flows between European countries and the UK will therefore not raise the problems that caused concern after the Brexit vote, because the level of data protection in Europe and the UK will be equal.

New Zealand: Police use backdoor in law to gather private data

5. September 2017

According to the New Zealand Council of Civil Liberties, in several cases banks handed private data over to the police after the police requested it from them. It is further explained that the police used official-looking forms instead of applying to a judge for a search warrant or examination order. The police reportedly have neither oversight nor a register that tracks the number of requests filed.

The police and the banks rely on a legal loophole in the Privacy Act that allows organisations to reveal information about persons in order “to avoid prejudice to the maintenance of the law”. The Privacy Commissioner, John Edwards, wants to end the further use of this backdoor. Referring to the case in which the private information of activist and journalist Martyn Bradbury was handed over, he said:

“…we concluded that Police had collected this information in an unlawful way by asking for such sensitive information without first putting the matter before a judicial officer. Our view is that this was a breach of Principle 4 of the Privacy Act, which forbids agencies from collecting information in an unfair, unreasonable or unlawful way.”

New Data Protection Act in Austria

31. August 2017

In preparation for the General Data Protection Regulation (GDPR), which comes into force on 25th May 2018, the Austrian Parliament has passed a new Data Protection Act.

The GDPR is directly applicable, which means that it will regulate data protection within the European Union without the need for any transposing act by the member states. Nevertheless, the GDPR contains a number of opening clauses. Opening clauses enable the member states to supplement the law, and in some cases the member states are even obliged to provide specifications. For these reasons the member states have to revise their existing data protection laws. The first country to renew its law was Germany; now Austria follows.

The first draft of the new act was published on 12th May 2017. After evaluating the results of the consultation the new Data Protection Act was published in the federal law gazette on 31st July 2017.

It is noticeable that the Austrian parliament has been reticent about deviating from the GDPR, which benefits the harmonisation of data protection within the European Union.

Cifas: Identity theft at epidemic level

24. August 2017

According to BBC.com, the fraud prevention group Cifas warns that cases of identity theft in the UK are increasing year by year. In the first six months of the year Cifas already recorded 89,000 cases, a 5% increase on the same period of the previous year and a new record.

BBC.com further reports that Simon Dukes, chief executive of Cifas, said: “We have seen identity fraud attempts increase year on year, now reaching epidemic levels, with identities being stolen at a rate of almost 500 a day.” It is further explained that “these frauds are taking place almost exclusively online. The vast amounts of personal data that is available either online or through data breaches is only making it easier for the fraudster.”

Fraudsters target data such as names, addresses, dates of birth or bank account details. They gather these data by hacking computers, stealing mail or buying data on the “dark web”; victims are also tricked into giving away their personal data. Most of the thefts, about 80%, are committed online and mostly without the victims noticing. The crimes often only come to light when, for example, the first unexpected bill arrives.

The victims of impersonation were broken down by age group, showing that people in their 30s and 40s are the most likely victims of identity theft, since a large amount of information about this group is often available online. It is further reported that, according to Cifas, the number of cases fell for the over-60s, while the group aged 21 to 30 showed the biggest increase in cases.

India: Is the “right to privacy” a fundamental human right?

4. August 2017

The Indian Supreme Court has to decide if the “right to privacy” should be considered a fundamental human right.

According to the Wire, a bench of nine justices was set up after several petitions challenged the constitutional validity of India’s Aadhaar scheme, with some petitioners claiming that the biometric authentication system violates the privacy of Indians. Over the last two weeks the bench examined the nature of privacy as a right in the context of two earlier judgements, from 1954 and 1962, which concluded that the right to privacy was not a fundamental right. Legal experts expect the judgement in the last week of August.

The Times of India reports that the Supreme Court outlined a three-tier graded approach to examining whether privacy can be considered a fundamental right. The Bench divides privacy into three zones. As stated by a justice of the Bench, the first zone would be the most intimate zone, concerning for example marriage or sexuality. The state should only intrude upon this zone under “extraordinary circumstances provided it met stringent norms”.

The second zone would be the private zone. This zone could involve personal data such as credit card usage or the income tax declaration. In this zone, “sharing of personal data by an individual will be used only for the purpose for which it is shared by an individual”, it is further said.

The third zone would be the public zone. This zone should require only minimal regulation. However, this should not mean that the individual loses the right to privacy; he would “retain his privacy to body and mind”.


Article 29 WP releases opinion on data processing at work

11. July 2017

The Article 29 Working Party (WP) released its opinion on data processing at work on the 8th of June 2017. The Opinion is meant as an amendment to the previously released documents on the surveillance of electronic communications (WP 55) and on processing personal data in the employment context (WP 48). The update is intended to address fast-changing technologies, new forms of processing and the fading boundaries between home and work. It covers not only the Data Protection Directive but also the new rules in the General Data Protection Regulation, which applies from the 25th of May 2018.

The WP lists nine different scenarios in the employment context in which data processing can lead to deficiencies in data protection: data processing in the recruitment process and in-employment screening (especially via social media platforms), the use of monitoring tools for information and communication technologies (ICT) in the workplace, their use at home or remotely, monitoring of time and attendance, video monitoring, the use of vehicles by employees, the disclosure of data to third parties and the international transfer of employee data.

The Article 29 WP also points out the main risk for the fundamental rights of employees: new technologies allow employers to track employees over long periods and almost everywhere, in a less visible way. This can have a chilling effect on the rights of employees, because they assume they are under constant supervision.

Finally, the Article 29 WP gives the following recommendations for dealing with data processing in the employment context:

  • only collect data that is legitimate for the purpose, and only with processing taking place under appropriate conditions,
  • consent is highly unlikely to be a legal basis for data processing, because of the imbalance of power between employer and employee,
  • track the location of employees only where it is strictly necessary,
  • communicate every form of monitoring to your employees effectively,
  • do a proportionality check prior to the deployment of any monitoring tool,
  • be more concerned with prevention than with detection,
  • keep data minimisation in mind; only process the data you really need to,
  • create privacy spaces for users,
  • on cloud use: ensure an adequate level of protection for every international transfer of employee data.

Many companies have not started preparing for the GDPR

27. June 2017

The General Data Protection Regulation (GDPR) will be applicable to all EU Member States from May 25th 2018. The GDPR will not just apply to EU companies, but also to non-EU companies that have dealings with data subjects that are located in the EU (see also Art. 3 (2) GDPR).

In particular, companies that fall under the GDPR should be prepared to fulfil its requirements, since they risk a fine if they fail to comply. This is especially relevant because the fines for infringements of the GDPR have increased significantly (see also Art. 83 GDPR).

The measures companies have to implement to comply with the GDPR involve high expenses and will in most cases probably be more time-consuming than expected, depending on the size and complexity of the company. The time factor in particular has to be considered, since less than a year is left until May 2018.

However, according to a report by TrustArc, 61% of the companies surveyed have not yet started implementing their GDPR compliance programmes.

TrustArc interviewed 204 privacy professionals from companies in different industries that will fall under the GDPR. These companies were divided into three categories based on their number of employees: 500-1000 employees, 1000-5000 employees and more than 5000 employees.

23% stated that they have started the necessary implementation work, 11% that implementation is under way, and just 4% stated that they had completed everything necessary to reach GDPR compliance.

The report also shows the costs companies expect to incur in implementing what is necessary to comply with the GDPR. Overall, 83% expect their expenses to be in the six figures.

European Commission releases proposal to complete data protection framework

13. January 2017

On January 10th 2017 the European Commission released a Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications.

The proposal pursues the implementation of the EU’s Digital Single Market strategy, which aims to increase trust in, and the security of, digital services. With the upcoming General Data Protection Regulation, further legislative measures have to be implemented in order to build a coherent regulatory framework.

The proposed Regulation will repeal Directive 2002/58/EC on Privacy and Electronic Communications, also known as the “E-Privacy Directive”, which insufficiently accounts for current technological developments. In particular, so-called Over-the-Top communication services, such as the messenger services WhatsApp, Skype or Facebook Messenger, are not regulated by the E-Privacy Directive and lack sufficient privacy for their users. According to the proposed Regulation, the content of messages as well as metadata will have to remain confidential and/or be anonymised unless the user consents otherwise.

In addition, the new rules set out a strategic approach to international data transfers. Through so-called “adequacy decisions”, the transfer of personal data will be simplified while a high level of privacy is maintained.

The proposed Regulation further contains rules to ensure that personal data, which is processed by EU institutions and bodies, is handled according to the measures of the General Data Protection Regulation.

Finally, since the Proposal takes the form of a regulation instead of a directive, it should have a stronger impact on both consumers and businesses.

Ideally the legislative process will be finalized by May 25th 2018, when the General Data Protection Regulation will enter into force.

Article 29 Working Party released Guidelines on Data Protection Officers, Data Portability & One-Stop Shop

19. December 2016

The European Article 29 Working Party just published Guidelines after their December plenary meeting.

These Guidelines include explanations in terms of the role of the Data Protection Officer, the mechanisms for data portability and how a lead authority will be established with regard to the one-stop shop. Furthermore, some guidance on the EU-U.S. Privacy Shield was also included.

When do you have to appoint a DPO?

Article 37 (1) of the GDPR states that a DPO has to be appointed

a) where the processing is carried out by a public authority or body;

b) where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or

c) where the core activities of the controller or the processor consist of processing special categories of data on a large scale.

How does the Article 29 Working Party define these requirements?

“Core activities” are defined as the “key operations necessary to achieve the controller’s or processor’s goals.” The Article 29 Working Party gives the following example: a hospital needs to process health data as core to its ultimate activity of providing health care services.

Therefore, companies have to ask themselves whether the processing of personal data is an inextricable part of achieving their goals.


“Large scale” refers to the number of data subjects and not the company’s size.

The Working Party 29 names the following factors for identifying “large scale” processing:

  • The number of data subjects affected.
  • The volume of data and/or the range of different data items being processed.
  • The duration, or permanence, of the data processing activity.
  • The geographical extent of the processing activity.

The Working Party 29 welcomes feedback on the Guidelines from stakeholders through January 2017. Comments can be sent to just-article29wp-sec@ec.europa.eu and presidenceg29@cnil.fr.
