Category: General Data Protection Regulation
14. December 2016
As just reported by huntonprivacyblog, Politico has released an article saying that the European Commission wishes to upgrade the e-Privacy Directive to a Regulation.
This upgrade would have important legal consequences under European law: a Directive has to be implemented into national law, whereas a Regulation imposes requirements that are directly applicable in the Member States.
The draft of the Regulation, which was leaked to Politico, is intended to complement the European GDPR. As Politico explained, the draft was last reviewed on 28 November 2016. It is expected to be officially published at the beginning of 2017.
The e-Privacy Directive is intended to protect the privacy and confidentiality of users of electronic communication services.
13. December 2016
Peter Fleischer, Google’s Global Privacy Counsel, raised the question: “Should the balance between the right to free expression and the right to privacy be struck by each country?”
In basic terms, the right to be forgotten is the right of every European citizen to demand that certain links be delisted from search results. However, this can also be seen as censorship and as rewriting history, which is why there is a never-ending debate on this topic.
The French Data Protection Authority, CNIL, has demanded a global right to be forgotten, which would mean that links delisted at the request of a French data subject, for example from Google search, would have to be removed from all versions of the service worldwide.
The problem that might arise is that, in theory, non-democratic countries could then invoke the same rule. One might argue that the internet as an independent source of information is thereby endangered.
Google disagrees with the idea that the right to be forgotten should also apply in countries outside Europe.
Google has only confirmed that it acts in accordance with local laws and within the standards set by the European Court of Justice. In addition, Google promises to remove the respective links from all European Google versions simultaneously.
Nevertheless, it has also been pointed out that such a link could still be found on a non-European version of Google.
In response, Google has also delisted links on Google.com, Google.co.kr and Google.com.mx.
30. November 2016
Elizabeth Denham, the UK Information Commissioner, gave a keynote speech at the Annual Conference of the National Association of Data Protection and Freedom of Information Officers. In her statement Denham explained that the UK is preparing for the upcoming GDPR. She confirmed the government’s position that the GDPR will be implemented in the UK as well, Brexit aside.
Denham also said that the first regulatory guidance on the GDPR can be expected from the Article 29 Working Party at the end of this year. It is believed that this guidance will put a number of key aspects of the GDPR up for discussion.
Another point of her speech was that the Article 29 Working Party is about to release guidance on the concept of risk under the GDPR and on carrying out Data Protection Impact Assessments at the beginning of 2017.
Furthermore, she mentioned that the Article 29 Working Party aims to publish guidance on certifications under the GDPR.
24. November 2016
Background information:
The German Federal Data Protection Act requires companies to appoint a Data Protection Officer if at least ten persons are involved in the automated processing of personal data. Companies may either appoint an employee as internal Data Protection Officer or engage an external Data Protection Officer. In general, the Data Protection Officer needs to have the necessary knowledge of data protection law and must also be reliable and independent. A Data Protection Officer is only considered reliable and independent if he or she has no other duties that could lead to a conflict of interest.
What happened?
A German Data Protection Authority has just fined a company for appointing an internal Data Protection Officer who was also the company’s IT manager. The Data Protection Authority argued that the position of IT manager is incompatible with that of Data Protection Officer, because the Data Protection Officer would be required to monitor himself or herself. Such self-monitoring, the authority explained, contradicts the required independence.
This is an important decision, as the upcoming GDPR also requires the appointment of a Data Protection Officer in the cases it specifies and further states that any other tasks and duties of the Data Protection Officer must not result in a conflict of interests. A violation of this may result in fines of up to 10,000,000 EUR or up to 2 % of the total worldwide annual turnover, whichever is higher.
22. November 2016
A White Paper on Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation was just released by the Centre for Information Policy Leadership at Hunton & Williams LLP.
The White Paper provides guidance and recommendations on implementing the GDPR’s requirements concerning the role of the Data Protection Officer, DPO.
According to the Privacy & Information Security Law Blog of Hunton & Williams, the White Paper aims
- “to serve as formal input to the Article 29 Working Party’s work on developing further guidance on the proper implementation of the DPO role under the GDPR, which is expected to be finalized by the end of December and
- to provide guidance for companies that must comply with the GDPR’s DPO provisions by May 25, 2018 (i.e., the date the GDPR becomes effective).”
11. November 2016
The IAPP has just published an article reporting that INTERPOL is calling on governments around the world to share terrorists’ biometric data in order to increase global security.
The statement was issued at INTERPOL’s General Assembly: INTERPOL currently holds information on about 9,000 terrorists, but only 10 percent of these files include biometric information. INTERPOL’s Secretary General, Jürgen Stock, explained that this can be seen as “a weak link” in the prevention of terrorism.
On the one hand, some countries, among them several ASEAN countries, have taken big steps with regard to data sharing, having recently agreed to share biometric data for counter-terrorism purposes. On the other hand, many governments are still discussing how to handle biometric data domestically, so sharing such data internationally would be a step further.
However, governments worldwide are becoming more and more interested in biometric security, which might help to fight terrorism. INTERPOL’s suggestion might also increase this kind of cooperation.
12. October 2016
Dell has just published the results of a global survey on GDPR perceptions and readiness. The main finding is a lack of awareness of the requirements, of the preparation needed and of the impact:
- More than 60 % answered that they are aware that something is going on with the GDPR, but said that they do not know exactly what.
- Just 4 % of respondents outside Europe said that they are very knowledgeable about the details of the GDPR, and only 6 % of those in Europe answered that they are very familiar with the requirements.
- On top of this, fewer than one in three companies feel prepared for the GDPR.
- About 70 % said that their company is definitely not prepared for the GDPR today, or that they do not know whether it is, and only 3 % of them have a plan to get ready.
- Fewer than 50 % said they feel confident that they will be ready when the GDPR comes into effect in 2018, and just 9 % expect to be fully prepared.
6. October 2016
Last month, the CIPL held the second workshop of its two-year GDPR implementation project in Paris.
Almost 120 business delegates took part, together with 12 data protection authorities, four EU Member State governments, the European Commission, the European Data Protection Supervisor, a non-DPA regulator, several academics and the IAPP, in order to develop best practices and to build a bridge between regulators and industry.
This time, the workshop focused mainly on the role of the data protection officer and on the privacy impact assessment, also called PIA.
It was also announced that the Article 29 Working Party will release its first guidelines on the GDPR either before the end of the year or at the beginning of 2017. These guidelines will include advice on data portability and on the role of the DPO. Later on, the Article 29 Working Party will also release guidance on risk, PIAs and certifications.
5. October 2016
The Cloud Infrastructure Services Providers in Europe, CISPE, published a Data Protection Code of Conduct for Cloud Infrastructure Service Providers.
CISPE is a relatively new association of more than 20 cloud infrastructure providers operating in Europe.
The CISPE Code of Conduct focuses on transparency and compliance with EU data protection law and has been designed to be compliant with the GDPR, which applies from May 2018. It builds on internationally recognised, state-of-the-art security measures to increase data security for cloud customers.
In the press release, Axelle Lemaire, French Minister for Digital Affairs and Innovation, commented that “The CISPE Code of Conduct shows that the European cloud computing industry is capable of providing secure and compliant services for all personal and technical data in Europe and improve trust in digital services.”
26. September 2016
Last week, the Belgian Data Protection Authority, the “Privacy Commission”, published guidelines containing 13 steps to help organizations prepare for the EU General Data Protection Regulation. The guidelines were published in French and Dutch.
The Belgian Data Protection Authority recommends the following steps to become compliant with the GDPR:
- Awareness: Inform the relevant persons about the upcoming changes.
- Internal Records: Document the data you hold, where it came from and to whom it is transferred.
- Privacy Notice: Review and update the privacy notice.
- Individuals’ Rights: Check that existing procedures can satisfy individuals’ rights.
- Access Requests: Review current procedures for access requests and consider how these requests will be handled within the new GDPR time limits.
- Legal Basis: Document all data processing operations and demonstrate the legal basis for each of them.
- Consent: Review how consent is collected and recorded.
- Children’s Personal Data: Plan procedures to verify the age of individuals and determine how to obtain parental or legal guardian consent for processing that involves children’s data.
- Data Breach: Ensure that procedures for handling data breaches are in place.
- Data Protection by Design and Data Protection Impact Assessments: Familiarise yourself with these concepts and consider how to implement them.
- Data Protection Officer: Appoint a Data Protection Officer and review the role.
- International: Check which Data Protection Authority will be your lead supervisory authority.
- Existing Contracts: Review current contracts.