Category: General Data Protection Regulation

Request for European Commission to investigate “Pokemon Go”

25. August 2016

A Belgian Minister of European Parliament wants that the European Commission investigates the App “Pokemon Go” in order to determine whether the App is compliant with European data protection law and furthermore, to warn European citizens of the dangers caused by the App.

Therefore, the respective Minister of European Parliament, Marc Tarabella, commented that the App violates not only the General Data Protection Regulation but furthermore, that it might violate the Europeans E-Privacy Directive due to the fact that the App stores cookies and trackers on users’ smartphones. He added  “In their eyes, tracking personal data of people is clearly considered a game and a source of research or revenue” and concluded “In Europe, the protection of privacy remains a fundamental right. We have to react, warn and strongly condemn these massive scams.”

Is there a high risk that the Privacy Shield will be invalidated?

5. August 2016

Having in mind that the European Court of Justice declared Privacy Shield’s predecessor, Safe Harbor, invalid, the Head of the Hamburg data protection authority, Prof. Dr. Johannes Caspar, would like to ask the European Court of Justice whether it thinks that the Commission’s decision to strike the data-transfer deal was valid.

Due to the fact that there might be upoming legal changes in Germany Caspar hopes that those will make it possible for the country’s DPAs to challenge adequacy decisions.

An E-Mail was published quoting Caspar saying that “The decision of the EU Commission concerning the Privacy Shield constitutes a new legal ground for data subjects, which is a binding document for all members of the [Article 29 Working Party of data protection authorities],” and going on “On the other hand, I have serious doubts whether this adequacy decision meets the legal requirements of the principle of proportionality and judicial redress in the [CJEU’s] Safe Harbor judgement.” Caspar went on commenting that “It is expected that sooner or later the CJEU will assess whether the access by public U.S. authorities to personal data transferred under the Privacy Shield is limited to what is strictly necessary and proportionate in a democratic society. If there is a legal way to seek reference to the CJEU – and we hope that the national lawmaker will enact a law for national DPAs soon – we will take all appropriate steps for getting a ruling on the validity of the Commission’s decision.”

Due to the fact that the GDPR is a regulation rather than a directive, it does not require transposition into national laws. However, the German government debates about new legislation in order to make German data protection law compliant with the GDPR. However, in July the German government issued a statement saying it is working on the new legislation but not mentioning whether this also includes that DPAs are able to challenge adequacy decisions.

Furthermore, Caspar commented that the Article 29 Working Party’s next opportunity to question the Privacy Shield will come in a year’s time, “if the Shield will still be in force”.

However, not only Caspar shows a sceptical point of view towards the Privacy Shield, Thomas Jansen, a partner with DLA Piper in Munich stated that “Many [European] data protection and privacy experts see a high risk that the Privacy Shield will be invalidated”.

 

The European Court of Justice ruled on the question which Member State’s data protection laws should apply

29. July 2016

As already published the European Court of Justice had to clarify which Member State’s data protection laws should apply to data processing established within the EU but directed at a number of EU Member States.

Yesterday, the European Court of Justice ruled in the case VKI v. Amazon EU that “ (…) the processing of data (…) is governed by the law of the Member State in whose territory that establishment is situated.”

However, the European Court of Justice did not discuss the respective contract between Amazon and its customers stating that “Luxembourg law shall apply.”

Nevertheless, the European Court of Justice came to the conclusion that “It is for the national court to determine (…) whether Amazon EU carries out the data processing in question in the context of the activities of an establishment situated in a Member State other than Luxembourg.”

Which European DPA is in charge of supervising Amazon?

28. July 2016

In the case Verein für Konsumenteninformation v. Amazon, the Court of Justice of the European Union has to decide which Member State’s data protection law should apply in case goods are sold across national borders but within the EU. In the respective case goods are sold from a German or Luxembourgish website to an Austrian consumer.

This can be seen as one of the more significant data protection cases of 2016. The judgement will be significant due to the fact that the EU is in the process of implementing the new General Data Protection Regulation. As a consequence an European Data Protection Board (EDPB) will be established, which will represent Data Protection Authorities of different Member States. The EDPB will also be responsible for conflicts of jurisdiction. However, this process has been described as a “ (…) hyper bureaucratic procedure that will lead to more complexity and longer procedures.”

In case the Court of Justice of the European Union clarifies the jurisdiction of Data Protection Authorities, there may be less need to utilise these hyper-bureaucratic procedures. This could make the EU’s single market more efficient.

The Court of Justice of the European Union will probably rule on this matter today.

In order to prepare for the GDPR the ICO advises companies to establish internal data breach procedures

22. July 2016

The ICO has advised organisations to implement internal data breach procedures, which should be encouraged by employee trainings, in order to be prepared as soon as the General Data Protection Directive (GDPR) comes into effect in 2018.

Therefore, the recommendation made by the ICO in terms of its breach notification recommendation instruct companies to be compliant from the first day the GDPR is implemented. Furthermore, the recommendation states that “You should make sure that your staff understands what constitutes a data breach, and that this is more than a loss of personal data” and goes on by saying that “You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision making about whether you need to notify the relevant supervisory authority or the public. In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.” On top of this, the ICO points out that companies will not have much time to notify the authorities of any data breach due to the fact that article 33 of the GDPR requires notification to take place “without undue delay and, where feasible, not later than 72 hours after having become aware of it (…) unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”.

A personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

 

75.4% of Cloud Apps are not compliant with GDPR

18. July 2016

According to the Netskope Cloud Report from June 2016, almost 75.4% of the cloud apps are not compliant with the GDPR. The main reason for this incompliance is the lack of awareness that most organizations have about the amount of cloud apps being used at the company.

The compliance evaluation was based on eight aspects of the GDPR: geographic requirements, data retention, data privacy, terms of data ownership, data protection, data processing agreement, auditing and certifications.

Compliance with the GDPR involves not only that customers as data controllers implement the provisions of the GDPR accordingly, but also that cloud apps vendors (as data controllers) are also compliant. This compliance requirement of the data processor is one of the new requirements that the GDPR imposes. Data processors are also subject to strict data processing requirements and are liable for breach of their obligations. This way, customers are liable for the use they make of the cloud apps and cloud vendors are liable for inherent security and enterprise-readiness.

The report reveals that the main incompliances relate to the data export requirements after termination of service, to excessively long retention periods and to data ownership terms. Moreover, malware also represents an increasing problem regarding cloud apps.

Upon the entry into force of the GDPR, companies shall be able to

  • Identify existing cloud apps in their organization and analyze the risks involved
  • Identify cloud apps storing sensitive data
  • Adopt measures in order to be compliant according to the eight main aspects mentioned above
  • Identify cyber threats and implement adequate measures to safeguard personal data

The future of privacy rules after UK´s referendum to leave the EU

27. June 2016

On the 23rd June, UK celebrated a referendum to vote about UK´s EU membership. About 52% of the participants, voted for leaving the EU. The process of withdrawal from the EU will have to be done according to Art. 50 of the Treaty on the European Union and will take about two years until the process is completed.

The withdrawal of the UK´s membership will also have an impact on data protection rules. First of all, the GDPR will enter into force on the 25th May 2018, so that by this time, the UK will still be in process to leave the EU. This means that UK businesses will have to prepare and be compliant with the GDPR.

Additionally, if UK businesses trade in the EU, a similar framework to that of the GDPR will be required in order to carry out data transfers within the EU member states. The British DPA, ICO, published a statement regarding the existing data protection framework in the UK. According to ICO, “if the UK wants to trade with the Single Market on equal terms we would have to prove adequacy – in other words UK data protection standards would have to be equivalent to the EU´s General Data Protection Regulation framework starting in 2018”.

Currently, the GDPR is the reference in terms of data protection and organizations will have to prepare to be compliant and, even if the GDPR is not applicable to UK, a similar framework should be in place by the time the GDPR enters into force.

French DPA launches public consultation on GDPR

21. June 2016

In June 2016, a public consultation process about the GDPR was opened by the French DPA (CNIL). The consultation is based on the topics that the WP 29 identified as having priority in its action plan for the implementation of the GDPR, published beginning 2016.

The consultation aims at encouraging stakeholders to formulate questions regarding the GDPR in order to identify potential interpretation difficulties. Once the main questions and difficulties have been addressed, the WP 29 will issue guidelines regarding the relevant topics. The CNIL also offers the possibility to formulate questions about other topics, which are not directly mentioned in the consultation.

The main topics that are object of the current consultation are the institution of the DPO, Privacy Impact Assessments (PIA), data protection certifications and the right to data portability.

The consultation is opened until the 15th July 2016 and stakeholders can participate through the CNIL´s website. After that, the French DPA will publish a summary with the contributions.

Accountability initiative by the EDPS: achieving compliance with the GDPR

8. June 2016

The EDPS announced yesterday the launch of a new initiative that may help EU institutions, public bodies and private organizations to be compliant and prepare for the GDPR. This initiative relates to the accountability principle, which is explicitly mentioned in the GDPR. Accountability regarding the processing of personal data means:

  • Implementing policies within the organization in order to achieve transparency
  • Training employees and persons within the organization with regard to the implementation of the policies
  • Monitoring the implementation of the policies
  • Establishing procedures in order to identify incompliances and act against data breaches

The EDPS states that the accountability principle involves a culture change within organizations and means the promotion of sustainable data processing. This means that organizations should assess the fairness and legality of complex data processing operations. This involve that both, public bodies and private organizations, should develop a risk management strategy that addresses their specific needs, so that they are compliant with the GDPR upon its entry into force in May 2018.

This initiative has been firstly implemented at the EDPS institution itself by using questionnaires addressed to the Supervisors, the Director, the staff responsible for processing operations and the DPO. The implemented actions were also documented and followed up on a regular basis. The questions aimed at ensuring a control over the processing of personal data and the lawfulness of the processing.

The role of the DPOs under the new GDPR: the German reference

7. June 2016

The new GDPR, which will enter into force in May 2018, updates the current European Data Protection legislation. One of the key aspects of the Regulation is the obligation to appoint a Data Protection Officer (DPO) in the following cases:

  • If the processing is carried out by a public authority, except court acting in their judicial capacity
  • If the core activities of the controller or the processor consist of processing operations which according to their nature or scope require regular and systematic monitoring of data subjects on a large scale or
  • If the core activities of the controller or the processor consist of processing on a large scale of sensitive data

Currently, several jurisdictions mention the possibility to appoint a DPO, but Germany is the only EU member State that imposes the obligation to appoint a DPO if more than nine people within an organization handle with personal data. The DPO can be a member of the organization or an external expert.

According to German Data Protection law, DPOs are appointed by the management of the organization but fulfill their duties without being subject to any instructions of the data controller. Moreover, they have the obligation to report the management regarding the compliance status of the organization and, even if they recommendations are not followed, the DPO has fulfilled his/her duty. This DPO culture in Germany means also that not only people with legal backgrounds are DPO; furthermore, the role of the DPO is assumed by persons with different backgrounds, for example by engineers or HR employees that have been given this responsibility.

Thomas Spaeing, CEO of the German Association of Data Protection Officers, remarks the importance that the appointed person knows the processes and organization of the company and that he/her can integrate the legislation with the organizational data processing activities. The DPO should be seen as a person who helps businesses implementing data protection processes in interest of both, the data subjects and the company itself.

The GDPR mentions the possibility to appoint either an external or an internal DPO and describes their position in similar terms to those existing under German Data Protection law. In Germany, this will not mean a greater change in the local legislation, but other countries who do not even currently regulate the institution of the DPO, will have to make any necessary changes to be compliant with the requirements of the GDPR until May 2018.

Pages: Prev 1 2 3 4 5 6 7 8 9 Next
1 6 7 8 9