Category: General

EU Commission publishes Draft Adequacy Decision for South Korea

25. June 2021

On 16 June 2021, the European Commission published the draft adequacy decision for South Korea and transmitted it to the European Data Protection Board (EDPB) for consultation. Thus, the Commission launched the formal procedure towards the adoption of the adequacy decision. In 2017, the Commission announced to prioritise discussions on possible adequacy decisions with important trading partners in East and South-East Asia, starting with Japan and South Korea. The adequacy decision for Japan was already adopted in 2019.

In the past, the Commission diligently reviewed South Korea’s law and practices with regards to data protection. In the course of ongoing negotiations with South Korea, the investigative and enforcement powers of the Korean data protection supervisory authority “PIPC” were strengthened, among other things. After the EDPB has given its opinion, the adequacy decision will need to be approved by a committee composed of representatives of the EU Member States.

The decision of an adequate level of protection pursuant to Art. 45 of the General Data Protection Regulation (GDPR) by the Commission is one of the possibilities to transfer personal data from the EU to a third-country in a GDPR-compliant manner. The adequacy decision will serve as an important addition to the free trade agreement and a strengthening of cooperation between the EU and South Korea. Věra Jourová, the Commission’s Vice-President for Values and Transparency, expressed after launching the formal procedure:

“This agreement with the Republic of Korea will improve the protection of personal data for our citizens and support business in dynamic trade relations. It is also a sign of an increasing convergence of data protection legislation around the world. In the digitalised economy, free and safe data flows are not a luxury, but a necessity.”

Especially in light of the Schrems II decision of the Court of Justice of the European Union, the adequacy decision for South Korea will be an invaluable asset for European and South Korean companies conducting business with each other.

CJEU ruling on One-Stop-Shop mechanism

On June 15th, 2021, the Court of Justice of the European Union (CJEU) ruled that “under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a member state, even though that authority is not the lead supervisory authority”. It grants each supervisory authority the power to bring matters within its supervisory area before the courts. If a non-lead supervisory authority wishes to bring cross-border cases to court, it can do so under the so-called emergency procedure under Article 66 of the GDPR.

The General Data Protection Regulation (GDPR) provides that the data protection authority of the country in which a company has its principal place of business in the EU has primary jurisdiction for cross-border proceedings against such companies (the so-called one-stop-shop principle). Facebook and a number of other international companies have their EU headquarters in Ireland. The Irish data protection authority has been criticised several times for dragging out numerous important cases against tech companies. The CJEU’s ruling is likely to lead to more enforcement proceedings by local data protection authorities.

In 2015 – before the GDPR came into force – the Belgian data protection authority filed a lawsuit in Belgian courts against Facebook’s collection of personal data via hidden tracking tools. These tracking tools even tracked users without Facebook accounts. After the GDPR came into force, Facebook argued that lawsuits against data protection violations could only be filed in Ireland. A court of appeal in Brussels then referred the question to the ECJ as to whether proceedings against Facebook were admissible in Belgium. This has now been confirmed by the ECJ. The Belgian court is now free to make a final decision (please see our blog post).

The CJEU has now ruled that, in principle, the lead data protection authority is responsible for prosecuting alleged GDPR violations if they involve cross-border data processing. The data processing must therefore take place in more than one Member State or have an impact on individuals in several member states. However, it is also specified that the “one-stop-shop” principle of the GDPR obliges the lead authority to cooperate closely with the respective local supervisory authority concerned. In addition, local data protection authorities may also have jurisdiction pursuant to Art. 56 (2) and Art. 66 GDPR. According to the CJEU, if the respective requirements of these provisions are met, a local supervisory authority may also initiate legal proceedings. The CJEU has clarified that actions by non-lead data protection authorities can still be upheld if they are based on the Data Protection Directive, the predecessor of the GDPR.

The EU consumer association BEUC called the ruling a positive development. BEUC Director General Monique Goyens said:

Most Big Tech companies are based in Ireland, and it should not be up to that country’s authority alone to protect 500 million consumers in the EU.

While Facebook’s associate general counsel Jack Gilbert said:

We are pleased that the CJEU has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU.

EDPB adopts final Recommendation 01/2020 on Supplementary Measures for Data Transfers to Third Countries

22. June 2021

On June 21st, 2021 during its 50th plenary session, the European Data Protection Board (EDPB) adopted a final version of its recommendations on the supplementary measures for data transfers.

In its recent judgment C-311/18 (Schrems II) the Court of Justice of the European Union (CJEU) has decided that, while the Standard Contractual Clauses (SCCs) are still a valid data transfer mechanism, controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In the cases where the effectiveness of appropriate safeguards is reduced due to the legal situation in the third country, exporters may need to implement additional measures that fill the gaps.

To help exporters with the complex task of assessing third countries and identifying appropriate supplementary measures where needed, the EDPB has adopted this recommendation. They highlight steps to follow, potential information sources as well as non-exhaustive examples of supplementary measures that are meant to help exporters make the right decisions for data transfers to third countries.

The recommendations advise exporters to follow the following steps in order to have a good overview of data transfers and potential supplementary measures necessary:

1. Know the data transfers that take place in your organization – being aware of where data flows is essential to identify potentially necessary supplementary measures;

2. Verify the transfer tool that each transfer relies on and its validity as well as application to the transfer;

3. Assess if a law or a practice in the third country impinges on the effectiveness of the transfer tool;

4. Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard;

5. Take formal procedural steps that may be required by the adoption of your supplementary measure, depending on the transfer tool you are relying on;

6. Re-evaluate the level of protection of the data you transfer at appropriate intervals and monitor any potential changes that may affect the transfer.

The EDPB Chair, Andrea Jelinek, stated that “the effects of Schrems II cannot be underestimated”, and that the “EDPB will continue considering the effects of the Schrems II ruling and the comments received from stakeholders in its future guidance”.

The recommendations clearly highlight the importance of exporters to understand and keep an eye on their data transfers to third countries. In Germany, the Supervisory Authorities have already started (in German) to send out questionnaires to controllers regarding their data transfers to third countries and the tools used to safeguard the transfers. Controllers in the EU should be very aware of the subject of data transfers in their companies, and prepare accordingly.

Belgian DPA approves first EU Data Protection Code of Conduct for Cloud Service Providers

21. June 2021

On May 20th, 2021, the Belgian Data Protection Authority (Belgian DPA) announced that it had approved the EU Data Protection Code of Conduct for Cloud Service Providers (EU Cloud CoC). The EU Cloud CoC is the first transnational EU code of conduct since the entry into force of the EU General Data Protection Regulation in May 2018.

The EU Cloud CoC represents a sufficient guarantee pursuant to Article 28 (1) and 28 (5) of the GDPR, as well as Recital 81 of the GDPR, which makes the adherence to the code by cloud service providers a valid way to secure potential data transfers.

In particular, the EU Cloud CoC aims to establish good data protection practices for cloud service providers, giving data subjects more security in terms of the handling of their personal data by cloud service providers. In addition, the Belgian DPA accredited SCOPE Europe as the monitoring body for the code of conduct, which will ensure that code members comply with the requirements set out by the code.

It further offers cloud service providers with practical guidance and a set of specific binding requirements (such as requirements regarding the use of sub-processors, audits, compliance with data subject rights requests, transparency, etc.), as well as objectives to help cloud service providers demonstrate compliance with Article 28 of the GDPR.

In the press release, the Chairman of the Belgian DPA stated that „the approval of the EU Cloud CoC was achieved through narrow collaboration within the European Data Protection Board and is an important step towards a harmonised interpretation and application of the GDPR in a crucial sector for the digital economy“.

China passes new data security law

15. June 2021

China’s “National People’s Congress”, the Chinese legislative body, approved the new “Data Security Law 2021” on June 10th, 2021 (unofficial English translation here). The new law gives President Xi Jinping the power to shut down or fine tech companies. The law will go into effect on September 1st, 2021.

The law applies to data processing activities and security surveillance within China’s territory. Data processing activities outside China’s territory that threaten China’s national security and public interests are also covered by the law. For international companies, the law means they must localize data in China. For example, data generated in factories in China must be kept in China and be subject to cyber data oversight.

Companies that leak sensitive data abroad or are found “mishandling core state data” can be forced to cease operations, have their licenses revoked, or fined up to 1.6 million US$, and companies who provide electronic information to foreign law enforcement authorities can be fined up to approx. 150.000 US$ or forced to suspend their business.

While the Chinese government is increasing its financial involvement in tech companies it is also producing new legislations to tighten its grip on such companies. The new data law is expected to provide a wide outline for future rules for Internet services and to ease the tracking of valuable data in the interest of national security. This may include directives that certain types of data must be stored and handled locally, as well as requirements for companies to track and report the information they hold.

A personal information protection law is still under review in China.

ICO fined several companies for data protection infringements

The UK Information Commissioner’s Office (“ICO”) has fined several companies at the beginning of June for data protection infringements.

All fines have in common that the fined companies conducted marketing measures without having the required consent for doing so.

  • Conservative Party

The ICO has fined the Conservative Party £10,000 for sending 51 marketing emails without having the required legal basis and in violation of Regulation 22 of the Privacy and Electronic Communications Regulation 2003 (PECR).

The Conservative Party sent out a total of 1.190.280 marketing emails between July 24th and July 31st 2019, right after the election and in the name of Rt Hon Boris Johnson MP.

The ICO investigated that the party failed to ensure having a valid legal basis for marketing emails when changing the email provider. Even though the ICO assumes that there are more than 51 concerned data subjects, the ICO only received complaints of 51 individuals, thus the fine is based on this amount of concerned data subjects.

  • Colour Car Sales Ltd.

The ICO has fined Colour Car Sales Ltd (CCSL)  £170,000  for sending spam text messages from October 2018 to January 2020. CCSL is a credit intermediary for used car finance and the purpose of the spam texts was to direct the recipients to car finance websites.

Also in this case basis for the fine has been complaints of concerned data subjects which complained about not have given consent for receiving marketing emails from CCSL.

  • Solarwave of Grays

The ICO has fined Solarwave of Grays £100,000 for conducting 73.217 marketing calls about solar panel maintenance from January to October 2020.

The complainants that raised the concerns stated that they were registered with the Telephone Preference Service and should have received any marketing telephone calls based on this.

The Telephone Preference Service is the UK’s “do not call register” with which individuals can register to show that they are not interested in receiving any kind of marketing phone calls.

Beside the violation of the data protection law and the Telephone Preferences Service the concerned data subjects also stated that the callers were rude and persistent and ignored stop requests.

  • LTH Holdings

The ICO has fined LTH Holding, a Cardiff based telephone marketing company, £145,000 for conducting 1.4 million calls trying to sell funeral plans between May 2019 and May 2020.

In this case the ICO received 41 complaints and the complainants were also registered with the Telephone Preferences Service. Beside this infringement, the concerned data subjects also told the ICO that LTH adopted aggressive, coercive and persuasive methods to sell funeral plans.

  • Papa John’s

The ICO has fined Papa John’s Limited, a national takeaway pizza company, £10,000 for sending 168,022 nuisance marketing messages to its customers.

In this case the ICO received 15 complaints also stating the distress and annoyance the messages were causing. Some customers received up to 100 messages in two months without ever have given consent for marketing emails.

The ICO investigated that Papa John’s has sent over 210.000 messages to customers between October 1st 2019 and April 30th 2020.

In the contrary to the opinion of Papa John’s the ICO did not see the possibility to rely on “soft opt-in” because the data used for the marketing emails has been obtained for processing orders and not receiving marketing emails. Furthermore, the required information of the customers on this processing activity is missing.

EU Commission initiates infringement proceedings against Belgium for possible violations of the GDPR

10. June 2021

The EU Commission has initiated infringement proceedings against Belgium for alleged violations of the GDPR. Following several complaints from data protectionists, the EU Commission has now also expressed doubts about the independence of the Belgian data protection authority. Belgium is thus threatened with proceedings before the European Court of Justice and would thus be the first EU country to be threatened with corresponding steps for violating the European General Data Protection Regulation.

Data protectionists and now also the European Commission complained that the Belgian data protection authority was not acting as an independent body. This is due to the fact that the authority’s decisions, such as imposing sanctions in accordance with the GDPR, are made in close consultation with government representatives. However, this is precisely what is required for a data protection authority according to the GDPR.

While two of the government representatives who have come under criticism have since resigned from their posts, two others remain in office. One of the two is responsible for data protection initiatives, the other for authorizing certain public sector data releases. Both government officials deny the allegations.

As a first step, the commission has now sent an official letter to the state representative, who is expected to comment on the allegations.

Category: General

New SCCs published by the EU Commission for international data transfers

On June 4th 2021, the EU Commission adopted new standard contractual clauses (SCC) for international data transfers. The SCCs are model contracts that can constitute a suitable guarantee under Art. 46 of the General Data Protection Regulation (GDPR) for the transfer of personal data to third countries. Third countries are those outside the EU/European Economic Area (EEA), e.g. the USA.

The new clauses were long awaited, as the current standard contractual clauses are more than 10 years old and thus could neither take into account the requirements regarding third country transfers of the GDPR nor the significant Schrems II ruling of July 16th, 2020. Thus, third country transfers had become problematic and had not only recently been targeted by investigations by supervisory authorities, inter alia in Germany.

What is new about the SCCs now presented is above all their structure. The different types of data transfers are no longer spread over two different SCC models, but are found in one document. In this respect, they are divided into four different “modules”. This should allow for a flexible contract design. For this purpose, the appropriate module is to be selected according to the relationship of the parties. The following modules are included in the new SCCs:

Module 1: Transfer of personal data between two controllers.
Module 2: Transfer of personal data from the controller to the processor
Module 3: Transfer of personal data between two processors
Module 4: Transfer of personal data from the processor to the controller

The content of the new provisions also includes an obligation to carry out a data transfer impact assessment, i.e. the obligation to satisfy oneself that the contractual partner from the third country is in a position to fulfil its obligations under the current SCCs. Also newly included are the duty to defend against government requests that contradict the requirements of the standard protection clauses and to inform the competent supervisory authorities about the requests. The data transfer impact assessment must be documented and submitted to the supervisory authorities upon request.

The documents are the final working documents. The official publication of the SCCs in the Official Journal of the European Union took place on June 7th, 2021. From then on and within a period of 18 months until December 27th, 2022, the existing contracts with partners from third countries, in particular Microsoft or Amazon, must be supplemented with the new SCCs.

However, even if the new SCCs are used, a case-by-case assessment of the level of data protection remains unavoidable because the new clauses alone will generally not be sufficient to meet the requirements of the ECJ in the above-mentioned ruling. In such a case-by-case examination, the text of the contract and the actual level of data protection must be examined. The latter should be done by means of a questionnaire to the processor in the third country.

Accordingly, it is not enough to simply sign the new SCC, but the controller must take further action to enable secure data transfer to third countries.

Ecuador has a new data protection law

Ecuador’s National Assembly unanimously approved a new data protection law on May 10, 2021. The new data protection law was already countersigned by the now former President Moreno on May 21, 2021.

The EU’s General Data Protection Regulation (GDPR) has served as the model for enacting the law. For example, it has imposed obligations on the controller to implement appropriate technical and organizational security measures in the company. Further, it has to appoint a data protection officer and inform individuals before processing certain personal data. Accordingly, the law not only contains obligations for the relevant processors, but also endows the data subjects with their own protection rights. Thus, data subjects have the right to request access to, modification and deletion of their personal data.

The Data Protection Law also provides for the establishment of a national data protection authority. It also contains regulations for international and cross-border data exchange.

In contrast to the GDPR, however, the Data Protection Act provides lower fines for violations. The level of penalties here has been set between 0.1% and 1% of a company’s annual turnover. The specific amount is also made dependent on the severity of the violation, among other factors. The GDPR’s catalog of fines, on the other hand, provides fines of up to 20 million euros. Fines of up to four percent of the annual turnover achieved worldwide in the last financial year are also possible.

The reason for passing the new law was a massive data breach that resulted in the personal data of up to 20 million people being made available online.

Dutch data protection authority imposes fine of €525,000

Company fails to appoint an EU representative. Dutch data protection authority imposes fine of €525,000.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a fine of €525,000 on Locatefamily.com on May 12, 2021. The company failed to comply with its obligation under Article 27 of the EU General Data Protection Regulation, which required the company to appoint a representative in the EU.

The online platform caught the attention of the authorities because it published the contact details (including telephone numbers and addresses) of individuals. In this regard, the Dutch data protection authority stated that data subjects had often not registered for the online platform. In particular, the data subjects did not know how the company had obtained their data.

After numerous complaints from individuals, the data protection authority determined that the online platform had not complied with requests to delete data. It further came to light that the company had no branches in the EU and had not appointed a representative accordingly. This made it almost impossible for data subjects to assert their rights against the company.

Article 27(2)(a) of the GDPR provides that companies not established in the EU that offer goods or services to persons in the EU or monitor the conduct of persons in the EU must designate a representative in the EU. Although exceptions to this are possible, they are narrowly defined.

An exemption may be considered if the processing of personal data is occasional and does not involve the extensive processing of sensitive personal data or the processing of personal data in connection with criminal convictions and offenses. The processing must also not, taking into account the nature, context, scope and purposes of the processing, result in a risk to the rights and freedoms of natural persons.

As no exceptional case existed in the assessment of the Dutch data protection authority, the company imposed a fine in the amount of €525,000 on Locatefamily.com. To avoid further penalties, the company was to appoint an EU representative by a certain deadline.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 29 30 31 Next
1 4 5 6 7 8 31