ICO passed Children’s Code

8. September 2020

The UK Information Commissioner’s Office (ICO) passed the Age Appropriate Design Code, also called Children’s Code, which applies especially to social media and online services likely to be used by minors under the age of 18 in the UK.

The Children’s Code contains 15 standards for designers of online services and products. The aim is to ensure a minimum level of data protection. Therefore, the Code requires that apps, games, websites etc. are built up in a way which provides already a baseline of data protection. The following default settings should be mentioned here:

  • Glocalization disabled by default,
  • Profiling disabled by default,
  • Newly created profiles private and not public by default.

Base for the Children’s Code is the UK Data Protection Act of 2018 – local implementation law of the GDPR. Thus, the standards also include the GDPR Data Protection principles Transparency and Data Minimisation.

The requirements also and especially apply to the major social media and online services used by minors in the UK, e.g. TikTok, Instagram and Facebook.

The Code is designed to be risk-based. This means that not all organizations have to fulfil the same obligations. The more companies use, analyse and profile data from minors, the more they must undertake to comply with the Code.

Apple’s new iOS Update will enhance Privacy Features

31. August 2020

At its Worldwide Developers Conference 2020 back in June, Apple announced new privacy features coming in a future iOS 14 update for its devices. These updates, coming in the fall, are supposed to include more control of sharing location data and indicators when an app is using the microphone or camera.

The updates mean that it will be further possible to limit how much location information is shared with apps, only allowing it to share approximate data rather than the devices precise location. Apple also introduced labels for app permissions to inform people how much data an app requests, before they even download them. The feature will show people those labels in two categories, on “Data Linked To You” and “Data Used to Track You“. However, this will have to be provided by the app developers themselves, leaving grey areas open.

“For food, you have nutrition labels,” said Erik Neuenschwander, Apple’s user privacy manager. “So we thought it would be great to have something similar for apps. We’re going to require each developer to self-report their practices.”

Further, the privacy updates also incorporate the Safari browser, allowing for a report on privacy while surfing the internet through the use of a “privacy report” button. It will allow the overview of all third-party trackers through one click, and allow the user to block them directly.

Apple also moved from the opt-out standard for apps using the user’s personal data to an opt-in scheme, requiring the active consent of the users in order to allow the use of their data.

While this is a positive development for all Apple users, Facebook states that it sees issues for small developers having to face these new privacy settings.

In a blog post, Facebook said it was making a change to its own apps, which in addition to its flagship app also include WhatsApp and Instagram, that would likely spare them from having to ask iPhone users for data-tracking permissions that many advertising industry insiders believe users will refuse. Facebook also stated it was making changes due to Apple’s new privacy rules that could hurt smaller developers that use a Facebook tool for serving apps in third-party apps.

Overall, Apple’s new privacy rules are a welcomed changes for its users, handing them further control over their own personal data.

Brazil Update: Rapid Developments regarding Brazil’s LGPD come with legal Uncertainty

28. August 2020

Earlier this year, in April, the President of Brazil issued Provisional Measure #959/2020, which dealt with emergency measures in face of the pending Coronacrisis. The Provisional Measure (“PM”) did not only set rules for the federal banks’ payments of benefits to workers affected by the reduction in salary and working hours and the temporary suspension of employment due to the pandemic, but also postponed the effective date of Brazil’s first Data Protection Law (“LGPD”) from the 14 August 2020 to the 3 May 2021 (we reported).

In Brazil, PMs serve as temporary law and are valid for a maximum period of 120 days, in which both chambers of the National Congress must approve of the PM in order to become permanent law.

As the 120 days period was coming to an end, the House of Representatives approved of the PM on 25 August 2020, but included an amendment to delay the effective date only to the 31 December 2020. One day later, on 26 August 2020, the Senate approved of the PM, but provided yet another amendment to not include any delay of the LGPD’s effective date at all. The Senate’s amendment rather postulates that violations against the LGPD shall not be santioned by the Data Protection Authority until 1 August 2021. Thus, neither the House of Representative’s postponement to the 31 December 2020 nor the President’s intial postponement to the 3 May 2021 were approved of. This development came to a great surprise because in April, Brazil’s Senate itself introduced  Law Bill “PL 1179/2020” which aimed at postponing the effective date of the LGPD to 1 January 2021.

After all, the LGPD will become effective very soon. Upon the rapid developments regarding the LGPD, legal commentators from Brazil still share some confusion to when the law will become valid exactly. They report that the law will become effective either when the President signs it into law or retroactively on 14 August 2020. In any case, many Brazilian businesses are reportedly not ready for the LGPD whilst also facing a very difficult economic environment, as Brazil is suffering from the consequences of the pandemic.

Moreover, Brazilian businesses are also facing legal uncertainty because Brazil’s national Data Protection Authority (“ANPD”) is still not fully functional. Only on 26 August 2020, Brazil’s President passed Decree 10.474 to establish the ANPD. However, the new Data Protection Law gives the ANPD many vital responsibilities that it has not been able to fulfil, because it hadn’t been established yet. These responsibilities include

  • Recognising good practices and best-in-class examples of accountable privacy programs,
  • Establishing rules, procedures and guidance for organisations as required by the LGPD,
  • Clarifying LGPD provisions,
  • Providing technical standards to organisations, and
  • Enabling international transfers of personal data.

As the recent developments and the status quo of the national Data Protection Authority suggest a rocky road ahead for Brazil’s privacy landscape, the fundamental milestones of making the LGPD effective and establishing the ANPD have been passed now. At the same time, Brazilian businesses can draw hope from the fact that they have time to become compliant until 1 August 2021.

Irish DPC to assess TikTok’s plans for opening Data Centre in Ireland

13. August 2020

The short video app TikTok is planning to establish a data centre in Ireland under the One Stop Shop (OSS) data processing mechanism, the Irish Data Commission has stated.

However, the company needs to first be assessed to determine if they meet the requirements of the OSS.

The OSS rules, introduced under the General Data Protection Regulations (GDPR) rules, mean companies can make the Irish Data Protection Commission the lead supervisory authority, if they meet the criteria, and would not have to deal with regulators in each of the 28 EU member states but could be monitored by a lead regulator in one state. This would benefit the company in the case that if something happens, it would be one investigation, one decision and one appeal, rather than one for each country affected.

These plans come at a time when the popular app is facing some criticism, however. Not only is TikTok on the verge of being banned in the United States, a lot of doubts in regard to their handling of user data have surfaced in the past few months.

Last week in Beijing, the Beijing Internet Court ruled against TikTok’s owner Tencent Holdings in cases alleging the misuse of user data. The data was shared without consent between the WeRead and WeChat apps, violating the users’ privacy.

The move to establish a data centre in Ireland “will create hundreds of new jobs and play a key role in further strengthening the safeguarding and protection of TikTok user data with a state of the art physical and network security defense system planned around this new operation,“ stated Global Chief Information Security Officer of the company, Roland Cloutier.

Following the moves of big tech giants of recent years, TikTok plans to open the data centre by the year 2022. The Irish Data Protection Commissioner stated that the examination for the OSS mechanism is currently underway.

U.S. Commerce Department publishes FAQs on EU-US Privacy Shield

12. August 2020

The U.S. Commerce Department has released a frequently asked questions page (FAQ) with regards to the EU-US Privacy Shield, following the latest decision of the Court of Justice of the European Union (CJEU) in the Schrems II case.

The FAQ consists of five questions which revolve around the situation after the invalidation of the Privacy Shield by the CJEU, especially the status of companies already certified under the Privacy Shield.

The Commerce Department states in its FAQ that despite the invalidity of the Privacy Shield certification as a GDPR compliant transfer mechanism, the decision of the CJEU does not relieve companies certified under the Privacy Shield from their obligations. On July 21, 2020, the Federal Trade Commission (FTC) stated that they expect controllers to continue to follow the obligations laid out under the Privacy Shield Framework for transfers.

Further, the Commerce Department will continue to administer certification and re-certification under the Privacy Shield despite the new development. The Commerce Department emphasizes that the continued dedication to the Privacy Shield will show the commitment of the parties and the controllers certified under it to the Data Protection cause.

However, the Commerce Department also notes that the costs coming along with a Privacy Shield certification will remain, which could have an effect on the motivation for companies to get self- and re-certified.

CJEU judges the EU-US Privacy Shield invalid

16. July 2020

On June 16th, 2020, the Court of Justice of the European Union (CJEU) has declared the invalidity of Decision 2016/1250, therefore rendering protection granted to data transfers under the EU-US Privacy Shield inadequate.

The background

The case originated in a complaint of Mr. Max Schrems against Facebook Ireland regarding the transfer of his personal data as a Facebook user to Facebook Inc., situated in the USA, for further processing. Mr. Schrems lodged a complaint with the Irish supervisory authority seeking to prohibit those transfers. He claimed that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to the USA. That complaint was rejected on the ground that, in Decision 2000/5205, the Safe Harbour Decision, the Commission had found that the United States ensured an adequate level of protection. In a judgment delivered on October 6th, 2015, the CJEU, to which the High Court of Ireland had referred questions for a preliminary ruling, declared that decision invalid, resulting in the Schrems I judgment.

Today’s judgement in the Schrems II case came from the request of the Irish High Court to Mr. Schrems to reformulate his initial complaint, seeing as the Safe Harbour Agreement had been deemed inadequate. In the following, Mr. Schrems reformulated his complaint, and claimed that the United States does not offer sufficient protection of data transferred to that country. He seeks the suspension of future transfers of his personal data from the EU to the United States, which Facebook Ireland now carries out pursuant to the Standard Contractual Clauses (SCCs) set out in the Annex to Decision 2010/87. After the initiation of those proceedings, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield.

In its request for a preliminary ruling, the referring court asked the CJEU whether the GDPR applies to transfers of personal data pursuant to the SCCs, what level of protection is required by the GDPR in connection with such a transfer, and what obligations are incumbent on supervisory authorities in those circumstances. The High Court of Ireland also raised the question of the validity of both decisions,  Decision 2010/87 and  Decision 2016/1250.

Judgement in regard to SCCs

In its judgements, the CJEU has stated that it had, after examination of the SCCs in light of the Charter of Fundamental Rights, found nothing that affected the validity of the SCCs and Decision 2010/87.

With regards to the transfer of personal data to third countries, the CJEU claims that the requirements for such purposes set out by the GDPR concerning appropriate safeguards, enforceable rights and effective legal measures must be interpreted in such a way that data subjects whose personal data is transferred into a third country must be afforded a level of protection essentially similar to the level of protection granted within the European Union by the GDPR.

Data Protection Authorities must, unless an adequacy decision has been ruled by the Commission, be required to suspend or prohibit a transfer of personal data to a third country which does not meet these requirements.

The CJEU holds that the SCCs are still effective mechanisms that make it possible to ensure compliance with a level of protection required by the European Union. In that regard the CJEU points out that this imposes an obligation on the data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned, and to suspend the transfer of the personal data if it is not.

Judgement in regard to the EU-US Privacy Shield

The CJEU, after thorough examination, concluded that the EU-US Privacy Shield is not adequate protection for transfers to the USA.

This result comes from the fact that the far-reaching US surveillance laws are in conflict with EU fundamental rights. The USA limits most of its protections of personal data from governmental surveillance to US citizen, but does not extend that protection to the personal data of citizens of other countries.

In essence, the limitations on the protection of personal data arising from the domestic law of the USA on the access and use by US public authorities of such data transferred from the European Union are not restricted in a way that satisfies requirements that are equivalent to those required under EU law, which were mentioned in regards to SCCs above. By the principle of proportionality, the surveillance programmes based on those provisions are not limited to what is strictly necessary.

Unless an empowerment and independence of the Ombudsperson takes place, which would give the competence to adopt decisions which are binding on US intelligence services, there are no substantial cause of actions for data subjects before a body which gives legal guarantees in the way that is required by European law for transfers to be equivalent in protection.

Assessment

Overall, the CJEU states that necessary data transfers are still able to continue under Article 49 of the GDPR. However, the provision’s interpretation is restrictive, leaving most companies with data transfers to the USA which are now considered illegal.

Due to the requirements of adequate protection even when relying on the validated SCCs, transfers under such circumstances may also be found unlawful due to the local intelligence laws in the USA, which do not uphold the requirements necessary by European law.

Overall, it is a clear statement of the necessity of reforms of the US intelligence laws, which have to create adequate protections to be able to guarantee the same level of data protection as the European Union, if they want to continue data trades and data transfers necessary for processing.

What does this mean for you?

  • If your business has a EU-US Privacy Shield certification, and uses such for legitimization of data transfers within a group of companies, you should push towards the use of the European Standard Contractual Clauses within that corporate group.
  • If you are employing service providers which rely on the EU-US Privacy Shield certification, you should also push for the use of Standard Contractual Clauses, or base the data transfer on a different solution for an adequate level of data protection.

CIPL submits DSR “White Paper” to the EDPB as input for future Guidelines

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its White Paper on Data Subject Rights (DSR) on July 8th, 2020, as input for the European Data Protection Board for future Guidelines on the subject.

The White Paper examines the effectiveness of the DSRs by keeping in mind the interpretation in the context of today’s data driven economy. It puts forth that the Guidelines should take into account new business models, data-driven processes and the data economy as well as the digitalisation of society.

In that aspect, the Paper offers suggestions for the EDPB to consider and reflect upon. Some few of the main subjects the Paper requests the Guidelines to touch on are:

  • Clarification of the requirements governing verification of the identity of individuals submitting DSR requests
  • Determination that the one-month deadline for responding to a DSR request will run from the point at which the request’s scope is clear and the identity of the requestor has been verified, additionally that extensions to the deadline may be justified in certain circumstances, e.g. where the controller receives an unusually high volume of DSR requests, etc.
  • Recognition that compelling interests of the organization, third-parties or society may limit DSR requests;
  • Limitations on excessive, unfounded or abusive requests from Data Subjects which are intended to disrupt the business;
  • Declaration of a proportionate approach in responding to DSR requests, particularly with regards to the cost to the organization.

Furthermore, the White Paper highlights the necessity to change the level of a DPO’s responsibility in regards to DSRs, dividing it across different team rather than making the DPO solely responsible for the DSR requests.

In addition, the Paper demands the EDPB to establish a better harmonization of the application of the DSRs across the European Union, which comes from differences in Guidelines made by the different Data Protection Authorities (DPAs). The EDPB should have in its interest to establish common ground for the handling of DSRs and the related requests, as well as the handling of infringements in the matter by DPAs.

The Paper stems from the EDPB stakeholders’ event on DSR in Brussels on November 4, 2019, and was drafted to visualize certain issues on the matter to the EDPB which have crystalized themselves in the two years since the application of the GDPR.

EU Commission highlights necessary preparations for end of Brexit transitioning period

14. July 2020

The European Commission has published a communication on July 9th, 2020, in order to highlight the main areas of change in view of the upcoming end of the transitional Brexit period before January 1st, 2021.

The communication aims to facilitate readiness and preparations for citizens, businesses and stockholders once the UK leaves the European Union. The European Commission states that readiness for these broad and far reaching changes is key, especially since they will take place regardless of the outcome of the negotiations between the UK and the EU.

The communication breaches subjects such as trade in goods, trade in services, energy, travelling and tourism, mobility and social security coordination, company law and civil law, intellectual property, data transfers and protection and international agreements of the EU.

The communication also includes advice in each of those areas and subjects for businesses to be able to start preparations in order to cope with the changes ahead.

With a view on data protection, the European Commission’s communication states that data transfers can continue after January 1st, 2021, however they will have to comply with EU rules and regulations for Third Country Transfers as put forth by the General Data Protection Regulation (GDPR). The Commission specifies the tools set out in Chapter V of the GDPR, which include Binding Corporate Rules, Standard Contractual Clauses, as well as an Adequacy Decision by the European Commission. The communication states that the EU will try its best to conclude the assessment of the UK regime by the end of 2020, in order to give at least some form of security for data transfers after the transitional period ends. On sides of the United Kingdom, the Adequacy of the European union is guaranteed until 2024.

The advice of the European Commission emphasizes compliancy with the GDPR as the best preparation for the Brexit, but lacks security as to what will happen on January 1st, 2021, especially with regards to the future applicable laws.

South Africa’s Data Protection Act comes into force

9. July 2020

On July 1, 2020, South Africa’s Protection of Personal Information Act 2013 finally came into effect. The Act had been in planning for the last seven years, with parts of it already published in 2014, and will fully come into effect with oversight provisions in June 2021, allowing for a 12 months period to enable companies to become compliant with the new regulations.

Due to its long planning period, most companies already have organised compliancy. On the other side, a lot of businesses haven’t taken the necessary steps yet, as they have been waiting for the final push to see if the Act would even come into effect. Full enforcement will be enacted on July 1, 2021, giving those companies a countdown to become compliant.

The initial draft made in 2013 was mainly based on the EU Data Protection Directive 95/46/EC, with some changes for stricter provisions. The partial enforcement in 2014 allowed for the establishment of an Information Regulator in 2016, which has released Guidances in light of the future enforcement of the Act.

The right to privacy has been a fundamental right since 1996, and the act aims to promote the protection of personal data for any business processing personal information in South Africa. However, different from a lot of other Data protection Regulations around the world, the South African Protection of Personal Information Act also includes protection of the juristic person, such as companies, banks, trusts, etc.

One of the bigger changes in regards to South Africa’s previous handling of protection of personal data represents the obligation to notify a data breach to the authorities and, in some cases, to the data subjects. It also includes further requirements for international data transfers, as well as finally detailing data subjects’ rights.

Transatlantic Data Transfers in light of the Two Year Anniversary of GDPR Application

7. July 2020

In the last two years since the General Data Protection Regulation (GDPR) came into effect on May 25, 2018, it has received an overall positive feedback and structured the data protection culture not only in the European Union, but has set an example for international privacy standards.

However, especially from the American side of the world, criticism has been constant. Different principles are a prerequisite for different opinions and priorities, and the effort to bring European data protection standards and American personal data business together has been a challenge on both sides.

One of the main criticisms coming from the US government is the increasing obstacles the GDPR poses in case of cybercrime investigations and law enforcement. Not only the restrictive implications of the GDPR are an issue, but also the divergent interpretations due to national adaptations of the GDPR are seen as a problem by government officials.

In the cases of cybercrime, the main issue for the US critics is the now less effective database of domain name owners, WHOIS. The online directory, which was created in the 1970s, is an important tool for law enforcement combatting cybercrime. Before the GDPR came into effect in 2018, the request for information on domain owners was straightforward. Now, due to the restrictions of the GDPR, this process has been made long and tedious.

But fighting cybercrime is not the only tension between the EU and the USA concerning data protection. In a judgement in the Schrems II case, expected for July 16, 2020, the European Court of Justice (ECJ) is expected to take a stance on transatlantic data transfers and the current Privacy Shield, which is the basis for the EU-US dataflows under adequate data protection standards. If the Privacy Shield is deemed insufficient protection, it will have a major effect on EU-US business transactions.

However, these are issues that the European Commission (EC) is very aware of. In their communication concerning the two-year review of the GDPR, the Commission stated that they are planning to balance out diverging and fragmented interpretations of the GDPR on national levels and find a common data protection culture within Europe.

In addition, the restrictions the GDPR poses to law enforcement are another point the European Commission knows it needs to fix. The plan for the future is a bilateral and multilateral framework that can allow for simple requests to share data for law enforcement purposes and avoid conflicts of law, while keeping data protection safeguards intact.

The upcoming judgement of the ECJ is seen with watchful eyes by the Commission, and will be incorporated in their upcoming adequacy decisions and re-evaluations, as well as their development of a modern international transfer toolbox, which includes a modernized version of the standard contractual clauses.

Overall, the two-year mark of the existence of the GDPR is seen more as a success, despite the clear areas for future improvement. One of the big challenges in transatlantic data transfers ahead is without a doubt the outcome of the judgement in the Schrems case in mid-July, the implications of which are, at this point in time, not yet able to be defined.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 47 48 49 Next
1 2 3 4 49