New SCCs published by the EU Commission for international data transfers

10. June 2021

On June 4th 2021, the EU Commission adopted new standard contractual clauses (SCC) for international data transfers. The SCCs are model contracts that can constitute a suitable guarantee under Art. 46 of the General Data Protection Regulation (GDPR) for the transfer of personal data to third countries. Third countries are those outside the EU/European Economic Area (EEA), e.g. the USA.

The new clauses were long awaited, as the current standard contractual clauses are more than 10 years old and thus could neither take into account the requirements regarding third country transfers of the GDPR nor the significant Schrems II ruling of July 16th, 2020. Thus, third country transfers had become problematic and had not only recently been targeted by investigations by supervisory authorities, inter alia in Germany.

What is new about the SCCs now presented is above all their structure. The different types of data transfers are no longer spread over two different SCC models, but are found in one document. In this respect, they are divided into four different “modules”. This should allow for a flexible contract design. For this purpose, the appropriate module is to be selected according to the relationship of the parties. The following modules are included in the new SCCs:

Module 1: Transfer of personal data between two controllers.
Module 2: Transfer of personal data from the controller to the processor
Module 3: Transfer of personal data between two processors
Module 4: Transfer of personal data from the processor to the controller

The content of the new provisions also includes an obligation to carry out a data transfer impact assessment, i.e. the obligation to satisfy oneself that the contractual partner from the third country is in a position to fulfil its obligations under the current SCCs. Also newly included are the duty to defend against government requests that contradict the requirements of the standard protection clauses and to inform the competent supervisory authorities about the requests. The data transfer impact assessment must be documented and submitted to the supervisory authorities upon request.

The documents are the final working documents. The official publication of the SCCs in the Official Journal of the European Union took place on June 7th, 2021. From then on and within a period of 18 months until December 27th, 2022, the existing contracts with partners from third countries, in particular Microsoft or Amazon, must be supplemented with the new SCCs.

However, even if the new SCCs are used, a case-by-case assessment of the level of data protection remains unavoidable because the new clauses alone will generally not be sufficient to meet the requirements of the ECJ in the above-mentioned ruling. In such a case-by-case examination, the text of the contract and the actual level of data protection must be examined. The latter should be done by means of a questionnaire to the processor in the third country.

Accordingly, it is not enough to simply sign the new SCC, but the controller must take further action to enable secure data transfer to third countries.

Ecuador has a new data protection law

Ecuador’s National Assembly unanimously approved a new data protection law on May 10, 2021. The new data protection law was already countersigned by the now former President Moreno on May 21, 2021.

The EU’s General Data Protection Regulation (GDPR) has served as the model for enacting the law. For example, it has imposed obligations on the controller to implement appropriate technical and organizational security measures in the company. Further, it has to appoint a data protection officer and inform individuals before processing certain personal data. Accordingly, the law not only contains obligations for the relevant processors, but also endows the data subjects with their own protection rights. Thus, data subjects have the right to request access to, modification and deletion of their personal data.

The Data Protection Law also provides for the establishment of a national data protection authority. It also contains regulations for international and cross-border data exchange.

In contrast to the GDPR, however, the Data Protection Act provides lower fines for violations. The level of penalties here has been set between 0.1% and 1% of a company’s annual turnover. The specific amount is also made dependent on the severity of the violation, among other factors. The GDPR’s catalog of fines, on the other hand, provides fines of up to 20 million euros. Fines of up to four percent of the annual turnover achieved worldwide in the last financial year are also possible.

The reason for passing the new law was a massive data breach that resulted in the personal data of up to 20 million people being made available online.

Dutch data protection authority imposes fine of €525,000

Company fails to appoint an EU representative. Dutch data protection authority imposes fine of €525,000.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a fine of €525,000 on Locatefamily.com on May 12, 2021. The company failed to comply with its obligation under Article 27 of the EU General Data Protection Regulation, which required the company to appoint a representative in the EU.

The online platform caught the attention of the authorities because it published the contact details (including telephone numbers and addresses) of individuals. In this regard, the Dutch data protection authority stated that data subjects had often not registered for the online platform. In particular, the data subjects did not know how the company had obtained their data.

After numerous complaints from individuals, the data protection authority determined that the online platform had not complied with requests to delete data. It further came to light that the company had no branches in the EU and had not appointed a representative accordingly. This made it almost impossible for data subjects to assert their rights against the company.

Article 27(2)(a) of the GDPR provides that companies not established in the EU that offer goods or services to persons in the EU or monitor the conduct of persons in the EU must designate a representative in the EU. Although exceptions to this are possible, they are narrowly defined.

An exemption may be considered if the processing of personal data is occasional and does not involve the extensive processing of sensitive personal data or the processing of personal data in connection with criminal convictions and offenses. The processing must also not, taking into account the nature, context, scope and purposes of the processing, result in a risk to the rights and freedoms of natural persons.

As no exceptional case existed in the assessment of the Dutch data protection authority, the company imposed a fine in the amount of €525,000 on Locatefamily.com. To avoid further penalties, the company was to appoint an EU representative by a certain deadline.

EDPS investigating EU institutions’ use of US cloud services

2. June 2021

The European Data Protection Supervisor (“EDPS”) announced on May 27th, 2021, that it has opened an investigation into the use of Microsoft’s Azure and Amazon’s AWS by EU institutions and has begun an audit of the European Commission’s use of Microsoft Office 365. The EDPS is the EU.s data protection authority.

The EDPS is the independent supervisory authority responsible for monitoring the processing of personal data by EU institutions and bodies.

Both investigations are a consequence of the Schrems II ruling of the Court of Justice of the European Union (“CJEU”) on June 16th, 2020 (please see our blog post). The CJEU ruled that U.S. its intense surveillance practices do not comply with the GDPR’s data protection standards. Accordingly, personal data of EU citizens may not be processed in the U.S. solely on the basis of the protection provided by so-called standard contractual clauses. Controllers, in cooperation with data importers, must examine and adapt additional measures on a case-by-case basis to ensure a level of data protection equivalent to the GDPR.

The investigations will examine whether EU institutions are complying with data protection rules and the Schrems II ruling.

Wojciech Wiewiórowski, EDPS head, is quoted in the EDPS announcement:

I am aware that the “Cloud II contracts” were signed in early 2020 before the “Schrems II” judgement and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgement. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.

If the EDPS finds that Cloud II contracts do not comply with the Schrems II ruling, this could force EU institutions to switch to alternative cloud providers based in the EU in the future, as the EDPS has stated that he wants EU institutions to lead by example.

The new Digital Green Certificate

31. May 2021

The EU Digital Covid certificate (Digital Green Certificate) is scheduled to come into use on July 1, 2021. The certificate is intended to make it possible to move freely within the EU once again. Within the member states, the certificate is also expected to allow access to public events and gastronomy. The certificate will complement and not replace the national passport, such as the yellow vaccination passport in Germany. However, it is up to each country to require additional health documents.

At the national level, software will be developed to meet the requirements of such a certificate. In parallel, a European gateway will be developed. This gateway will then be installed in a data center in Luxembourg. Countries such as Norway, Switzerland and Lichtenstein will also connect to the platform.

The certificate will document vaccination status, who has already recovered from a Covid-19 infection and it will also be able to record negative PCR tests. At the vaccination centers or doctors’ offices, personal data such as name, date of birth and vaccination date of the person concerned will be digitally recorded and signed with the digital signature key of the issuing body (hospital, test centre, etc.). The issued certificate contains a QR code with a digital signature to protect against falsification. During border control, the data stored and encrypted in the certificate should not be transmitted, but only the validity of the crypto keys is checked. To do this, the checking apps contact the EU gateway server in Luxembourg and query there whether the key stored in the QR code is reported as valid there. If this is the case, the checking app displays green as well as the name and date of birth of the traveler, who must therefore also present an identification document such as a passport. The participating EU countries, represented by the designated national authorities or official bodies are considered as joint controllers of the processing in the gateway and must therefore provide users with adequate information about the processing of their personal data in the European federation gateway in accordance with Article 13 of the GDPR.

Data protectionists criticize that the digital certificate and the collected data could be used by member states to create movement profiles of those affected. Central storage would also increase the risk of a hacker attack.

Apple’s iOS 14.5 update

At the end of April, the new iOS update 14.5 was released. With the update comes the new App Tracing Transperency (ATT) feature.

The changes are intended to reduce unauthorized tracking and increase user awareness of digital privacy rights. With the new feature, users will receive push notifications asking for permission for the identifier for advertisers (IDFA) and thus for activity tracking. App developers have been able to use the identifier (IDFA) and other information to create detailed tracks of how users use their devices, including in other apps and on the web. Users must now actively give permission for apps to track their activities and sell their personal data, which includes information such as age, location, spending habits and health information to advertisers.  As a result, apps can no longer track behavior across other apps installed on the device without permission. However, activity within an app can still be performed without authorization. The new feature can be enabled or disabled via “Settings” since the update. If apps do not meet the new transparency standards, they will be removed from the App Store, according to Apple.

Apple celebrates the new features as a success for data protection. Criticism from app operators, which are mainly funded by advertising revenue, followed immediately. Assuming that many users will not consent to tracking, they accuse Apple of making it difficult for companies to continue their targeted advertising. Small companies in particular would be affected. But Internet giants like Facebook will also suffer significant losses without personalized advertising.

However, what can be seen as a step in the right direction in terms of data protection, also raises antitrust concerns. This is because Apple does not use the new privacy features for its own apps, but only for third-party apps. German business groups already filed an antitrust complaint against Apple.

Category: General
Tags: , , , ,

Officers’ data leaked in Poland

28. May 2021

The Polish Personal Data Protection Office (UODO) has received a notification of a data breach involving the disclosure of personal data of uniformed services officers. The case is currently being analyzed and supplemented with additional materials and information that shall clarify all its circumstances.

The data controller also notified other authorities about the incident. Among these are the police, the Governmental Computer Security Incident Response Team (CSIRT NASK) and the National Public Prosecutor’s Office. The controller informed UODO that the individuals whose data was subject to the breach would be notified individually through the officers’ home units. Nevertheless, many aspects are still unclear. Therefore, in the course of the investigation, UODO sent a letter to the data controller asking for explanations related to the data breach. Any further action will depend on the information provided by the data controller.

As a result of this situation, UODO emphasises that there is a risk associated with the possibility of unauthorized use of the officers’ personal data, which may involve tangible harm to them. Such activity may include (identity) fraud and invasion of privacy.

In this respect, UODO reminds what actions should be taken to minimize the negative consequences of such a breach. First of all, one should be very careful when providing data via the Internet. Furthermore, it is important to carefully analyse all content included e.g. in SMS messages or e-mails in order to avoid phishing attacks in particular, the aim of which is to obtain additional personal data. In this connection, materials were provided by UODO with further tips on how to reduce the risk of identity theft.

Belarus passes first personal data protection law

27. May 2021

Last month, on April 2nd, the Belarusian House of Representatives adopted in the second reading the draft law “On the Protection of Personal Data”. The law was passed on May 7th. It is the first Belarusian legal act specifically intended to lay down issues of data protection.

The law is aimed at the legal regulation of social relations arising from the processing of personal data of individuals as well as ensuring the protection of such data and the rights and freedoms of individuals in the processing of their personal data. It implies that

Processing of personal data must be commensurate with the stated purposes of its processing and ensure at all stages a fair balance between the interests of all persons concerned.

The provisions concern in detail, inter alia:

  • definition of the categories of personal data as well as principles and conditions of their processing, with and without the use of automated means
  • determination of the process for cross-border transfer of personal data; in particular, it is prohibited if a foreign country does not provide an adequate level of protection of personal data subjects rights
  • determination of the data subject rights and obligations of public authorities, legal entities and natural persons within the processing of personal data, with regard to particularly the appointment of a Data Protection Officer and data breach notifications
  • establishment of additional safeguards against arbitrary and uncontrolled collection, storage, use, dissemination, provision and other processing of personal data
  • procedure for the establishment of an authority empowered with the protection of data subject rights and its competence; the foundation of the mentioned authority shall be assigned to the Council of Ministers of the Republic of Belarus together with the Operations and Analysis Center under the President of the Republic of Belarus within three months after the official publication of the corresponding law
  • liability for violation of the provisions.

The purpose of adopting this law is to ensure an adequate level of protection of personal data and to support the development of business, trade and economic relations of the Republic of Belarus with other countries.

The main provisions of the law shall enter into force six months after its official publication.

Google Play Store to require new privacy information

25. May 2021

In a blog post published on May 6th, 2021, by Suzanne Frey, VP, Product, Android Security and Privacy, Google announced a new policy that will require developers to provide more privacy and security information about their apps. These details will be made available to users in a new “safety section” in the Google Play Store starting in 2022. The announcement comes a few months after Apple began displaying similar privacy information in their App Store.

The new “safety section” will require Android app developers to explain what kind of data is collected by their apps. For example, whether the app collects personal information, such as name, username or email and whether it collects information directly from the phone, such as approximate or exact location, contacts, media (photos, videos, audio files). Developers must also disclose how the app uses the data. For example, to improve app functionality and personalization. The section will also include information about security features, such as encryption and compliance with Google’s policy for apps aimed at children and families.

The new policy won’t be in effect for a few months in order to give developers enough time to implement the changes. Developers can begin declaring the new information in the fourth quarter of 2021. Users will be able to see the information on Google Play starting in the first quarter of 2022, and all new and existing apps will have to declare the information starting in the second quarter of 2022.

The changes seem designed to allow app developers to better explain to customers whether they can trust an app with their data, rather than working to make apps more data-efficient.

High Court dismisses Facebook’s procedural complaints in Data Transfer Case

18. May 2021

On Friday, May 14th 2021, the Irish High Court dismissed all of Facebook’s procedural complaints in a preliminary decision from Ireland’s Data Protection Commission regarding data transfers from the EU to the U.S. It rejected Facebook’s claims that the privacy regulator had given it too little time to respond or issued a judgment prematurely.

If finalized, the preliminary decision could force the social-media company to suspend sending personal information about EU users to Facebook’s servers in the U.S. While the decision of the High Court was only a procedural one, experts warn that the logic in Ireland’s provisional order could apply to other large tech companies that are subject to U.S. surveillance laws. This could potentially lead to a widespread disruption of trans-Atlantic data flows.

Facebook addressed the preliminary decision, stating that Friday’s court decision was procedural and that it planned to defend its data transfers before the Irish Data Protection Commission (DPC). It added that the regulator’s preliminary decision could be “damaging not only to Facebook, but also to users and other businesses.”

However, the Irish DPC still needs to finalize its draft decision ordering a suspension of data transfers and submit it to other EU privacy regulators for approval before it comes into effect. That process could take months, not counting potential other court challenges by Facebook.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 57 58 59 Next
1 2 3 4 5 59