New details on alleged spying on allies by the NSA

18. June 2021

It has been known for years that the US National Security Agency (NSA) had been targeting leading politicians. But now new details of the spying operation are coming to light. Several European media investigated the case and found out that the NSA had been using Danish underwater internet cables from 2012 to 2014 to eavesdrop on leading European politicians. It was only through the research that the members of the governments learned of the spying. With regard to this, questions arose, whether Denmark was involved and knew about the operation. Now various European countries demand answers to the allegations.

The media reports revealed that the Danish Defence Intelligence Service (DDIS) had helped the NSA to wiretap European politicians (in German) by allowing the NSA to use the secret Sandagergårdan listening post near Copenhagen. An important internet hub for various underwater cables was then tapped there. The NSA apparently got access to text messages, telephone calls and internet traffic including searches, chats and messaging services.

Following the revelations by former NSA contractor Edward Snowden and a subsequent investigation by a secret internal working group at DDIS, the Danish-US cooperation in the surveillance of European neighboring countries was documented in an internal report of DDIS in 2015. However, the findings have not been disclosed until today. Nevertheless, the Danish government has probably known about the spying operation since 2015 at the latest. More than that, the surveillance apparently also targeted Denmark itself (in German), including the Ministry of Foreign Affairs and the Ministry of Finance.

Danish Defence Minister Trine Bramsen was informed about the spying in August 2020. In the wake of that, some DDIS employees were fired, without a full explanation being released. The government said at the time that an audit had raised suspicions of illegal surveillance by DDIS. In October 2020, the Danish Ministry of Justice ordered a commission of inquiry into the operations at DDIS. Its conclusions are due at the end of 2021.

French President Emmanuel Macron and German Chancellor Angela Merkel, being among those affected by the espionage, made clear that such tactics were not acceptable between allies. Norwegian Prime Minister Erna Solberg and Swedish Defence Minister Peter Hultqvist agreed with the statements. While emphasizing the value of relations between Europeans and Americans, they insisted on explaining the case by the two accused countries. Neither of the intelligence services would comment on the allegations. The Danish Defence Minister only stated in general terms that systematic wiretapping of close allies was unacceptable.

China passes new data security law

15. June 2021

China’s “National People’s Congress”, the Chinese legislative body, approved the new “Data Security Law 2021” on June 10th, 2021 (unofficial English translation here). The new law gives President Xi Jinping the power to shut down or fine tech companies. The law will go into effect on September 1st, 2021.

The law applies to data processing activities and security surveillance within China’s territory. Data processing activities outside China’s territory that threaten China’s national security and public interests are also covered by the law. For international companies, the law means they must localize data in China. For example, data generated in factories in China must be kept in China and be subject to cyber data oversight.

Companies that leak sensitive data abroad or are found “mishandling core state data” can be forced to cease operations, have their licenses revoked, or fined up to 1.6 million US$, and companies who provide electronic information to foreign law enforcement authorities can be fined up to approx. 150.000 US$ or forced to suspend their business.

While the Chinese government is increasing its financial involvement in tech companies it is also producing new legislations to tighten its grip on such companies. The new data law is expected to provide a wide outline for future rules for Internet services and to ease the tracking of valuable data in the interest of national security. This may include directives that certain types of data must be stored and handled locally, as well as requirements for companies to track and report the information they hold.

A personal information protection law is still under review in China.

ICO fined several companies for data protection infringements

The UK Information Commissioner’s Office (“ICO”) has fined several companies at the beginning of June for data protection infringements.

All fines have in common that the fined companies conducted marketing measures without having the required consent for doing so.

  • Conservative Party

The ICO has fined the Conservative Party £10,000 for sending 51 marketing emails without having the required legal basis and in violation of Regulation 22 of the Privacy and Electronic Communications Regulation 2003 (PECR).

The Conservative Party sent out a total of 1.190.280 marketing emails between July 24th and July 31st 2019, right after the election and in the name of Rt Hon Boris Johnson MP.

The ICO investigated that the party failed to ensure having a valid legal basis for marketing emails when changing the email provider. Even though the ICO assumes that there are more than 51 concerned data subjects, the ICO only received complaints of 51 individuals, thus the fine is based on this amount of concerned data subjects.

  • Colour Car Sales Ltd.

The ICO has fined Colour Car Sales Ltd (CCSL)  £170,000  for sending spam text messages from October 2018 to January 2020. CCSL is a credit intermediary for used car finance and the purpose of the spam texts was to direct the recipients to car finance websites.

Also in this case basis for the fine has been complaints of concerned data subjects which complained about not have given consent for receiving marketing emails from CCSL.

  • Solarwave of Grays

The ICO has fined Solarwave of Grays £100,000 for conducting 73.217 marketing calls about solar panel maintenance from January to October 2020.

The complainants that raised the concerns stated that they were registered with the Telephone Preference Service and should have received any marketing telephone calls based on this.

The Telephone Preference Service is the UK’s “do not call register” with which individuals can register to show that they are not interested in receiving any kind of marketing phone calls.

Beside the violation of the data protection law and the Telephone Preferences Service the concerned data subjects also stated that the callers were rude and persistent and ignored stop requests.

  • LTH Holdings

The ICO has fined LTH Holding, a Cardiff based telephone marketing company, £145,000 for conducting 1.4 million calls trying to sell funeral plans between May 2019 and May 2020.

In this case the ICO received 41 complaints and the complainants were also registered with the Telephone Preferences Service. Beside this infringement, the concerned data subjects also told the ICO that LTH adopted aggressive, coercive and persuasive methods to sell funeral plans.

  • Papa John’s

The ICO has fined Papa John’s Limited, a national takeaway pizza company, £10,000 for sending 168,022 nuisance marketing messages to its customers.

In this case the ICO received 15 complaints also stating the distress and annoyance the messages were causing. Some customers received up to 100 messages in two months without ever have given consent for marketing emails.

The ICO investigated that Papa John’s has sent over 210.000 messages to customers between October 1st 2019 and April 30th 2020.

In the contrary to the opinion of Papa John’s the ICO did not see the possibility to rely on “soft opt-in” because the data used for the marketing emails has been obtained for processing orders and not receiving marketing emails. Furthermore, the required information of the customers on this processing activity is missing.

EU Commission initiates infringement proceedings against Belgium for possible violations of the GDPR

10. June 2021

The EU Commission has initiated infringement proceedings against Belgium for alleged violations of the GDPR. Following several complaints from data protectionists, the EU Commission has now also expressed doubts about the independence of the Belgian data protection authority. Belgium is thus threatened with proceedings before the European Court of Justice and would thus be the first EU country to be threatened with corresponding steps for violating the European General Data Protection Regulation.

Data protectionists and now also the European Commission complained that the Belgian data protection authority was not acting as an independent body. This is due to the fact that the authority’s decisions, such as imposing sanctions in accordance with the GDPR, are made in close consultation with government representatives. However, this is precisely what is required for a data protection authority according to the GDPR.

While two of the government representatives who have come under criticism have since resigned from their posts, two others remain in office. One of the two is responsible for data protection initiatives, the other for authorizing certain public sector data releases. Both government officials deny the allegations.

As a first step, the commission has now sent an official letter to the state representative, who is expected to comment on the allegations.

Category: General

New SCCs published by the EU Commission for international data transfers

On June 4th 2021, the EU Commission adopted new standard contractual clauses (SCC) for international data transfers. The SCCs are model contracts that can constitute a suitable guarantee under Art. 46 of the General Data Protection Regulation (GDPR) for the transfer of personal data to third countries. Third countries are those outside the EU/European Economic Area (EEA), e.g. the USA.

The new clauses were long awaited, as the current standard contractual clauses are more than 10 years old and thus could neither take into account the requirements regarding third country transfers of the GDPR nor the significant Schrems II ruling of July 16th, 2020. Thus, third country transfers had become problematic and had not only recently been targeted by investigations by supervisory authorities, inter alia in Germany.

What is new about the SCCs now presented is above all their structure. The different types of data transfers are no longer spread over two different SCC models, but are found in one document. In this respect, they are divided into four different “modules”. This should allow for a flexible contract design. For this purpose, the appropriate module is to be selected according to the relationship of the parties. The following modules are included in the new SCCs:

Module 1: Transfer of personal data between two controllers.
Module 2: Transfer of personal data from the controller to the processor
Module 3: Transfer of personal data between two processors
Module 4: Transfer of personal data from the processor to the controller

The content of the new provisions also includes an obligation to carry out a data transfer impact assessment, i.e. the obligation to satisfy oneself that the contractual partner from the third country is in a position to fulfil its obligations under the current SCCs. Also newly included are the duty to defend against government requests that contradict the requirements of the standard protection clauses and to inform the competent supervisory authorities about the requests. The data transfer impact assessment must be documented and submitted to the supervisory authorities upon request.

The documents are the final working documents. The official publication of the SCCs in the Official Journal of the European Union took place on June 7th, 2021. From then on and within a period of 18 months until December 27th, 2022, the existing contracts with partners from third countries, in particular Microsoft or Amazon, must be supplemented with the new SCCs.

However, even if the new SCCs are used, a case-by-case assessment of the level of data protection remains unavoidable because the new clauses alone will generally not be sufficient to meet the requirements of the ECJ in the above-mentioned ruling. In such a case-by-case examination, the text of the contract and the actual level of data protection must be examined. The latter should be done by means of a questionnaire to the processor in the third country.

Accordingly, it is not enough to simply sign the new SCC, but the controller must take further action to enable secure data transfer to third countries.

Ecuador has a new data protection law

Ecuador’s National Assembly unanimously approved a new data protection law on May 10, 2021. The new data protection law was already countersigned by the now former President Moreno on May 21, 2021.

The EU’s General Data Protection Regulation (GDPR) has served as the model for enacting the law. For example, it has imposed obligations on the controller to implement appropriate technical and organizational security measures in the company. Further, it has to appoint a data protection officer and inform individuals before processing certain personal data. Accordingly, the law not only contains obligations for the relevant processors, but also endows the data subjects with their own protection rights. Thus, data subjects have the right to request access to, modification and deletion of their personal data.

The Data Protection Law also provides for the establishment of a national data protection authority. It also contains regulations for international and cross-border data exchange.

In contrast to the GDPR, however, the Data Protection Act provides lower fines for violations. The level of penalties here has been set between 0.1% and 1% of a company’s annual turnover. The specific amount is also made dependent on the severity of the violation, among other factors. The GDPR’s catalog of fines, on the other hand, provides fines of up to 20 million euros. Fines of up to four percent of the annual turnover achieved worldwide in the last financial year are also possible.

The reason for passing the new law was a massive data breach that resulted in the personal data of up to 20 million people being made available online.

Dutch data protection authority imposes fine of €525,000

Company fails to appoint an EU representative. Dutch data protection authority imposes fine of €525,000.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a fine of €525,000 on Locatefamily.com on May 12, 2021. The company failed to comply with its obligation under Article 27 of the EU General Data Protection Regulation, which required the company to appoint a representative in the EU.

The online platform caught the attention of the authorities because it published the contact details (including telephone numbers and addresses) of individuals. In this regard, the Dutch data protection authority stated that data subjects had often not registered for the online platform. In particular, the data subjects did not know how the company had obtained their data.

After numerous complaints from individuals, the data protection authority determined that the online platform had not complied with requests to delete data. It further came to light that the company had no branches in the EU and had not appointed a representative accordingly. This made it almost impossible for data subjects to assert their rights against the company.

Article 27(2)(a) of the GDPR provides that companies not established in the EU that offer goods or services to persons in the EU or monitor the conduct of persons in the EU must designate a representative in the EU. Although exceptions to this are possible, they are narrowly defined.

An exemption may be considered if the processing of personal data is occasional and does not involve the extensive processing of sensitive personal data or the processing of personal data in connection with criminal convictions and offenses. The processing must also not, taking into account the nature, context, scope and purposes of the processing, result in a risk to the rights and freedoms of natural persons.

As no exceptional case existed in the assessment of the Dutch data protection authority, the company imposed a fine in the amount of €525,000 on Locatefamily.com. To avoid further penalties, the company was to appoint an EU representative by a certain deadline.

EDPS investigating EU institutions’ use of US cloud services

2. June 2021

The European Data Protection Supervisor (“EDPS”) announced on May 27th, 2021, that it has opened an investigation into the use of Microsoft’s Azure and Amazon’s AWS by EU institutions and has begun an audit of the European Commission’s use of Microsoft Office 365. The EDPS is the EU.s data protection authority.

The EDPS is the independent supervisory authority responsible for monitoring the processing of personal data by EU institutions and bodies.

Both investigations are a consequence of the Schrems II ruling of the Court of Justice of the European Union (“CJEU”) on June 16th, 2020 (please see our blog post). The CJEU ruled that U.S. its intense surveillance practices do not comply with the GDPR’s data protection standards. Accordingly, personal data of EU citizens may not be processed in the U.S. solely on the basis of the protection provided by so-called standard contractual clauses. Controllers, in cooperation with data importers, must examine and adapt additional measures on a case-by-case basis to ensure a level of data protection equivalent to the GDPR.

The investigations will examine whether EU institutions are complying with data protection rules and the Schrems II ruling.

Wojciech Wiewiórowski, EDPS head, is quoted in the EDPS announcement:

I am aware that the “Cloud II contracts” were signed in early 2020 before the “Schrems II” judgement and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgement. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.

If the EDPS finds that Cloud II contracts do not comply with the Schrems II ruling, this could force EU institutions to switch to alternative cloud providers based in the EU in the future, as the EDPS has stated that he wants EU institutions to lead by example.

The new Digital Green Certificate

31. May 2021

The EU Digital Covid certificate (Digital Green Certificate) is scheduled to come into use on July 1, 2021. The certificate is intended to make it possible to move freely within the EU once again. Within the member states, the certificate is also expected to allow access to public events and gastronomy. The certificate will complement and not replace the national passport, such as the yellow vaccination passport in Germany. However, it is up to each country to require additional health documents.

At the national level, software will be developed to meet the requirements of such a certificate. In parallel, a European gateway will be developed. This gateway will then be installed in a data center in Luxembourg. Countries such as Norway, Switzerland and Lichtenstein will also connect to the platform.

The certificate will document vaccination status, who has already recovered from a Covid-19 infection and it will also be able to record negative PCR tests. At the vaccination centers or doctors’ offices, personal data such as name, date of birth and vaccination date of the person concerned will be digitally recorded and signed with the digital signature key of the issuing body (hospital, test centre, etc.). The issued certificate contains a QR code with a digital signature to protect against falsification. During border control, the data stored and encrypted in the certificate should not be transmitted, but only the validity of the crypto keys is checked. To do this, the checking apps contact the EU gateway server in Luxembourg and query there whether the key stored in the QR code is reported as valid there. If this is the case, the checking app displays green as well as the name and date of birth of the traveler, who must therefore also present an identification document such as a passport. The participating EU countries, represented by the designated national authorities or official bodies are considered as joint controllers of the processing in the gateway and must therefore provide users with adequate information about the processing of their personal data in the European federation gateway in accordance with Article 13 of the GDPR.

Data protectionists criticize that the digital certificate and the collected data could be used by member states to create movement profiles of those affected. Central storage would also increase the risk of a hacker attack.

Apple’s iOS 14.5 update

At the end of April, the new iOS update 14.5 was released. With the update comes the new App Tracing Transperency (ATT) feature.

The changes are intended to reduce unauthorized tracking and increase user awareness of digital privacy rights. With the new feature, users will receive push notifications asking for permission for the identifier for advertisers (IDFA) and thus for activity tracking. App developers have been able to use the identifier (IDFA) and other information to create detailed tracks of how users use their devices, including in other apps and on the web. Users must now actively give permission for apps to track their activities and sell their personal data, which includes information such as age, location, spending habits and health information to advertisers.  As a result, apps can no longer track behavior across other apps installed on the device without permission. However, activity within an app can still be performed without authorization. The new feature can be enabled or disabled via “Settings” since the update. If apps do not meet the new transparency standards, they will be removed from the App Store, according to Apple.

Apple celebrates the new features as a success for data protection. Criticism from app operators, which are mainly funded by advertising revenue, followed immediately. Assuming that many users will not consent to tracking, they accuse Apple of making it difficult for companies to continue their targeted advertising. Small companies in particular would be affected. But Internet giants like Facebook will also suffer significant losses without personalized advertising.

However, what can be seen as a step in the right direction in terms of data protection, also raises antitrust concerns. This is because Apple does not use the new privacy features for its own apps, but only for third-party apps. German business groups already filed an antitrust complaint against Apple.

Category: General
Tags: , , , ,
Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 58 59 60 Next
1 2 3 4 5 6 60