Hungarian Government suspends GDPR rights for COVID-19 related Data Processing

12. May 2020

In the face of the Corona pandemic, Hungary is currently in an indefinite “state of emergency”. Originally, Prime Minister Victor Orbán decreed the state of emergency on 11 March 2020 lasting for a period of 15 days. However, on 30 March 2020, the Hungarian Parliament passed emergency legislation (Bill on Protection against Coronavirus or Bill T/9790) extending the state of emergency until terminated by the Prime Minister and allowing the Prime Minister to rule by decree during the state of emergency. The Bill was passed thanks to the two-thirds majority of Orbán’s Fidesz Party in the Hungarian Parliament.

On 4 May 2020, Prime Minister Orbán issued Decree No. 179/2020 which contains several provisions affecting Data Protection in Hungary extensively for the time of the state of emergency.

Most importantly, the decree suspends the individual data subject’s rights pursuant to Art. 15 to 22 of the European GDPR when processing personal data for the purpose of preventing, recognising, and stopping the spread of the Coronavirus. It also stipulates that the one month time limit for Controllers to provide the necessary information (Art. 12 para. 3 GDPR) will only begin after the termination of the state of emergency for any Coronavirus related data subject requests. Furthermore, the data collection information requirements for Controllers pursuant to Art. 13 and 14 GDPR will be satisfied by publishing an electronic privacy notice providing the purpose and the legal basis of data processing which the data subjects may take notice of.

The emergency decree received much criticism from various European Data Protection authorities and civil rights groups. The head of the European Data Protection Board (“EDPB”) Andrea Jelinek stated that she is “personally very worried” about the developments, and described the Hungarian government’s decision as “unnecessary [and] detrimental”. In its most recent plenary session, the EDPB also specifically discussed Hungary’s emergency measures in light of European Data Protection Law.

Enforcement of Brazil’s new Data Protection Law postponed due to COVID-19

8. May 2020

The Coronavirus is affecting South America, like the rest of the world, and it is spreading rapidly in its largest country: Brazil. Brazil’s Government and Legislators try to handle both the public health crisis and the economic crisis that the country is facing. Now both branches have adopted emergency measures to alleviate the effects of the virus, even impacting the enforcement of the country’s new national Data Protection Law (“Lei Geral de Proteção de Dados Pessoais” or “LGPD”).

The National Congress of Brazil only passed the LGPD in August 2018. It was originally scheduled to come into effect on 15 August 2020 (we reported). As the effects of the Coronavirus began to impact Brazilian businesses, many companies called for the postponement of the LGPD’s effective date due to the difficult economic environment and due to the fact that Brazil’s national Data Protection Authority (“ANPD”) is still not fully functional.

On 3 April 2020, the Senate of Brazil unanimously approved of the Law Bill “PL 1179/2020” which includes a provision to delay the effective date of the LGPD until 1 January 2021. Furthermore, the Bill sets forth that non-compliance with the LGPD shall not be sanctioned by the Data Protection Authorities until 1 August 2021.

The second chamber of Brazil’s National Congress, the House of Representatives, debated “PL 1179/2020” all throughout April 2020 and considered the implications of the LGPD’s postponement for the privacy rights of individuals, especially with many emergency measures on the way that were increasingly restrictive on privacy rights. A vote on “PL 1179/2020” by the House of Representatives was still pending by the end of the month.

On 29 April 2020, the President of Brazil took matters into his own hands when he issued Provisional Measure #959/2020. The measure postponed the effective date of the LGPD to 3 May 2021, without segmenting the postponement into two stages like the Senate’s Law Bill “PL 1179/2020” stipulated.

Provisional Measures issued by the President of Brazil serve as temporary law and are valid for a period of 60 days which the President may extend for another 60 days. During this time period, both chambers of the National Congress must approve of the Provisional Measure in order to become permanent law. If Congress disapproves, the measure will be invalidated.

Dutch DPA administers record €725 000 fine for GDPR violation

6. May 2020

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), has issued a EUR 725 000 fine on April 30th to a company for scanning the fingerprints of its employees in order to record attendance.

As fingerprints fall under sensitive data according to Art. 9 GDPR, by being biometric data and therefore can easily identify a data subject, the Dutch DPA has addressed two exceptions in the present case: explicit consent according to Art. 9 II a GDPR, and the necessity of the processing for security reasons, which are related back to Art.9 II g GDPR.

According to the Dutch DPA, none of the two exceptions apply.

In the first case, the Dutch DPA states that the employer has shown no proof of valid explicit consent of the employees. Rather, the Dutch DPA is of the opinion that in an employment relationship, consent cannot be given freely. While it is tricky to ensure freely given consent in situations where one side is dependant on the other, it is possible to ensure such a freely given consent by the means of offering an alternative form of processing, allowing the employee to choose from two options according to their own judgement. In the case brought to the Dutch DPA, this had not been the case. Rather, employees felt obligated to give their consent, especially since the denial resulted in a personal meeting with the director. An alternative option to scanning their fingerprints was not given by the company.

The second exception of the necessity of the processing for security reasons was also dismantled by the Dutch DPA. It reasoned with the fact that such an exception only applies in cases where the security of the systems or the building depend on biometric data, and cannot be done by a less invasive method. While the activities of the company remain confidential, the Dutch DPA has denied them to be of that level of importance that security can only be done through biometrics. Therefore, the fingerprint scanning in the matter was unnecessary and disproportionate to the invasion of the employees’ privacy.

As this case shows, it is recommendable to be careful with the processing of biometric data. In particular, companies should ensure to have valid consent before progressing with the processing of sensitive data to mitigate the risks of a fine.

EDPB ratifies new Guideline on Health Data Processing during COVID-19

27. April 2020

The European Data Protection Board (EDPB) adopted a new Guideline on the processing of health data for scienon the most urgent matters and issues in relation to the processing of health data. Those matters include the tific purposes in the context of the COVID-19 pandemic on April 21, 2020. It aims at providing clarity on the most urgent matters and issues in relation to the processing of health data. Those matters include the legal basis for processing, the implementation of adequate safeguards as well as data subjects’ rights.

The Guideline states that the GDPR contains several provisions for the processing of health data in relation to scientific research. The first one would be the consent in Art. 6 (II) a GDPR in combination with Art. 9 (II) a GDPR. The EDPB emphasizes the necessity of the consent having to meet all the necessary conditions in order to be valid, notably consent must be freely given, specific, informed, and unambiguous, and it must be made by way of a statement.

Further, the EDPB clarifies that Art. 6 (I) e or f GDPR in combination with the enacted derogations under Art. 9 (II) (i) or (j) GDPR can provide a legal basis for the processing of personal (health) data for scientific research. National legislators can implement their own derogations, setting ground for national legal bases in regulation with the GDPR.

The EDPB also addresses the case of further processing of health data for scientific purposes, which means the case when health data has not been collected for the primary purpose of scientific research. In these cases, the Guideline states that the scientific research is not incompatible with the original purpose of the processing, as long as the principles of Art. 5 GDPR are being upheld.

In regards to international transfers, the Guidelines make specific emphasis on the transfer to countries with no adequacy decision by the European Commission. In such cases, it is possible for the exporter of the data to rely on the derogations of Art. 49 (I) a, explicit consent, and d, transfer necessary for important public interest, GDPR. However, these derogations do not entitle continuous or repeated transfers, and are only supposed to be used as temporary measures. The EDPB states that this is a sanitary crisis like none before, and therefore the transfer to other countries in cases of scientific research form an international emergency in which the public interest may take first priority. But the Guideline makes clear that in case of repeated transfer, safeguards according to Art. 46 GDPR have to be taken.

The Guideline further emphasizes that situations like the current pandemic outbreak do not restrict data subjects to exercise their rights. However, Art. 82 (II) GDPR gives national lawmakers the possibility to restrict data subject rights, though these restrictions should apply only as is strictly necessary.

Over all, the EDPB states that it has to be noted that any processing or transfer will need to take into consideration on a case-by-case basis the respective roles (controller, processor, joint controller) and related obligations of the actors involved in order to identify the appropriate measures in each case.

Belgian DPA releases Guidance and FAQs on Cookies and Trackers

23. April 2020

On Thursday, April 9th 2020, the Belgian Data Protection Authority (Belgian DPA) has issued a guidance along with frequently asked question on the subject of cookies and other tracking technologies.

The key points presented by the guidance revolve around the definitions of cookies, what needs to be presented in a cookie policy, how the consent of data subjects needs to be obtained and which requirements it needs to fulfill, as well as the storage period of a cookie on a user’s device.

The Belgian DPA made it clear that of the utmost importance is the transparency of the cookie usage. That entails that the users need to be informed about the scope of each individual cookie used. This should be done through a cookie policy on the website. The cookie policy needs to be written in a language the targeted users of the website can understand, as well as be easily accessible, e.g. through a hyperlink.

Specifically, these cookie policies need to include and inform about:

  • identification of the cookies used;
  • their purposes and duration;
  • whether third-parties have access to such cookies;
  • information about how to delete cookies;
  • the legal basis relied upon for the use of cookies;
  • information about individuals’ data protection rights and the ability to lodge a complaint to the competent data protection authority;
  • information about any automated decision making, including profiling.

In order to be able to use cookies, the consent of the user needs to be obtained. The Belgian DPA stated in their guidance that the consent has to be obtained for the use of all non-essential cookies, which means all cookies that are not necessary for a user requested function of the website. A necessary cookie would be, for example, the cookie to remember the item in a user’s cart, or cookies that enable booking communication with a user.

The consent especially needs to be:

  • obtained for the use of all non-essential cookies, as well as all social media plugins;
  • informed, specifically, prior to giving their consent to the use of cookies, users must be provided with information regarding the use of cookies: The information that needs to be given to the data subjects are the entity responsible for the use of cookies, the cookies’ purposes,  the data collected through the use of cookies, and their expiration. Users must also be informed about their rights with respect to cookies, including the right to withdraw their consent;
  • granulated, whereas in a first instance, users need to decide between what types of cookies they want to give consent to, and in a second instance, users can decide exactly which cookies they want to give consent to;
  • unambiguous and provided through a clear affirmative action.

Further, it is also important to keep in mind that the Belgian DPA has confirmed that cookie walls are unlawful, and that companies must show proof of obtained consent through keeping logs.

The Belgian DPA has also given guidance on the lifespan of cookies. Cookies should not have unlimited lifespans, but rather follow basic data protection rules: once a cookie is no longer necessary for the purpose or it has fulfilled its determined purpose, it needs to be removed. If the cookie cannot be deleted from the controller’s side, it is important to give the users the information on how to do it themselves.

Overall, the Belgian DPA’s guidance has given controllers a clear way to maneuvering their cookie usage, and has provided a new list of FAQs in case of further questions. In this regard, the Belgian DPA has made sure that cookies and their use are easy to comprehend and handle, hopefully helping data protection compliance within the subject.

The Video-conference service Zoom and its Data Security issues

20. April 2020

Amidst the Corona crisis, the video communications service Zoom gained enormous popularity. The rate of daily Zoom users skyrocketed from 10 Mio in December 2019 to 200 Mio in March 2020. As it outshined many of its competitors, Zoom labels itself as “the leader in modern enterprise video communications”. However, the company has been facing a lot of public criticism because of its weaknesses in data security and lack of awareness in data protection matters.

Basic data security weaknesses unfolded little by little starting in March 2020:

  • Zoom had to admit that it was wrongly advertising to provide full end-to-end encryption for all shared contents like video, audio or screen sharing.
  • Security experts revealed several bugs that could have allowed webcam and mic hijacking and the theft of login credentials.
  • An online Tech Magazine reported that Zoom leaked thousands of their users’ email addresses and photos to strangers.
  • Video-conferences which users did not protect with a password, enabled “Zoombombing”, a phenomenon in which strangers hijacked videocalls and disrupted them by posting pornographic and racist images as well as spamming the conversations with threatening language. In response, Zoom introduced the Waiting Room feature and additional password settings.

At the same time, Zoom’s data privacy practices came under scrutiny:

  • Zoom shared web analytics data with third-party companies for advertising purposes without having a legal basis or notifying users about this practice. In response to criticism, Zoom revised its privacy policy and now declares that it does not share data from meetings for advertising.
  • The company also shared more analytics data of its users with Facebook than stated on Zoom’s privacy policy, even if the user did not sign in with their Facebook account. Zoom introduced an update in which this sharing is terminated.
  • The New York Times revealed that Zoom used a data mining feature that matched Zoom users’ names and email addresses to their LinkedIn profiles without the users knowing about it. Zoom then enabled automatic sharing of the matched LinkedIn profiles with other meeting members that were subscribers of a LinkedIn service for sales prospecting (“LinkedIn Sales Navigator”). In response to criticism, Zoom removed this feature permanently.
  • Zoom hosted a feature called Attention Tracking, which let the meeting’s host know when an attendee had clicked away the meeting window for more than 30 seconds. In the meantime, Zoom disabled the feature.

The security and privacy issues of Zoom have led various public authorities and companies internationally to ban their workers from using the service.

On 1 April 2020, Zoom’s founder and CEO Eric S. Yuan announced a 90-day plan to significantly improve their data security in an effort to build greater trust with their users. This plan includes freezing the introduction of new features, enlarge their cybersecurity team and engage outside help from security advisors.

Apple and Google join forces during Corona Pandemic

17. April 2020

Apple and Google two of the biggest internet giants announced that they will partner on the development of a COVD-19 contact tracing technology.

According to a statement, both of them published on their blogs, aim of the partnership is to develop an App respectively a technical tool which should support the protection of people and to help combat the virus. Furthermore, the tracing technology should help governments and health agencies reduce the spread of the virus.

Apple and Google want to develop a Bluetooth technology which can be used on iOS and Android devices as well as that it can be implemented in Apps of other providers via an API (Application Programming Interface) – which should be published in May.

The tracing technology, using the Bluetooth function and encryption, is designed to detect the distance between two devices in order to identify potentially vulnerable people who have been in close contact with a person tested positive for corona. Therefore, the devices should exchange temporarily ID numbers. In case, one person is tested positive he or she should change the status in the used app in order to inform all persons to which the data subject had contact in the past two weeks.

Both, Apple and Google, ensure that they take data protection requirements seriously. According to the provided information the data should firstly be stored on the respective devices and deleted automatically after two weeks. The data should only be uploaded to a server after change of status to tested positive and obtaining consent of the data subject. The exchanged ID numbers are planned to be uploaded to a list anonymously. In order to increase trust, it is planned to publish the software source codes. This would allow everyone to understand how the data is handled. In addition, this is to ensure that no data will be used for advertising purposes.

Consequences of the 2017 Equifax Data Breach

16. April 2020

It has been almost two years since the consumer credit reporting agency Equifax suffered a massive Data Breach.

Back in May 2017 Equifax has been hacked, but the operators first noticed the breach much later, at the end of July 2017 and informed the public on the beginning of September 2017.

The disclosure of sensitive data from approximately 143 million, not only US based consumers, was to be feared (we reported).

After the breach Equifax invested $ 200 million on the data security infrastructure and found itself in the middle of class action suits.

Now, two years after the hack, Reuters reports the settlement of a lawsuit in connection with which Equifax pays $ 19.5 million to Indiana and also the Chicago Daily Law Bulletin reports a $ 1.5 million settlement between the city of Chicago and Equifax.

Besides Indiana also Massachusetts filed a lawsuit against Equifax, which is reported to be settled as well – the amount of the settlement is not yet known.

CNIL publishes new Guidance on Teleworking

14. April 2020

The French Data Protection Authority (CNIL) has released a guidance on teleworking on April 1st, which is intended to help employers master the new working situation. In particular, it is supposed to bring clarity on the IT requirements in order to ensure a safe and well-functioning remote working environment.

In particular, the guidance touches on these following points to form a basis for coping with teleworking from an employer’s perspective:

  • It is recommended that employers formulate an IT Charter or internal regulation on how to use the teleworking systems which are to be followed by the employees,
  • Necessary measures have to be taken in case the systems have to be changed or adapted to the new situation,
  • It should be ensured that employee work stations have the minimum requirements of a firewall, anti-virus software and a tool blocking access to malicious websites,
  • To keep from being exposed on the internet and ensure security, a VPN is recommended to be put in use.

Furthermore, the CNIL has also given guidance on the cases where an organization’s services are mainly performed over the internet. In such cases, it recommended to follow a few necessary requirements in order to make sure the services can be delivered safely and smoothly:

  • Web protocols that guarantee confidentiality and authentication of the processes (such as https and sftp), and keeping them up to date,
  • Double factor authentication,
  • No access to interfaces of non-secure servers,
  • Reviewing logs of access to remotely accessible services to detect suspicious behaviors,
  • Ensuring that the used equipment follows latest security patches.

The CNIL also offered some best practices for employees to follow in cases of working remotely, to give both sides pointers on how to deal with the changing situation.

Specifically, employees are being recommended to ensure their WIFI is secure by using encryption such as WPA 2 or WPA 3, along with a secure password. In addition, the CNIL recommends work equipment given by the employer, as well as using a VPN provided by the company. In the case of using own devices, a firewall and an anti-virus software are the necessary requirements to ensure security of the equipment, as well as updating the operating system and software to the newest patches.

Lastly, the CNIL warns of increased phishing attempts in relation to the COVID-19 outbreak.

Overall, the guidance and best practices the CNIL has published indicate a need for continuous and active vigilance in regards to teleworking, as well as the sharing of personal data in the process.

This guidance is in line with our past assessment of the remote working situation, which you are welcome to check out in the respective blogpost in our Series on Data Protection and Corona.

Series on Data Protection and Corona – Part 8: Social assessment of the importance of data protection

30. March 2020

The Corona crisis is not only a challenge for the health system, the economy and each and every one of us. People in the so-called ‘systemically important’ professions have been working at their physical and psychological limits for days and are constantly exposed to the virus and its consequences.

The economic damage to be feared has so far only been guessed and is causing additional concern. The issue is currently omnipresent. Everyone is worried about infecting themselves or others and whether you, your family, friends and acquaintances will survive the crisis economically or in terms of health.

In these times, it is understandably difficult to continue dealing with data protection. Quite a few people, especially in times of the coronavirus, simply don’t want to deal with the “annoying” data protection issues and some even see data protection as an additional hurdle, for example when it comes to remote work.

Social assessment of data protection

In the last few days we have made every effort to explain to you the data protection regulations and measures as well as the special features of the current situation. Finally, we would like to mention the general social attitude towards the topic of data protection and want to point out the important role even in times of the coronavirus.

Already at the beginning of March, the German newspaper FAZ published an article on the results of a survey, which contained the results of a representative survey conducted by the market research company Innofact on behalf of Usercentrics. The result of this study was that a large part of the German population is prepared to accept restrictions on data protection and thus the right to informational self-determination in order to combat the corona crisis. In addition, the majority of the respondents also advocate the expansion of data retention (for example, of flight and travel data) in order to be able to track the spread of the pandemic. Moreover, more than 50% are prepared to disclose their health data voluntarily.

When the Robert-Koch-Institute (RKI) announced that it had received several terabytes of anonymised data from a German telecommunications provider in order to trace movement patterns of the users and thus assess the effectiveness of the measures imposed to date, there were also hardly any voices critical of such data transfer. This may be due to the fact that the data was anonymised. In other countries, however, data has not been transfered anonymously. In China, South Korea and Taiwan, for example, phone-tracking technologies and mobile phone apps were used to break down movement patterns to individuals.

A similar but slightly different way, based on the cooperation of the persons, has been established by the Austrian Red Cross. The Red Cross has developed the app “Stopp Corona” (article in German). Users of the app are supposed to track who they have been in contact with and, in case of an infection, also addthis information in the app to automatically inform the contacts of the last 48 hours about the infection and ask them to isolate themselves. According to the Red Cross, the data processing will take place anonymized. The app is available for Android devices in Austria since Tuesday, 24.03.2020. It remains to be seen whether and with what success this and similar apps can help in the spread of the pandemic.

Are these findings new?

But are these findings really new, or do they just appear in a different light due to reference to the corona crisis?

The majority of the population uses the social media services Facebook and Instagram. In addition, messengers such as WhatsApp continue to enjoy great popularity in society and are just as popular worldwide as Google Maps. What all these services have in common is that they have all been in the media because of conflicts with data protection regulations. Users must therefore be aware that they reveal a great deal about themselves personally, their interests, hobbies, whereabouts, etc. This is willingly accepted in order to take advantage of the supposedly free benefits they gain by using the above-mentioned services. However, the operators of these services are all too happy to be compensated with the voluntarily provided data of users, for example in order to place advertising tailored to the individual.

The realization that personal data is provided more or less voluntarily is therefore no news. In the current situation, the undoubtedly important purpose of combating the pandemic only seems a welcome excuse, because it seems ‘desirable’ to put data protection before a higher goal.

But even if certain measures, especially when data is used anonymously, seem to be useful in combating the corona virus, even now interventions in the informational self-determination of each individual should only be made after careful consideration, so that each person can continue to develop freely within the framework of his or her freedoms and rights. That is why, even in times of the corona crisis, it is important to preserve the data protection requirements of the GDPR and local data protection and other laws which carry the idea of informational self-determination, also and above all when sensitive data such as health data are to be processed.

This blogpost concludes the daily contributions of the Series on Data Protection and Corona. From time to time, we will of course add new contributions from the field to this series and will of course continue to keep you informed about data protection news that have no connection to Corona.

For more up-to-date information (in German) you are welcome to follow us on Twitter.

We wish you only the best, stay healthy and protect yourself and others.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 46 47 48 Next
1 2 3 4 5 6 48