1. June 2018
On the 25th of May, the day the General Data Protection Regulation (GDPR) came into force, noyb.eu filed four complaints over “forced consent” against Google (Android), Instagram, WhatsApp and Facebook.
The complaints filed by the organisation (None Of Your Business) led by Austrian activist Schrems could result in penalties worth up to 7 billion euros. Max Schrems has been fighting Facebook over data protection issues for almost ten years. His earlier lawsuit challenged Facebook’s ability to transfer data from the European Union to the United States (“Safe Harbor”).
The activist alleged that people were not given a “free choice” whether to allow companies to use their data. Noyb.eu bases its opinion on the distinction between necessary and unnecessary data usage. “The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent.” (See https://noyb.eu/wp-content/uploads/2018/05/pa_forcedconsent_en.pdf) The organisation also claims that under Art. 7 (4) of the GDPR forced consent is prohibited.
The broadly similar complaints have been filed in authorities in various countries, regardless of where the companies have their headquarters. Google (Android) in France (data protection authority: CNIL) with a maximum possible penalty in the amount of 3.7 billion euro although its headquarter is in the USA. Instagram (Facebook) in Belgium (DPA). WhatsApp in Hamburg (HmbBfDI) and Facebook in Austria (DSB). All of these last three have their headquarters in Ireland and could face a maximum possible penalty in the amount of 1.3 billion euro.
30. May 2018
Regardless the new data protection legislation in the EU, the worldwide standard of data protection increases too. Through the “Amendment of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (mostly known as “profiling”)” the European Court of Human Rights (ECtHR) will apply this expansion of the European Convention on Human Rights (ECHR) in the future.
For the last four decades, the Convention has been the only international legally binding instrument for the protection of privacy and personal data open to any country in the world. The aim of the amending is now to modernise and improve the Convention, taking into account the new challenges to the protection of individuals with regard to the processing of personal data that have occurred since the adoption of the Convention in 1980. In particular, this concerns new information and communication technologies, which require a different type of protection mechanism against privacy.
As for any other human right listed in the ECHR, any person can submit an individual application if she/he is violated by one of the contracting parties of the ECHR. This seems to be interesting especially regarding the investigation through profiling by national security authorities all over the European continent.
However, the adoption of the amendments also raises some questions. Particularly with regard to the relationship between European Union law and the Convention, which does not contain any explicit provisions in this respect, as well as deviations in the scope of application. Therefore the ECtHR will comment hopefully before the first lawsuits will start.
17. May 2018
On June 11, anti-net-neutrality is set to take effect in the USA. In a resolution, the Senate has now declared itself in favour of its preservation. The U.S. Senate on Wednesday voted narrowly (52 to 47) to reverse the Federal Communications Commission (FCC) decision in December 2017 to repeal net neutrality rules. Three Republicans voted with all 47 Democrats and two Democratic-leaning senators to back the measure.
The FCC resolution is under the rarely used Congressional Review Act. It is a law that allows Congress, with a simple-majority vote in both houses, to repeal new regulations by federal agencies within 60 legislative days of implementation. Despite the Senate’s passing of the resolution, the measure is unlikely to be approved by the House of Representatives because at least two dozen Republicans must vote against the party line.
Net neutrality is the concept that internet service providers (or governments) treat all data on the internet the same regardless of content, user, platform, application or device. Network neutrality prevents all internet service providers from slowing down connections for people attempting to access certain sites, apps and services, and blocking legal content.
14. May 2018
On May 1, 2018, the Information Security Technology – Personal Information Security Specification (the “Specification”) went into effect in China. The Specification not mandatory and it is not possible to enforce it directly. Nonetheless, it could become important in the sense of guideline or reference for their administration and enforcement agencies.
The “Specification” embodies a framework concerning the collection, retention, use, sharing and transfer of personal information.
The Information Security Technology – Personal Information Security Specification establishes primary rules for personal information security, notice and consent requirements, security measures, rights of data subjects and requirements related to internal administration and management.
It distinguishes between personal information and sensitive personal information. For the latter exist specific obligations for its collection and use.
Under the the „Specification“, sensitive personal information means information such as personal identity information (ID card or passport number), financial information (bank account number or credit information) and biological identifying information (fingerprint or iris information).
Even though the “Specification” is not binding it may become significant within China because it constitutes benchmarks for the processing of personal information by a wide variety of entities and organizations. Companies that collect or process personal information should make sure that their practices in China are in compliance with the „Specification“.
9. May 2018
Pursuant to Art. 35 of the General Data Protection Regulation (GDPR) the controller of personal data shall carry out an assessment of the impact of the data processing that takes place in the controller’s responsibility. That means mostly, to anticipate the possible data breaches and to fulfil the requirements of the GDPR before the personal data is processed.
Even if the date of enforcement of the GDPR (25th May 2018) comes closer and closer, just a few of the EU member states are well-prepared. Only Austria, Belgium, Germany, Slovakia and Sweden have enact laws for the implementation of the new data protection rules. Additional to this legislation the national data protection authorities have to publish some advises on how to rule a DPIA. Pursuant to Art. 35 (4) sent. 2 GDPR these handbooks on DPIA’s should be gathered by the European Data Protection Board for an equal European-wide data protection level. The Board as well seems not to work yet, as the Article 29 Working Part (WP29) is still the official authority.
But at least, Belgium and Germany have published their DPIA recommendations and listed processes for which a DPIA is required, pursuant to Art. 35 (4) GDPR, and in which cases a DPIA is not required, see Art. 35 (5) GDPR.
For example, in the following cases the Belgian authority requires a DPIA:
- Processing, that involves biometric data uniquely identifying in a space—public or private—which is publicly open,
- Personal data from a third party that determines whether an applicant is hired or fired,
- Personal data collected without given consent by the data subject (e.g. electronic devices like smart phones, auditory, and/or video devices),
- Processing done by medical implant. This data may be an infringement of rights and freedoms.
- Personal data that affects the vulnerable members of society (e.g., children, mentally challenged, physically challenged individuals),
- Highly personal data such as financial statement; employability; social service involvement; private activities; domestic situation.
8. May 2018
Austria’s governing parties passed a new law on data protection in the last month. This new law, which was intendet to implement the requirements of the General Data Protection Regulation (GDPR), complicates the enforcement of the new EU-wide data protection rules. This developement is result of a change in policy. Three years ago Austria’s justice minister complained that the EU’s forthcoming data protection rules were to weak, nowadays, the new government in Vienna says they are too strong.
It has been suggested, that the governing parties in Vienna are trying to turn the coountry into a sort of ‘safe haven’ – by complicating enforcement of the GDPR.
Purpose of the GDPR is, inter alia, to hand back the control of personal data to the data subjects. This aim could be undermined by the new provisions regarding the sanctions.
The GDPR stipulates, that sanctions are imposed by DPAs without any condition and without a room for specification or changes to member states’ law. In contrast to this the new Austrian data protection law contains a term that requires warnings before launching sanctions against violating firms. It must be feared, that most infringements will go unpunished.
The responsibles of the Austrian Data Protection Authority tried to weaken the concerns: The authority will still decide on a case-by-case basis whether to impose administrative fines or not – even it is the first violation of the company.
It remains to be seen how the new law will be applied in the future.
24. April 2018
The European Commission intends to grand more protection for Whistleblowers from retribution when they expose fraud, data breaches and other misdeeds, as Reuters reports. In order to reach this goal, the European Commission proposed new rules last Monday. However, also safeguards against malicious or abusive reports has been considered. The Vice President Francs Timmermans said, “There should be no punishment for doing the right thing”.
Before it can become law, the proposal has to be approved by the EU member states and the European Parliament. Such law would require companies to implement internal channels for whistleblowers while also protecting them from reprisals like sackings, demotion and litigation. Down to the present day, only 10 EU member states grant full protection to whistleblowers.
10. April 2018
When the General Data Protection Regulation (GDPR) comes into force on May 25th this year, not only in Europe the handling of personal data will have to change. Companies operating with customer data of EU citizens also have to observe the GDPR worldwide. But which non-European legal entity has to show consideration for the European Data Protection?
In accordance with Article 3 (1) GDPR, the GDPR applies to the processing of data of natural persons in so far as it takes place in the context of an activity of the controller (see Article 4 (7) GDPR) or a processor (see Article 4 (8) GDPR) in the Union. This applies irrespective of whether the data processing takes place on EU territory or in a third country.
If the data subject lives in the EU but the controller / data processor is located outside the EU, the scope of the GDPR according to Article 3 (2) GDPR is applicable if the data processing is related to goods or services offered within the EU (see Art. 3 (2) lit. a)). The GDPR applies cumulatively if the processor carries out a profiling on a EU-citizen (see Art. 3 (2) lit. b)).
Furthermore, the GDPR is also applied outside the EU territory to a controller / data processor who isn’t resident of the EU, if the law of a Member State becomes applicable on the basis of international public law (e.g. in consular or diplomatic matters, or on the basis of private international law).
4. April 2018
In the USA, the “Cloud Act” (Clarifying Lawful Overseas Use of Data Act) came into force a few days ago with the signature of President Trump.
The Cloud Act stipulates that US investigators should have access to personal data located on servers outside the USA. To this end, bilateral agreements may be concluded authorizing investigators to contact the cloud provider directly.
As part of this, the US Department of Justice filed an application with the US Supreme Court to declare United States of America vs. Microsoft Corporation (New York Search Warrant Case) closed. The case dates from 2013 and has been highly controversial ever since.
The question is whether Microsoft must disclose personal data stored outside the US, here on servers in Ireland, to US authorities. The basis for this was a search warrant issued by a federal district court in New York, which was intended to oblige Microsoft to hand the data over. Microsoft complained about this. A ruling was actually expected in June of this year, but now the matter could be filed before a decision is taken.
Noel J. Francisco, the US government’s chief litigant, filed a petition with the Supreme Court, citing the Cloud Act, arguing that the Microsoft-US dispute is over and no longer needs to be heard. A new search warrant based on the Cloud Act has already been sent to Microsoft.
3. April 2018
Continued from the article about the Working Party 29 (WP29) guidelines on consent, additional elements of the term should be considered as consent plays a key role for the processing of personal data.
The GDPR requires consent to further be specific, i.e. the data subject must be informed about the purpose of the processing and be safeguarded against function creep. The data controller has to, again, be granular when it comes to multiple consent requests and clearly separate information regarding consent from other matters.
In case the data controller wishes to process the data for a new purpose, he will have to seek new consent from the data subject and cannot use the original consent as a legitimisation for processing of further or new purposes.
Consent will also be invalid if the data controller doesn’t comply with the requirements for informed consent. The WP29 lists six key points for consent to be informed focussing on the aspect that the data subject genuinely needs to understand the processing operations at hand. Information has to be provided in a clear and plain language and should not be hidden in general terms and conditions.
Furthermore, consent has to be an unambiguous indication of wishes, i.e. it must always be given through an active motion or declaration. For example, the use of pre-ticked opt-in boxes is invalid.
However, explicit consent is required in situations where serious data protection risks emerge such as the processing of Special categories of data pursuant to Art. 9 GDPR.
In general, the burden of proof will be on the data controller according to Art. 7 GDPR, without prescribing any specific methods. The WP29 recommends that consent should be refreshed at appropriate intervals.
Concerning the withdrawal of consent, it has to be as easy as giving consent and should be possible without detriment.
The WP29 also recommends that data controllers assess whether processing of data is appropriate irrespective of data subjects’ requests.
Pages: Prev 1 2 3 ... 43 44 45 46 47 48 49 ... 67 68 69 Next 
