Officers’ data leaked in Poland

28. May 2021

The Polish Personal Data Protection Office (UODO) has received a notification of a data breach involving the disclosure of personal data of uniformed services officers. The case is currently being analyzed and supplemented with additional materials and information that shall clarify all its circumstances.

The data controller also notified other authorities about the incident. Among these are the police, the Governmental Computer Security Incident Response Team (CSIRT NASK) and the National Public Prosecutor’s Office. The controller informed UODO that the individuals whose data was subject to the breach would be notified individually through the officers’ home units. Nevertheless, many aspects are still unclear. Therefore, in the course of the investigation, UODO sent a letter to the data controller asking for explanations related to the data breach. Any further action will depend on the information provided by the data controller.

As a result of this situation, UODO emphasises that there is a risk associated with the possibility of unauthorized use of the officers’ personal data, which may involve tangible harm to them. Such activity may include (identity) fraud and invasion of privacy.

In this respect, UODO reminds what actions should be taken to minimize the negative consequences of such a breach. First of all, one should be very careful when providing data via the Internet. Furthermore, it is important to carefully analyse all content included e.g. in SMS messages or e-mails in order to avoid phishing attacks in particular, the aim of which is to obtain additional personal data. In this connection, materials were provided by UODO with further tips on how to reduce the risk of identity theft.

Belarus passes first personal data protection law

27. May 2021

Last month, on April 2nd, the Belarusian House of Representatives adopted in the second reading the draft law “On the Protection of Personal Data”. The law was passed on May 7th. It is the first Belarusian legal act specifically intended to lay down issues of data protection.

The law is aimed at the legal regulation of social relations arising from the processing of personal data of individuals as well as ensuring the protection of such data and the rights and freedoms of individuals in the processing of their personal data. It implies that

Processing of personal data must be commensurate with the stated purposes of its processing and ensure at all stages a fair balance between the interests of all persons concerned.

The provisions concern in detail, inter alia:

  • definition of the categories of personal data as well as principles and conditions of their processing, with and without the use of automated means
  • determination of the process for cross-border transfer of personal data; in particular, it is prohibited if a foreign country does not provide an adequate level of protection of personal data subjects rights
  • determination of the data subject rights and obligations of public authorities, legal entities and natural persons within the processing of personal data, with regard to particularly the appointment of a Data Protection Officer and data breach notifications
  • establishment of additional safeguards against arbitrary and uncontrolled collection, storage, use, dissemination, provision and other processing of personal data
  • procedure for the establishment of an authority empowered with the protection of data subject rights and its competence; the foundation of the mentioned authority shall be assigned to the Council of Ministers of the Republic of Belarus together with the Operations and Analysis Center under the President of the Republic of Belarus within three months after the official publication of the corresponding law
  • liability for violation of the provisions.

The purpose of adopting this law is to ensure an adequate level of protection of personal data and to support the development of business, trade and economic relations of the Republic of Belarus with other countries.

The main provisions of the law shall enter into force six months after its official publication.

Google Play Store to require new privacy information

25. May 2021

In a blog post published on May 6th, 2021, by Suzanne Frey, VP, Product, Android Security and Privacy, Google announced a new policy that will require developers to provide more privacy and security information about their apps. These details will be made available to users in a new “safety section” in the Google Play Store starting in 2022. The announcement comes a few months after Apple began displaying similar privacy information in their App Store.

The new “safety section” will require Android app developers to explain what kind of data is collected by their apps. For example, whether the app collects personal information, such as name, username or email and whether it collects information directly from the phone, such as approximate or exact location, contacts, media (photos, videos, audio files). Developers must also disclose how the app uses the data. For example, to improve app functionality and personalization. The section will also include information about security features, such as encryption and compliance with Google’s policy for apps aimed at children and families.

The new policy won’t be in effect for a few months in order to give developers enough time to implement the changes. Developers can begin declaring the new information in the fourth quarter of 2021. Users will be able to see the information on Google Play starting in the first quarter of 2022, and all new and existing apps will have to declare the information starting in the second quarter of 2022.

The changes seem designed to allow app developers to better explain to customers whether they can trust an app with their data, rather than working to make apps more data-efficient.

High Court dismisses Facebook’s procedural complaints in Data Transfer Case

18. May 2021

On Friday, May 14th 2021, the Irish High Court dismissed all of Facebook’s procedural complaints in a preliminary decision from Ireland’s Data Protection Commission regarding data transfers from the EU to the U.S. It rejected Facebook’s claims that the privacy regulator had given it too little time to respond or issued a judgment prematurely.

If finalized, the preliminary decision could force the social-media company to suspend sending personal information about EU users to Facebook’s servers in the U.S. While the decision of the High Court was only a procedural one, experts warn that the logic in Ireland’s provisional order could apply to other large tech companies that are subject to U.S. surveillance laws. This could potentially lead to a widespread disruption of trans-Atlantic data flows.

Facebook addressed the preliminary decision, stating that Friday’s court decision was procedural and that it planned to defend its data transfers before the Irish Data Protection Commission (DPC). It added that the regulator’s preliminary decision could be “damaging not only to Facebook, but also to users and other businesses.”

However, the Irish DPC still needs to finalize its draft decision ordering a suspension of data transfers and submit it to other EU privacy regulators for approval before it comes into effect. That process could take months, not counting potential other court challenges by Facebook.

Microsoft Cloud Services will store and process EU data within the EU

7. May 2021

On May 7th, 2021, Brad Smith, Microsoft’s President and Chief Legal Officer, announced in a blogpost that Microsoft will enable its EU commercial and public sector customers to store all their data in the EU. Microsoft calls this policy “EU Data Boundary” and it will apply across all of Microsoft’s core business cloud services, such as Azure, Microsoft 365 and Dynamics 365. Microsoft is the first big cloud provider to take such a step. The transition is intended to be done by the end of 2022.

This move can be seen as a reaction to the Court of Justice of the European Union’s (CJEU) “Shrems II” ruling in June 2020 (please see our blogpost), in which the CJEU ruled that the “EU-US-Privacy Shield” does not provide sufficient protection and therefore invalidating the agreement. The “Privacy Shield” was a framework for regulating the transatlantic exchange of personal data for commercial purposes between the EU and the USA.

However, the CJEU has clarified that server location and standard contractual clauses alone are not sufficient to meet the requirements of the General Data Protection Regulation (GDPR). This is because under U.S. law such as the “CLOUD Act”, U.S. law enforcement agencies have the power to compel U.S.-based technology companies to hand over requested data stored on servers, regardless of whether the data is stored in the U.S. or on foreign soil. So even with Microsoft’s proposed changes, U.S. authorities would still be able to access EU citizens’ personal data stored in the EU.

Microsoft believes it has found a way around the U.S. intelligence agencies: The U.S. intelligence agencies’ right of access could be technically worked around if customers effectively protected their data in the cloud themselves. To do this, customers would have to encrypt the data with a cryptographic key. In such a case, it would not be Microsoft that would manage the keys, but the customer themselves, and it would not be possible for Microsoft to hand over the keys to the US intelligence agencies. Microsoft also states that they are going above and beyond with their “Defending your Data” (please see our blogpost) measures to protect their customers’ data.

These measures by Microsoft are a step in the direction of a GDPR-compliant use of cloud applications, but whether they are sufficient to meet the high requirements of the GDPR may be doubted given the far-reaching powers of the US intelligence agencies. The reference to the possibility that users can encrypt their data themselves and keep the keys should help to comply with EU data protection standards, but must also be implemented in practice. Microsoft will have to educate its customers accordingly.

The GDPR-compliant transfer of personal data of EU citizens to the US remains uncertain territory, although further positive signals can be observed. For example, the new U.S. administration under President Joe Biden recently showed itself open to concluding a new comprehensive data protection agreement with the EU.

Portuguese DPA Orders Suspension of U.S. Data Transfers by National Institute of Statistics

29. April 2021

On April 27, 2021, the Portuguese Data Protection Authority “Comissão Nacional de Proteção de Dados” (CNPD) ordered the National Institute of Statistics (INE) to suspend any international data transfers of personal data to the U.S., as well as other countries without an adequate level of protection, within 12 hours.

The INE collects different kinds of data from Portuguese residents from 2021 Census surveys and transfers it to Cloudfare, Inc. (Cloudfare), a service provider in the U.S. that assists the surveys’ operation. EU Standard Contractual Clauses (SCCs) are in place with the U.S. service provider to legitimize the data transfers.

Due to receiving a lot of complaints, the CNPD started an investigation into the INE’s data transfers to third countries outside of the EU. In the course of the investigation, the CNDP concluded that Cloudfare is directly subject to U.S. surveillance laws, such as FISA 702, for national security purposes. These kinds of U.S. surveillance laws impose a legal obligation on companies like Cloudfare to give unrestricted access to personal data of its customers and users to U.S. public authorities without informing the data subjects.

In its decision to suspend any international data transfers of the INE, the CNPD referred to the Schrems II ruling of the Court of Justice of the European Union. Accordingly, the CNPD is if the opinion that personal data transferred to the U.S. by the INE was not afforded a level of data protection essentially equivalent to that guaranteed under EU law, as further safeguards have to be put in place to guarantee requirements that are essentially equivalent to those required under EU law by the principle of proportionality. Due to the lack of further safeguards, the surveillance by the U.S. authorities are not limited to what is strictly necessary, and therefore the SCCs alone do not offer adequate protection.

The CNPD also highlighted that, according to the Schrems II ruling, data protection authorities are obliged to suspend or prohibit data transfers, even when those transfers are based on the European Commission’s SCCs, if there are no guarantees that these can be complied with in the recipient country. As Cloudfare is also receiving a fair amount of sensitive data n relation to its services for the INE, it influenced the CNDP’s decision to suspend the transfers.

Mexican data protection authority on taking action against biometric data registry

28. April 2021

Reuters reports that Mexico’s data protection authority is planning to take legal action against a controversial new law that requires telecommunication companies to collect biometric data from users. The data protection authority wants to argue that the privacy of the people concerned is being violated before the Supreme Court.

The law was already passed in April 2021. On paper, it aims to combat crimes such as extortion and kidnapping. The data collection is meant to make it harder for criminals to remain anonymous when buying new mobile phones.

The lawsuit is filed by the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI). Adrian Alcala, a commissioner of the INAI commented: “The prosecution of crimes is an issue that should concern us all and the state is responsible for ensuring the safety of the inhabitants, but this cannot and should not be a sufficient reason to restrict freedoms and human rights”.

Specifically, the amendment requires telecommunication companies to collect fingerprints or eye data from customers. The information collected will then be entered into databases managed by the Mexican Telecommunication Authority. The information will then be available for use in criminal investigations.

Last week, a Mexican judge stopped part of the law from coming into force. The argument was that it would put customers at risk, as they would have to fear that their contracts would be terminated if they did not disclose their data. However, the regulations on data collection and creation of the database are not affected by the judge’s decision.

Category: General

Irish DPC launches investigation into Facebook data leak

26. April 2021

On April 14th, 2021, Ireland’s Data Protection Commission (DPC) announced it launched an investigation into Facebook’s data leak reported earlier this month (please see our blog post here). The inquiry was initiated on the Irish DPC’s own volition according to section 110 of the Irish Data Protection Act. It comes after a dataset of 533 million Facebook users worldwide was made available on the internet.

The Irish DPC indicated in a statement that, “having considered the information provided by Facebook Ireland regarding this matter to date, the DPC is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data”. The Irish DPC further stated that they had engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance, to which Facebook Ireland furnished a number of responses.

The launch of an investigation by the Irish authorities is significant due to the fact that Ireland remains home to Facebook’s European headquarters. This means the Irish DPC would act as the lead regulator within the European Union on all matters related to it. However, Ireland’s data watchdog has faced criticism from privacy advocates for being too slow with its GDPR investigations into large tech companies. In fact, the inquiry comes after the European Commission intervened to apply pressure on Ireland’s data protection commissioner.

Facebook’s statement on the inquiry has been shared through multiple media, and it has announced that Facebook is “cooperating fully with the DPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps and we look forward to explaining them and the protections we have put in place.”

EPRS publishes report on post-Brexit EU-UK Data Transfer Mechanisms

20. April 2021

On April 9th, 2021, the European Parliamentary Research Service (EPRS) published a report on data transfers in the private sector between the EU and the U.K. following Brexit.

The report reviews and assesses trade dealings, adequacy challenges and transfer instruments under the General Data Protection Regulation (GDPR). The report is intended to help take regulatory and business decisions, and in the Press Release the European Parliament stated that “a clear understanding of the state of play and future prospects for EU-UK transfers of personal data is indispensable”.

The report provides in-depth analysis of an adequacy decision for the UK as a viable long-term solution for data flows between the U.K. and the EU, also considering possible mechanisms for data transfer in the potential absence of an adequacy decision, such as Standard Contractual Clauses, Binding Corporate Rules, codes of conduct, and certification mechanism.

In this analysis the EPRS also sheds light on adequacy concerns such as U.K. surveillance laws and practices, shortcomings of the implementation of the GDPR, weak enforcement of data protection laws, and wavering commitment to EU data protection standards.

As part of its conclusion, the EPRS stated that the European Data Protection Board’s (‘EDPB’) opinion on the draft decision, which has just been published (please see our blogpost here), will likely scrutinise the Commission’s approach and provide recommendations on next steps.

EDPB adopts opinion on draft UK adequacy decisions

16. April 2021

In accordance with its obligation under Article 70 (1) (s) of the General Data Protection Regulation (GDPR), on April 13th, 2021, the European Data Protection Board (“EDPB”) adopted its opinions on the EU Commissions (“EC”) draft UK adequacy decision (please see our blog post). “Opinion 14/2021” is based on the GDPR and assesses both general data protection aspects and the public authority access to personal data transferred from the EEA for law enforcement and national security purposes contained in the draft adequacy decision, a topic the EC also discussed in detail. At the same time, the EDPB also issued “Opinion 15/2021” on the transfer of personal data under the Law Enforcement Directive (LED).

The EDPB notes that there is a strong alignment between the EU and the UK data protection regimes, especially in the principles relating to the processing of personal data. It expressly praises the fact that the adequacy decision is to apply for a limited period, as the EDPB also sees the danger that the UK could change its data protection laws. Andrea Jelinek, EDPB Chair, is quoted:

“The UK data protection framework is largely based on the EU data protection framework. The UK Data Protection Act 2018 further specifies the application of the GDPR in UK law, in addition to transposing the LED, as well as granting powers and imposing duties on the national data protection supervisory authority, the ICO. Therefore, the EDPB recognises that the UK has mirrored, for the most part, the GDPR and LED in its data protection framework and when analysing its law and practice, the EDPB identified many aspects to be essentially equivalent. However, whilst laws can evolve, this alignment should be maintained. So we welcome the Commission’s decision to limit the granted adequacy in time and the intention to closely monitor developments in the UK.”

But the EDPB also highlights areas of concern that need to be further monitored by the EC:

1. The immigration exemption, which restricts the rights of those data subjects affected.

2. How the transfer of personal data from the EEA to the UK could undermine EU data protection rules, for example on basis of future UK adequacy decisions.

3. Access to personal data by public authorities is given a lot of space in the opinion. For example, the Opinion analyses in detail the Investigatory Powers Act 2016 and related case law. The EDPB welcomes the numerous oversight and redress mechanisms in the UK but identifies a number of issues that need “further clarification and/or oversight”, namely bulk searches, independent assessment and oversight of the use of automated processing tools, and the safeguards provided under UK law when it comes to disclosure abroad, particularly with regard to the application of national security exemptions.

In summary, this EDPB opinion does not put any obstacles in the way of an adequacy decision and recognises that there are many areas where the UK and EU regimes converge. Nevertheless, it highlights very clearly that there are deficiencies, particularly in the UK’s system for monitoring national security, which need to be reviewed and kept under observation.

As for the next steps, the draft UK adequacy decisions will now be assessed by representatives of the EU Member States under the “comitology procedure“. The Commission can then adopt the draft UK adequacy decisions. A bridging period during which free data transfer to the UK is permitted even without an adequacy decision ends in June 2021 (please see our blog post).

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 58 59 60 Next
1 3 4 5 6 7 60