10. February 2017
On January 10, the European Commission published a proposal for an ePrivacy Regulation. After the adoption of the General Data Protection Regulation (‘GDPR’), a new ePrivacy Regulation would be the next step in pursuing the European Commission’s Digital Single Market Strategy (‘DSM’).
If adopted, the ePrivacy Regulation will replace both the ePrivacy Directive (2002/58/EC) and the Cookie Directive (2009/136/EC). In contrast to a Directive that has to be implemented into national law by each EU Member State, a Regulation is directly applicable in all Member States. Thus a Regulation would support the harmonisation of the data protection framework.
What’s new?
Since 2009, when the ePrivacy Directive was revised last, important technological and economic developments took place. In order to adapt the legal framework to the reality of electronic communication, the scope of the proposed Regulation is widened to apply to the so called ‘over-the-top’ (‘OTT’) service providers. These OTT providers, such as WhatsApp, Skype or Facebook, run their services over the internet.
By ensuring the privacy of machine-to-machine communication, the Regulation also deals with the Internet of Things and thus seems not only to consider the current situation of electronic communication, but also to prepare for upcoming developments within the information technology sector.
Electronical communications data (metadata as well as content data) cannot be processed without complying with the requirements of the Regulation. Metadata can be processed, if necessary for mandatory quality of service requirements or for billing, calculating interconnection payments, detecting or stopping fraudulent, or abusive use of, or subscription to, electronic communication services.
Content data can be used for the sole purpose of the provision of a specific service to an end-user, if the end-user or end-users concerned have given their consent to the processing of his or her electronic communications content and the provision of that service cannot be fulfilled without the processing of such content or if all end-users concerned have given their consent to the processing of their electronic communications content for one or more specified purposes that cannot be fulfilled by processing information that is made anonymous, and the provider has consulted the supervisory authority.
Regarding the use of cookies, the end-users’ consent is still the basic requirement, except for first party non-privacy intrusive cookies. These cookies can now be used without the consent of the end-user. The proposed Regulation furthermore allows to use browser settings as consent.
In contrast to the draft of the Regulation leaked in December 2016, the official proposal does not contain the commitment to ‘Privacy by default’, which means that software has to be configured so that third parties cannot store information on or use information about a user’s device.
The Commission’s proposal of the Regulation just demands that software must offer the option to prevent third parties from storing information on or using information about a user’s device.
ePrivacy Regulation and GDPR
Both the ePrivacy Regulation and the GDPR are part of the above mentioned ‘DSM’. Several commonalities prove this fact. For instance, the fines in both Regulations will be the same. Furthermore, the EU Data Protection Authorities responsible for the enforcement of the GDPR will also be responsible for the ePrivacy Regulation. This will contribute to the harmonisation of the data protection framework and increase trust in and the security of digital services.
What’s next?
After being considered and agreed by the European Parliament and the Council, the Regulation could be adopted by May 25th, 2018, when the GDPR will come into force. It is to see whether this schedule is practicable, considering how long the debate about the GDPR took.
9. February 2017
Lately, Google has lost a court case (in Philadelphia) on e-mail data storage on foreign server, so that, according to the judgement, from now on the data should be sent to the US FBI security service.
The Court diverges from the existing case-law since, in a recent case, Microsoft has successfully denied the publication of data stored on servers in the European Union, and referred to the legal requirements in the EU.
As a reason for Google’s publishing obligation, the judge argued that Google is constantly copying data between its data centers, so that it should be only needed a further transfer of the data requested by the FBI to the US, in order for the FBI to access it. Although this could be a violation of the rights of the user, this violation would take place in the USA and because of that again covered by the law. According to the court, the data transfer therefore does not represent any access to foreign data anyway.
Following the proclamation of the judgment, Google has already commented on the procedure and announced to appeal against the decision, and continue to oppose to all official demands that go too far. Google has also explained that data is distributed on the servers around the world for technical reasons and in some cases it is not at all clear where the data is being stored. The verdict shows that each year Google receives from the US investigators somewhat 25,000 information requests.
8. February 2017
Background
The Court of Justice of the European Union has invalidated the U.S.-EU Safe Harbor framework (October 2015), which was replaced by the Privacy Shield on 12 July 2016.
“Enhancing Public Safety in the Interior of the United States” (Executive Order) was issued by the US President Donald Trump on 25th January 2017. This act’s main aim was the immigration laws enforcement in the U.S.
In its Section 14 we may read: “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
The so-called “Umbrella Agreement” (signed on 2nd December 2016) between the U.S. and EU, ensured the personal data transfers for law enforcement purposes. This agreement applies also to the pre-existing agreements between the U.S. and EU along with the various Mutual Legal Assistance Treaties (“MLATs”), Passenger Name Records Agreement, and Safe Harbor framework.
Part 19 of the Umbrella Agreement enables every European citizen to seek judicial review in case of an unlawfully disclosure individual’s personal data or denial of the right to access or amend the personal data in agency’s possession.
Before the Umbrella Agreement, there was no such legal possibility, although the Privacy Act of 1974 extended those rights to permanent residents of the U.S. and its citizens. EU would only agree with the Umbrella Agreement once U.S. extends protections to the European citizens under the Privacy Act, so that the U.S. is expected to comply with the Umbrellas Agreement Art. 19.
Moreover, in February 2016 the Judicial Redress Act was passed as the U.S. and EU got along with each other, which extended protections of the Privacy Act (disclosure, access, amendment) to citizens of “covered countries’’ (as named in the Judicial Redress Act).
On 17th of January 2017 Loretta Lynch (new former U.S. Attorney General) designated “covered jurisdictions’’ (as named in the Judicial Redress act) to include in the Judicial Redress Act all the EU Members apart from Denmark and the UK, which has become effective on 1st February.
The Attorneys General designation however, is not subject to administrative or judicial review (within the Judicial Redress Act).
Conclusion
Donald Trump’s Executive Order is believed not to affect the Judicial Redress Act (which is applicable law in the context of data transfers for law enforcement purposes) in terms of the Privacy Act rights to the European citizens extension, so as to say that the Executive Order should not impact Privacy Shield Framework’s legal viability.
Unresolved is still an aspect of “covered countries’’ designation, as the Judicial Redress Act includes a “covered countries’’ designations removal process, which is still subject of a dispute.
27. January 2017
The Russian data protection authority “Roskomnadzor” sent on November, 17 2016 an order to the telecommunication companies to block access to LinkedIn within Russia. The reason for this step was, according to Roskomnadzor, that LinkedIn does not protect subjects’ data rights in a way that complies with the Russian data protection law.
The order of Roskomnadzor refers to a Moscow District court decision from August, 4 2016.
The case of LinkedIn is the first major test of the Russian law, which is on effect since September, 1 2015.
Roskomnadzor judges, that LinkedIn not only violates against the data localization requirement furthermore LinkedIn also violates a number of other requirements such as collecting personal data from non-users without their consent before they complete the registration process.
Now LinkedIn can take action against this decision within the six-month period to the Moscow Court and then appeal to the Russian Supreme Court. However, LinkedIn has not announced its intentions yet.
18. January 2017
A new law for telecommunication monitoring entered into force in the New Year´s Eve in Germany. This law grants the German federal intelligence service (BND) extensive monitoring powers. The BND gets a legal basis for the strategic telecommunication monitoring. The BND is allowed to collect, process and store the dates for six month. Also allowed is a targeted monitoring in hazardous situations, like feared terrorist attacks. The collected data must have an international reference, this means, that the data must been send by foreigners abroad.
The United States breach notification law is not an uniformed one. There exist separate laws in each 47 states plus District Columbia.
Nowadays, this conglomerate makes law enforcement in the U.S. somewhat complicated, as it has led to tokenization among the White House, consumer groups, retailers and others („Tokenization – when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value“ – source: Wikipedia).
This way card data is being protected while transmitted from one place to another – by storage in point-to-point encryption, retailers´ computer anti-hacking systems and tokanization.
Due to the fact that any business affected by a data breach suffers reputational and financial losses, the idea of obliging every business to publicly report data breaches has raised.
For instance, to diminish the stealing of card data by thieves, retailers have called on banks to replace the U.S. antiquated magnetic stripe credit card system with chip-and-PIN cards commonly used in other parts of the world. It is believed that such a chip is difficult to counterfeit.
Even though so far there have already been taken some steps in favour of solving the data breach problem, there was still no radical step on the legal level taken.
Having it lately noticed, Mallory Duncan – general counsel of the National Retail Federation – states: „Our nation badly needs a federal data breach notification law requiring everyone to disclose their own breaches“ (…) „But a national law needs to be uniform and comprehensive, covering not just retail but telecom companies, banks, credit card companies, card processors and all other entities that handle sensitive consumer data“.
Therefore there is a thorough need for the U.S. of enacting a federal law, which would notify consumers about data breach and help to keep data from being used improperly in order to keep it unbreached. The solution is now being worked on.
16. January 2017
As a recent study shows (published by French research group Eleas in October), more than a third of French workers use their devices everyday in order to work out-of-hours.
Despite the fact that checking professional emails after work gives employees a sort of autonomy and flexibility speaking of working outside the office mode, such a habit may also lead to the „info-obesity“ (according to a report submitted in September 2015 by labour minister Myriam El Khomri).
Computing and work-life balance expert Anna Cox (University of College London – UCL) says: “Some of the challenges that come with flexibility are managing those boundaries between work and home and being able to say ‘actually I am not working now’.
From 1st of January therefore, French companies should guarantee a „right to disconnect“ to their employees, which means that the new employment law has just entered into force. Since then, all the organisations that employ over 50 workers will be obliged to define employees „disconection from technology“ rights.
Its aim is to minimise an overuse of digital devices by employees after their working hours, which lately surged in unpaid overtime.
To diminish the problem, some steps have already been taken, among which there are an automatic erasure of emails for employees on holiday or email connections cutoff.
Eventhough no sanction for a breach of this obligation is foreseen, the company should publish a charter with employees out-of-hours demands and rights.
13. January 2017
On January 10th 2017 the European Commission released a Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications.
The presented proposal pursues the implementation of the EU’s Digital Single Market strategy. The Digital Single Market strategy aims to increase trust in and the security of digital services. With the upcoming General Data Protection Regulation further legislative measures have to be implemented in order to build a coherent regulatory framework.
The proposed Regulation will repeal the Directive 2002/58/EC Regulation on Privacy and Electronic Communications, also known as the “E-Privacy Directive”, which insufficiently regards current technological developments. Especially so-called Over the Top communication services, such as the messenger services WhatsApp, Skype or Facebook Messenger, are not regulated by the E-Privacy Directive and lack sufficient privacy for its users. According to the proposed Regulation, the content of messages as well as metadata will have to remain confidential and / or anonymized unless the user consented otherwise.
In addition, the new rules set out a strategic approach relating to international data transfer. By engaging in so-called “adequacy decisions” the transfer of personal data will be simplified while a high level of privacy remains.
The proposed Regulation further contains rules to ensure that personal data, which is processed by EU institutions and bodies, is handled according to the measures of the General Data Protection Regulation.
Finally, since the nature of the Proposal is a regulation instead of a directive, it should have a stronger impact for both consumers and businesses.
Ideally the legislative process will be finalized by May 25th 2018, when the General Data Protection Regulation will enter into force.
19. December 2016
The European Article 29 Working Party just published Guidelines after their December plenary meeting.
These Guidelines include explanations in terms of the role of the Data Protection Officer, the mechanisms for data portability and how a lead authority will be established with regard to the one-stop shop. Furthermore, some guidance on the EU-U.S. Privacy Shield was also included.
When do you have to appoint a DPO?
Article 37 (1) of the GDPR states that a DPO has to be appointed
a) where the processing is carried out by a public authority or body
b) where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale
or c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data.
How does the Article 29 Working Party define these requirements?
“Core activities” are defined as the “key operations necessary to achieve the controller’s or processor’s goals.” The Article 29 Working Party gives the following example: a hospital needs to process health data as core to its ultimate activity of providing health care services.
Therefore, companies have to ask themselves whether the processing of personal data is a inextricably part for archiving their goals.
“Large scale” refers to the number of data subjects and not the company’s size.
The Working Party 29 defines the following identification aspects for a “large scale”:
- The number of data subjects affected.
- The volume of data and/or the range of different data items being processed.
- The duration, or permanence, of the data processing activity.
- The geographical extent of the processing activity.
However, the Working Party 29 welcomes feedback on the Guidelines from stakeholders through January 2017. Comments can be sent to just-article29wp-sec@ec.europa.eu and presidenceg29@cnil.fr.
16. December 2016
Background
On the 22nd November, the Administrative Court of the Hague confirmed the fine imposed by the Dutch DPA to WhatsApp. In 2012, the Dutch DPA investigated WhatsApp because it had not yet appointed a representative in the Netherlands, according to current Dutch Data Protection legislation. As WhatsApp had still not complied with its obligation to appoint a representative in the EU in 2014, it imposed a fine of 10.000€ for each day of non-compliance.
The Dutch DPA remarked that WhatsApp had the obligation to appoint a representative in The Netherlands because it acted as Data Controller, as it was processing personal data of Dutch citizens. When a user searched for a contact in order to send a WhatsApp message to this contact, WhatsApp accessed this information and stored it in its U.S. servers. Therefore, WhatsApp had to be considered as a data controller in terms of the EU Directive on Data Protection and the Dutch Data Protection Act.
Current situation according to the EU Directive
The Dutch Administrative Court based its argumentation on the following key aspects:
- WhatsApp is a controller, as already admitted by the company at oral argument.
- The equipment used by Dutch data subjects, this is the mobile device, is located in Dutch territory. Moreover, according to previous positions of the WP 29 and other EU Courts, mobile devices are also considered as equipment in terms of data processing.
- WhatsApp argued that Dutch Data Protection Act imposes additional requirements than those imposed by the EU Directive, so that a representative appointed by a data controller has also to comply with the Dutch Data Protection Act. However, the Dutch Court clarified that the extension of the responsibility of the Data Controller to the representative aims at filling legal gaps regarding the application of the data protection principles. The Court also specified that an agreement between the data controller and the representative may be needed in these cases, in order to agree on liability issues.
- WhatsApp also argued that it should have been requested to appoint just one representative in the EU, as foreseen in the GDPR. The Dutch Administrative Court pointed out that WhatsApp had no representative in any other EU Member State.
- Finally, WhatsApp alleged that it could not find a party willing to asume this role, but the Court rejected this argument as it has no legal basis.
Will this change with the GDPR?
With the GDPR the requirement to appoint a representative in the EU will change in two ways:
- Also processors will be subject to this obligation
- it will be possible to appoint one single representative for all the EU operations.
Under the GDPR it will be mandatory to appoint a representative for those controllers or processors who are based in a third country and they offer goods or services to data subjects in the EU or if behavior monitoring of these data subjects takes place in the EU.
Moreover, the GDPR distinguishes between the representative and the role of the DPO. The requirements to appoint each of them are different but it may occur that a company is obliged to appoint both, only a representative, or a DPO.
Pages: Prev 1 2 3 ... 50 51 52 53 54 55 56 ... 67 68 69 Next 
