The Article 29 Working Party talks about the EU-U.S. Umbrella Agreement

2. November 2016

The Article 29 Working Party published a statement on the EU-U.S. Umbrella Agreement at the end of October.

On the one hand, the statement shows support for the EU-U.S. Umbrella Agreement. On the other hand, it delivers recommendations intended to ensure that the agreement complies with European data protection law.

In general, the Article 29 Working Party supports the creation of a general data protection framework so that international data transfers comply with national, European and international data protection laws. Accordingly, the Article 29 Working Party notes that the agreement “considerably strengthens the safeguards in existing law enforcement bilateral treaties with the U.S., some of which were concluded before the development of the EU data protection framework”.

However, the statement also mentions that clarification is needed in terms of definitions, for example of personal data and data processing, because European and U.S. law define these terms differently.

The Article 29 Working Party puts Yahoo and WhatsApp in a bad light

31. October 2016

The IAPP reported that the Article 29 Working Party has issued a warning, in the form of a letter to both Yahoo and WhatsApp, concerning possible violations of European data protection regulations.

Both companies have been the subject of public debate due to the way they handle the personal data of users. The concern of the Article 29 Working Party regarding WhatsApp is that the company shares data with Facebook. The objections towards Yahoo concern both the data breaches in 2014 and the allegation that the company scans incoming user emails on behalf of U.S. law enforcement agencies.

The Article 29 Working Party therefore requests that both companies provide more information on these issues. It cannot be ruled out that investigations will be launched and fines imposed.

EU-U.S. Privacy Shield is being challenged

28. October 2016

As the website of the European Court of Justice has just revealed, the EU-U.S. Privacy Shield is being challenged by Digital Rights Ireland, an Irish privacy advocacy group.

The facts of this case (Digital Rights Ireland v Commission; Case T-670/16) are as follows:

  • Digital Rights Ireland has filed an action for annulment against the European Commission’s adequacy decision on the EU-U.S. Privacy Shield.
  • There has been no comment from Digital Rights Ireland yet.
  • No documents have been published with regard to the case so far.
  • However, as HuntonPrivacyBlog reported “(…) media sources quote a spokesperson for the European Commission acknowledging the case and stressing the European Commission’s conviction that the Privacy Shield meets all legal requirements.”

What to do in case of a data breach?

27. October 2016

The Federal Trade Commission has just released guidelines on how to act in case of a data breach. The guide, entitled Data Breach Response: A Guide for Business, is accompanied by a video and a business blog post.

These guidelines set out the most important steps to be taken in order to protect customer information:

  • securing physical areas
  • removing improperly posted information from the web
  • taking service providers into account
  • providing breach notification
  • information about whom to contact in case of a data breach, e.g. law enforcement, affected businesses and individuals

Furthermore, a model data breach notification letter is included so that companies learn how best to alert affected parties about an attack.

Article 29 WP will release guidelines on the GDPR by the end of 2016

26. October 2016

As Bloomberg reports, the Article 29 WP will provide guidance on the GDPR soon. Isabelle Falque-Pierrotin, Chairwoman of the CNIL as well as of the Article 29 WP, acknowledged that the GDPR text is ambiguous in some respects. The guidelines are therefore intended to serve as an operational toolbox.

Among other things, the guidance on the GDPR is expected to cover the following aspects:

  • The designation of the lead Supervisory Authority in case of complaints or in relation to other procedures. Moreover, aspects of the cooperation between Supervisory Authorities and their competence, together with the European Data Protection Board, to resolve disputes shall be clarified.
  • Guidance on the role of the Data Protection Officer is one of the priorities of the Article 29 WP, as DPOs will play an essential role in achieving GDPR compliance within companies.
  • The right to data portability has been regulated for the first time in the GDPR. This right will allow data subjects to access their data and transfer it to other data controllers, for example when changing telephone provider. The guidance should focus on its scope and implementation.
  • The standard for proving consent will have to be specified. This is especially important for small and medium-sized companies, for which a “simple pedagogical tool” will be developed.
  • Formal guidance on the Privacy Shield will not be issued until the EU Commission has reviewed its functioning after the first year, i.e. in summer or early fall 2017.

At the moment, the Article 29 WP remains neutral with regard to Brexit. However, Falque-Pierrotin remarked that the Privacy Shield may also be useful in the UK regarding international data flows with the U.S.

Further guidance is also expected in 2017, especially on topics such as the EU-U.S. Privacy Shield and the implications of Brexit for privacy.

Amendments to adequacy decisions and decisions on European Model Clauses?

25. October 2016

After a meeting of the Article 31 Committee, the European Commission disclosed two drafts concerning the implementation of amendments to the existing adequacy decisions and decisions on EU Model Clauses.

First of all, adequacy decisions determine whether a third country provides adequate safeguards for the protection of personal data. These decisions are made by the Commission after an assessment of the national laws and international commitments of the respective country in terms of data protection. Countries found to provide adequate protection are then added to the Commission’s “white list”. As a result, data transfers can be made from the EEA to that country without any further legal requirements.

Opinion on these amendments is divided. Some European Member States which participated in the Article 31 Committee meeting were in favour of implementing these amendments. However, other European Member States requested more time to consider the proposed changes.

Due to this conflict, another meeting has to be scheduled, to which the Article 29 Working Party will be asked to contribute by presenting its views on the respective changes.

The application of the right to be forgotten in France challenged by Wikimedia

24. October 2016

Since the ECJ established the right to be delisted from search engines (right to be forgotten) in 2014, Google has received numerous requests from individuals and organizations for the deletion of search results that contain their personal data which is no longer current, correct or relevant, or which causes damage to the data subjects. The right to be forgotten applies to certain domains, such as .co.uk, .fr, .de, .es or .nl.

However, the French DPA (CNIL) requested Google to delete these results from all Google search domains (including .com). As Google did not fully comply with this request, the CNIL imposed a fine on Google early this year.

As the French highest court has yet to decide on this, Wikimedia, the parent company of Wikipedia, filed a petition to take part in the case and support Google France in the ongoing dispute over the implementation of the “right to be forgotten”. Wikimedia’s legal counsel said in a statement that “no single nation should attempt to control what information the entire world may access”. Furthermore, she added that the application of the right to be forgotten would cause several Wikimedia websites to disappear from search results, which has an impact on the availability of knowledge.

Google is facing similar proceedings regarding the application of the right to be forgotten not only in France but also in other jurisdictions.

“If you think instant messaging services are private, you are in for a big surprise …

… The reality is that our communications are under constant threat from cybercriminals and spying by state authorities. Young people, the most prolific sharers of personal details and photos over apps like Snapchat, are especially at risk,” concluded Sherif Elsayed-Ali, the head of Amnesty International’s Technology and Human Rights Team, after ranking 11 of the most popular messaging apps in a Message Privacy Ranking.

In this ranking, both Snapchat and Skype received some of the lowest scores. Snapchat only got 26 out of 100 on the organization’s scale, whereas Skype received 40 out of 100. This is because end-to-end encryption is not used, although, according to Amnesty, it is highly recommended.

The report explains that “The apps were marked on their use of encryption and privacy safeguards, as well as how well they advised their users of the app’s security, and whether they released details of government requests for user data.” Furthermore, Sherif Elsayed-Ali stated that “It is up to tech firms to respond to well-known threats to their users’ privacy and freedom of expression, yet many companies are falling at the first hurdle by failing to provide an adequate level of encryption”.

It is therefore worth noting that although Skype and Snapchat are among the world’s leading messaging applications, they are among the least secure on the market, according to Amnesty.

European Court of Justice defines personal data

20. October 2016

The European Court of Justice clarified the definition and the scope of personal data.

The original case, known as the Breyer case, concerned the question of whether dynamic IP addresses are personal data within the meaning of Article 2(a) of Directive 95/46/EC. The European Court of Justice has now ruled that IP addresses can be personal data even though the information needed to identify the data subjects may have to be obtained from third parties.

In detail, the European Court of Justice concludes:

  • According to the approach adopted by the Bundesgerichtshof (Federal Court of Justice), a dynamic IP address is not sufficient, in itself, to identify the user who has accessed a web page through it. If the provider of a service on the Internet could, on the contrary, identify the user through the dynamic IP address, it would, no doubt, be personal data within the meaning of Directive 95/46.
  • The heart of the question referred is therefore concerned with whether it is relevant, in order to classify dynamic IP addresses as personal data, that a very specific third party — the Internet access service provider — has additional data which, combined with those addresses, may identify a user who has visited a particular web page.
  • Therefore, as a first conclusion, I consider that Article 2(a) of Directive 95/46 must be interpreted as meaning that an IP address stored by a service provider in connection with access to its web page constitutes personal data for that service provider, insofar as an Internet service provider has available additional data which make it possible to identify the data subject.

The question raised by this ruling is therefore: Will this definition stand once the GDPR comes into force in 2018?

In any case, it is highly probable that from now on it will be more difficult for organizations to pseudonymize or anonymize personal data.

Decision in Microsoft case about to be challenged

18. October 2016

As the Washington Post reported, the Justice Department asked the appeals court for the Southern District of New York to look at the decision concerning Microsoft’s refusal to comply with a search warrant for an alleged drug trafficker’s emails stored on a server in Ireland.

The case underlying this ruling began when Microsoft received a warrant in December 2013. Although it was originally a case about compliance with a federal law enforcement request, it has since turned into a debate over government access to digital data held overseas, reflecting the increasing challenges governments face when they try to obtain data across borders.

Microsoft and a number of tech firms and privacy groups therefore argue that if the government’s view prevails, U.S. businesses might lose billions of dollars in revenue.
