29. March 2016
The French Data Protection Authority (“CNIL”) fines Google for a data protection violation. In May 2014, the European Court of Justice had decided that citizens could request search engines to delist inadequate or irrelevant web search results about themselves; the so-called “right-to-be-forgotten” was born.
The CNIL has now fined the US search engine 100,000 Euros over the right-to-be-forgotten, since Google only delisted web search results regionally, for instance only across its European websites such as google.fr, and not also on the google.com website. If web search results about a person are delisted only regionally, the data subject will in practice not be able to exercise her/his right-to-be-forgotten effectively. Search engines should instead delist search results from all their domains.
With the refugee crisis, a new chapter between Turkey and the EU has started. In order to receive visa liberalization for Turkish citizens in the EU, Turkey has to fulfill certain criteria. One of the required criteria for Turkey was to pass a personal data protection law. On March 24, the Turkish parliament finally passed a personal data protection bill.
The Turkish personal data protection law will, for example, define personal data and sensitive personal data. Among other things, it will also regulate data transfers and the individual rights of the data subject.
Now that the law has passed, the next step will be creating a nine-member Committee of Personal Data Protection under the Personal Data Protection Institute, affiliated with the Prime Ministry.
23. March 2016
On March 17th, the EU Council issued its position on the draft of the GDPR.
The statement of the EU Council identifies and analyzes the following key aspects of the GDPR:
- Material, formal and territorial scope of application of the GDPR, in order to achieve harmonization at EU level.
- Principles of data processing, especially “pseudonymization” and “data minimization”.
- Lawfulness of the processing based on the consent of the data subject, a contract, a legal obligation, etc.
- Empowerment of data subjects through the enhancement of their rights as data subjects: the right to access the information that is held about them, the right to be forgotten, the right to transparency on the processing, the right to object to the processing of their personal data, etc.
- Controllers' and processors' accountability for the processing operations. Additionally, their obligation to appoint a Data Protection Officer (DPO) in order to ensure compliance with the GDPR.
- Transfers of personal data to third countries on the basis of adequacy decisions or other mechanisms that ensure an adequate level of data protection in third countries.
- The EU DPAs' supervisory role over the application of the GDPR in each Member State.
- Remedies, liabilities and penalties as compensation mechanisms in case of data breaches or damages caused to the data subjects.
- Specific data processing situations, for example regarding employees' personal data.
The EU Council remarks that the GDPR reflects the compromise reached between the EU Parliament and the EU Council. Furthermore, it invites the EU Parliament to formally approve the position of the EU Council.
17. March 2016
In March 2016, the Spanish Constitutional Court rectified the existing Spanish jurisprudence regarding employee monitoring. This rectification is based on a constitutional appeal from an employee of a well-known fashion store, who was dismissed due to misappropriation of money from the cash register.
The company discovered this conduct through the video surveillance cameras that it had installed in its premises. A distinctive sign had been placed in a visible spot in the shop window. However, the employees were not informed about the use of the surveillance cameras.
According to Art. 5.1 and Art. 6.1 of the Spanish Data Protection Act, the data subject must be informed about the processing of his/her personal data and give his/her unambiguous consent to this processing.
In this judgment, the Spanish Constitutional Court declares that the prior information and consent of the employee to video recording is not required in this case, because a video surveillance system aims at contributing to the control and security of employees. Additionally, as a visible distinctive sign had been placed at the premises, the employer was exempted from informing each employee individually. Furthermore, Art. 20 of the Spanish Statute of Rights for Workers allows the employer to control and monitor its employees in order to ensure that they fulfill their obligations. In this sense, the monitoring cannot violate the employee's dignity.
16. March 2016
On the 14th March, the Digital Commissioner Günther Oettinger spoke about the EU-U.S. Privacy Shield at the CeBIT fair (Center for Office Automation, Information Technology and Telecommunication), which takes place in Hannover (Germany) from the 14th until the 18th March.
Oettinger stated that the EU DPAs will evaluate the EU-U.S. Privacy Shield in the upcoming weeks, so that the new Framework can be effective in June 2016. He also remarked that without a legal regulation for international transfers of personal data, “the trust in cloud services will be low”.
The EU DPAs are expected to meet on the 12th-13th April in order to issue their opinion on the EU-U.S. Privacy Shield. However, this opinion will not be binding.
The Consumer Protection Association of North-Rhine Westphalia submitted a formal complaint against Fashion ID, run by Peek & Cloppenburg. The Düsseldorf District Court in Germany had to rule whether Peek & Cloppenburg was allowed to have the Facebook Like button on its shopping website. The court decided that in this case the Facebook Like button violated German and EU Data Protection Law. Fashion ID was transferring the information gathered about its consumers to the social network, irrespective of whether the consumer was signed in to Facebook or not. Furthermore, it was criticized that the data subject's personal data was transferred to Facebook even without the Facebook Like button having been clicked.
The Court decided that such a procedure is not compliant with the applicable law. Companies should therefore implement measures that safeguard the personal data of the consumer and not transfer the gathered information to other parties without the informed consent of the data subject.
11. March 2016
After the details of the EU-U.S. Privacy Shield were released on February 29th, several institutions will examine its legal implications and validity in order to determine if the new Framework complies with the European Standards on Data Protection. One of these institutions is the Article 29 WP, which will reveal its opinion on the EU-U.S. Privacy Shield by the end of April.
Eduardo Ustaran, an expert in international Privacy and Data Protection, has analyzed the positive impact that the EU-U.S. Privacy Shield may have for the future development of global privacy:
- This Framework may spread the European Data Protection culture widely at an international level, because multinationals will adopt this model globally in order to comply with the European Standards.
- Additionally, the U.S. government is adapting its legislation to the Data Protection requirements established by EU legislation in this field. For example, the U.S. Judicial Redress Act was approved in February 2016, in line with the new conflict resolution system proposed in the Privacy Shield. This way, EU citizens will have the possibility to raise complaints with U.S. authorities when their rights to Privacy and Data Protection have been violated by an organization.
- The judiciary will also play an important role as the ultimate institution mediating between citizens and the state.
- As mentioned above, the conflict resolution system proposed in the Privacy Shield includes the participation of several institutions at different levels, which gives individuals many ways to exercise their rights as data subjects. Therefore, individuals will be able, for example, to raise a complaint with the organization or with the local DPA.
- The Framework may foster communication and collaboration between American and European institutions. For instance, an annual review of the Framework is foreseen.
2. March 2016
According to an article on the International Association of Privacy website, Chinese privacy laws are still in their early stages, and the existing laws are similar to international norms such as notice and security. Nevertheless, the development of Chinese privacy law should not be ignored by companies that wish to enter the Chinese market, since China is a growing economic power with a large consumer base. To understand Chinese privacy awareness, companies have to understand the cultural background and Chinese consumer expectations.
First of all, there should be a focus on community values, because the Chinese place great importance on values and ethics. It is therefore worthwhile to develop corporate policies that show an understanding of these community values. For Chinese people it is important that privacy law protects their private lives from community exposure.
Secondly, companies should try to understand the expectations of Chinese consumers. The Chinese may be more open to data processing, especially if the processing leads to pragmatic outcomes, such as tailored features. Also, the Chinese may have fewer expectations towards privacy compared with other values, such as corporate transparency. Therefore, companies should adjust their policies and put emphasis on transparency reports.
1. March 2016
On the 29th February 2016, the European Commission released a fact sheet with Frequently Asked Questions related to the EU-U.S. Privacy Shield. The EU-U.S. Privacy Shield aims at regulating international data transfers between the EU (including the EEA countries Norway, Liechtenstein and Iceland) and the U.S., after the Safe Harbor Decision was declared invalid by the ECJ in October 2015.
The EU-U.S. Privacy Shield is a new adequacy decision, under which U.S. companies that comply with the described data protection principles and abide by the obligations described in the Framework will be considered to ensure an adequate level of data protection.
In contrast to the former Safe Harbor Decision, the EU-U.S. Privacy Shield imposes stronger obligations on companies related to monitoring and enforcement, and prevents generalized access to EU personal data by U.S. public authorities.
Under the Privacy Shield, U.S. companies will have to self-certify that they meet the requirements described in the Framework. The U.S. Department of Commerce will actively verify that the certifying company actually meets the requirements to certify, for example by reviewing the company's privacy policy.
A key aspect of the Privacy Shield is the possibility for EU data subjects to obtain redress in the U.S. in case their personal data is misused by commercial companies. Redress can be sought through the following alternatives for the data subject:
- to lodge a complaint with the company itself, or
- to lodge a complaint with their local DPA, or
- to use the Alternative Dispute Resolution (ADR) mechanisms, or
- to seek arbitration by having recourse to the Privacy Shield Panel, if the case is not resolved by any of the abovementioned alternatives.
Redress with regard to national security will be ensured through the institution of the Ombudsman.
All these aspects of the new EU-U.S. Privacy Shield have been reflected in the Judicial Redress Act, signed on February 24th. This Act gives EU citizens the possibility to bring privacy issues before U.S. courts in relation to personal data transfers for law enforcement purposes. This Act aims at providing EU citizens with the same rights as U.S. citizens.
Also, the so-called EU-U.S. “Umbrella Agreement” covers relevant aspects of data protection regarding EU-U.S. law enforcement cooperation for the purposes of crime and terrorism prevention. This agreement is not a legal basis for data transfers itself, but it will provide safeguards for data transfers made under other existing agreements.
26. February 2016
In February 2016, the French DPA (CNIL) published a single authorization decision (AU-046) covering data processing activities by public bodies and private organizations for the purpose of managing and enforcing court actions.
The CNIL states that, in this context, corporations may process certain categories of personal data, such as criminal convictions, offences or security measures, in order to defend their interests in court. Art. 25. I. 3° of the French Data Protection Act regulates the processing of these categories of personal data, for which a prior authorization from the CNIL is required. The prevention of criminal offences also falls under the scope of this article. However, this article does not apply to offences and convictions that are not related to the criminal sphere.
The AU-046 aims at accelerating and simplifying the process of obtaining the CNIL's authorization for the processing of these categories of personal data. The scope of this authorization is processing related to offences, convictions and security measures in order to prepare, perform and follow disciplinary action or judicial proceedings and, if necessary, to enforce the decision.
This authorization concerns all sectors and all types of litigation.