Poland: First GDPR fine imposed

29. March 2019

The President of the Polish Supervisory Authority (Personal Data Protection Office, UODO) imposed the first fine for the amount of PLN 943,000, which is around € 220,000.

A Warsaw-based company received this fine for not being compliant with GDPR, particularly for failure to meet the information obligation of Article 14. The fined company commercially processes data from more than six million entrepreneurs, which it obtained from publicly available sources, such as the Central Electronic Register and Information on Economic Activity (CEIDG). The company’s database is often used by banks to verify the creditworthiness of the data subjects. According to the Polish Authority, the company did not provide the data subjects with the information requested in Art. 14 para 1-3 GDPR (e.g. the source of their data, the purpose of the data processing, the data subject’s rights under GDPR), hence the data subjects had no possibility to object to further processing of their data or to request their rectification or erasure.

Out of the six million data subjects only 90 000 were informed by the company via e-mail (more than 12 000 of them objected to the processing of their data). For the remaining subjects (whose e-mails were unknown) the company only presented the information clause on its website and therefore failed to comply with Art. 14 GDPR.

“The controller was aware of its obligation to provide information. Hence the decision to impose a fine of this amount on this entity”, said Dr Edyta Bielak-Jomaa, President of UODO. The company claimed that informing the data subjects by registered mail would have involved disproportionate costs and therefore relied on the vaguely worded exception in Art. 14 (5) GDPR, which applies where the provision of such information proves impossible or would involve a disproportionate effort. The supervisory authority, however, found this explanation insufficient, as the company could have called the data subjects or informed them by regular mail.

Advocate General: No Valid Cookie Consent When Checkbox Is Pre-ticked

25. March 2019

On 21 March Maciej Szpunar, Advocate General of the European Court of Justice, delivered his Opinion in the case of Planet24 GmbH against Bundesverband Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Federal Association of Consumer Organisations). In the Opinion, Szpunar explains how valid consent for the use of cookies must be obtained.

In the case in question, Planet24 GmbH organised a promotional lottery on the internet. When registering to participate in the lottery, two checkboxes appeared. The first checkbox, which was not pre-ticked, concerned permission for sponsors and cooperation partners to contact the participant in order to inform him of their offers. The second checkbox, which was already pre-ticked, concerned consent to the setting of cookies that evaluate the user’s surfing and usage behaviour.

The Federal Association held that the clauses used infringed German law, in particular Article 307 of the BGB, Article 7(2), point 2, of the UWG and Article 12 et seq. of the TMG, and filed a lawsuit in 2014 after an unsuccessful warning letter.

After passing through the lower courts, the case reached the German Federal Court of Justice in 2017. The Federal Court of Justice considers that the outcome of the case depends on the interpretation of Articles 5(3) and 2(f) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46, and of Article 6(1)(a) of Regulation 2016/679. For that reason, it referred the following questions to the European Court of Justice for a preliminary ruling:

(1) Does consent given on the basis of a pre-ticked box meet the requirements for valid consent under the ePrivacy Directive, the EU Data Protection Directive and the EU General Data Protection Regulation (the GDPR)?

(2) What information does the service provider have to provide to the user and does this include the duration of the use of cookies and whether third parties have access to the cookies?

According to the Advocate General, there is no valid consent if the checkbox is already ticked. In such a case, the user must remove the tick, i.e. become active, if he/she does not agree to the use of cookies. This contradicts the requirement of an active act of consent by the user: the user must explicitly consent to the use of cookies. For the same reason, it is not sufficient to use a single checkbox to cover both the use of cookies and participation in the lottery. Consent must be given separately; otherwise the user is not in a position to give a separate consent freely.

In addition, Szpunar explains that the user must be provided with clear and comprehensive information that enables the user to easily assess the consequences of his consent. This requires that the information provided is unambiguous and leaves no room for interpretation. For this purpose, the information must contain details such as the duration of the operation of the cookies, as well as whether third parties have access to the cookies.

The EU Commission fines Google 1.49 billion euros in antitrust case

21. March 2019

On Wednesday Google was fined 1.49 billion euros by the European Commission in connection with hindering competitors in the online advertising business.

The accusation is that Google has illegally exploited its market dominance. The company imposed a number of exclusivity clauses in contracts with third-party websites which prevented the company’s competitors from placing their search adverts on these websites. This concerns only a small area of Google’s “advertising machinery”. But still, as a result, other advertisers and website owners “had less choice and likely faced higher prices that would be passed on to consumers,” said the EU’s competition commissioner, Margrethe Vestager.

In the last two years, this is the third time that Europe’s antitrust regulators, led by Danish competition commissioner Margrethe Vestager, have fined the tech company. Google has appealed against the two previous fines. The first fine (2.42 billion euros) was for manipulating online shopping results and directing visitors to its own comparison-shopping service at the expense of its competitors. The second, amounting to 4.34 billion euros, concerned mobile phone manufacturers that were forced, in order to use Google’s Android operating system, to install the company’s search and browser apps.


Cookiebot publishes “Ad Tech Surveillance on the Public Sector Web”

20. March 2019

Cookiebot recently published a report titled “Ad Tech Surveillance on the Public Sector Web”. Cookiebot used its scanning technology to analyse tracking across official government websites and public health service websites in all 28 European Union member states. More than 100 advertising technology companies track EU citizens who visit those public sector websites, gaining access through free third-party services such as video plug-ins and social sharing buttons.

Such ad trackers were found on 25 of the 28 official government websites in the EU. Only the Dutch, German and Spanish websites had no commercial trackers. The most were found on the French website (52 trackers), followed by the Latvian website (27 trackers).

Cookiebot also investigated tracking on public health service sites and found that 52% of landing pages with health information contained ad trackers. The worst ranked was the Irish health service, with 73% of landing pages containing trackers. Even the lowest ranked country, Germany, still had trackers on one third of its landing pages.

The trackers got in via free third-party website plugins. For example, Ireland’s public health service (Health Service Executive, HSE) installed the sharing tool ShareThis, which acts like a Trojan horse that lets more than 20 ad tech companies into every website it is installed on.

Most of the tracking tools are controlled by Google. It controls the top three tracking domains found and therefore tracks visits to 82% of the main government websites of the EU. A complete list of all the trackers can be found in the published report.

Draft of a new data protection law in Thailand

15. March 2019

Thailand’s National Legislative Assembly has approved and endorsed a draft of a new data protection law called the Personal Data Protection Act (PDPA). The legislative process will be completed within the next few weeks: the draft will be submitted for royal endorsement and published in the Government Gazette.

The draft provides a one-year period for implementation of the new requirements. This grace period is intended to help business operators prepare for and implement the new obligations.

The draft of the PDPA follows and replicates the provisions of the European General Data Protection Regulation (GDPR) in order to demonstrate that Thailand provides an adequate level of data protection. This is a prerequisite for an adequacy decision by the European Commission, which requires that the exchange of personal data is based on strong safeguards meeting EU standards. If the European Commission adopts an adequacy decision, as it recently did for Japan, data flows to Thailand as a third country in terms of the GDPR will become much easier for European companies.

GPEN publishes annual Sweep

14. March 2019

On May 9th, 2019, GPEN (the Global Privacy Enforcement Network) shared its “2018 Sweep”, an annual intelligence-gathering exercise that looked at how well organisations have built data privacy accountability into their internal privacy policies and programmes.

GPEN is a global network of more than 60 data protection agencies. The 2018 Sweep was a collaboration between New Zealand’s data protection authority (the Office of the Privacy Commissioner, “OPC”) and the UK’s data protection authority (the Information Commissioner’s Office, “ICO”) and was carried out by several data protection authorities across the globe.

The participating authorities reached out to 667 companies with a set of pre-determined questions that focus on key elements of responsible data protection. Those elements were:

  • The importance of internal policies and procedures for data governance;
  • Training and awareness;
  • Transparency about data practices;
  • The assessment and mitigation of risk;
  • Incident Management.

Of the 667 organisations contacted, only 53% (356) provided substantive responses, and a large proportion of those had appointed an individual or a team to ensure compliance with the relevant data protection regulations.

The 2018 Sweep shows that many organisations are quite good at providing data protection training to their employees, but companies have to ensure that such training is offered to all employees and takes place on a regular basis. It was also found that several organisations have processes in place for dealing with data subject complaints and handling data breaches.

Overall, most organisations are aware of data protection and have a good understanding of it. Nevertheless, they have to make sure that they have clear policies and procedures in place and monitor their performance regarding the relevant laws and regulations.

Brexit: Deal or “No-deal”

12. March 2019

Yesterday evening, shortly before the vote of the UK Parliament on the terms of Brexit and, if necessary, its postponement, Theresa May met again with Jean-Claude Juncker in Strasbourg. Both sides agreed on “clarifications and legal guarantees” regarding the fall-back solution for Northern Ireland.

These (slightly) expand the United Kingdom’s (UK) ability to appeal to an arbitration court in the event that the EU should “hold the UK hostage” in the customs union by means of the backstop clause beyond 2020. This “legally binding instrument”, as Juncker called it, is intended to clarify that the backstop clause on the Irish border is not to be regarded as a permanent solution. This is also to be confirmed in a joint political declaration on the future relations between the two sides. However, the wording of the supplementary arrangement is legally vague.

May is nevertheless confident that the British Parliament will approve the “new” agreement, which is to be voted on tonight. Meanwhile, Jeremy Corbyn, Labour Party leader, has urged MPs to vote against the agreement. In any case, Juncker has already rejected further negotiations on adjustments to the current version of the withdrawal agreement, emphasising that there will be no “third chance”. By 23rd May, when the EU elections begin, the Kingdom shall have left the EU.

The votes on the “how” and “when” of Brexit will be taken in the next few days, starting tonight at 8 p.m. CET. If the withdrawal agreement is rejected again today, Parliament will vote on a no-deal Brexit tomorrow (the UK would then be a third country in the sense of the GDPR as of 30th March). If this is also rejected, Parliament will vote on 14th March on a delay of the Brexit date. A postponement could then lead to a new referendum and thus to a renewed decision on the question of “whether” Brexit will actually take place.


Dutch DPA: Cookie walls do not comply with GDPR

11. March 2019

The Dutch data protection authority, Autoriteit Persoonsgegevens, clarified on 7 March 2019 that websites must remain accessible when tracking cookies are not accepted. Websites that allow users access only if they agree to the use of tracking cookies or other similar means of tracking and recording their behaviour do not comply with the General Data Protection Regulation (GDPR).

The Dutch DPA’s decision was prompted by numerous complaints from website users who no longer had access to the websites after refusing the usage of tracking cookies.

The Dutch DPA noted that the use of tracking software is generally allowed. Tracking the behaviour of website users, however, must be based on valid consent. To be compliant with the GDPR, consent must be given freely. In the case of so-called cookie walls the user has no access to the website if he does not agree to the setting of cookies. In this way, pressure is exerted on the user to disclose his personal data. Under the GDPR, however, consent is not freely given if the user has no free or genuine choice.

With the publication of this clarification, the Dutch DPA requires organisations to bring their practice into compliance with the GDPR. The DPA has already written to the organisations about which users have complained the most. In addition, it announced that it would intensify its monitoring in the near future in order to examine whether the standard is being applied correctly in the interest of data protection.

EDPB publishes information note on data transfer in the event of a no-deal Brexit

25. February 2019

The European Data Protection Board has published an information note explaining to organisations how data transfers will be handled, and facilitating their preparation, in the event that no agreement is reached between the EEA and the UK. In the case of a no-deal Brexit, the UK becomes a third country for which, as things stand at present, no adequacy decision exists.

EDPB recommends that organisations transferring data to the UK carry out the following five preparation steps:

• Identify what processing activities will imply a personal data transfer to the UK
• Determine the appropriate data transfer instrument for your situation
• Implement the chosen data transfer instrument to be ready for 30 March 2019
• Indicate in your internal documentation that transfers will be made to the UK
• Update your privacy notice accordingly to inform individuals

In addition, EDPB explains which instruments can be used to transfer data to the UK:

• Standard or ad hoc Data Protection Clauses approved by the European Commission can be used.
• Binding Corporate Rules for data processing can be defined.
• A code of conduct or certification mechanism can be established.

Derogations are possible in the cases mentioned by article 49 GDPR. However, they are interpreted very restrictively and mainly relate to processing activities that are occasional and non-repetitive. Further explanations on available derogations and how to apply them can be found in the EDPB Guidelines on Article 49 of GDPR.

The French data protection authority CNIL has published an FAQ based on the information note of the EDPB, explaining the consequences of a no-deal Brexit for the data transfer to the UK and which preparations should be made.

Brexit: Authorities will enforce unlawful data transfers

It seems very likely that the UK will leave the EU under a “no-deal” scenario and become a third country in terms of data protection. Besides the fact that, in the absence of an adequacy decision, each transfer of personal data between the EU and the UK will need to be appropriately safeguarded, UK companies doing business in the EU may have to designate an EU representative. In addition, under the GDPR, companies involved in the cross-border transfer of personal data obtained within the EU will need to consider specific documentation and information obligations.

As the UK and the EU have not yet even been able to agree on a transition period, all of these data protection obligations must be in place as of 30th March, 00:00 h (CET). The data protection authorities of the EU have already announced that they will not grant a transition period for the data protection measures and actions required under the GDPR. The unlawful transfer or processing of personal data to or within the UK will thus not be tolerated by the EU supervisory authorities from day one after Brexit. Bearing this in mind, the EU Commission’s Standard Contractual Clauses should first and foremost be in place, unless another appropriate safeguard, such as Binding Corporate Rules (BCR), already exists to ensure the lawfulness of the transfer of EU personal data.

If not already done, now is the time to think about the required steps and develop a “Brexit data protection strategy” in order to be compliant with the GDPR when the UK leaves the EU under a “no-deal” Brexit.
