Tag: EDPB

EDPB creates “Cookie Banner Taskforce”

5. October 2021

On September 27, 2021, the European Data Protection Board (EDPB) announced that it has established a “Cookie Banner” taskforce in order to coordinate the complaints and corresponding responses filed with several EU data protection authorities (DPA) by the non-governmental organization None of Your Business (NOYB) in relation to website cookie banners.

In May 2021 NOYB sent over 500 draft and formal complaints to companies residing in the EU regarding the use of their cookie banners. The complaints seem to focus on the absence of a “reject all” button on most of the websites as well as the way cookie banners use deceptive design in order to get data subjects to consent to the use of non-essential cookies. Another regular complaint is the difficulty for refusing cookies, as opposed to the simple way of consenting to them.

The EDPB stated that “this taskforce was established in accordance with Art. 70 (1) (u) GDPR and aims to promote cooperation, information sharing and best practices between the DPAs”. The taskforce is meant to exchange views on legal analysis and possible infringements, provide support to activities on the national levels and streamline communication.

EDPS and the EDPB call for a tightening of the EU draft legislation on the regulation of Artificial Intelligence (AI)

26. July 2021

In a joint statement, the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) call for a general ban on the use of artificial intelligence for the automated recognition of human characteristics in publicly accessible spaces. This refers to surveillance technologies that recognise faces, human gait, fingerprints, DNA, voice, keystrokes and other biometric or behavioral signals. In addition to the AI-supported recognition of human characteristics in public spaces, the EDPS and EPDB also call for a ban of AI systems using biometrics to categorize individuals into clusters based on ethnicity, gender, political or sexual orientation, or other grounds on which discrimination is prohibited under Article 21 of the Charter of Fundamental Rights. With the exception of individual applications in the medical field, EDPS and the EDPB are also calling for a ban on AI for sentiment recognition.

In April, the EU Commission presented a first draft law on the regulation of AI applications. The draft explicitly excluded the area of international law enforcement cooperation. The EDPS and EDPB expressed “concern” about the exclusion of international law enforcement cooperation from the scope of the draft. The draft is based on a categorisation of different AI applications into different types of risk, which are to be regulated to different degrees depending on the level of risk to the fundamental rights. In principle, the EDPS and EDPB support this approach and the fact that the EU is addressing the issue in general. However, they call for this concept of fundamental rights risk to be adapted to the EU data protection framework.

Andrea Jelinek, EDPB Chair, and Wojciech Wiewiórowski, of the EDPS, are quoted:

Deploying remote biometric identification in publicly accessible spaces means the end of anonymity in those places. Applications such as live facial recognition interfere with fundamental rights and freedoms to such an extent that they may call into question the essence of these rights and freedoms.

The EDPS and EDPB explicitly support, that the draft provides for national data protection authorities to become competent supervisory authorities for the application of the new regulation and explicitly welcome, that the EDPS is intended to be the competent authority and the market surveillance authority for the supervision of the Union institutions, agencies and bodies. The idea that the Commission also gives itself a predominant role in the “European Artificial Intelligence Board” is questioned by the EU data protection authorities. “This contradicts the need for a European AI Board that is independent of political influence”. They call for the board to be given more autonomy, to ensure its independence.

Worldwide there is great resistance against the use of biometric surveillance systems in public spaces. A large global alliance of 175 civil society organisations, academics and activists is calling for a ban on biometric surveillance in public spaces. The concern is that the potential for abuse of these technologies is too great and the consequences too severe. For example, the BBC reports that China is testing a camera system on Uighurs in Xinjiang that uses AI and facial recognition to detect emotional states. This system is supposed to serve as a kind of modern lie detector and be used in criminal proceedings, for example.

EDPB adopts final Recommendation 01/2020 on Supplementary Measures for Data Transfers to Third Countries

22. June 2021

On June 21st, 2021 during its 50th plenary session, the European Data Protection Board (EDPB) adopted a final version of its recommendations on the supplementary measures for data transfers.

In its recent judgment C-311/18 (Schrems II) the Court of Justice of the European Union (CJEU) has decided that, while the Standard Contractual Clauses (SCCs) are still a valid data transfer mechanism, controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In the cases where the effectiveness of appropriate safeguards is reduced due to the legal situation in the third country, exporters may need to implement additional measures that fill the gaps.

To help exporters with the complex task of assessing third countries and identifying appropriate supplementary measures where needed, the EDPB has adopted this recommendation. They highlight steps to follow, potential information sources as well as non-exhaustive examples of supplementary measures that are meant to help exporters make the right decisions for data transfers to third countries.

The recommendations advise exporters to follow the following steps in order to have a good overview of data transfers and potential supplementary measures necessary:

1. Know the data transfers that take place in your organization – being aware of where data flows is essential to identify potentially necessary supplementary measures;

2. Verify the transfer tool that each transfer relies on and its validity as well as application to the transfer;

3. Assess if a law or a practice in the third country impinges on the effectiveness of the transfer tool;

4. Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard;

5. Take formal procedural steps that may be required by the adoption of your supplementary measure, depending on the transfer tool you are relying on;

6. Re-evaluate the level of protection of the data you transfer at appropriate intervals and monitor any potential changes that may affect the transfer.

The EDPB Chair, Andrea Jelinek, stated that “the effects of Schrems II cannot be underestimated”, and that the “EDPB will continue considering the effects of the Schrems II ruling and the comments received from stakeholders in its future guidance”.

The recommendations clearly highlight the importance of exporters to understand and keep an eye on their data transfers to third countries. In Germany, the Supervisory Authorities have already started (in German) to send out questionnaires to controllers regarding their data transfers to third countries and the tools used to safeguard the transfers. Controllers in the EU should be very aware of the subject of data transfers in their companies, and prepare accordingly.

Belgian DPA approves first EU Data Protection Code of Conduct for Cloud Service Providers

21. June 2021

On May 20th, 2021, the Belgian Data Protection Authority (Belgian DPA) announced that it had approved the EU Data Protection Code of Conduct for Cloud Service Providers (EU Cloud CoC). The EU Cloud CoC is the first transnational EU code of conduct since the entry into force of the EU General Data Protection Regulation in May 2018.

The EU Cloud CoC represents a sufficient guarantee pursuant to Article 28 (1) and 28 (5) of the GDPR, as well as Recital 81 of the GDPR, which makes the adherence to the code by cloud service providers a valid way to secure potential data transfers.

In particular, the EU Cloud CoC aims to establish good data protection practices for cloud service providers, giving data subjects more security in terms of the handling of their personal data by cloud service providers. In addition, the Belgian DPA accredited SCOPE Europe as the monitoring body for the code of conduct, which will ensure that code members comply with the requirements set out by the code.

It further offers cloud service providers with practical guidance and a set of specific binding requirements (such as requirements regarding the use of sub-processors, audits, compliance with data subject rights requests, transparency, etc.), as well as objectives to help cloud service providers demonstrate compliance with Article 28 of the GDPR.

In the press release, the Chairman of the Belgian DPA stated that „the approval of the EU Cloud CoC was achieved through narrow collaboration within the European Data Protection Board and is an important step towards a harmonised interpretation and application of the GDPR in a crucial sector for the digital economy“.

EDPB adopts opinion on draft UK adequacy decisions

16. April 2021

In accordance with its obligation under Article 70 (1) (s) of the General Data Protection Regulation (GDPR), on April 13th, 2021, the European Data Protection Board (“EDPB”) adopted its opinions on the EU Commissions (“EC”) draft UK adequacy decision (please see our blog post). “Opinion 14/2021” is based on the GDPR and assesses both general data protection aspects and the public authority access to personal data transferred from the EEA for law enforcement and national security purposes contained in the draft adequacy decision, a topic the EC also discussed in detail. At the same time, the EDPB also issued “Opinion 15/2021” on the transfer of personal data under the Law Enforcement Directive (LED).

The EDPB notes that there is a strong alignment between the EU and the UK data protection regimes, especially in the principles relating to the processing of personal data. It expressly praises the fact that the adequacy decision is to apply for a limited period, as the EDPB also sees the danger that the UK could change its data protection laws. Andrea Jelinek, EDPB Chair, is quoted:

“The UK data protection framework is largely based on the EU data protection framework. The UK Data Protection Act 2018 further specifies the application of the GDPR in UK law, in addition to transposing the LED, as well as granting powers and imposing duties on the national data protection supervisory authority, the ICO. Therefore, the EDPB recognises that the UK has mirrored, for the most part, the GDPR and LED in its data protection framework and when analysing its law and practice, the EDPB identified many aspects to be essentially equivalent. However, whilst laws can evolve, this alignment should be maintained. So we welcome the Commission’s decision to limit the granted adequacy in time and the intention to closely monitor developments in the UK.”

But the EDPB also highlights areas of concern that need to be further monitored by the EC:

1. The immigration exemption, which restricts the rights of those data subjects affected.

2. How the transfer of personal data from the EEA to the UK could undermine EU data protection rules, for example on basis of future UK adequacy decisions.

3. Access to personal data by public authorities is given a lot of space in the opinion. For example, the Opinion analyses in detail the Investigatory Powers Act 2016 and related case law. The EDPB welcomes the numerous oversight and redress mechanisms in the UK but identifies a number of issues that need “further clarification and/or oversight”, namely bulk searches, independent assessment and oversight of the use of automated processing tools, and the safeguards provided under UK law when it comes to disclosure abroad, particularly with regard to the application of national security exemptions.

In summary, this EDPB opinion does not put any obstacles in the way of an adequacy decision and recognises that there are many areas where the UK and EU regimes converge. Nevertheless, it highlights very clearly that there are deficiencies, particularly in the UK’s system for monitoring national security, which need to be reviewed and kept under observation.

As for the next steps, the draft UK adequacy decisions will now be assessed by representatives of the EU Member States under the “comitology procedure“. The Commission can then adopt the draft UK adequacy decisions. A bridging period during which free data transfer to the UK is permitted even without an adequacy decision ends in June 2021 (please see our blog post).

EDPB released a new Guidance on Virtual Voice Assistants

31. March 2021

In recent years, Virtual Voice Assistants (VVA) have enjoyed increased popularity among technophile consumers. VVAs are integrated in modern smartphones like Siri on Apple or Google Assistant on Android mobile devices, but can also be found in seperate terminal devices like Alexa on the Amazon Echo device. With Smart Homes trending, VVAs are finding their ways into many homes.

However, in light of their general mode of operation and their specific usage, VVAs potentially have access to a large amount of personal data. They furthermore use new technologies such as machine learning and artificial intelligence in order to improve their services.

As both private households and corporate businesses are increasingly using VVAs and questions on data protection arise, the European Data Protection Board (EDPB) sought to provide guidance to the relevant data controllers. Therefore, the EDPB published a guidance on Virtual Voice Assistants earlier this month.

In its guidance, the EDPB specifically addresses VVA providers and VVA application developers. It encourages them to take considerations of data protection into account when designing their VVA service, as layed out by the principle of data protection by design and default under Art. 25 GDPR. The EDPB suggests that, for example, controllers could fulfil their information obligations pursuant to Art. 13/14 GDPR using voice based notifications if the VVA works with a screenless terminal device. VVA designers could also enable users to initiate a data subject request though easy-to-follow voice commands.

Moreover, the EDPB states that in their opinion, providing VVA services will require a Data Protection Impact Assessment according to Art. 35 GDPR. The guidance also gives further advice on complying with general data protection principles and is still open for public consultation until 23 April 2021.

EDPB published Guideline on Data Breach Examples for Controllers

28. January 2021

On January 18th, 2021, the European Data Protection Board (EDPB) published their draft Guidelines 01/2021 on Examples regarding Data Breach Notification.

These Guidelines are supposed to give further support to Controllers alongside the initial Guidelines on Personal Data Breach Notification under the GDPR, adopted by the Article 29 Working Party in February 2018. These new Guidelines are meant to consider different types of situations that the Supervisory Authorities have come across in the last two and a half years since the implementation of the GDPR.

The EDPB’s intention is to assist Controllers in deciding how to handle data breaches, namely by identifying the factors that they must consider when conducting risk assessments to determine whether a breach must be reported to relevant Supervisory Authorities as well as if a notification to the affected Data Subjects is necessary.

The draft Guidelines present examples of common data breach scenarios, including:

• ransomware attacks, where a malicious code encrypts the personal data and the attacker subsequently asks the controller for a ransom in exchange for the decryption code
• data exfiltration attacks, which exploit vulnerabilities in online services offered by the controller and typically aim at copying, exfiltrating and abusing personal data for malicious purposes
• human errors resulting in data breaches that are fairly common and can be both intentional and unintentional
• lost or stolen devices and paper documents
• “mispostal” scenarios, that arise from human error without malicious intent
• social engineering, such as identity theft and email exfiltration

The draft Guidelines further emphasize key elements of data breach management and response that organizations should consider, namely:

• proactively identifying system vulnerabilities in order to prevent data breaches from happening in the first place
• assessing whether a breach is likely to result in a risk to the rights and freedoms of the Data Subject, the timing of this assessment and the importance of Controllers not delaying a notification because of unclear circumstances
• implementing plans, procedures and guidelines indicating how to handle data breaches that have clear reporting lines and persons responsible for the recovery process
• organizing regular trainings for employees to raise awareness on data breach management, and the latest developments in the area
• documenting breaches in each and every case, irrespective of the risk they pose

The Guidelines will be open for public consultation until March 2nd, 2021, during which the EDPB will gather feedback on the draft.

EDPB extends consultation period for suplementary measures drafts in 42nd Plenary Session

26. November 2020

On November 19th, the European Data Protection Board (EDPB) met for its 42nd plenary session. During the session, the EDPB presented two new Standard Contractual Clauses (SCCs) drafts, which have been developed after the Schrems II decision to give more legal certainty to data transfers, as well as extended the public consultation period on transfer mechanisms until the 21st of December 2020.

The drafts presented by the EDPB include one set of SCCs for contracts between controllers and processors, and another one for data transfers outside the EU.

The first are completely new, and have been developed by the Commission in accordance with Art. 28 (7) GDPR and Art. 29 (7) of Regulation 2018/1725. This set of SCCs is intended for EU-wide application, and the Commission drafted them with the aim to ensure full harmonisation and legal certainty across the EU for contracts between controllers and processors.

The second set of drafts is a new take on the SCCs as transfer mechanisms according to Art. 46 (2) (c) GDPR. These SCCs will replace the existing SCCs for international transfers that were adopted on the basis of Directive 95/46 and needed to be updated to bring them in line with GDPR requirements, as well as with the CJEU’s ‘Schrems II’ ruling, and to better reflect the widespread use of new and more complex processing operations often involving multiple data importers and exporters.

The Commission requested a joint opinion from the EDPB and the EDPS on the implementation on both sets of SCCs.

During the plenary, the Members of the Board also decided to extend the deadline for the public consultation on the recommendations on measures that supplement transfer tools to ensure compliance with EU level of protection of personal data from, originally, 30th November 2020 until 21st December 2020.

The EDPB further adopted a statement on the future ePrivacy Regulation and the future role of supervisory authorities and the EDPB in this context during the plenary. The EDPB underlines that many of the provisions of the future ePrivacy Regulation relate to the processing of personal data and that many provisions of the GDPR and the ePrivacy Regulation are closely intertwined. The most efficient way to have consistent interpretation and enforcement of both sets of rules would therefore be fulfilled if the enforcement of those parts of the ePrivacy Regulation and the GDPR would be entrusted to the same authority. The EDPB further underlined the necessity to adopt the new Regulation as soon as possible.

Microsoft reacts on EDPB’s data transfer recommendations

24. November 2020

Microsoft (“MS”) is among the first companies to react to the European Data Protection Board’s data transfer recommendations (please see our article), as the tech giant announced in a blog post on November 19th. MS calls these additional safeguards “Defending Your Data” and will immediately start implementing them in contracts with public sector and enterprise customers.

In light of the Schrems II ruling by the Court of Justice of the European Union (“CJEU”) on June 16th, the EDPB issued recommendations on how to transfer data into non-EEA countries in accordance with the GDPR on November 17th (please see our article). The recommendations lay out a six-step plan on how to assess whether a data transfer is up to GDPR standards or not. These steps include mapping all data transfer, assessing a third countries legislation, assessing the tool used for transferring data and adding supplementary measures to that tool. Among the latter is a list of technical, organizational, and contractual measures to be implemented to ensure the effectiveness of the tool.

Julie Brill, Corporate Vice President for Global Privacy and Regulatory Affairs and Chief Privacy Officer at Microsoft, issued the statement in which she declares MS to be the first company responding to the EDPB’s guidance. These safeguards include an obligation for MS to challenge all government requests for public sector or enterprise customer data, where it has a lawful basis for doing so; to try and redirect data requests; and to notify the customer promptly if legally allowed, about any data request by an authority, concerning that customer. This was one of the main ETDB recommendations and also included in a draft for new Standard Contractual Clauses published by the European Commission on November 12th. MS announces to monetary compensate customers, whose personal data has to be disclosed in response to government requests.  These changes are additions to the SCC’s MS is using ever since Schrems II. Which include (as MS states) data encrypted to a high standard during transition and storage, transparency regarding government access requests to data (“U.S. National Security Orders Report” dating back to 2011; “Law Enforcement Requests Report“) .

Recently European authorities have been criticizing MS and especially its Microsoft 365 (“MS 365”) (formerly Office 365) tools for not being GDPR compliant. In July 2019 the Ministry of Justice in the Netherlands issued a Data Protection Impact Assessment (DPIA), warning authorities not to use Office 365 ProPlus, Windows 10 Enterprise, as well as Office Online and Mobile, since they do not comply with GDPR standards. The European Data Protection Supervisor issued a warning in July 2020 stating that the use of MS 365 by EU authorities and contracts between EU institutions and MS do not comply with the GDPR. Also, the German Data Security Congress (“GDSC”) issued a statement in October, in which it declared MS 365 as not being compliant with the GDPR. The GDSC is a board made up of the regional data security authorities of all 16 german states and the national data security authority. This declaration was reached by a narrow vote of 9 to 8. Some of the 8 regional authorities later even issued a press release explaining why they voted against the declaration. They criticized a missing involvement and hearing of MS during the process, the GDSC’s use of MS’ Online Service Terms and Data Processing Addendum dating back to January 2020 and the declaration for being too undifferentiated.

Some of the German data protection authorities opposing the GDSC’s statement were quick in welcoming the new developments in a joint press release. Although, they stress that the main issues in data transfer from the EU to the U.S. still were not solved. Especially the CJEU main reserves regarding the mass monitoring of data streams by U.S. intelligence agencies (such as the NSA) are hard to prevent and make up for. Still, they announced the GDSC would resume its talks with MS before the end of 2020.

This quick reaction to the EDPB recommendations should bring some ease into the discussion surrounding MS’ GDPR compliance. It will most likely help MS case, especially with the German authorities, and might even lead to a prompt resolution in a conflict regarding tools that are omnipresent at workplaces all over the globe.

EDPB adopts first decision under Art. 65 GDPR

20. November 2020

During its 41st plenary session, the European Data Protection Board (EDPB) adopted by a two-thirds majority of its members its first dispute resolution decision under Art. 65 GDPR regarding Twitter International Company. The binding decision aims to resolve a dispute arisen from a draft decision by the Irish supervisory authority, being the lead supervisory authority in that case, and subsequent relevant and reasoned objections raised by several authorities concerned.

The Irish supervisory authority prepared a draft decision following an own-initiative investigation into Twitter International Company, after the company had notified the Irish supervisory authority of a personal data breach on January 8th, 2019. According to Art. 60 (3) GDPR, the Irish supervisory authority submitted its draft decision to the other authorities concerned in May 2020, which had the opportunity to express their objections within a period of four weeks afterwards. They referred to, inter alia, violations of the GDPR identified by the lead supervisory authority, the role of Twitter International Company as the sole data controller, and the quantification of the proposed fine.

Due to the fact that the lead supervisory authority rejected the objections and/or considered them not to be “relevant and reasoned”, it submitted the matter to the EDPB pursuant to Art. 60 (4) GDPR, thus initiating the dispute resolution procedure.

Thereupon, the completeness of the file was evaluated, that led to the institution of legal proceedings stated in Art. 65 GDPR on September 8th, 2020. In accordance with Art. 65 (3) GDPR and in conjunction with Art. 11.4 of the EDPB Rules of Procedure, the default time period of one month was extended by a further month on account of the complexity of the subject-matter.

On November 9th, 2020, the EDPB adopted its binding decision and will shortly notify it to the Irish supervisory authority, which, on the other hand, will issue a final decision. It will be addressed to the data controller without undue delay and at the latest by one month after the EDPB has notified its decision. In compliance with the requirements of Art. 65 (6) GDPR, the lead supervisory authority shall inform the EDPB of the date when its final decision is notified respectively to the controller. After that, the EDPB decision will be published on its website.

Pages: 1 2 3 Next
1 2 3