Tag: European Data Protection Board
31. March 2021
In recent years, Virtual Voice Assistants (VVA) have enjoyed increased popularity among technophile consumers. VVAs are integrated in modern smartphones like Siri on Apple or Google Assistant on Android mobile devices, but can also be found in seperate terminal devices like Alexa on the Amazon Echo device. With Smart Homes trending, VVAs are finding their ways into many homes.
However, in light of their general mode of operation and their specific usage, VVAs potentially have access to a large amount of personal data. They furthermore use new technologies such as machine learning and artificial intelligence in order to improve their services.
As both private households and corporate businesses are increasingly using VVAs and questions on data protection arise, the European Data Protection Board (EDPB) sought to provide guidance to the relevant data controllers. Therefore, the EDPB published a guidance on Virtual Voice Assistants earlier this month.
In its guidance, the EDPB specifically addresses VVA providers and VVA application developers. It encourages them to take considerations of data protection into account when designing their VVA service, as layed out by the principle of data protection by design and default under Art. 25 GDPR. The EDPB suggests that, for example, controllers could fulfil their information obligations pursuant to Art. 13/14 GDPR using voice based notifications if the VVA works with a screenless terminal device. VVA designers could also enable users to initiate a data subject request though easy-to-follow voice commands.
Moreover, the EDPB states that in their opinion, providing VVA services will require a Data Protection Impact Assessment according to Art. 35 GDPR. The guidance also gives further advice on complying with general data protection principles and is still open for public consultation until 23 April 2021.
10. February 2021
In the two and a half years since the General Data Protection Regulation (GDPR) has come into effect, a lot of organizations have gotten used to the new laws and standards it has established. However, there are still a lot of unanswered questions in certain industries, one of those industries being life sciences, and more specifically clinical trials.
The GDPR and the guidance of the European Data Protection Board (EDPB) allow for a lot of speculation, due to the fact that they are unable to fully specify the reach and definitive approach to data protection in a lot of industries.
This short series aims to give an overview on the handling of clinical trials from a data protection point of view, as well as answers to important questions that come up in day to day business in the industry.
In general, clinical trials are a processing activity according to Art. 4 (2) GDPR, therefore the basic data protection obligations are to be applied to clinical trials, such as:
- Following the basic GDPR principles laid out in Art. 5 GDPR, namely lawfulness, fairness and transparency, purpose limitation, data minimisation, data accuracy, storage limitation, integrity, confidentiality and accountability
- Information obligations of the controller according to Art. 13, 14 GDPR
- Data Subjects Rights according to Art. 15 to Art. 21 GDPR
- Obligation to have a record of processing activities according to Art. 30 para. 1, 2 GDPR
- Security Measures need to be in place, in compliance with Art. 32 GDPR
- Data Breach Notifications to the supervisory authority as well as the data subjects according to Art. 33, 34 GDPR
- A Data Protection Impact Assessment has to be done prior to the start of the clinical trials, according to Art. 35 GDPR
However, the first and foremost important question regarding the processing of personal data for clinical trials is:
Which legal basis is applicable to the processing?
The EDPB addressed this issue in their Opinion on the Interplay between Clinical Trials and the GDPR, and has, in a first instance, differentiated between the processing of personal data for clinical trial protocols as primary purpose of the processing, and, on the other hand, clinical trials as a secondary purpose next to, for example, patient care.
According to the EDPB’s opinion, the applicable legal basis is to be determined by the controller on a case by case basis. However, the EDPB does give their own general assessment on the legal basis applicable for the different scenarios that have crystalized in the eyes of the EDPB:
- Primary use of the processed personal data for clinical trials
a. Processing activities related to reliability and safety
-> Legal obligations of the controller, Art. 6 para. 1 (c) GDPR in conjunction with Art. 9 para. 1 (i) GDPR
b. Processing activities purely related to research activities
-> Task carried out in the public interest, Art. 6 para. 1 (e) GDPR in conjunction with Art. 9 para. 2 (i) or (j) GDPR
-> Legitimate interest of the controller, Art. 6 para. 1 (f) GDPR in conjunction with Art. 9 para. 2 (j) GDPR
-> In specific circumstances, explicit consent of the data subject, Art. 6 para. 1 (a) GDPR and Art. 9 para. 2 (a) GDPR - Secondary use of the clinical trial data outside the clinical trial protocol for scientific purposes
-> Explicit consent of the data subject, Art. 6 para. 1 (a) GDPR and Art. 9 para. 2 (a) GDPR
While the guidance in assessing the legal basis for the processing is helpful, the EDPB does not address any further open issues regarding clinical trials in their opinion. Nonetheless, there are further subjects that cause confusion.
However, some of these subjects will be treated in our next part of this series, where we will have a closer look at clinical trial sponsorship from outside the EEA as well as the questions revolving around controllership roles in clinical trials.
28. January 2021
On January 18th, 2021, the European Data Protection Board (EDPB) published their draft Guidelines 01/2021 on Examples regarding Data Breach Notification.
These Guidelines are supposed to give further support to Controllers alongside the initial Guidelines on Personal Data Breach Notification under the GDPR, adopted by the Article 29 Working Party in February 2018. These new Guidelines are meant to consider different types of situations that the Supervisory Authorities have come across in the last two and a half years since the implementation of the GDPR.
The EDPB’s intention is to assist Controllers in deciding how to handle data breaches, namely by identifying the factors that they must consider when conducting risk assessments to determine whether a breach must be reported to relevant Supervisory Authorities as well as if a notification to the affected Data Subjects is necessary.
The draft Guidelines present examples of common data breach scenarios, including:
• ransomware attacks, where a malicious code encrypts the personal data and the attacker subsequently asks the controller for a ransom in exchange for the decryption code
• data exfiltration attacks, which exploit vulnerabilities in online services offered by the controller and typically aim at copying, exfiltrating and abusing personal data for malicious purposes
• human errors resulting in data breaches that are fairly common and can be both intentional and unintentional
• lost or stolen devices and paper documents
• “mispostal” scenarios, that arise from human error without malicious intent
• social engineering, such as identity theft and email exfiltration
The draft Guidelines further emphasize key elements of data breach management and response that organizations should consider, namely:
• proactively identifying system vulnerabilities in order to prevent data breaches from happening in the first place
• assessing whether a breach is likely to result in a risk to the rights and freedoms of the Data Subject, the timing of this assessment and the importance of Controllers not delaying a notification because of unclear circumstances
• implementing plans, procedures and guidelines indicating how to handle data breaches that have clear reporting lines and persons responsible for the recovery process
• organizing regular trainings for employees to raise awareness on data breach management, and the latest developments in the area
• documenting breaches in each and every case, irrespective of the risk they pose
The Guidelines will be open for public consultation until March 2nd, 2021, during which the EDPB will gather feedback on the draft.
26. November 2020
On November 19th, the European Data Protection Board (EDPB) met for its 42nd plenary session. During the session, the EDPB presented two new Standard Contractual Clauses (SCCs) drafts, which have been developed after the Schrems II decision to give more legal certainty to data transfers, as well as extended the public consultation period on transfer mechanisms until the 21st of December 2020.
The drafts presented by the EDPB include one set of SCCs for contracts between controllers and processors, and another one for data transfers outside the EU.
The first are completely new, and have been developed by the Commission in accordance with Art. 28 (7) GDPR and Art. 29 (7) of Regulation 2018/1725. This set of SCCs is intended for EU-wide application, and the Commission drafted them with the aim to ensure full harmonisation and legal certainty across the EU for contracts between controllers and processors.
The second set of drafts is a new take on the SCCs as transfer mechanisms according to Art. 46 (2) (c) GDPR. These SCCs will replace the existing SCCs for international transfers that were adopted on the basis of Directive 95/46 and needed to be updated to bring them in line with GDPR requirements, as well as with the CJEU’s ‘Schrems II’ ruling, and to better reflect the widespread use of new and more complex processing operations often involving multiple data importers and exporters.
The Commission requested a joint opinion from the EDPB and the EDPS on the implementation on both sets of SCCs.
During the plenary, the Members of the Board also decided to extend the deadline for the public consultation on the recommendations on measures that supplement transfer tools to ensure compliance with EU level of protection of personal data from, originally, 30th November 2020 until 21st December 2020.
The EDPB further adopted a statement on the future ePrivacy Regulation and the future role of supervisory authorities and the EDPB in this context during the plenary. The EDPB underlines that many of the provisions of the future ePrivacy Regulation relate to the processing of personal data and that many provisions of the GDPR and the ePrivacy Regulation are closely intertwined. The most efficient way to have consistent interpretation and enforcement of both sets of rules would therefore be fulfilled if the enforcement of those parts of the ePrivacy Regulation and the GDPR would be entrusted to the same authority. The EDPB further underlined the necessity to adopt the new Regulation as soon as possible.
20. November 2020
During its 41st plenary session, the European Data Protection Board (EDPB) adopted by a two-thirds majority of its members its first dispute resolution decision under Art. 65 GDPR regarding Twitter International Company. The binding decision aims to resolve a dispute arisen from a draft decision by the Irish supervisory authority, being the lead supervisory authority in that case, and subsequent relevant and reasoned objections raised by several authorities concerned.
The Irish supervisory authority prepared a draft decision following an own-initiative investigation into Twitter International Company, after the company had notified the Irish supervisory authority of a personal data breach on January 8th, 2019. According to Art. 60 (3) GDPR, the Irish supervisory authority submitted its draft decision to the other authorities concerned in May 2020, which had the opportunity to express their objections within a period of four weeks afterwards. They referred to, inter alia, violations of the GDPR identified by the lead supervisory authority, the role of Twitter International Company as the sole data controller, and the quantification of the proposed fine.
Due to the fact that the lead supervisory authority rejected the objections and/or considered them not to be “relevant and reasoned”, it submitted the matter to the EDPB pursuant to Art. 60 (4) GDPR, thus initiating the dispute resolution procedure.
Thereupon, the completeness of the file was evaluated, that led to the institution of legal proceedings stated in Art. 65 GDPR on September 8th, 2020. In accordance with Art. 65 (3) GDPR and in conjunction with Art. 11.4 of the EDPB Rules of Procedure, the default time period of one month was extended by a further month on account of the complexity of the subject-matter.
On November 9th, 2020, the EDPB adopted its binding decision and will shortly notify it to the Irish supervisory authority, which, on the other hand, will issue a final decision. It will be addressed to the data controller without undue delay and at the latest by one month after the EDPB has notified its decision. In compliance with the requirements of Art. 65 (6) GDPR, the lead supervisory authority shall inform the EDPB of the date when its final decision is notified respectively to the controller. After that, the EDPB decision will be published on its website.
17. November 2020
Following the recent judgment C-311/18 (Schrems II) by the Court of Justice of the European Union (CJEU), the European Data Protection Board (EDPB) published “Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” on November 11th. These measures are to be considered when assessing the transfer of personal data to countries outside of the European Economic Area (EEA), or so-called third countries. These recommendations are subject to public consultation until the end of November. Complementing these recommendations, the EDPB published “Recommendations on the European Essential Guarantees for surveillance measures”. Added together both recommendations are guidelines to assess sufficient measures to meet standards of the General Data Protection Regulation (GDPR), even if data is transferred to a country lacking protection comparable to that of the GDPR.
The EDPB highlights a six steps plan to follow when checking whether a data transfer to a third country meets the standards set forth by the GDPR.
The first step is to map all transfers of personal data undertaken, especially transfers into a third country. The transferred data must be adequate, relevant and limited to what is necessary in relation to the purpose. A major factor to consider is the storage of data in clouds. Furthermore, onwards transfer made by processors should be included. In a second step, the transfer tool used needs to be verified and matched to those listed in Chapter V of the GDPR. The third step is assessing if anything in the law or practice of the third country can impinge on the effectiveness of the safeguards of the transfer tool. The before mentioned Recommendations on European Essential Guarantees are supposed to help to evaluate a third countries laws, regarding the access of data by public authorities for the purpose of surveillance.
If the conclusion that follows the previous steps is that the third countries legislation impinges on the effectiveness of the Article 46 GDPR tool, the fourth step is identifying supplementary measures that are necessary to bring the level of protection of the data transfer up to EU Standards, or at least an equivalent, and adopting these. Recommendations for such measures are listed in Annex 2 of the EDPB Schrems II Recommendations. They may be of contractual, technical, or organizational nature. In Annex 2 the EDPB mentions seven technical cases they found and evaluates them. Five were deemed to be scenarios for which effective measures could be found. These are:
1. Data storage in a third country, that does not require access to the data in the clear.
2. Transfer of pseudonymized data.
3. Encrypted data merely transiting third countries.
4. Transfer of data to by law specially protected recipients.
5. Split or multi-party processing.
Maybe even more relevant are the two scenarios the EDPB found no effective measures for and therefore deemed to not be compliant with GDPR standards.:
6. Transfer of data in the clear (to cloud services or other processors)
7. Remote access (from third countries) to data in the clear, for business purposes, such as, for example, Human Resources.
These two scenarios are frequently used in practice. Still, the EDPB recommends not to execute these transfers in the upcoming future.
Examples of contractual measures are the obligation to implement necessary technical measures, measures regarding transparency of (requested) access by government authorities and measures to be taken against such requests. Accompanying this the European Commission published a draft regarding standard contractual clauses for transferring personal data to non-EU countries, as well as organizational measures such as internal policies and responsibilities regarding government interventions.
The last two steps are undertaking the formal procedural steps to adapt supplementary measures required and re-evaluating the former steps in appropriate intervals.
Even though these recommendations are not (yet) binding, companies should take a further look at the recommendations and check if their data transfers comply with the new situation.
16. July 2020
The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its White Paper on Data Subject Rights (DSR) on July 8th, 2020, as input for the European Data Protection Board for future Guidelines on the subject.
The White Paper examines the effectiveness of the DSRs by keeping in mind the interpretation in the context of today’s data driven economy. It puts forth that the Guidelines should take into account new business models, data-driven processes and the data economy as well as the digitalisation of society.
In that aspect, the Paper offers suggestions for the EDPB to consider and reflect upon. Some few of the main subjects the Paper requests the Guidelines to touch on are:
- Clarification of the requirements governing verification of the identity of individuals submitting DSR requests
- Determination that the one-month deadline for responding to a DSR request will run from the point at which the request’s scope is clear and the identity of the requestor has been verified, additionally that extensions to the deadline may be justified in certain circumstances, e.g. where the controller receives an unusually high volume of DSR requests, etc.
- Recognition that compelling interests of the organization, third-parties or society may limit DSR requests;
- Limitations on excessive, unfounded or abusive requests from Data Subjects which are intended to disrupt the business;
- Declaration of a proportionate approach in responding to DSR requests, particularly with regards to the cost to the organization.
Furthermore, the White Paper highlights the necessity to change the level of a DPO’s responsibility in regards to DSRs, dividing it across different team rather than making the DPO solely responsible for the DSR requests.
In addition, the Paper demands the EDPB to establish a better harmonization of the application of the DSRs across the European Union, which comes from differences in Guidelines made by the different Data Protection Authorities (DPAs). The EDPB should have in its interest to establish common ground for the handling of DSRs and the related requests, as well as the handling of infringements in the matter by DPAs.
The Paper stems from the EDPB stakeholders’ event on DSR in Brussels on November 4, 2019, and was drafted to visualize certain issues on the matter to the EDPB which have crystalized themselves in the two years since the application of the GDPR.
29. June 2020
On 25 June 2020, the European Data Protection Board (“EDPB”) released a new register of final decisions by national European Data Protection Authorities (Supervisory Authorities) cooperating with one another pursuant to Art. 60 GDPR. The register provides access to the decisions themselves, summaries of the decisions in English, and information on the identity of the cooperating Lead Supervisory Authority and Concerned Supervisory Authorities.
The GDPR postulates that Supervisory Authorities have to cooperate in potential cases of GDPR violations that include cross-border data processing activities. During this cooperation, the Lead Supervisory Authority will be in charge of preparing the draft decision and involving the Concerned Supervisory Authorities, and will act as the sole interlocutor of the Controller or Processor (“One-Stop-Shop”-Principle), Art. 56 and Art. 60 GDPR.
To date, the new EDPB register contains 110 final decisions. The EDPB states in its announcement that ‘the register will be valuable to data protection practitioners who will gain access to information showcasing how SAs work together to enforce the GDPR in practice.’
25. May 2020
Today we are continuing our miniseries on contact tracing apps and data protection with Part 2 of the series: The EDPB Guideline on the Use of Contact Tracing Tools. As mentioned in Part 1 of our miniseries, many Member States of the European Union have started to discuss using modern technologies to combat the spread of the Coronavirus. Now, the European Data Protection Board (“EDPB”) has issued a new guideline on the use of contact tracing tools in order to give European policy makers guidance on Data Protection concerns before implementing these tools.
The Legal Basis for Processing
In its guideline, the EDPB proposes that the most relevant legal basis for the processing of personal data using contact tracing apps will probably be the necessity for the performance of a task in the public interest, i.e. Art. 6 para. 1 lit. e) GDPR. In this context, Art. 6 para. 3 GDPR clarifies that the basis for the processing referred to in Art. 6 para. 1 lit. e) GDPR shall be laid down by Union or Members State law.
Another possible legal basis for processing could be consent pursuant to Art. 6 para. 1 lit. a) GDPR. However, the controller will have to ensure that the strict requirements for consent to be valid are met.
If the contact tracing application is specifically processing sensitive data, like health data, processing could be based on Art. 9 para. 2 lit. i) GDPR for reasons of public interest in the area of public health or on Art. 9 para. 2 lit. h) GDPR for health care purposes. Otherwise, processing may also be based on explicit consent pursuant to Art. 9 para. 2 lit. a) GDPR.
Compliance with General Data Protection Principles
The guideline is a prime example of the EDPB upholding that any data processing technology must comply with the general data protection principles which are stipulated in Art. 5 GDPR. Contact tracing technology will not be an exeption to this general rule. Thus, the guideline contains recommendations on what national governments and health agencies will need to be aware of in order to observe the data protection principles.
Principle of Lawfulness, fairness and transparency, Art. 5 para. 1 lit. a) GDPR: First and foremost, the EDPB points out that the contact tracing technology must ensure compliance with GDPR and Directive 2002/58/EC (the “ePrivacy Directive”). Also, the application’s algorithms must be auditable and should be regularly reviewed by independent experts. The application’s source code should be made publicly available.
Principle of Purpose limitation, Art. 5 para. 1 lit. b) GDPR: The national authorities’ purposes of processing personal data must be specific enough to exclude further processing for purposes unrelated to the management of the COVID-19 health crisis.
Principles of Data minimisation and Data Protection by Design and by Default, Art. 5 para. 1 lit. c) and Art. 25 GDPR:
- Data processed should be reduced to the strict minimum. The application should not collect unrelated or unnecessary information, which may include civil status, communication identifiers, equipment directory items, messages, call logs, location data, device identifiers, etc.;
- Contact tracing apps do not require tracking the location of individual users. Instead, proximity data should be used;
- Appropriate measures should be put in place to prevent re-identification;
- The collected information should reside on the terminal equipment of the user and only the relevant information should be collected when absolutely necessary.
Principle of Accuracy, Art. 5 para. 1 lit. d) GDPR: The EDPB advises that procedures and processes including respective algorithms implemented by the contact tracing apps should work under the strict supervision of qualified personnel in order to limit the occurrence of any false positives and negatives. Moreover, the applications should include the ability to correct data and subsequent analysis results.
Principle of Storage limitation, Art. 5 para. 1 lit. e) GDPR: With regards to data retention mandates, personal data should be kept only for the duration of the COVID-19 crisis. The EDPB also recommends including, as soon as practicable, the criteria to determine when the application shall be dismantled and which entity shall be responsible and accountable for making that determination.
Principle of Integrity and confidentiality, Art. 5 para. 1 lit. f) GDPR: Contact tracing apps should incorporate appropriate technical and organisational measures to ensure the security of processing. The EDPB places special emphasis on state-of-the-art cryptographic techniques which should be implemented to secure the data stored in servers and applications.
Principle of Accountability, Art. 5 para. 2 GDPR: To ensure accountability, the controller of any contact tracing application should be clearly defined. The EDPB suggests that national health authorities could be the controllers. Because contact tracing technology involves different actors in order to work effectively, their roles and responsibilities must be clearly established from the outset and be explained to the users.
Functional Requirements and Implementation
The EDPB also makes mention of the fact that the implementations for contact tracing apps may follow a centralised or a decentralised approach. Generally, both systems use Bluetooth signals to log when smartphone owners are close to each other. If one owner was confirmed to have contracted COVID-19, an alert can be sent to other owners they may have infected. Under the centralised version, the anonymised data gathered by the app will be uploaded to a remote server where matches are made with other contacts. Under the decentralised version, the data is kept on the mobile device of the user, giving users more control over their data. The EDPB does not give a recommendation for using either approach. Instead, national authorities may consider both concepts and carefully weigh up the respective effects on privacy and the possible impacts on individuals rights.
Before implementing contact tracing apps, the EDPB also suggests that a Data Protection Impact Assessment (DPIA) must be carried out as the processing is considered likely high risk (health data, anticipated large-scale adoption, systematic monitoring, use of new technological solution). Furthermore, they strongly recommend the publication of DPIAs to ensure transparency.
Lastly, the EDPB proposes that the use of contact tracing applications should be voluntary and reiterates that it should not rely on tracing individual movements but rather on proximity information regarding users.
Outlook
The EDPB acknowledges that the systematic and large scale monitoring of contacts between natural persons is a grave intrusion into their privacy. Therefore, Data Protection is indispensable to build trust, create the conditions for social acceptability of any solution, and thereby guarantee the effectiveness of these measures. It further underlines that public authorities should not have to choose between an efficient response to the current pandemic and the protection of fundamental rights, but that both can be achieved at the same time.
In the third part of the series regarding COVID-19 contact tracing apps, we will take a closer look into the privacy issues that countries are facing when implementing contact tracing technologies.
16. March 2020
The European Data Protection Board (EDPB) released a review dated from February 18th, in a contribution to the evaluation of the General Data Protection Regulation (GDPR), which has reached its 20th month of being in effect.
Overall, the EDPB stated that it has a positive view of the implementation of the legislation in the different European Countries over the past 20 months. Furthermore, it deems a revision of the legislative text as likely, but not yet necessary in the near future.
The EDPB praised the Data Protection Authorities and their work up til now, saying it hopes that the cooperation between them will create a common data protection culture and consistent monitoring practices. But the report also mentioned that Supervisory Authorities in the countries face restrictions due to different national procedures and practices, which can hinder the cooperation. Furthermore, the EDPB sees a need to increase the funding for Supervisory Authorities to improve and support their duties.
On another note, the EDPB has acknowledged the challenges of implementation for Small to Medium sized Enterprises (SMEs). It says it is aware of these challenges, and works together with Supervisory Authorities to facilitate the supporting tools they have put out in order to support SMEs.
Lastly, it raised concerns about the timeframe of the new ePrivacy Regulation, and urged lawmakers to bundle their focus and efforts to carry on with its development.
