Tag: GDPR

EU looking to increase Enforcement Powers over Tech Giants

24. September 2020

In an interview with The Financial Times on Sunday, EU-Commissioner Thierry Breton stated that the European Union is considering plans to increase its enforcement powers regarding tech giants.

This empowerment is supposed to include punitive measures such as forcing tech firms to break off and sell their EU operations if the dominance on the market becomes too large. It is further considered to enable the EU to be able to boot tech companies from the EU single market entirely. Breton stated these measures would of course only be used in extreme circumstances, but did not elaborate on what would qualify as extreme.

“There is a feeling from end-users of these platforms that they are too big to care,” Thierry Breton told The Financial Times. In the interview, he compared tech giants’ market power to the big banks before the financial crisis. “We need better supervision for these big platforms, as we had again in the banking system,” he stated.

In addition, the European Union is considering a rating system, in which companies would be given scores in different categories such as tax compliance, taking action against illegal content, etc. However, Breton said that it is not the intend to make companies liable for their users’ content.

Breton further said that the first drafts of the new law will be ready by the end of the year.

Once the final draft is in place, it will require approval both by the European Parliament as well as the European Council, before it can be enacted.

Apple to delay iOS 14 Ad Tracking Changes

9. September 2020

In an update from Apple on Thursday, 3rd of September 2020, it was announced that some of the plans that were supposed to be launched in the new iOS 14 update are being delayed. The new feature of iOS developers having to request permission from app users before collecting their data for ad tracking is being pushed back to the beginning of 2021.

This and other features are seen as a big step towards users’ privacy, which you can read up on in our previous blogpost, but they have been criticised by app developers and big tech giants alike.

The permission feature was supposed to change the way users’ privacy is being accessed, from the current opt-out method to an opt-in one. “When enabled, a system prompt will give users the ability to allow or reject that tracking on an app-by-app basis,” stated Apple.

However, this will be delayed until early next year, due to the fact that the changes would affect a large amount of the platforms’ publishers, which rely strongly on ad tracking revenue. Facebook criticized the changes and announced that some of their tools may lose efficiency, and hence cause problems for smaller app developers. To combat this issue, Apple said: “We want to give developers the time they need to make the necessary changes, and as a result, the requirement to use this tracking permission will go into effect early next year.”

In recent years, Apple has taken its users’ privacy more seriously, launching new adjustments to ensure their right to privacy is being integrated in their devices.

„We believe technology should protect users’ fundamental right to privacy, and that means giving users tools to understand which apps and websites may be sharing their data with other companies for advertising or advertising measurement purposes, as well as the tools to revoke permission for this tracking,” Apple emphasized.

Category: EU · GDPR · General
Tags: , , ,

U.S. Commerce Department publishes FAQs on EU-US Privacy Shield

12. August 2020

The U.S. Commerce Department has released a frequently asked questions page (FAQ) with regards to the EU-US Privacy Shield, following the latest decision of the Court of Justice of the European Union (CJEU) in the Schrems II case.

The FAQ consists of five questions which revolve around the situation after the invalidation of the Privacy Shield by the CJEU, especially the status of companies already certified under the Privacy Shield.

The Commerce Department states in its FAQ that despite the invalidity of the Privacy Shield certification as a GDPR compliant transfer mechanism, the decision of the CJEU does not relieve companies certified under the Privacy Shield from their obligations. On July 21, 2020, the Federal Trade Commission (FTC) stated that they expect controllers to continue to follow the obligations laid out under the Privacy Shield Framework for transfers.

Further, the Commerce Department will continue to administer certification and re-certification under the Privacy Shield despite the new development. The Commerce Department emphasizes that the continued dedication to the Privacy Shield will show the commitment of the parties and the controllers certified under it to the Data Protection cause.

However, the Commerce Department also notes that the costs coming along with a Privacy Shield certification will remain, which could have an effect on the motivation for companies to get self- and re-certified.

CJEU judges the EU-US Privacy Shield invalid

16. July 2020

On June 16th, 2020, the Court of Justice of the European Union (CJEU) has declared the invalidity of Decision 2016/1250, therefore rendering protection granted to data transfers under the EU-US Privacy Shield inadequate.

The background

The case originated in a complaint of Mr. Max Schrems against Facebook Ireland regarding the transfer of his personal data as a Facebook user to Facebook Inc., situated in the USA, for further processing. Mr. Schrems lodged a complaint with the Irish supervisory authority seeking to prohibit those transfers. He claimed that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to the USA. That complaint was rejected on the ground that, in Decision 2000/5205, the Safe Harbour Decision, the Commission had found that the United States ensured an adequate level of protection. In a judgment delivered on October 6th, 2015, the CJEU, to which the High Court of Ireland had referred questions for a preliminary ruling, declared that decision invalid, resulting in the Schrems I judgment.

Today’s judgement in the Schrems II case came from the request of the Irish High Court to Mr. Schrems to reformulate his initial complaint, seeing as the Safe Harbour Agreement had been deemed inadequate. In the following, Mr. Schrems reformulated his complaint, and claimed that the United States does not offer sufficient protection of data transferred to that country. He seeks the suspension of future transfers of his personal data from the EU to the United States, which Facebook Ireland now carries out pursuant to the Standard Contractual Clauses (SCCs) set out in the Annex to Decision 2010/87. After the initiation of those proceedings, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield.

In its request for a preliminary ruling, the referring court asked the CJEU whether the GDPR applies to transfers of personal data pursuant to the SCCs, what level of protection is required by the GDPR in connection with such a transfer, and what obligations are incumbent on supervisory authorities in those circumstances. The High Court of Ireland also raised the question of the validity of both decisions,  Decision 2010/87 and  Decision 2016/1250.

Judgement in regard to SCCs

In its judgements, the CJEU has stated that it had, after examination of the SCCs in light of the Charter of Fundamental Rights, found nothing that affected the validity of the SCCs and Decision 2010/87.

With regards to the transfer of personal data to third countries, the CJEU claims that the requirements for such purposes set out by the GDPR concerning appropriate safeguards, enforceable rights and effective legal measures must be interpreted in such a way that data subjects whose personal data is transferred into a third country must be afforded a level of protection essentially similar to the level of protection granted within the European Union by the GDPR.

Data Protection Authorities must, unless an adequacy decision has been ruled by the Commission, be required to suspend or prohibit a transfer of personal data to a third country which does not meet these requirements.

The CJEU holds that the SCCs are still effective mechanisms that make it possible to ensure compliance with a level of protection required by the European Union. In that regard the CJEU points out that this imposes an obligation on the data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned, and to suspend the transfer of the personal data if it is not.

Judgement in regard to the EU-US Privacy Shield

The CJEU, after thorough examination, concluded that the EU-US Privacy Shield is not adequate protection for transfers to the USA.

This result comes from the fact that the far-reaching US surveillance laws are in conflict with EU fundamental rights. The USA limits most of its protections of personal data from governmental surveillance to US citizen, but does not extend that protection to the personal data of citizens of other countries.

In essence, the limitations on the protection of personal data arising from the domestic law of the USA on the access and use by US public authorities of such data transferred from the European Union are not restricted in a way that satisfies requirements that are equivalent to those required under EU law, which were mentioned in regards to SCCs above. By the principle of proportionality, the surveillance programmes based on those provisions are not limited to what is strictly necessary.

Unless an empowerment and independence of the Ombudsperson takes place, which would give the competence to adopt decisions which are binding on US intelligence services, there are no substantial cause of actions for data subjects before a body which gives legal guarantees in the way that is required by European law for transfers to be equivalent in protection.

Assessment

Overall, the CJEU states that necessary data transfers are still able to continue under Article 49 of the GDPR. However, the provision’s interpretation is restrictive, leaving most companies with data transfers to the USA which are now considered illegal.

Due to the requirements of adequate protection even when relying on the validated SCCs, transfers under such circumstances may also be found unlawful due to the local intelligence laws in the USA, which do not uphold the requirements necessary by European law.

Overall, it is a clear statement of the necessity of reforms of the US intelligence laws, which have to create adequate protections to be able to guarantee the same level of data protection as the European Union, if they want to continue data trades and data transfers necessary for processing.

What does this mean for you?

  • If your business has a EU-US Privacy Shield certification, and uses such for legitimization of data transfers within a group of companies, you should push towards the use of the European Standard Contractual Clauses within that corporate group.
  • If you are employing service providers which rely on the EU-US Privacy Shield certification, you should also push for the use of Standard Contractual Clauses, or base the data transfer on a different solution for an adequate level of data protection.

Transatlantic Data Transfers in light of the Two Year Anniversary of GDPR Application

7. July 2020

In the last two years since the General Data Protection Regulation (GDPR) came into effect on May 25, 2018, it has received an overall positive feedback and structured the data protection culture not only in the European Union, but has set an example for international privacy standards.

However, especially from the American side of the world, criticism has been constant. Different principles are a prerequisite for different opinions and priorities, and the effort to bring European data protection standards and American personal data business together has been a challenge on both sides.

One of the main criticisms coming from the US government is the increasing obstacles the GDPR poses in case of cybercrime investigations and law enforcement. Not only the restrictive implications of the GDPR are an issue, but also the divergent interpretations due to national adaptations of the GDPR are seen as a problem by government officials.

In the cases of cybercrime, the main issue for the US critics is the now less effective database of domain name owners, WHOIS. The online directory, which was created in the 1970s, is an important tool for law enforcement combatting cybercrime. Before the GDPR came into effect in 2018, the request for information on domain owners was straightforward. Now, due to the restrictions of the GDPR, this process has been made long and tedious.

But fighting cybercrime is not the only tension between the EU and the USA concerning data protection. In a judgement in the Schrems II case, expected for July 16, 2020, the European Court of Justice (ECJ) is expected to take a stance on transatlantic data transfers and the current Privacy Shield, which is the basis for the EU-US dataflows under adequate data protection standards. If the Privacy Shield is deemed insufficient protection, it will have a major effect on EU-US business transactions.

However, these are issues that the European Commission (EC) is very aware of. In their communication concerning the two-year review of the GDPR, the Commission stated that they are planning to balance out diverging and fragmented interpretations of the GDPR on national levels and find a common data protection culture within Europe.

In addition, the restrictions the GDPR poses to law enforcement are another point the European Commission knows it needs to fix. The plan for the future is a bilateral and multilateral framework that can allow for simple requests to share data for law enforcement purposes and avoid conflicts of law, while keeping data protection safeguards intact.

The upcoming judgement of the ECJ is seen with watchful eyes by the Commission, and will be incorporated in their upcoming adequacy decisions and re-evaluations, as well as their development of a modern international transfer toolbox, which includes a modernized version of the standard contractual clauses.

Overall, the two-year mark of the existence of the GDPR is seen more as a success, despite the clear areas for future improvement. One of the big challenges in transatlantic data transfers ahead is without a doubt the outcome of the judgement in the Schrems case in mid-July, the implications of which are, at this point in time, not yet able to be defined.

Dutch DPA administers record €725 000 fine for GDPR violation

6. May 2020

The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), has issued a EUR 725 000 fine on April 30th to a company for scanning the fingerprints of its employees in order to record attendance.

As fingerprints fall under sensitive data according to Art. 9 GDPR, by being biometric data and therefore can easily identify a data subject, the Dutch DPA has addressed two exceptions in the present case: explicit consent according to Art. 9 II a GDPR, and the necessity of the processing for security reasons, which are related back to Art.9 II g GDPR.

According to the Dutch DPA, none of the two exceptions apply.

In the first case, the Dutch DPA states that the employer has shown no proof of valid explicit consent of the employees. Rather, the Dutch DPA is of the opinion that in an employment relationship, consent cannot be given freely. While it is tricky to ensure freely given consent in situations where one side is dependant on the other, it is possible to ensure such a freely given consent by the means of offering an alternative form of processing, allowing the employee to choose from two options according to their own judgement. In the case brought to the Dutch DPA, this had not been the case. Rather, employees felt obligated to give their consent, especially since the denial resulted in a personal meeting with the director. An alternative option to scanning their fingerprints was not given by the company.

The second exception of the necessity of the processing for security reasons was also dismantled by the Dutch DPA. It reasoned with the fact that such an exception only applies in cases where the security of the systems or the building depend on biometric data, and cannot be done by a less invasive method. While the activities of the company remain confidential, the Dutch DPA has denied them to be of that level of importance that security can only be done through biometrics. Therefore, the fingerprint scanning in the matter was unnecessary and disproportionate to the invasion of the employees’ privacy.

As this case shows, it is recommendable to be careful with the processing of biometric data. In particular, companies should ensure to have valid consent before progressing with the processing of sensitive data to mitigate the risks of a fine.

Belgian DPA releases Guidance and FAQs on Cookies and Trackers

23. April 2020

On Thursday, April 9th 2020, the Belgian Data Protection Authority (Belgian DPA) has issued a guidance along with frequently asked question on the subject of cookies and other tracking technologies.

The key points presented by the guidance revolve around the definitions of cookies, what needs to be presented in a cookie policy, how the consent of data subjects needs to be obtained and which requirements it needs to fulfill, as well as the storage period of a cookie on a user’s device.

The Belgian DPA made it clear that of the utmost importance is the transparency of the cookie usage. That entails that the users need to be informed about the scope of each individual cookie used. This should be done through a cookie policy on the website. The cookie policy needs to be written in a language the targeted users of the website can understand, as well as be easily accessible, e.g. through a hyperlink.

Specifically, these cookie policies need to include and inform about:

  • identification of the cookies used;
  • their purposes and duration;
  • whether third-parties have access to such cookies;
  • information about how to delete cookies;
  • the legal basis relied upon for the use of cookies;
  • information about individuals’ data protection rights and the ability to lodge a complaint to the competent data protection authority;
  • information about any automated decision making, including profiling.

In order to be able to use cookies, the consent of the user needs to be obtained. The Belgian DPA stated in their guidance that the consent has to be obtained for the use of all non-essential cookies, which means all cookies that are not necessary for a user requested function of the website. A necessary cookie would be, for example, the cookie to remember the item in a user’s cart, or cookies that enable booking communication with a user.

The consent especially needs to be:

  • obtained for the use of all non-essential cookies, as well as all social media plugins;
  • informed, specifically, prior to giving their consent to the use of cookies, users must be provided with information regarding the use of cookies: The information that needs to be given to the data subjects are the entity responsible for the use of cookies, the cookies’ purposes,  the data collected through the use of cookies, and their expiration. Users must also be informed about their rights with respect to cookies, including the right to withdraw their consent;
  • granulated, whereas in a first instance, users need to decide between what types of cookies they want to give consent to, and in a second instance, users can decide exactly which cookies they want to give consent to;
  • unambiguous and provided through a clear affirmative action.

Further, it is also important to keep in mind that the Belgian DPA has confirmed that cookie walls are unlawful, and that companies must show proof of obtained consent through keeping logs.

The Belgian DPA has also given guidance on the lifespan of cookies. Cookies should not have unlimited lifespans, but rather follow basic data protection rules: once a cookie is no longer necessary for the purpose or it has fulfilled its determined purpose, it needs to be removed. If the cookie cannot be deleted from the controller’s side, it is important to give the users the information on how to do it themselves.

Overall, the Belgian DPA’s guidance has given controllers a clear way to maneuvering their cookie usage, and has provided a new list of FAQs in case of further questions. In this regard, the Belgian DPA has made sure that cookies and their use are easy to comprehend and handle, hopefully helping data protection compliance within the subject.

CNIL announces focus for Control Procedures in 2020

16. March 2020

The french Commission Nationale de l’Informatique et des Libertés (CNIL) has announced their focus in regards to the Control Procedures they intend to take in 2020.

Out of 300 Control Procedures done in one year, in 2020 at least 50 of those are going to be focused on three prioritized themes: health data security, geolocation and cookies compliance. The CNIL decided on prioritizing these areas because of the high relevance all of them have on the daily life of the french citizens.

Especially in regards to health data because of the sensitive nature of the data collected, as well as geological data, due to the never ending new solutions to transportation or enhancements to daily life, it is important to keep an eye on the scope of the data processing and the private sphere which is affected.

Regarding cookies and other tracers, CNIL continues to underline the importance in regards to profiled advertisement. On top of the planned Control Procedures, the CNIL intends to publish a recommendation in the spring of 2020 with regards to cookies. It will keep an eye on the implementation of the recommendation, and give companies a 6 months period to adjust and implement them.

The CNIL also stated that in addition they will continue to work together with other national Data Protection Authorities, in order to ensure the regulation of transnational data processing.

Greek Data Protection Authority releases Guidance on Cookies

On 25 February 2020, the Hellenic Data Protection Authority (DPA) published a guidance on Cookies and other tracking tools. Previously, the Authority had found that Greek websites and service providers have been largely failing to comply with the rules on the use of Cookies and other trackers set out by the ePrivacy Directive and the GDPR, and reaffirmed by the European Court of Justice’s ruling on Planet 49.

The guidance states that it will be relevant to HTTP/S Cookies, Flash Cookies, local storage applying to HTML 5, device fingerprinting, OS identifiers, and material identifiers.

The Greek DPA reiterated that, generally, providers are obliged to obtain the user’s consent if they are using any tracking tools – irrespective of whether the processing of personal data is taking place. It also outlined that technically necessary trackers are exempt from the obligation to consent. Furthermore, the guidance goes into detail on how information and consent can be made available on websites specifically.

Lastly, the Authority has given Greek website providers a grace period of two months to implement the provisions of this guidance and thereby become compliant with the European rules on tracking tools.

EDPB publishes GDPR Implementation Review

The European Data Protection Board (EDPB) released a review dated from February 18th, in a contribution to the evaluation of the General Data Protection Regulation (GDPR), which has reached its 20th month of being in effect.

Overall, the EDPB stated that it has a positive view of the implementation of the legislation in the different European Countries over the past 20 months. Furthermore, it deems a revision of the legislative text as likely, but not yet necessary in the near future.

The EDPB praised the Data Protection Authorities and their work up til now, saying it hopes that the cooperation between them will create a common data protection culture and consistent monitoring practices. But the report also mentioned that Supervisory Authorities in the countries face restrictions due to different national procedures and practices, which can hinder the cooperation. Furthermore, the EDPB sees a need to increase the funding for Supervisory Authorities to improve and support their duties.

On another note, the EDPB has acknowledged the challenges of implementation for Small to Medium sized Enterprises (SMEs). It says it is aware of these challenges, and works together with Supervisory Authorities to facilitate the supporting tools they have put out in order to support SMEs.

Lastly, it raised concerns about the timeframe of the new ePrivacy Regulation, and urged lawmakers to bundle their focus and efforts to carry on with its development.

Pages: 1 2 3 4 5 6 7 Next
1 2 3 7