Tag: GDPR
28. October 2020
On 3 November 2020, the day of the US Presidential Election, Californian citizens will also be able to vote on the California Privacy Rights Act of 2020 (“CPRA”) in a state ballot. The CPRA shall expand Califonian consumers’ privacy rights given by the California Consumer Privacy Act of 2018 (“CCPA”) which only came into effect on 2 January 2020.
The NGO “Californians for Consumer Privacy”, led by privacy activist Alastair Mactaggart, initiated the upcoming state ballot on the CPRA. Mactaggart’s NGO already qualified for a state ballot on the adoption of the CCPA by collecting over 629,000 signatures of California citizens in 2018. However, the NGO dropped the proposal in 2018 after California state legislators persuaded the intitiators that they will pass the CCPA through the legislative process. But because several significant amendments to the original proposal were passed during the legislative process, the NGO created the new CPRA initiative in 2020. This time, the group submitted more than 900,000 signatures. The CPRA is supposed to expand on the provisions of the CCPA. In case the CPRA is approved by California voters on November 3rd, it could not be easily amended and would require further direct voter action. Most provisions of the CPRA would become effective on 1 January 2023 and would only apply to information collected from 1 January 2022.
Some of the key provisions of the newly proposed CPRA seem to draw inspiration from the provisions of the European General Data Protection Regulations (“GDPR”) and include the establishment of an enforcement agency (the “California Privacy Protections Agency”), explicitly protecting “Sensitive Personal Information” of consumers and granting the right to rectify inaccurate personal information. The CPRA would furthermore require businesses to abide to information obligations comparable to those required by Art. 12-14 GDPR.
As the day of the state ballot is fast approaching, recent polls suggest that the CPRA will likely pass and complement the already existing CCPA, forming the US’ strictest privacy rules to date.
23. October 2020
The Norwegian Data Protection Authority (Datatilsynet) has issued the Norwegian Public Roads Administration (Statens vegvesen) a fine of EUR 37.400 (NOK 400.000) for improprieties related to the use of the monitoring system installed on toll ways in Norway. They concerned processing personal data for purposes that were noncompliant with the originally stated and for not erasing video recordings after 7 days from their registration.
The penalized entity is the controller of a system processing personal data obtained from the area of toll roads in Norway. This system records personal data which especially enable the identification of vehicles (and hence their owners) that pass through public toll stations. The primary purpose of processing these personal data was to ensure safety on public roads and to optimize the operation of the tunnel and drawbridges in the county Østfold. The Norwegian Public Roads Administration however, used the recordings particularly in order to document improper fulfilments of concluded contracts by certain subjects. According to the Norwegian Data Protection Authority, such procedure is unlawful and not compliant with the originally stated purposes.
The Norwegian Public Roads Administration was also accused of infringements related to deletion of personal data in due time. In accordance with Norwegian regulations, recordings from monitoring (and thus personal data) may be stored until the reason for its storage ceases, but no longer than 7 days from recording the material. In the course of proceedings it turned out that the monitoring system did not have the function of deleting personal data at all. Therefore, the Norwegian Public Roads Administration was not able to fulfil its obligation according to Art. 17 GDPR. The lack of this functionality additionally indicates that the controller, while implementing the monitoring system, also omitted the requirements specified in Art. 25 GDPR.
Taking into account these circumstances, the Norwegian Data Protection Authority stated a violation of the mentioned GDPR regulations.
21. October 2020
In the beginning of October, the Hamburg Data Protection Commissioner (“HmbBfDI”) imposed a record-breaking 35,258,707.95 Euro GDPR fine on the German branch of the Swedish clothing-retail giant H&M. It is the highest fine, based on a GDPR violation, a German Data Protection Authority has ever issued.
Since 2014, the management of the H&M service centre in Nuremberg extensively monitored the private lives of their employees in various ways. Following holidays and sick leaves of employees, team leaders would conduct so-called “Welcome Back Talks” in which they recorded employees’ holiday experiences, symptoms of illnesses and medical diagnoses. Some H&M supervisors gathered a broad data base of their employees’ private lives as they recorded details on family issues and religious beliefs from one-on-one talks and even corridor conversations. The recordings had a high level of detail and were updated over time and in some cases were shared with up to 50 other managers throughout the whole company. The H&M supervisors also used this Personal Data to create profiles of their employees and to base future employment decisions and measures on this information. The clandestine data collection only became known as a result of a configuration error in 2019 when the notes were accessible company-wide for a few hours.
After the discovery, the H&M executives presented the HmbBfDI a comprehensive concept on improving Data Protection at their Nuremberg sub-branch. This includes newly appointing a Data Protection coordinator, monthly Data Protection status updates, more strongly communicated whistleblower protection and a consistent process for granting data subject rights. Furthermore, H&M has apologised to their employees and paid the affected people a considerable compensation.
With their secret monitoring system at the service centre in Nuremberg, H&M severely violated the GDPR principles of lawfulness, fairness, and transparency of processing pursuant to Art. 5 no. 1 lit. a) and Art. 6 GDPR because they did not have a legal basis for collecting these Personal Data from their employees. The HmbBfDI commented in his statement on the magnitude of the fine saying that “the size of the fine imposed is appropriate and suitable to deter companies from violating the privacy of their employees”.
24. September 2020
In an interview with The Financial Times on Sunday, EU-Commissioner Thierry Breton stated that the European Union is considering plans to increase its enforcement powers regarding tech giants.
This empowerment is supposed to include punitive measures such as forcing tech firms to break off and sell their EU operations if the dominance on the market becomes too large. It is further considered to enable the EU to be able to boot tech companies from the EU single market entirely. Breton stated these measures would of course only be used in extreme circumstances, but did not elaborate on what would qualify as extreme.
“There is a feeling from end-users of these platforms that they are too big to care,” Thierry Breton told The Financial Times. In the interview, he compared tech giants’ market power to the big banks before the financial crisis. “We need better supervision for these big platforms, as we had again in the banking system,” he stated.
In addition, the European Union is considering a rating system, in which companies would be given scores in different categories such as tax compliance, taking action against illegal content, etc. However, Breton said that it is not the intend to make companies liable for their users’ content.
Breton further said that the first drafts of the new law will be ready by the end of the year.
Once the final draft is in place, it will require approval both by the European Parliament as well as the European Council, before it can be enacted.
9. September 2020
In an update from Apple on Thursday, 3rd of September 2020, it was announced that some of the plans that were supposed to be launched in the new iOS 14 update are being delayed. The new feature of iOS developers having to request permission from app users before collecting their data for ad tracking is being pushed back to the beginning of 2021.
This and other features are seen as a big step towards users’ privacy, which you can read up on in our previous blogpost, but they have been criticised by app developers and big tech giants alike.
The permission feature was supposed to change the way users’ privacy is being accessed, from the current opt-out method to an opt-in one. “When enabled, a system prompt will give users the ability to allow or reject that tracking on an app-by-app basis,” stated Apple.
However, this will be delayed until early next year, due to the fact that the changes would affect a large amount of the platforms’ publishers, which rely strongly on ad tracking revenue. Facebook criticized the changes and announced that some of their tools may lose efficiency, and hence cause problems for smaller app developers. To combat this issue, Apple said: “We want to give developers the time they need to make the necessary changes, and as a result, the requirement to use this tracking permission will go into effect early next year.”
In recent years, Apple has taken its users’ privacy more seriously, launching new adjustments to ensure their right to privacy is being integrated in their devices.
„We believe technology should protect users’ fundamental right to privacy, and that means giving users tools to understand which apps and websites may be sharing their data with other companies for advertising or advertising measurement purposes, as well as the tools to revoke permission for this tracking,” Apple emphasized.
12. August 2020
The U.S. Commerce Department has released a frequently asked questions page (FAQ) with regards to the EU-US Privacy Shield, following the latest decision of the Court of Justice of the European Union (CJEU) in the Schrems II case.
The FAQ consists of five questions which revolve around the situation after the invalidation of the Privacy Shield by the CJEU, especially the status of companies already certified under the Privacy Shield.
The Commerce Department states in its FAQ that despite the invalidity of the Privacy Shield certification as a GDPR compliant transfer mechanism, the decision of the CJEU does not relieve companies certified under the Privacy Shield from their obligations. On July 21, 2020, the Federal Trade Commission (FTC) stated that they expect controllers to continue to follow the obligations laid out under the Privacy Shield Framework for transfers.
Further, the Commerce Department will continue to administer certification and re-certification under the Privacy Shield despite the new development. The Commerce Department emphasizes that the continued dedication to the Privacy Shield will show the commitment of the parties and the controllers certified under it to the Data Protection cause.
However, the Commerce Department also notes that the costs coming along with a Privacy Shield certification will remain, which could have an effect on the motivation for companies to get self- and re-certified.
16. July 2020
On June 16th, 2020, the Court of Justice of the European Union (CJEU) has declared the invalidity of Decision 2016/1250, therefore rendering protection granted to data transfers under the EU-US Privacy Shield inadequate.
The background
The case originated in a complaint of Mr. Max Schrems against Facebook Ireland regarding the transfer of his personal data as a Facebook user to Facebook Inc., situated in the USA, for further processing. Mr. Schrems lodged a complaint with the Irish supervisory authority seeking to prohibit those transfers. He claimed that the law and practices in the United States do not offer sufficient protection against access by the public authorities to the data transferred to the USA. That complaint was rejected on the ground that, in Decision 2000/5205, the Safe Harbour Decision, the Commission had found that the United States ensured an adequate level of protection. In a judgment delivered on October 6th, 2015, the CJEU, to which the High Court of Ireland had referred questions for a preliminary ruling, declared that decision invalid, resulting in the Schrems I judgment.
Today’s judgement in the Schrems II case came from the request of the Irish High Court to Mr. Schrems to reformulate his initial complaint, seeing as the Safe Harbour Agreement had been deemed inadequate. In the following, Mr. Schrems reformulated his complaint, and claimed that the United States does not offer sufficient protection of data transferred to that country. He seeks the suspension of future transfers of his personal data from the EU to the United States, which Facebook Ireland now carries out pursuant to the Standard Contractual Clauses (SCCs) set out in the Annex to Decision 2010/87. After the initiation of those proceedings, the Commission adopted Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield.
In its request for a preliminary ruling, the referring court asked the CJEU whether the GDPR applies to transfers of personal data pursuant to the SCCs, what level of protection is required by the GDPR in connection with such a transfer, and what obligations are incumbent on supervisory authorities in those circumstances. The High Court of Ireland also raised the question of the validity of both decisions, Decision 2010/87 and Decision 2016/1250.
Judgement in regard to SCCs
In its judgements, the CJEU has stated that it had, after examination of the SCCs in light of the Charter of Fundamental Rights, found nothing that affected the validity of the SCCs and Decision 2010/87.
With regards to the transfer of personal data to third countries, the CJEU claims that the requirements for such purposes set out by the GDPR concerning appropriate safeguards, enforceable rights and effective legal measures must be interpreted in such a way that data subjects whose personal data is transferred into a third country must be afforded a level of protection essentially similar to the level of protection granted within the European Union by the GDPR.
Data Protection Authorities must, unless an adequacy decision has been ruled by the Commission, be required to suspend or prohibit a transfer of personal data to a third country which does not meet these requirements.
The CJEU holds that the SCCs are still effective mechanisms that make it possible to ensure compliance with a level of protection required by the European Union. In that regard the CJEU points out that this imposes an obligation on the data exporter and the recipient of the data to verify, prior to any transfer, whether that level of protection is respected in the third country concerned, and to suspend the transfer of the personal data if it is not.
Judgement in regard to the EU-US Privacy Shield
The CJEU, after thorough examination, concluded that the EU-US Privacy Shield is not adequate protection for transfers to the USA.
This result comes from the fact that the far-reaching US surveillance laws are in conflict with EU fundamental rights. The USA limits most of its protections of personal data from governmental surveillance to US citizen, but does not extend that protection to the personal data of citizens of other countries.
In essence, the limitations on the protection of personal data arising from the domestic law of the USA on the access and use by US public authorities of such data transferred from the European Union are not restricted in a way that satisfies requirements that are equivalent to those required under EU law, which were mentioned in regards to SCCs above. By the principle of proportionality, the surveillance programmes based on those provisions are not limited to what is strictly necessary.
Unless an empowerment and independence of the Ombudsperson takes place, which would give the competence to adopt decisions which are binding on US intelligence services, there are no substantial cause of actions for data subjects before a body which gives legal guarantees in the way that is required by European law for transfers to be equivalent in protection.
Assessment
Overall, the CJEU states that necessary data transfers are still able to continue under Article 49 of the GDPR. However, the provision’s interpretation is restrictive, leaving most companies with data transfers to the USA which are now considered illegal.
Due to the requirements of adequate protection even when relying on the validated SCCs, transfers under such circumstances may also be found unlawful due to the local intelligence laws in the USA, which do not uphold the requirements necessary by European law.
Overall, it is a clear statement of the necessity of reforms of the US intelligence laws, which have to create adequate protections to be able to guarantee the same level of data protection as the European Union, if they want to continue data trades and data transfers necessary for processing.
What does this mean for you?
- If your business has a EU-US Privacy Shield certification, and uses such for legitimization of data transfers within a group of companies, you should push towards the use of the European Standard Contractual Clauses within that corporate group.
- If you are employing service providers which rely on the EU-US Privacy Shield certification, you should also push for the use of Standard Contractual Clauses, or base the data transfer on a different solution for an adequate level of data protection.
7. July 2020
In the last two years since the General Data Protection Regulation (GDPR) came into effect on May 25, 2018, it has received an overall positive feedback and structured the data protection culture not only in the European Union, but has set an example for international privacy standards.
However, especially from the American side of the world, criticism has been constant. Different principles are a prerequisite for different opinions and priorities, and the effort to bring European data protection standards and American personal data business together has been a challenge on both sides.
One of the main criticisms coming from the US government is the increasing obstacles the GDPR poses in case of cybercrime investigations and law enforcement. Not only the restrictive implications of the GDPR are an issue, but also the divergent interpretations due to national adaptations of the GDPR are seen as a problem by government officials.
In the cases of cybercrime, the main issue for the US critics is the now less effective database of domain name owners, WHOIS. The online directory, which was created in the 1970s, is an important tool for law enforcement combatting cybercrime. Before the GDPR came into effect in 2018, the request for information on domain owners was straightforward. Now, due to the restrictions of the GDPR, this process has been made long and tedious.
But fighting cybercrime is not the only tension between the EU and the USA concerning data protection. In a judgement in the Schrems II case, expected for July 16, 2020, the European Court of Justice (ECJ) is expected to take a stance on transatlantic data transfers and the current Privacy Shield, which is the basis for the EU-US dataflows under adequate data protection standards. If the Privacy Shield is deemed insufficient protection, it will have a major effect on EU-US business transactions.
However, these are issues that the European Commission (EC) is very aware of. In their communication concerning the two-year review of the GDPR, the Commission stated that they are planning to balance out diverging and fragmented interpretations of the GDPR on national levels and find a common data protection culture within Europe.
In addition, the restrictions the GDPR poses to law enforcement are another point the European Commission knows it needs to fix. The plan for the future is a bilateral and multilateral framework that can allow for simple requests to share data for law enforcement purposes and avoid conflicts of law, while keeping data protection safeguards intact.
The upcoming judgement of the ECJ is seen with watchful eyes by the Commission, and will be incorporated in their upcoming adequacy decisions and re-evaluations, as well as their development of a modern international transfer toolbox, which includes a modernized version of the standard contractual clauses.
Overall, the two-year mark of the existence of the GDPR is seen more as a success, despite the clear areas for future improvement. One of the big challenges in transatlantic data transfers ahead is without a doubt the outcome of the judgement in the Schrems case in mid-July, the implications of which are, at this point in time, not yet able to be defined.
6. May 2020
The Dutch Data Protection Authority, Autoriteit Persoonsgegevens (Dutch DPA), has issued a EUR 725 000 fine on April 30th to a company for scanning the fingerprints of its employees in order to record attendance.
As fingerprints fall under sensitive data according to Art. 9 GDPR, by being biometric data and therefore can easily identify a data subject, the Dutch DPA has addressed two exceptions in the present case: explicit consent according to Art. 9 II a GDPR, and the necessity of the processing for security reasons, which are related back to Art.9 II g GDPR.
According to the Dutch DPA, none of the two exceptions apply.
In the first case, the Dutch DPA states that the employer has shown no proof of valid explicit consent of the employees. Rather, the Dutch DPA is of the opinion that in an employment relationship, consent cannot be given freely. While it is tricky to ensure freely given consent in situations where one side is dependant on the other, it is possible to ensure such a freely given consent by the means of offering an alternative form of processing, allowing the employee to choose from two options according to their own judgement. In the case brought to the Dutch DPA, this had not been the case. Rather, employees felt obligated to give their consent, especially since the denial resulted in a personal meeting with the director. An alternative option to scanning their fingerprints was not given by the company.
The second exception of the necessity of the processing for security reasons was also dismantled by the Dutch DPA. It reasoned with the fact that such an exception only applies in cases where the security of the systems or the building depend on biometric data, and cannot be done by a less invasive method. While the activities of the company remain confidential, the Dutch DPA has denied them to be of that level of importance that security can only be done through biometrics. Therefore, the fingerprint scanning in the matter was unnecessary and disproportionate to the invasion of the employees’ privacy.
As this case shows, it is recommendable to be careful with the processing of biometric data. In particular, companies should ensure to have valid consent before progressing with the processing of sensitive data to mitigate the risks of a fine.
23. April 2020
On Thursday, April 9th 2020, the Belgian Data Protection Authority (Belgian DPA) has issued a guidance along with frequently asked question on the subject of cookies and other tracking technologies.
The key points presented by the guidance revolve around the definitions of cookies, what needs to be presented in a cookie policy, how the consent of data subjects needs to be obtained and which requirements it needs to fulfill, as well as the storage period of a cookie on a user’s device.
The Belgian DPA made it clear that of the utmost importance is the transparency of the cookie usage. That entails that the users need to be informed about the scope of each individual cookie used. This should be done through a cookie policy on the website. The cookie policy needs to be written in a language the targeted users of the website can understand, as well as be easily accessible, e.g. through a hyperlink.
Specifically, these cookie policies need to include and inform about:
- identification of the cookies used;
- their purposes and duration;
- whether third-parties have access to such cookies;
- information about how to delete cookies;
- the legal basis relied upon for the use of cookies;
- information about individuals’ data protection rights and the ability to lodge a complaint to the competent data protection authority;
- information about any automated decision making, including profiling.
In order to be able to use cookies, the consent of the user needs to be obtained. The Belgian DPA stated in their guidance that the consent has to be obtained for the use of all non-essential cookies, which means all cookies that are not necessary for a user requested function of the website. A necessary cookie would be, for example, the cookie to remember the item in a user’s cart, or cookies that enable booking communication with a user.
The consent especially needs to be:
- obtained for the use of all non-essential cookies, as well as all social media plugins;
- informed, specifically, prior to giving their consent to the use of cookies, users must be provided with information regarding the use of cookies: The information that needs to be given to the data subjects are the entity responsible for the use of cookies, the cookies’ purposes, the data collected through the use of cookies, and their expiration. Users must also be informed about their rights with respect to cookies, including the right to withdraw their consent;
- granulated, whereas in a first instance, users need to decide between what types of cookies they want to give consent to, and in a second instance, users can decide exactly which cookies they want to give consent to;
- unambiguous and provided through a clear affirmative action.
Further, it is also important to keep in mind that the Belgian DPA has confirmed that cookie walls are unlawful, and that companies must show proof of obtained consent through keeping logs.
The Belgian DPA has also given guidance on the lifespan of cookies. Cookies should not have unlimited lifespans, but rather follow basic data protection rules: once a cookie is no longer necessary for the purpose or it has fulfilled its determined purpose, it needs to be removed. If the cookie cannot be deleted from the controller’s side, it is important to give the users the information on how to do it themselves.
Overall, the Belgian DPA’s guidance has given controllers a clear way to maneuvering their cookie usage, and has provided a new list of FAQs in case of further questions. In this regard, the Belgian DPA has made sure that cookies and their use are easy to comprehend and handle, hopefully helping data protection compliance within the subject.
Pages: Prev 1 2 3 4 5 6 7 8 9 10 11 Next