Tag: General Data Protection Regulation

European Commission and United States agree in principle on Trans-Atlantic Data Privacy Framework

29. March 2022

On March 25th, 2022, the United States and the European Commission have committed to a new Trans-Atlantic Data Privacy Framework that aims at taking the place of the previous Privacy Shield framework.

The White House stated that the Trans-Atlantic Data Privacy Framework “will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union when it struck down in 2020 the Commission’s adequacy decision underlying the EU-US Privacy Shield framework”.

According to the joint statement of the US and the European Commission, “under the Trans-Atlantic Data Privacy Framework, the United States is to put in place new safeguards to ensure that signals surveillance activities are necessary and proportionate in the pursuit of defined national security objectives, establish a two-level independent redress mechanism with binding authority to direct remedial measures, and enhance rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance activities”.

This new Trans-Atlantic Data Privacy Framework has been a strenuous work in the making and reflects more than a year of detailed negotiations between the US and EU led by Secretary of Commerce Gina Raimondo and Commissioner for Justice Didier Reynders.

It is hoped that this new framework will provide a durable basis for the data flows between the EU and the US, and underscores the shared commitment to privacy, data protection, the rule of law, and the collective security.

Like the Privacy Shield before, this new framework will represent a self-certification with the US Department of Commerce. Therefore, it will be crucial for data exporters in the EU to ensure that their data importers are certified under the new framework.

The establishment of a new “Data Protection Review Court” will be the responsible department in cases of the new two-tier redress system that will allow EU citizens to raise complaints in cases of access of their data by US intelligence authorities, aiming at investigating and resolving the complaints.

The US’ commitments will be concluded by an Executive Order, which will form the basis of the adequacy decision by the European Commission to put the new framework in place. While this represents a quicker solution to reach the goal, it also means that Executive Orders can be easily repealed by the next government of the US. Therefore, it remains to be seen if this new framework, so far only agreed upon in principle, will bring the much hoped closure on the topic of trans-Atlantic data flows that is intended to bring.

Belgian DPA declares technical standard used for cookie banner for consent requests illegal

28. March 2022

In a long-awaited decision on the Transparency and Consent Framework (TCF), the Belgian data protection authority APD concludes that this technical standard, which advertisers use to collect consent for targeted advertising on the Internet, does not comply with the principles of legality and fairness. Accordingly, it violates the GDPR.

The ADP’s decision is aligned with other European data protection authorities and has consequences for cookie banners and behavioral online advertising in the EU. The advertising association IAB Europe, which develops and operates the TCF system, must now delete the personal data collected in this way and pay a fine of 250,000 euros. In addition, conditions have been determined for the advertising industry under which the TCF may continue to be used at all.

Almost all companies, including advertising companies such as Google or Amazon, use the mechanism to pass on users’ presumed consent to the processing of their personal data for personalized advertising purposes. This decision will have a major impact on the protection of users’ personal data. This is also confirmed by Hielke Hijmans from APD.

The basic structure of the targeted advertising system is that each visit to a participating website triggers an auction among the providers of advertisements. Based on the desired prices and the user’s data profile, among other things, a decision is made in milliseconds as to which advertisements she will see. For this real-time bidding (RTB) to work, the advertising companies collect data to compile target groups for ads.

If users accept cookies or do not object that the use of their data is in the legitimate interest of the provider, the TCF generates a so-called TC string, which contains information about consent decisions. This identifier forms the basis for the creation of individual profiles and for the auctions in which advertising spaces and, with them, the attention of the desired target group are auctioned off, and is forwarded to partners in the OpenRTB system.

According to the authority, the TC strings already constitute personal data because they enable users to be identified with the IP address and the cookies set by the TCF. In addition, IAB Europe is said to be jointly legally responsible for any data processing via the framework, although IAB Europe has not positioned itself as a data processor, only as a provider of a standard.
The TCF envisions advertising providers invoking a “legitimate interest” in data collection in cookie banners that pop up all the time, rather than asking for consent. This would have to be prohibited, for example, for it to be lawful. The principles of privacy by design and by default are also violated, since consent is literally tricked by design tricks, the data flows are not manageable, and revocation of consent is hardly possible.

EDPB publishes draft Guidelines regarding data transfer clarifications

25. November 2021

On November 19th, 2021, the European Data Protection Board (EDPB) published a new set of draft Guidelines 05/2021 on the interplay between the EU General Data Protection Regulation’s (GDPR) territorial scope, and the GDPR’s provisions on international data transfers.

The EDPB stated in their press release that “by clarifying the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V, the Guidelines aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.”

The Guidelines set forth three cumulative criteria to consider in determining whether a processing activity qualifies as an international data transfer under the GDPR, namely:

  • the exporting controller or processor is subject to the GDPR for the given processing activity,
  • the exporting controller or processor transmits or makes available the personal data to the data importer (e.g., another controller, joint controller, or a processor and
  • the data importer is in a third country (or is an international organization), irrespective of whether the data importer or its processing activities are subject to the GDPR.

If all three requirements are met, the processing activity is to be considered an international data transfer under the GDPR, which results in the requirements of Chapter V of the GDPR to be applicable.

The Guidelines further clarify that the safeguards implemented to accommodate the international data transfer must be tailored to the specific transfer at issue. In an example, the EDPB indicates that the transfer of personal data to a controller in a third country that is subject to the GDPR will generally require fewer safeguards. In such a case, the transfer tool should focus on the elements and principles that are specific to the importing jurisdiction. This includes particularly conflicting national laws, government access requests in the receiving third country and the difficulty for data subjects to obtain redress against an entity in the receiving third country.

The EDPB offers its support in developing a transfer tool that would cover the above-mentioned situation.

The Guidelines are open for public consultation until January, 31st, 2022.

The EU Whistleblowing Directive – An Overview

29. September 2021

The EU Whistleblower Directive was published in December 2019 and introduces minimum standards for the protection of individuals reporting breaches of EU law governing different areas of public interest, which are specified in the annex to the EU Whistleblower Directive. These include inter alia privacy and personal data protection as well as security of network information systems. The Directive aims to protect individuals who have become aware of such breaches in a work-related context, irrespective of their status from an employment law prospective. Employees, civil servants, self-employed service providers, freelance workers as well as volunteers and trainees and even shareholders will now be protected under the Whistleblower Directive.

Status of implementation in the EU Member states

EU member states are obliged to adapt the Whistleblower Directive into national law until December 17th, 2021. So far, the implementation is in process for at least 21 Member States.

Legislative proposals have been drafted in the following member states, and are up for discussion in their respective parliaments:

  • Belgium,
  • the Czech Republic,
  • Denmark,
  • France,
  • Romania,
  • the Netherlands.

First legislative steps have been taken in the following member states, where drafts are currently being planned or prepared:

  • Bulgaria,
  • Croatia,
  • Estonia,
  • Finland,
  • Greece,
  • Ireland,
  • Latvia,
  • Lithuania,
  • Poland,
  • Portugal.

Slovakia and Slovenia have enacted laws in first reaction to the Directive, however new laws for a full implementation are underway. In Germany, there is currently no comprehensive law that implements the Whistleblower Directive. At the time of this writing, a number of proposals are in development. The concrete implementation of the Directive in Germany has remained controversial between the governing parties. A draft bill of the Whistleblower Protection Act (Hinweisgeberschutzgesetz) submitted by the Federal Ministry of Justice was rejected within the government at the end of April 2021 because it provided for stricter regulations than the EU Directive.  A new draft is yet to be passed on to the next stage.

Naturally, operating channels and procedures for internal reporting of EU law breaches will inevitably involve the processing of personal data, and the EU legislators were clearly aware of the consequences, as the Whistleblower Directive generally states that any processing of personal data pursuant to the Whistleblower Directive must be carried out in accordance with EU data protection law and the General Data Protection Regulation (GDPR) in particular.

What this means for companies in the EU

In order for companies to understand how to comply with the EU Whistleblower Directive, it is important for businesses to keep the following data protection elements in mind:

  • Handle reports and the personal data of the reporter/whistleblower according to the principles of Art. 5 GDPR: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability;
  • Have a legal basis for the processing of personal data and whistleblower reports (in this case Art. 6 para. 1 lit. c GDPR plus if applicable national data protection law in conjunction with the EU Whistleblower Directive);
  • Purpose limitation and data minimization for reports through Privacy by Design and Default (configuration of the reporting tool in a way that allows only data relevant to the report to be collected, irrelevant data should be deleted without undue delay);
  • Limit access to the reports by responsible employees only based on a strict and detailed authorization concept (Need-to-Know basis);
  • Ensure that the identity of the reporter/whistleblower remains confidential;
  • Inform all (potential) reporters/whistleblowers about the data processing activity in relation to the report and the following investigation process according to Art. 13 GDPR and the protection of their identity (preferably implemented in the reporting tools, so that the reporter/whistleblower is properly informed);
  • Documentation of the processing activity in a Record of Processing Activities according to Art. 30 GDPR;
  • Enter into GDPR compliant Data Processing Agreements with relevant service providers, if applicable;
  • Have applicable and GDPR compliant Technical and Organizational Measures in place;
  • Have a Retention Schedule in place (recommended deletion of personal data within two months after completion of the investigation unless legal proceedings follow);
  • Keep reports local unless necessary to disclose to other group entities due to the reports affecting other locations.

To date, there is very little official guidance available from EU data protection regulators. Sooner or later, EU data protection regulators will have to either issue updated guidance before the transposition laws at EU Member State level kick in or will encourage industry stakeholders to draw up a code of conduct for whistleblower reporting.

On the business side, successful implementation can protect your business and promote a better workplace culture. The Directive establishes three options for the reporting of information by whistleblowers:

  • Internal reporting channel within the business which are mandatory according to the Directive for businesses with 50 or more employees,
  • External reporting Channels facilitated through relevant authorities on a national or EU-level,
  • Under certain circumstances, the whistleblower can decide to publicly report the information, e.g. via social media.

These channels can either be:

  • Written – online reporting platform, email or post,
  • Verbal – phone hotline with messaging system or in-person.

We recommend staying updated on the developments on the EU Whistleblower Directive and the status of implementation within the EU member states. In the meantime, if you have questions on how the EU Whistleblower Directive might impact your business in Germany and the EU, do not hesitate to contact us.

European Commission Adopts UK Adequacy Decisions

5. July 2021

On June 28, 2021, the European Commission adopted two adequacy decisions for the United Kingdom, one under the General Data Protection Regulation (GDPR) and another under the Law Enforcement Directive.

This means that organizations in the EU can continue to transfer personal data to organizations in the UK without restriction and fear of repercussions. Thus, there is no need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection while transferring personal data, which represents a relief as the bridging mechanism of the interim period decided on after Brexit set out to expire by the end of June 2021.

The European Commission found the U.K.’s data protection system has continued to incorporate to the same rules that were applicable when it was an EU member state, as it had “fully incorporated” the principles, rights and obligations of the GDPR and Law Enforcement Directive into its post-Brexit legal system.

The Commission also noted the U.K. system provides strong safeguards in regards to how it handles personal data access by public authorities, particularly for issues of national security.

In regards to criticism of potential changes in the UK’s legal system concerning personal data, Věra Jourová, Vice-President for Values and Transparency stated that: „We have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK’s privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.“

The Commission highlighted that the collection of data by UK intelligence authorities is legally subject to prior authorization by an independent judicial body and that any access to data needs to be necessary and proportionate to the purpose pursued. Individuals also have the ability to seek redress in the UK Investigatory Powers Tribunal.

Belgian DPA planning to suspend websites that infringe GDPR

8. December 2020

The Belgian Data Protection Authority (DPA) signed a Cooperation Agreement on November 26, 2020, with DNS Belgium, the organization behind the management of the “.be” country-code domain name. The background is to allow DNS Belgium to suspend “.be” websites that are infringing the GDPR. The Agreement builds up a two-tier cooperation system, which aims at identifying infringements and suspending the websites if no action is taken.

The first step is a cooperative investigation, for which DNS Belgium has to support the Belgian DPA by providing all information necessary for the investigation.

The second step is the “Notice and Action” procedure, during which, if the Belgian DPA’s Investigation Service considers a data processing activity conducted via a website with a “.be” domain name to infringe one of the data protection principles under the GDPR, and the responsible data controller or data processor does not comply with the DPA’s order to suspend, limit, freeze or end the data processing activity, the Investigation Service is authorized to send a “Notice and Action” notification to DNS Belgium. Once DNS Belgium receives the “Notice and Action” notification, they will proceed to inform the website owner about the infringement and re-direct the relevant domain name to a warning page of the Belgian DPA.

The website owner can take remedial measures within 14 days to remedy the infringement, upon which he can indicate it to the Belgian DPA. If the Belgian DPA does not contest the measures taken, the relevant domain name will be restored. However, if the infringement is not remediated during the 14-day period, the website will continuously to be re-directed to the Belgian DPA’s warning page for a period of six months. After this time the website will be cancelled and placed in quarantine for 40 days before becoming available for registration once again.

Due to the heavy penalty in cases of a controller not taking any action to remedy the infringement, this action by the Belgian DPA is only possible in cases of infringements that cause very serious harm and are committed by natural or legal persons who deliberately infringe the law, or continue a data processing activity despite a prior order by the Investigation Service of the Belgian DPA to suspend, limit, freeze or end the processing activity.

It is to note that the Inspector General of the Belgian DPA can provide extra time to a website owner to comply with the relevant data protection requirements at the Inspector General’s discretion. However, this will depend on a case by case basis and on the cooperation of the website owner.

Experian to appeal ICO’s decision regarding handling of personal data

29. October 2020

On October 27th, 2020 the Information Commissioner’s Office (ICO) issued an enforcement notice against the credit reference agency Experian Limited, ordering it to make fundamental changes to how it handles personal data related to its direct marketing services in the United Kingdom.

An ICO investigation found that at the three largest credit reference agencies (CRAs) in the UK significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. Experian, Equifax and TransUnion, were ‘trading, enriching and enhancing’ people’s personal data without their knowledge to provide direct marketing services. The data was used by commercial organisations, political parties for political campaigning, or charities for their fundraising campaigns. Some of the CRAs were also using profiling to generate new or previously unknown information about people.

While Equifax and TransUnion made adequate improvements to their marketing practices, the ICO found Experian’s efforts to be insufficient and the processing of personal data to remain non-compliant with the data protection law. As a result, Experian has been given an enforcement notice compelling it to make changes within nine months or it will face financial penalties under the GDPR.

Experian is going to appeal the decision by the ICO regarding the notice over data protection failures. In a statement, the Chief Executive Officer Brian Cassin said:

We disagree with the ICO’s decision today and we intend to appeal. At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis.

We share the ICO’s goals on the need to provide transparency, maintain privacy and ensure consumers are in control of their data. The Experian Consumer Information Portal makes it very easy for consumers to fully understand the ways we work with data and to opt out of having their data processed if they wish.

 

 

CIPL submits DSR “White Paper” to the EDPB as input for future Guidelines

16. July 2020

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its White Paper on Data Subject Rights (DSR) on July 8th, 2020, as input for the European Data Protection Board for future Guidelines on the subject.

The White Paper examines the effectiveness of the DSRs by keeping in mind the interpretation in the context of today’s data driven economy. It puts forth that the Guidelines should take into account new business models, data-driven processes and the data economy as well as the digitalisation of society.

In that aspect, the Paper offers suggestions for the EDPB to consider and reflect upon. Some few of the main subjects the Paper requests the Guidelines to touch on are:

  • Clarification of the requirements governing verification of the identity of individuals submitting DSR requests
  • Determination that the one-month deadline for responding to a DSR request will run from the point at which the request’s scope is clear and the identity of the requestor has been verified, additionally that extensions to the deadline may be justified in certain circumstances, e.g. where the controller receives an unusually high volume of DSR requests, etc.
  • Recognition that compelling interests of the organization, third-parties or society may limit DSR requests;
  • Limitations on excessive, unfounded or abusive requests from Data Subjects which are intended to disrupt the business;
  • Declaration of a proportionate approach in responding to DSR requests, particularly with regards to the cost to the organization.

Furthermore, the White Paper highlights the necessity to change the level of a DPO’s responsibility in regards to DSRs, dividing it across different team rather than making the DPO solely responsible for the DSR requests.

In addition, the Paper demands the EDPB to establish a better harmonization of the application of the DSRs across the European Union, which comes from differences in Guidelines made by the different Data Protection Authorities (DPAs). The EDPB should have in its interest to establish common ground for the handling of DSRs and the related requests, as well as the handling of infringements in the matter by DPAs.

The Paper stems from the EDPB stakeholders’ event on DSR in Brussels on November 4, 2019, and was drafted to visualize certain issues on the matter to the EDPB which have crystalized themselves in the two years since the application of the GDPR.

EU Commission highlights necessary preparations for end of Brexit transitioning period

14. July 2020

The European Commission has published a communication on July 9th, 2020, in order to highlight the main areas of change in view of the upcoming end of the transitional Brexit period before January 1st, 2021.

The communication aims to facilitate readiness and preparations for citizens, businesses and stockholders once the UK leaves the European Union. The European Commission states that readiness for these broad and far reaching changes is key, especially since they will take place regardless of the outcome of the negotiations between the UK and the EU.

The communication breaches subjects such as trade in goods, trade in services, energy, travelling and tourism, mobility and social security coordination, company law and civil law, intellectual property, data transfers and protection and international agreements of the EU.

The communication also includes advice in each of those areas and subjects for businesses to be able to start preparations in order to cope with the changes ahead.

With a view on data protection, the European Commission’s communication states that data transfers can continue after January 1st, 2021, however they will have to comply with EU rules and regulations for Third Country Transfers as put forth by the General Data Protection Regulation (GDPR). The Commission specifies the tools set out in Chapter V of the GDPR, which include Binding Corporate Rules, Standard Contractual Clauses, as well as an Adequacy Decision by the European Commission. The communication states that the EU will try its best to conclude the assessment of the UK regime by the end of 2020, in order to give at least some form of security for data transfers after the transitional period ends. On sides of the United Kingdom, the Adequacy of the European union is guaranteed until 2024.

The advice of the European Commission emphasizes compliancy with the GDPR as the best preparation for the Brexit, but lacks security as to what will happen on January 1st, 2021, especially with regards to the future applicable laws.

Belgian DPA releases Direct Marketing Recommendation

4. March 2020

On February 10, 2020, Belgium’s Data Protection Authority (the Belgian DPA) has released their first recommendation of 2020 in relation to data processing activities for direct marketing purposes.

In the recommendation the Belgian DPA addressed issues and action proposals in regards to the handling of direct marketing and the personal data which is used in the process. It emphasized the importance of direct marketing subjects in the upcoming years, and stated that the DPA will have a special priority in regards to issues on the matter.

In particular, the recommendation elaborates on the following points, in order to help controllers navigate through the different processes:

  • The processing purposes must be specific and detailed. A simple mention of “marketing purposes” is not deemed sufficient in light of Art. 13 GDPR.
  • It is important to guarantee data minimization, as the profiling that accompanies direct marketing purposes calls for a careful handling of personal data.
  • The right to object does not only affect the direct marketing activities, but also the profiling which takes places through them. Furthermore, a simple “Unsubscribe” button at the end of a marketing E-Mail is not sufficient to withdraw consent, it is rather recommended to give the data subject the opportunity to a granular selection of which direct marketing activities they object to.
  • Consent cannot be given singularly for all channels of direct marketing. A declaration for each channel has to be obtained to ensure specification towards content and means used for direct marketing.

The Belgian DPA also stated that there are direct marketing activities which require special attention in the future, namely purchasing, renting and enriching personal data, e.g. via data brokers. In such cases, it is necessary to directly provide appropriate information to the data subject in regards to the handling of their data.

Further topics have been brought forth in the recommendation, which overall represents a thorough proposal on the handling of direct marketing activities for controller entities.

Pages: 1 2 3 Next
1 2 3