Tag: General Data Protection Regulation

CNIL publishes model regulation on access control through biometric authentication at the workplace

9. April 2019

The French data protection authority CNIL has published a model regulation which regulates under which conditions devices for access control through biometric authentication may be introduced at the workplace.

Pursuant to Article 4 paragraph 14 of the General Data Protection Regulation (GDPR), biometric data are personal data relating to the physical, physiological or behavioural characteristics of a natural person, obtained by means of specific technical processes, which enable or confirm the unambiguous identification of that natural person. According to Article 9 paragraph 4 GDPR, the member states of the European Union may introduce or maintain additional conditions, including restrictions, as far as the processing of biometric data is concerned.

The basic requirement under the model regulation is that the controller proves that biometric data processing is necessary. To this end, the controller must explain why the use of other means of identification or organisational and technical safeguards is not appropriate to achieve the required level of security.

Moreover, the choice of biometric types must be specifically explained and documented by the employer. This also includes the justification for the choice of one biometric feature over another. Processing must be carried out for the purpose of controlling access to premises classified by the company as restricted or of controlling access to computer devices and applications.

Furthermore, the model regulation of the CNIL describes which types of personal data may be collected, which storage periods and conditions apply and which specific technical and organisational measures must be taken to guarantee the security of personal data. In addition, CNIL states that before implementing data processing, the controller must always carry out an impact assessment and a risk assessment of the rights and freedoms of the individual. This risk assessment must be repeated every three years for updating purposes.

The data protection authority also points out that the model regulation does not exempt from compliance with the regulations of the GDPR, since it is not intended to replace its regulations, but to supplement or specify them.

Advocate General: No Valid Cookie Consent When Checkbox Is Pre-ticked

25. March 2019

On 21 of March Maciej Szpunar, Advocate General of the European Court of Justice, delivered his Opinion in the case of Planet24 GmbH against Bundesverband Verbraucherzentralen und Vebraucherverbände – Verbaucherzentrale Bundesverband e.V. (Federal Association of Consumer Organisations). In the Opinion, Szpunar explains how to obtain valid consent for the use of cookies.

In the case in question, Planet24 GmbH has organised a lottery campaign on the internet. When registering to participate in the action lottery, two checkboxes appeared. The first checkbox, which did not contain a pre-selected tick, concerned permission for sponsors and cooperation partners to contact the participant in order to inform him of their offers. The second checkbox, which was already ticked off, concerned the consent to the setting of cookies, which evaluate the user’s surfing and usage behaviour.

The Federal Association held that the clauses used infringed german law, in particular Article 307 of the BGB, Article 7(2), point 2, of the UWG and Article 12 et seq. of the TMG and filed a lawsuit in 2014 after an unsuccessful warning.

In the course of the instances, the case ended up at the German Federal Supreme Court in 2017. The German Federal Court considers that the success of the case depends on the interpretation of Articles 5(3) and 2(f) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46, and of Article 6(1)(a) of Regulation 2016/679. For that reason, it asked the European Court of Justice the following questions for a preliminary ruling:

(1) Does consent given on the basis of a pre-ticked box meet the requirements for valid consent under the ePrivacy Directive, the EU Data Protection Directive and the EU General Data Protection Regulation (the GDPR)?

(2) What information does the service provider have to provide to the user and does this include the duration of the use of cookies and whether third parties have access to the cookies?

According to the Advocate General, there is no valid consent if the checkbox is already ticked. In such case, the user must remove the tick, i.e. become active if he/she does not agree to the use of cookies. However, this would contradict the requirement of an active act of consent by the user. It is necessary for the user to explicitly consent to the use of cookies. Therefore, it is also not sufficient if one checkbox is used to deal with both the use of cookies and participation in the action lottery. Consent must be given separately. Otherwise the user is not in the position to freely give a separate consent.

In addition, Szpunar explains that the user must be provided with clear and comprehensive information that enables the user to easily assess the consequences of his consent. This requires that the information provided is unambiguous and cannot be interpreted. For this purpose, the information must contain details such as the duration of the operation of cookies, as well as whether third parties have access to the cookies.

Dutch DPA: Cookie walls do not comply with GDPR

11. March 2019

The Dutch data protection authority, Autoriteit Persoonsgegevens, clarified on 7th of March 2019 that the use of websites must remain accessible when tracking cookies are not accepted. Websites that allow users to access only if they agree to the use of tracking cookies or other similar means to track and record their behavior do not comply with the General Data Protection Regulation, GDPR.

The Dutch DPA’s decision was prompted by numerous complaints from website users who no longer had access to the websites after refusing the usage of tracking cookies.

The Dutch DPA noted that the use of tracking software is generally allowed. Tracking the behaviour of website users, however, must be based on sufficient consent. In order to be compliant with the GDPR, permission must be given freely. In the case of so-called cookie walls the user has no access to the website if he does not agree to the setting of cookies. In this way, pressure is exerted on the user to disclose his personal data. Nevertheless, according to the GDPR a consent has not been given voluntarily if no free or no real choice exists.

With publication of the explanation the Dutch DPA demands organizations to make their practice compliant with the GDPR. The DPA has already written to those organisations about which the users have complained the most. In addition, it announced that it would intensify its monitoring in the near future in order to examine whether the standard is applied correctly in the interest of data protection.

EDPB publishes information note on data transfer in the event of a no-deal Brexit

25. February 2019

The European Data Protection Board has published an information note to explain data transfer to organisations and facilitate preparation in the event that no agreement is reached between the EEA and the UK. In case of a no-deal Brexit, the UK becomes a third country for which – as things stand at present – no adequacy decision exists.

EDPB recommends that organisations transferring data to the UK carry out the following five preparation steps:

• Identify what processing activities will imply a personal data transfer to the UK
• Determine the appropriate data transfer instrument for your situation
• Implement the chosen data transfer instrument to be ready for 30 March 2019
• Indicate in your internal documentation that transfers will be made to the UK
• Update your privacy notice accordingly to inform individuals

In addition, EDPB explains which instruments can be used to transfer data to the UK:
– Standard or ad hoc Data Protection Clauses approved by the European Commission can be used.
– Binding Corporate Rules for data processing can be defined.
– A code of conduct or certification mechanism can be established.

Derogations are possible in the cases mentioned by article 49 GDPR. However, they are interpreted very restrictively and mainly relate to processing activities that are occasional and non-repetitive. Further explanations on available derogations and how to apply them can be found in the EDPB Guidelines on Article 49 of GDPR.

The French data protection authority CNIL has published an FAQ based on the information note of the EDPB, explaining the consequences of a no-deal Brexit for the data transfer to the UK and which preparations should be made.

European Commission adopts adequacy decision on Japan

28. January 2019

The European Commission adopted an adequacy decision for Japan on the 23rd of January 2019, enabling data flows to take place freely and safely. The exchange of personal data is based on strong safeguards that Japan has put in place in advance of the adequacy decision to ensure that the transfer of data complies with EU standards.

The additional safeguards include:

– A set of rules (Supplementary Rules), which will cover the differences between the two data protection systems. This should strengthen the protection of sensitive data, the exercise of personal rights and the conditions under which EU data can be further transferred to another third country. These additional rules are binding in particular on Japanese companies importing data from the EU. They can also be enforced by the independent Japanese data protection authority (PPC) as well as by courts.

– Also, safeguards have been established concerning access by Japanese authorities for law enforcement and national security purposes. In this regard, the Japanese Government has given assurances to the Commission and has ensured that the use of personal data is limited to what is necessary and proportionate and is subject to independent supervision and redress.

– A complaint handling mechanism to investigate and resolve complaints from Europeans regarding Japanese authorities’ access to their data. This new mechanism will be managed and monitored by Japan’s independent data protection authority.

The adequacy decision has been in force since 23rd of January 2019. After two years, the functioning of the framework will be reviewed for the first time. The subsequent reviews will take place at least every four years.

The adequacy decision also complements the EU-Japan Economic Partnership Agreement, which will enter into force in February 2019. European companies will benefit from free data flows as well as privileged access to the 127 million Japanese consumers.

 

CNIL fines Google for violation of GDPR

25. January 2019

On 21st of January 2019, the French Data Protection Authority CNIL imposed a fine of € 50 Million on Google for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

On 25th and 28th of May 2018, CNIL received complaints from the associations None of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). The associations accused Google of not having a valid legal basis to process the personal data of the users of its services.

CNIL carried out online inspections in September 2018, analysing a user’s browsing pattern and the documents he could access.

The committee first noted that the information provided by Google is not easily accessible to a user. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are spread across multiple documents. The user receives relevant information only after carrying out several steps, sometimes up to six are required. According to this, the scheme selected by Google is not compatible with the General Data Protection Regulation (GDPR). In addition, the committee noted that some information was unclear and not comprehensive. It does not allow the user to fully understand the extent of the processing done by Google. Moreover, the purposes of the processing are described too generally and vaguely, as are the categories of data processed for these purposes. Finally, the user is not informed about the storage periods of some data.

Google has stated that it always seeks the consent of users, in particular for the processing of data to personalise advertisements. However, CNIL declared that the consent was not valid. On the one hand, the consent was based on insufficient information. On the other hand, the consent obtained was neither specific nor unambiguous, as the user gives his or her consent for all the processing operations purposes at once, although the GDPR provides that the consent has to be given specifically for each purpose.

This is the first time CNIL has imposed a penalty under the GDPR. The authority justified the amount of the fine with the gravity of the violations against the essential principles of the GDPR: transparency, information and consent. Furthermore, the infringement was not a one-off, time-limited incident, but a continuous breach of the Regulation. In this regard, according to CNIL, the application of the new GDPR sanction limits is appropriate.

Update: Meanwhile, Google has appealed, due to this a court must decide on the fine in the near future.

Privacy International accuses seven companies of violating the GDPR

13. November 2018

On November 8th, Privacy International – a British non-governmental organisation – has filed complaints against seven data brokers (Axiom, Oracle), ad-tech companies (Criteo, Quandcast, Tapad) and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland and the UK.

Privacy International accuses those companies of violating the GDPR: They all collect personal data from a wide variety of sources and merge them into individual profiles. Therefore, information from different areas of an individual’s life flow together to create a comprehensive picture e.g. online and offline shopping behaviour, hobbies, health, social life, income situation.

According to Privacy International, the companies not only deal with the collected data, but also with the conclusions they draw about their data subjects: Life situation, personality, creditworthiness. Among their customers are other companies, individuals and governments. Privacy International accuses them to violate data protection principals such as transparency, purpose limitation, data minimisation, integrity and confidentiality.

Furthermore, the companies have no valid legal basis for the processing of personal data, in particular for the purpose of profiling. According to Privacy International, where those companies claim to have the consent of the data subjects, they cannot prove how this consent was given, nor that the data subjects voluntarily provided it after sufficient and clear information.

“Without urgent and continuous action, data will be used in ways that people cannot now even imagine, to define and manipulate our lives without us being to understand why or being able to effectively fight back,” Frederike Kaltheuner, Privacy International’s data exploitation programme lead, said.

With its complaint, Privacy International takes advantage of a new possibility for collective enforcement of data protection created by the GDPR. The Regulation allows non-profit organisations or associations to use supervisory procedures to represent data subjects (Art. 80 GDPR).

Many companies have not started preparing for the GDPR

27. June 2017

The General Data Protection Regulation (GDPR) will be applicable to all EU Member States from May 25th 2018. The GDPR will not just apply to EU companies, but also to non-EU companies that have dealings with data subjects that are located in the EU (see also Art. 3 (2) GDPR).

Companies, in specific, that fall under the regulations of the GDPR should be prepared to fulfil the requirements that are stated by the GDPR, due to the risk of an imposition of a fine if they fail to comply with the GDPR. This is in particular relevant since the fines for infringements of the GDPR have increased significantly (see also Art. 83 GDPR).

The implementations that companies have to make to comply with the GDPR involve high expenses and probably will be more time consuming than expected in most cases, depending on the size and complexity of the company. Especially the time factor has to be considered since it is less than a year left until May 2018.

However, according to a report of TrustArc, 61 % of the asked companies have not yet started with the implementation of their GDPR compliance programs.

TrustArc interviewed 204 privacy professionals from companies of different industries that will fall under the GDPR. These companies were divided into three categories based on the count of their employees: 500-1000 employees, 1000-5000 employees and more than 5000 employees.

23 % stated that they have started with the necessary implementations, 11 % that the implementations are driven forward and just 4 % stated that they had finished all necessary implementations to reach GDPR compliance.

The Report also shows the cost that companies expect to be need to implement what will be necessary to comply with the GDPR. Overall, 83% expect that their expenses will be in the six figures.

Ten relevant practical consequences of the upcoming General Data Protection Regulation

22. January 2016

After several negotiations, the European Parliament, the European Council and the European Commission finally reached a consensus in December 2015 on the final version of the General Data Protection Regulation (GDPR), which is expected to be approved by the European Parliament in April 2016. The consolidated text of the GDPR involves the following practical consequences:

1) Age of data subject´s consent: although a specific, freely-given, informed and unambiguous consent was also required according to the Data Protection Directive (95/46 EC), the GDPR determines that the minimum age for providing a legal consent for the processing of personal data is 16 years. Nevertheless, each EU Member State can determine a different age to provide consent for the processing of personal data, which should not be below 13 years (Arts. 7 and 8 GDPR).

2) Appointment of a Data Protection Officer (DPO): the appointment of a DPO will be mandatory for public authorities and for data controllers whose main activity involves a regular monitoring of data subjects on a large scale or the processing of sensitive personal data (religion, health matters, origin, race, etc.). The DPO should have expert knowledge in data protection in order to ensure compliance, to be able to give advice and to cooperate with the DPA. In a group of subsidiaries, it will be possible to appoint a single DPO, if he/she is accessible from each establishment (Art. 35 ff. GDPR).

3) Cross-border data transfers: personal data transfers outside the EU may only take place if a Commission decision is in place, if the third country ensures an adequate level of protection and guarantees regarding the protection of personal data (for example by signing Standard Contractual Clauses) or if binding corporate rules have been approved by the respective Data Protection Authority (Art. 41 ff. GDPR).

4) Data security: the data controller should recognize any existing risks regarding the processing of personal data and implement adequate technical and organizational security measures accordingly (Art. 23 GDPR). The GDPR imposes strict standards related to data security and the responsibility of both data controller and data processor. Security measures should be implemented according to the state of the art and the costs involved (Art. 30 GDPR). Some examples of security measures are pseudonymization and encryption, confidentiality, data access and data availability, data integrity, etc.

5) Notification of personal data breaches: data breaches are defined and regulated for the first time in the GDPR (Arts. 31 and 32). If a data breach occurs, data controllers are obliged notify the breach to the corresponding Data Protection Authority within 72 hours after having become aware of it. In some cases, an additional notification to the affected data subjects may be mandatory, for example if sensitive data is involved.

6) One-stop-shop: if a company has several establishments across the EU, the competent Data Protection Authority, will be the one where the controller or processor’s main establishment is located. If an issue affects only to a certain establishment, the competent DPA, is the one where this establishment is located.

7) Risk-based approach: several compliance obligations are only applicable to data processing activities that involve a risk for data subjects.

8) The role of the Data Protection Authorities (DPA): the role of the DPA will be enforced. They will be empowered to impose fines for incompliances. Also, the cooperation between the DPA of the different Member States will be reinforced.

9) Right to be forgotten: after the sentence of the ECJ from May 2014, the right to be forgotten has been consolidated in Art. 17 of the GDPR. The data subject has the right to request from the data controller the erasure of his/her personal data if certain requirements are fulfilled.

10) Data Protection Impact Assesment (PIA): this assessment should be conducted by the organization with support of the DPO. Such an assessment should belong to every organization’s strategy. A PIA should be carried out before starting any data processing operations (Art. 33 GDPR).