Tag: General Data Protection Regulation

European Commission Adopts UK Adequacy Decisions

5. July 2021

On June 28, 2021, the European Commission adopted two adequacy decisions for the United Kingdom, one under the General Data Protection Regulation (GDPR) and another under the Law Enforcement Directive.

This means that organizations in the EU can continue to transfer personal data to organizations in the UK without restriction and fear of repercussions. Thus, there is no need to rely upon data transfer mechanisms, such as the EU Standard Contractual Clauses, to ensure an adequate level of protection while transferring personal data, which represents a relief as the bridging mechanism of the interim period decided on after Brexit set out to expire by the end of June 2021.

The European Commission found the U.K.’s data protection system has continued to incorporate to the same rules that were applicable when it was an EU member state, as it had “fully incorporated” the principles, rights and obligations of the GDPR and Law Enforcement Directive into its post-Brexit legal system.

The Commission also noted the U.K. system provides strong safeguards in regards to how it handles personal data access by public authorities, particularly for issues of national security.

In regards to criticism of potential changes in the UK’s legal system concerning personal data, Věra Jourová, Vice-President for Values and Transparency stated that: „We have listened very carefully to the concerns expressed by the Parliament, the Members States and the European Data Protection Board, in particular on the possibility of future divergence from our standards in the UK’s privacy framework. We are talking here about a fundamental right of EU citizens that we have a duty to protect. This is why we have significant safeguards and if anything changes on the UK side, we will intervene.“

The Commission highlighted that the collection of data by UK intelligence authorities is legally subject to prior authorization by an independent judicial body and that any access to data needs to be necessary and proportionate to the purpose pursued. Individuals also have the ability to seek redress in the UK Investigatory Powers Tribunal.

Belgian DPA planning to suspend websites that infringe GDPR

8. December 2020

The Belgian Data Protection Authority (DPA) signed a Cooperation Agreement on November 26, 2020, with DNS Belgium, the organization behind the management of the “.be” country-code domain name. The background is to allow DNS Belgium to suspend “.be” websites that are infringing the GDPR. The Agreement builds up a two-tier cooperation system, which aims at identifying infringements and suspending the websites if no action is taken.

The first step is a cooperative investigation, for which DNS Belgium has to support the Belgian DPA by providing all information necessary for the investigation.

The second step is the “Notice and Action” procedure, during which, if the Belgian DPA’s Investigation Service considers a data processing activity conducted via a website with a “.be” domain name to infringe one of the data protection principles under the GDPR, and the responsible data controller or data processor does not comply with the DPA’s order to suspend, limit, freeze or end the data processing activity, the Investigation Service is authorized to send a “Notice and Action” notification to DNS Belgium. Once DNS Belgium receives the “Notice and Action” notification, they will proceed to inform the website owner about the infringement and re-direct the relevant domain name to a warning page of the Belgian DPA.

The website owner can take remedial measures within 14 days to remedy the infringement, upon which he can indicate it to the Belgian DPA. If the Belgian DPA does not contest the measures taken, the relevant domain name will be restored. However, if the infringement is not remediated during the 14-day period, the website will continuously to be re-directed to the Belgian DPA’s warning page for a period of six months. After this time the website will be cancelled and placed in quarantine for 40 days before becoming available for registration once again.

Due to the heavy penalty in cases of a controller not taking any action to remedy the infringement, this action by the Belgian DPA is only possible in cases of infringements that cause very serious harm and are committed by natural or legal persons who deliberately infringe the law, or continue a data processing activity despite a prior order by the Investigation Service of the Belgian DPA to suspend, limit, freeze or end the processing activity.

It is to note that the Inspector General of the Belgian DPA can provide extra time to a website owner to comply with the relevant data protection requirements at the Inspector General’s discretion. However, this will depend on a case by case basis and on the cooperation of the website owner.

Experian to appeal ICO’s decision regarding handling of personal data

29. October 2020

On October 27th, 2020 the Information Commissioner’s Office (ICO) issued an enforcement notice against the credit reference agency Experian Limited, ordering it to make fundamental changes to how it handles personal data related to its direct marketing services in the United Kingdom.

An ICO investigation found that at the three largest credit reference agencies (CRAs) in the UK significant ‘invisible’ processing took place, likely affecting millions of adults in the UK. Experian, Equifax and TransUnion, were ‘trading, enriching and enhancing’ people’s personal data without their knowledge to provide direct marketing services. The data was used by commercial organisations, political parties for political campaigning, or charities for their fundraising campaigns. Some of the CRAs were also using profiling to generate new or previously unknown information about people.

While Equifax and TransUnion made adequate improvements to their marketing practices, the ICO found Experian’s efforts to be insufficient and the processing of personal data to remain non-compliant with the data protection law. As a result, Experian has been given an enforcement notice compelling it to make changes within nine months or it will face financial penalties under the GDPR.

Experian is going to appeal the decision by the ICO regarding the notice over data protection failures. In a statement, the Chief Executive Officer Brian Cassin said:

We disagree with the ICO’s decision today and we intend to appeal. At heart this is about the interpretation of GDPR and we believe the ICO’s view goes beyond the legal requirements. This interpretation also risks damaging the services that help consumers, thousands of small businesses and charities, particularly as they try to recover from the COVID-19 crisis.

We share the ICO’s goals on the need to provide transparency, maintain privacy and ensure consumers are in control of their data. The Experian Consumer Information Portal makes it very easy for consumers to fully understand the ways we work with data and to opt out of having their data processed if they wish.

 

 

CIPL submits DSR “White Paper” to the EDPB as input for future Guidelines

16. July 2020

The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its White Paper on Data Subject Rights (DSR) on July 8th, 2020, as input for the European Data Protection Board for future Guidelines on the subject.

The White Paper examines the effectiveness of the DSRs by keeping in mind the interpretation in the context of today’s data driven economy. It puts forth that the Guidelines should take into account new business models, data-driven processes and the data economy as well as the digitalisation of society.

In that aspect, the Paper offers suggestions for the EDPB to consider and reflect upon. Some few of the main subjects the Paper requests the Guidelines to touch on are:

  • Clarification of the requirements governing verification of the identity of individuals submitting DSR requests
  • Determination that the one-month deadline for responding to a DSR request will run from the point at which the request’s scope is clear and the identity of the requestor has been verified, additionally that extensions to the deadline may be justified in certain circumstances, e.g. where the controller receives an unusually high volume of DSR requests, etc.
  • Recognition that compelling interests of the organization, third-parties or society may limit DSR requests;
  • Limitations on excessive, unfounded or abusive requests from Data Subjects which are intended to disrupt the business;
  • Declaration of a proportionate approach in responding to DSR requests, particularly with regards to the cost to the organization.

Furthermore, the White Paper highlights the necessity to change the level of a DPO’s responsibility in regards to DSRs, dividing it across different team rather than making the DPO solely responsible for the DSR requests.

In addition, the Paper demands the EDPB to establish a better harmonization of the application of the DSRs across the European Union, which comes from differences in Guidelines made by the different Data Protection Authorities (DPAs). The EDPB should have in its interest to establish common ground for the handling of DSRs and the related requests, as well as the handling of infringements in the matter by DPAs.

The Paper stems from the EDPB stakeholders’ event on DSR in Brussels on November 4, 2019, and was drafted to visualize certain issues on the matter to the EDPB which have crystalized themselves in the two years since the application of the GDPR.

EU Commission highlights necessary preparations for end of Brexit transitioning period

14. July 2020

The European Commission has published a communication on July 9th, 2020, in order to highlight the main areas of change in view of the upcoming end of the transitional Brexit period before January 1st, 2021.

The communication aims to facilitate readiness and preparations for citizens, businesses and stockholders once the UK leaves the European Union. The European Commission states that readiness for these broad and far reaching changes is key, especially since they will take place regardless of the outcome of the negotiations between the UK and the EU.

The communication breaches subjects such as trade in goods, trade in services, energy, travelling and tourism, mobility and social security coordination, company law and civil law, intellectual property, data transfers and protection and international agreements of the EU.

The communication also includes advice in each of those areas and subjects for businesses to be able to start preparations in order to cope with the changes ahead.

With a view on data protection, the European Commission’s communication states that data transfers can continue after January 1st, 2021, however they will have to comply with EU rules and regulations for Third Country Transfers as put forth by the General Data Protection Regulation (GDPR). The Commission specifies the tools set out in Chapter V of the GDPR, which include Binding Corporate Rules, Standard Contractual Clauses, as well as an Adequacy Decision by the European Commission. The communication states that the EU will try its best to conclude the assessment of the UK regime by the end of 2020, in order to give at least some form of security for data transfers after the transitional period ends. On sides of the United Kingdom, the Adequacy of the European union is guaranteed until 2024.

The advice of the European Commission emphasizes compliancy with the GDPR as the best preparation for the Brexit, but lacks security as to what will happen on January 1st, 2021, especially with regards to the future applicable laws.

Belgian DPA releases Direct Marketing Recommendation

4. March 2020

On February 10, 2020, Belgium’s Data Protection Authority (the Belgian DPA) has released their first recommendation of 2020 in relation to data processing activities for direct marketing purposes.

In the recommendation the Belgian DPA addressed issues and action proposals in regards to the handling of direct marketing and the personal data which is used in the process. It emphasized the importance of direct marketing subjects in the upcoming years, and stated that the DPA will have a special priority in regards to issues on the matter.

In particular, the recommendation elaborates on the following points, in order to help controllers navigate through the different processes:

  • The processing purposes must be specific and detailed. A simple mention of “marketing purposes” is not deemed sufficient in light of Art. 13 GDPR.
  • It is important to guarantee data minimization, as the profiling that accompanies direct marketing purposes calls for a careful handling of personal data.
  • The right to object does not only affect the direct marketing activities, but also the profiling which takes places through them. Furthermore, a simple “Unsubscribe” button at the end of a marketing E-Mail is not sufficient to withdraw consent, it is rather recommended to give the data subject the opportunity to a granular selection of which direct marketing activities they object to.
  • Consent cannot be given singularly for all channels of direct marketing. A declaration for each channel has to be obtained to ensure specification towards content and means used for direct marketing.

The Belgian DPA also stated that there are direct marketing activities which require special attention in the future, namely purchasing, renting and enriching personal data, e.g. via data brokers. In such cases, it is necessary to directly provide appropriate information to the data subject in regards to the handling of their data.

Further topics have been brought forth in the recommendation, which overall represents a thorough proposal on the handling of direct marketing activities for controller entities.

Austrian data protection authority imposes 18 million euro fine

22. November 2019

The Austrian Data Protection Authority (DPA) has imposed a fine of 18 million euros on Österreichische Post AG (Austrian Postal Service) for violations of the GDPR.

The company had among other things collected data on the “political affinity” from 2.2 million customers, and thus violated the GDPR. Parties should be able to send purposeful election advertising to the Austrian inhabitants with this information.

In addition, they also collected data on the frequency of parcel deliveries and the relocation probability of customers, so that these can be used for direct marketing.

The penalty is not yet final. Österreichische Post AG, half of which belongs to the Austrian state, can appeal the decision before the Federal Administrative Court. The company has already announced its intention to take legal action.

CNIL updates its FAQs for case of a No-Deal Brexit

24. September 2019

The French data protection authority “CNIL” updated its existing catalogue of questions and answers (“FAQs”) to inform about the impact of a no-deal brexit and how controllers should prepare for the transfer of data from the EU to the UK.

As things stand, the United Kingdom will leave the European Union on 1st of November 2019. The UK will then be considered a third country for the purposes of the European General Data Protection Regulation (“GDPR”). For this reason, after the exit, data transfer mechanisms become necessary to transfer personal data from the EU to the UK.

The FAQs recommend five steps that entities should take when transferring data to a controller or processor in the UK to ensure compliance with GDPR:

1. Identify processing activities that involve the transfer of personal data to the United Kingdom.
2. Determine the most appropriate transfer mechanism to implement for these processing activities.
3. Implement the chosen transfer mechanism so that it is applicable and effective as of November 1, 2019.
4. Update your internal documents to include transfers to the United Kingdom as of November 1, 2019.
5. If necessary, update relevant privacy notices to indicate the existence of transfers of data outside the EU and EEA where the United Kingdom is concerned.

CNIL also discusses the GDPR-compliant data transfer mechanisms (e.g., standard contractual clauses, binding corporate rules, codes of conduct) and points out that, whichever one is chosen, it must take effect on 1st of November. If controllers should choose a derogation admissible according to GDPR, CNIL stresses that this must strictly comply with the requirements of Art. 49 GDPR.

Study shows behavior patterns of internet users regarding cookies

15. August 2019

Research has been carried out to see how European consumers interact with the cookie consent mechanisms online.

The study focused in particular on how consumers react to different designs of cookie pop-ups and how different design choices can influence users’ data protection choices. The researchers collected around 5000 cookie notices from leading websites to get an idea of how different cookie consent mechanisms are currently being implemented. They also worked with a German e-commerce site over a period of four months to investigate how more than 82,000 users of the site interacted with the different cookie consent designs. The designs were adapted by the researchers to analyse how different preferences and designs affect the individual’s decision.

Their research showed that the majority of cookie consent notices are placed at the bottom of the screen (58%), do not block interaction with the site (93%) and offer no other option than the confirmation button (86%), leaving the user no choice.

The majority (57%) also tries to get users consent through the design, for example by highlighting the “Agreed” button with a color, while the link to “more options” is made less visible.

The research showed that interaction with consent notices varied widely, between 5-55%, depending on where they were positioned or what preferences were set. More users clicked the “Accept” button when it was highlighted by color (50.8% on mobile, 26.9% on desktop). In contrast, only 39.2% on mobile and 21.1% on desktop clicked the “Accept” button if it was displayed as a text link. As for third parties, around 30% of mobile users and 10% of desktop users accepted all third parties if the checkboxes were preselected. On the other hand, only a small fraction (< 0.1%) allowed all third parties when given the opt-in choice.

They also found that the more choices are given in a cookie notice, the more likely it is that the visitor will refuse the use of cookies. In fact, they concluded that with GDPR-compliant cookie notices, where the website user is free to choose which cookie categories to activate, only 0.1% of users would allow all cookie categories to be set.

CNIL and ICO publish revised cookie guidelines

6. August 2019

The French data protection authority CNIL as well as the British data protection authority ICO have revised and published their guidelines on cookies.

The guidelines contain several similarities, but also differ in some respects.

Both France and the UK consider rules that apply to cookies to be also applicable to any device that stores or accesses information. In addition, both authorities stress that users must give specific, free and unambiguous consent before cookies are placed. Further scrolling of the website cannot be considered as consent. Likewise, obtaining consent from T&Cs is not lawful. This procedure violates Art. 7 (2) of the General Data Protection Regulation (GDPR), according to which the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. In addition, all parties who place cookies must be named so that informed consent can be obtained. Finally, both authorities point out that browser settings alone are not a sufficient basis for valid consent.

With regard to the territorial scope, CNIL clarifies that the cookie rules apply only to the processing of cookies within the activities of an establishment of a controller or processor in France, regardless of whether the processing takes place in France. The English guideline does not comment on this.

Cookie walls are considered non-compliant with GDPR by the French data protection authority due to the negative consequences for the user in case of refusal. ICO, on the other hand, is of the opinion that a consent forced on the basis of a cookie wall is probably not valid. Nevertheless GDPR must be balanced with other rights. Insofar ICO has not yet delivered a clear position.

Regarding analytic cookies, CNIL explains that a consent is not always necessary, namely not if they correspond to a list of cumulative requirements created by CNIL. ICO, on the other hand, does not exempt cookies from the consent requirement even in the case of analytic cookies.

Finally, CNIL notes that companies have six months to comply with the rules. However, this period will only be set in motion by the publication of a statement by the CNIL, which is still pending. CNIL expects this statement to be finalised during the first quarter of 2020. The ICO does not foresee such a time limit.

Pages: 1 2 3 Next
1 2 3