One of the things we learnt yesterday is that, according to Max Schrems, the potential new data transfer agreement between the EU and the US is meant to buy time rather than solve the true problem with international data transfers from the EU to the US.
Our colleagues Jelmer and Dounia attended the PrivSec Amsterdam event, which brought together speakers from world-renowned companies and industries so that privacy professionals from different fields could share case studies and experiences. It included keynote speeches, presentations, panel discussions, and enough time to meet other privacy professionals.
Topics on yesterday’s program included Google Analytics, the cooperation between data protection and security teams, data retention, consumer trust and transparency, and DPIAs, amongst others. Max Schrems also gave a presentation on The Future of Online Privacy, GDPR Enforcement and The Battle Against Surveillance.
In his keynote speech Schrems explained why he believes that, even though the US plans to introduce a new Executive Order that includes a proportionality assessment, the new international data transfer agreement would not change anything and is meant to buy time: FISA and the PRISM program would still apply. The best solution in his eyes would be to raise the level of data protection in the US, amongst other things by introducing a federal privacy law.
He also warned organizations of the risk of lawsuits by individuals if they continue data transfers in violation of the GDPR, which could ultimately cost more than the fines imposed by data protection authorities.
For us, the Schrems keynote in particular was very interesting, because it confirmed that we should continue helping our clients with all the work required for Standard Contractual Clauses (SCCs) and Transfer Impact Assessments (TIAs). It is likely that a new framework will again be invalidated, and your organization should be able to fall back on at least a GDPR-compliant TIA where SCCs are used as the international data transfer mechanism.
Will the next data transfer agreement smoothen cross-border data flows?
G-7 leaders recently gathered in June to discuss the legal arrangements underpinning the bilateral data flows that exist among most G-7 members. The G-7 consists of the United States, United Kingdom, Germany, France, Italy, Japan, and Canada.
The goal of the meeting was to align regulators’ approaches to privacy and to better understand the domestic rules in each jurisdiction. Methods were discussed for moving data and for giving businesses a choice of cross-border transfer tools that suit their needs. Examples include techniques to properly anonymize data by stripping it of details that identify an individual, and the trend toward closer cooperation between antitrust and privacy regulators.
An important conclusion of the meeting was that countries need legislation ensuring that an individual’s personal data is only accessed where strictly necessary for national security purposes. That is easier said than done, however, especially after the Schrems II ruling and the criticism by European lawmakers of the United States’ intelligence practices. The lack of a federal privacy law guaranteeing privacy rights also plays a big role in this discussion.
The regulators of the G-7 countries wish to smoothen international business for many companies. To enable this, it is imperative to create a better understanding of how domestic rules currently affect certain kinds of information and of how it can be used and sold. Mr. Wiewiórowski, the European Data Protection Supervisor, does not believe the G-7 countries are ready to create such a market for cross-border data flows.
All in all, the next solution for smoothing cross-border data flows should address the complex points raised above, so that the next data transfer agreement is not invalidated like Safe Harbor and the Privacy Shield before it. There is a lot of work to be done. Until then, it is mandatory to fall back on the GDPR’s international data transfer mechanisms, including Standard Contractual Clauses (SCCs) combined with Transfer Impact Assessments (TIAs).
The European Data Protection Board (EDPB) has announced that its next coordinated enforcement action will focus on the data protection officer (DPO) designations.
The 22 Supervisory Authorities across the European Economic Area, along with the European Data Protection Supervisor, will launch investigations into aspects of the DPO requirements under the General Data Protection Regulation that are yet to be determined.
In a coordinated action, the EDPB prioritises a certain topic for data protection authorities to work on at a national level. The EDPB has further said that the individual actions will be “bundled and analysed, generating deeper insight into the topic and allowing for targeted follow-up on both national and EU level.”
What this will entail for the designation of DPOs is still unclear; once further information is made available, we will provide an update. If you have any questions about the designation of a DPO and the advantages of DPO-as-a-Service, contact us: firstname.lastname@example.org
Interpretation of special categories of personal data extended by CJEU
In August this year, the Court of Justice of the European Union (CJEU) issued a preliminary ruling in OT v Vyriausioji tarnybinės etikos komisija (Chief Official Ethics Commission, Lithuania) (Case C-184/20), which was referred by the Regional Administrative Court of Lithuania. In this ruling, the CJEU elected to interpret the GDPR very broadly.
The CJEU clarified that the indirect disclosure of sexual orientation data is protected under Article 9 of the General Data Protection Regulation (GDPR). Such disclosures therefore fall under the special categories of personal data.
This case arose from a question concerning the application of Lithuanian law, which required people in receipt of public funds to file declarations of interest. The declarations, which included information about the interests of the individual’s “spouse, cohabitee or partner”, were published online. The applicant failed to file a declaration and was therefore sanctioned. The CJEU found that the underlying law did not strike a proper balance between the public interest in preventing corruption and the rights of the affected individuals.
The CJEU went on to note that because it is possible to deduce information about an individual’s sex life or sexual orientation from the name of their partner, publishing that information online involves processing special categories of personal data as defined in Article 9 GDPR.
The CJEU found that the processing of any personal data that are “liable indirectly to reveal sensitive information concerning a natural person”, for instance any information that may reveal a person’s racial or ethnic origin, religious or philosophical beliefs, political views, trade union membership, health status or sexual orientation, is subject to the prohibition on processing under Article 9(1) GDPR unless an exception under Article 9(2) applies.
The implications of this ruling could be significant. It is possible that common processing operations, such as publishing a photograph on a corporate social media page, could reveal some information that is protected under Article 9. Controllers may need to review their processing operations through a contextual lens to assess whether the data being processed and the manner of processing is liable or able to reveal any sensitive information.
It has even been suggested that this ruling could have implications in every context where Article 9 is applicable, including online advertising, dating apps, location data indicating places of worship or clinics visited, and meal choices on flights, amongst others.
The way forward?
The judgment does not make clear how far controllers need to go in making this assessment. One possible option is to argue that if the controller does not make the personal data public and implements policies that prohibit employees from making inferences, the information is not liable to reveal special category data. An alternative would be for regulatory guidance to be issued indicating how controllers can comply with the ruling and the existing guidelines.
€405 million: second highest fine ever issued under the GDPR
Ireland’s Data Protection Authority has fined Instagram €405 million over the lack of protection of children’s data. The fine was issued after an investigation found that Instagram, the social media platform, had mishandled teenagers’ personal information in violation of the strict European Union data privacy laws.
The investigation, which commenced in 2020, focused on how Instagram displayed the personal details of users aged 13 to 17, including email addresses and phone numbers. It began after a data scientist found that users, including those under the age of 18, were switching to business accounts and thereby had their contact information displayed on their profiles. It is alleged that users were doing this to see statistics on how many likes their posts were getting, after Instagram started removing that feature from personal accounts in some countries to help with mental health.
Instagram said it updated its settings over a year ago and has since released new features to keep teenagers safe and their information private. Instagram disagrees with the calculation of the fine and plans to appeal this decision.
This investigation forms part of over a dozen investigations into Meta companies, including Facebook and WhatsApp, as opened by Ireland’s Data Protection Authority. Will the largest (or third largest) fine be issued against a Meta company in the near future? All we can do is to watch this space…
EU plans to cut unneeded medical tests with data health plan
Being able to easily access your own patient health records, under strict rules to protect your privacy?
If it were up to the European Commission (EC), this will be arranged by 2025 for patients, medics, regulators and researchers. The EC believes this will improve diagnosis, boost medicine research, and cut the unnecessary costs of duplicated medical tests. The EC has submitted a binding proposal to EU governments and lawmakers that sets out the EU executive’s plans for an improved health data space, which it expects to yield savings and economic gains of over 10 billion euros over 10 years.
Webinar: what does effective vendor risk management look like?
How do you ensure that you include all aspects of the GDPR in your vendor risk management? In this webinar, you’ll learn about the specific privacy management activities you need to perform with a vendor at each stage to comply with the GDPR.
Class-Action Lawsuit Targets Company that Harvests Location Data from 50 Million Cars
Data being sold that reveals your whereabouts, for example where you live, work or go to church? This happened to more than 50 million car owners around the world.
A California-based data broker faces a class-action lawsuit accusing it of secretly collecting and selling real-time GPS location data from more than 50 million cars around the world, including those of California-based consumers. The lawsuit claims that the company never requests drivers’ consent before tracking their location.
This is what your organization needs to know about the Digital Services Act (DSA)
The EU legislators reached an agreement on the DSA, which will govern the digital sphere and increase the fight against illegal content and disinformation. It builds on the eCommerce Directive and provides clear rules for content moderation, platform accountability, illegal products and systemic risks.
Announcement on New Trans-Atlantic Data Privacy Framework
16 July 2020 is a very significant date in the world of privacy and data protection. The reason for this is that on this date, the Court of Justice of the European Union (CJEU) handed down the judgment invalidating the Privacy Shield framework. This ruling has become known as the Schrems II ruling.