For some time now, the Dutch government has made an app available (Android / iOS) with one purpose: to take a photo of your ID or passport and then mask certain information on the photo before you save it or send it along. The reason is that a copy or photo of your passport or ID is very often requested, even when only some of the information on it is relevant. The app makes it easier to avoid discussions and provide a copy of your ID, without giving out information (such as a person’s national number) that is not relevant or proportionate to the request.
On 20 October 2016, the Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht, BayLDA) fined a company for combining the roles of Data Protection Officer (DPO) and IT Manager in one person, a combination that results in a conflict of interest.
Under German law, companies that process personal data are legally obliged to appoint an internal or an external DPO if at least ten employees are involved in the automated processing of personal data. The role of internal DPO cannot be exercised by a person whose other tasks in the company conflict with the independent and effective internal supervision of data protection.
This week marks a very special anniversary; last year, on the 6th of October, Max Schrems blew up the Safe Harbour Framework. It was the bitter end of the much contested instrument that allowed organizations to send personal data over to the US. The cause of its demise? Well, it was the whistle blown on mass surveillance programmes run by US authorities of course. After all, what would be the point of awarding our personal data with such a high level of protection, if a foreign government freely snoops around in our most private of affairs?
However, the valiant protection of our privacy did not come without a cost. It shouldn’t surprise anyone that international data traffic has become big business. Every second, tens of thousands of gigabytes are sent on their way to support economic activities worth hundreds of billions of euros (or dollars, depending on which side of the pond you’re on). Think about the countless online purchases made each day, the cloud services we’ve come to embrace, or just plain old email communication. Now imagine how cumbersome these services become if, all of a sudden, personal data such as names and (physical or email) addresses are not allowed to enter the US.
That was the case until about two months ago. Since the first of August, US organizations are able to self-certify once again. This time, the EU-US Privacy Shield ought to make data traffic economically viable, while keeping our privacy intact. But, the question needs to be asked: is this brand new framework worth its salt?
The Article 29 Working Party, for one, has already expressed its doubts (for the second time since April). The Party, which brings together all of Europe’s privacy watchdogs, acknowledged the improvements compared to Safe Harbour. Nevertheless, it has also pointed out a few weaknesses that may put the Shield on shaky ground:
- The Party regrets that the rules concerning automated decision making and the general right to object have not survived negotiations.
- It remains unclear how the Shield will apply to data processors, a particularly important point because of the greater emphasis on the processor’s responsibility in the GDPR.
- The Shield grants little assurance that government surveillance will not take place as before.
- The Party questions the independence of the Ombudsperson who will be appointed by the American government to follow up on complaints from EU individuals.
It is unfortunate that the framework designed to provide a solution for international data traffic is still riddled with uncertainty. Organizations might be hesitant to commit to a system that does not put them on solid ground. It is advisable that these organizations look into alternative means, such as Binding Corporate Rules or Standard Contractual Clauses, in order to strengthen their position.
For the time being, the Working Party will let events run their course. In one year’s time, however, the Privacy Shield will be up for review and we’ll hopefully get a better view of what works and what doesn’t. In particular, the Working Party will take a look at access by public authorities, based on all the information it deems necessary. In the meantime, the Privacy Shield remains open to legal challenges, and it is by no means unthinkable that the European Court of Justice will strike it down as it has done before.