On the 13th of December, the Article 29 Working Party issued its guidelines for identifying a controller’s or processor’s lead supervisory authority (LSA). The aim is to assist organizations in determining who is their LSA when carrying out cross-border processing activities. This relates to the one-stop-shop principle intended to simplify the way in which organizations operating in several European countries interact with the European supervisory authorities. Correctly identifying the LSA is important as it determines with which authority an organization will have to deal regarding many of the GDPR compliance requirements such as registering a data protection officer; notifying a risky processing activity or notifying a data security breach.
On 25 May 2018 the day will come: the new European General Data Protection Regulation (GDPR) will then replace the current Data Protection Directive. The new regulation is meant to offer data subjects better protection of their data and forces many companies that process personal data to make far-reaching changes. From 2018 onwards it will be possible to impose fines on companies of up to 20 million euros or 4% of their worldwide turnover in case of non-compliance with the GDPR. But the GDPR also ushers in a new era for individuals. The regulation contains a series of new protective measures that ensure that citizens have never stood so strong with regard to their personal data. Yet there is still much ignorance and indifference about the topic. This article lists the rights of data subjects that the GDPR prescribes.
With the GDPR, profiling is one of the provisions that will have the most significant impact on businesses that rely on profiling and on processing large quantities of data, and on you as a customer and data subject. For the first time a European law defines what profiling means. In short, profiling is composed of three elements: it is an automated form of processing; it is carried out on personal data; and its purpose is to evaluate personal aspects of a person.
To put some practice into the theory, this blog post gives 3 examples of what the impact of profiling is, or can be, on your life as a consumer of all the goodies in the world.
Today on the 8th of December 2016, the Belgian Privacy Law celebrates its 24th birthday. Even though we celebrate its birthday, the countdown for the replacement of the Belgian Privacy Law continues as only 368 working days (532 days) are left before the General Data Protection Regulation (GDPR) enters into force. But what are the consequences of this change that has become such a hot topic? Time for some reflection to look at the highlights.
When looking at the GDPR, one will notice that certain provisions have been expanded and that new elements have been added.
One very crucial element is the scope of the GDPR, which will apply directly in all 28 member states. This means that the organisations and companies no longer have to take into account 28 different national laws, but will, in principle, only have to look at the regulation to know what they should or should not do. Importantly, organisations and companies that are not based in the EU must comply with the GDPR when they are directly involved with personal data in the EU.
With regard to individuals, the EU has listened to their demand of being more in control of their personal data and what happens to it, by expanding their rights. For example, the GDPR has added the right to data portability and now explicitly mentions the right to be forgotten (right to erasure), which was previously based on jurisprudence of the Court of Justice. Also, more attention is given to transparency, which will make the idea of data protection and being in control of the personal data more accessible to individuals.
For some time now, the Dutch government has made an app available (Android / iOS) with one purpose: to take a photo of your ID or passport and then mask certain information on the photo before you save it or send it along. The reason is that a copy or photo of your passport or ID is very often requested, even when only some of the information on it is relevant. This app makes it easier to avoid discussions and provide a copy of your ID, but without giving out information (such as a person’s national number) that is not relevant or proportionate for the request.
On 20 October 2016, the Bavarian State Office for Data Security Supervision (Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)) fined a company because it had combined the roles of Data Protection Officer (DPO) and IT Manager, which results in a conflict of interest.
Under German law, companies that process personal data are legally obliged to appoint an internal or an external DPO if at least ten employees are involved in the automated processing of personal data. The role of the internal DPO cannot be exercised by a person whose other tasks in the company conflict with the independent and effective internal supervision of data protection.
This week marks a very special anniversary; last year, on the 6th of October, Max Schrems blew up the Safe Harbour Framework. It was the bitter end of the much contested instrument that allowed organizations to send personal data over to the US. The cause of its demise? Well, it was the whistle blown on mass surveillance programmes run by US authorities of course. After all, what would be the point of awarding our personal data with such a high level of protection, if a foreign government freely snoops around in our most private of affairs?
However, the valiant protection of our privacy did not come without a cost. It shouldn’t surprise anyone that international data traffic has become big business. Every second tens of thousands of gigabytes are sent on their way to support economic activities worth hundreds of billions of euros (or dollars, depending on which side of the pond you’re on). Think about the countless online purchases made each day, the cloud services we’ve come to embrace or just plain old email communication. Now imagine how cumbersome these services become if, all of a sudden, personal data such as names and (physical or email) addresses are not allowed to enter the US.
That was the case until about two months ago. Since the first of August, US organizations are able to self-certify once again. This time, the EU-US Privacy Shield ought to make data traffic economically viable, while keeping our privacy intact. But, the question needs to be asked: is this brand new framework worth its salt?
The Working Party 29, for one, has already expressed its doubts (for the second time since April). The Party, which combines all of Europe’s privacy watchdogs, acknowledged the improvements compared to Safe Harbor. Nevertheless, it has also indicated a few vulnerabilities that may put the Shield on shaky ground:
- The Party regrets that the rules concerning automated decision making and the general right to object have not survived negotiations.
- It remains unclear how the Shield will apply to data processors, a particularly important point because of the greater emphasis on the processor’s responsibility in the GDPR.
- The Shield grants little assurance that government surveillance will not take place as before.
- The Party questions the independence of the Ombudsperson who will be appointed by the American government to follow up on complaints from EU individuals.
It is unfortunate that the framework designed to provide a solution for international data traffic is still riddled with uncertainty. Organizations might be hesitant to commit to a system that does not put them on solid ground. It is advisable that these organizations look into alternative means, such as Binding Corporate Rules or Standard Contractual Clauses, in order to strengthen their position.
For the time being, the Working Party will let events run their course. In one year’s time, however, the Privacy Shield will be up for review and we’ll hopefully get a better view on what works and what doesn’t. In particular, the Working Party will take a look at access by public authorities, based on all the information they deem necessary. Nevertheless, in the meantime the Privacy Shield is open to legal challenges and it is by no means unthinkable that the European Court of Justice will strike as it has done before.