The Article 29 Working Party (‘WP29’) has issued its first guidance on GDPR topics. This guidance (including FAQs) relates to:
- the right to Data Portability;
- Data Protection Officers (DPO); and
- the Lead Supervisory Authority.
Whilst WP29 announced that more opinions and guidance will follow – for example, guidelines on Data Protection Impact Assessments and Certification will be ready in 2017 – the first three guidelines already provide a first glance at WP29’s view on GDPR topics.
Guidelines on the right to Data Portability
In article 20 GDPR, a new right to data portability is created. This right aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another. The WP29 opinion provides guidance on the way to interpret and implement the right to data portability. It clarifies the conditions under which this new right applies and also provides concrete examples and criteria to explain the circumstances in which this right applies.
From this opinion it appears for example that:
- this right is only applicable if the legal basis of the data processing is the data subject’s consent or the necessity to perform a contract;
- this right is limited to personal data provided by the data subject (including personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but not subsequent analysis of that behaviour);
- data controllers must inform the data subjects regarding the availability of the new right to portability (e.g. WP29 recommends that data controllers always include information about the right to data portability before any account closure);
- data controllers are encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.
The WP29 Guidelines on Data Portability can be found here.
Guidelines on Data Protection Officers
Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. From the WP29 guidelines it becomes clear that DPOs are not personally responsible in case of non-compliance with the GDPR.
WP29 also provides some further details and concrete examples on when a DPO must be appointed. For example it states that ‘core activities of the controller or processor’ (which triggers the appointment of a DPO as set out in Article 37 GDPR) refers to the key operations necessary to achieve the controller’s or processor’s goals, which can also be part of other activities (e.g. a hospital processing patient data).
Article 37 GDPR does not require that the DPO be someone working within the controller or processor; the DPO can also be a third party. However, WP29 does state that the ‘personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential’, so as to ensure that data subjects will be able to contact the DPO.
WP29 states that the DPO should be involved in all issues relating to the protection of personal data, from the earliest stage possible.
In its guidelines, WP29 further defines the (independent) position and tasks of the DPO.
The WP29 guidelines on the DPO can be found here.
Guidelines on the Lead Supervisory Authority
In its third opinion, WP29 provides guidelines for identifying a controller or processor’s lead supervisory authority. This topic is relevant where a controller or processor is carrying out the cross-border processing of personal data.
In accordance with Article 56 GDPR, WP29 states that identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU. In principle, for the controller this will be the place of its central administration. However, WP29 makes it very clear that there can be situations where more than one lead authority can be identified, i.e. where a controller has separate decision-making centres, in different countries, for different processing activities. The example given by WP29 relates to a bank whose banking decisions are made in one jurisdiction, where its HQ is also based, but whose insurance division is based in another jurisdiction. In that case, there are two supervisory authorities.
In its guidelines, WP29 provides further criteria on how to identify the main establishment in cases where it is not the place of central administration in the EU.
Controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.
The WP29 Guidelines on the Lead Supervisory Authority can be found here.
Permanent link to this article: http://blogs.dlapiper.com/privacymatters/eu-first-gdpr-guidance-published-by-article-29-wp/
GERMANY: Cloud Computing and trans-border transfers of personal data under review of German DPAs
While Cloud Computing and other types of trans-border transfers are nowadays vitally important for data processing, the transfer of personal data to third countries (i.e. non-EU/EEA countries) is subject to specific requirements under European data protection law. The data controller, e.g. the company transferring personal data to its affiliates or service providers, must ensure an adequate level of data protection, according to the EU Data Protection Directive (Directive 95/46/EC). Trans-border flows of personal data are now reviewed by German Data Protection Agencies (DPAs).
Enquiry of the DPAs
On 3 November 2016, ten German DPAs made a statement to the press (available here – in German only), explaining that the transfer of personal data has increased strongly over the last years. In order to raise awareness of the legal framework governing cross-border data transfers, a questionnaire (available here – in German only) will be sent to 500 German companies of all sizes and in various fields of activity. Both management and the company’s data protection officer must sign the questionnaire. The companies are expected to specify which services and products they use require cross-border data transfer. The questionnaire contains in particular inquiries relating to marketing, recruiting, cloud storage, internal communication systems, and intra-group data transfer. The legal ground for each data transfer must be communicated.
The EU Data Protection Directive provides for several options to ensure an adequate level of data protection: Standard Contractual Clauses, Binding Corporate Rules, a special agreement (in particular the EU-US Privacy Shield), or a decision of the European Commission stating that a certain country ensures such a level of data protection. German DPAs observe an unsatisfactory level of awareness regarding data protection in cross-border scenarios. Their aim is to evaluate if and to what extent companies comply with European data protection law.
- Companies using Cloud Computing should be alarmed.
- DPAs expressed that the questionnaires and the corresponding answers may constitute a reason to conduct a “more thorough investigation”.
- Such investigations could lead to administrative fines of up to EUR 300,000.
- Therefore, the questionnaire has to be considered thoroughly and answered carefully. If German DPAs are not satisfied with the answers, further measures will probably follow.
Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-cloud-computing-and-trans-border-transfers-of-personal-data-under-review-of-german-dpas/
By Jan Pohle and Jan Spittka
In its landmark decision in the case Breyer v. Federal Republic of Germany (decision dated 19 October 2016, case number C-582/14), the European Court of Justice (ECJ) not only ended the long and tricky debate over whether dynamic IP addresses constitute personal data even if the data controller processing the IP addresses does not hold the means to link them to the respective data subject. The court also came to the conclusion that the provisions of German law dealing with the processing of personal data in the online environment do not comply with the EU Data Protection Directive (Directive 95/46/EC), as these provisions do not provide for a statutory permission to process personal data based on a balancing of interests between the legitimate interests of the data controller and the interests of the data subjects.
The case was referred to the ECJ by the German Federal Court of Justice (Bundesgerichtshof – “BGH“). The claimant, Mr. Breyer, had sued the German Federal Department of Justice and Consumer Protection (Bundesministerium für Justiz und Verbraucherschutz – “BMJV“) to cease and desist from registering and storing his dynamic IP address after he visited the BMJV’s websites. The BMJV argued that IP addresses have to be retained after the end of the visit to the website in order to protect itself against cyberattacks. The BGH asked the ECJ whether dynamic IP addresses constitute personal data with respect to an “online media service provider” (i.e. the operator of a website), if only a third party (here the internet service provider) holds the additional data necessary to identify a visitor of this website. Furthermore, the BGH asked whether the operator of a website may collect and subsequently use visitors’ personal data in order to ensure the general operability of its website.
Ruling of the ECJ
The ECJ decided that a dynamic IP address constitutes personal data not only with respect to the internet service provider (which has the means to link the IP address to the individual behind the address in any case), but also with respect to the operator of a website, if this website operator has legal means to identify the visitor with the help of additional information from the visitor’s internet service provider. The ECJ confirmed this with respect to German law. Although the operator of a website does not have any direct claim against an internet service provider to provide the name of an individual behind an IP address, the court found it sufficient that the website operator can obtain the information required to identify the visitor from the internet service provider via a competent authority which requests the information to prepare criminal proceedings, e.g. in the event of cyberattacks. As a consequence, the processing of IP addresses by website operators is subject to and has to comply with the applicable member state data protection requirements. Beyond this specific case, the ECJ has provided sufficient tools to determine whether information constitutes personal data if the information cannot be directly linked to an individual, but only by using additional information which is held by a third party. According to the ECJ, this is not the case if the identification of the data subject is
- prohibited by law or
- practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.
The classification of dynamic IP addresses as personal data required the ECJ to have a closer look at the German data protection rules dealing with the processing of personal data in the online environment. Currently applicable law allows the processing of personal data without the data subject’s consent only in specific, exhaustively listed cases. A general provision which provides for the possibility of a balancing of interests in a particular case is not included. According to the ECJ, this lack of a statutory permission is not compliant with Article 7 lit. f) of the Data Protection Directive. This finding also has a fundamental impact going beyond the case at hand, as all member state data protection laws now have to be reviewed as to whether they allow for a balancing of interests, at least in individual cases.
The decision of the ECJ forces all operators of websites, irrespective of whether they are public administration or private businesses, to review the collection, processing and use of IP addresses in connection with their websites. However, the ECJ has also strengthened IT security as it pointed out that member state law has to provide for the possibility to process personal data without consent for cybersecurity purposes.
Jan Spittka and Jan Pohle
Permanent link to this article: http://blogs.dlapiper.com/privacymatters/ecj-dynamic-ip-addresses-constitute-personal-data-and-german-law-not-compliant-with-data-protection-directive-by-jan-spittka-and-jan-pohle/
On 8 September 2016, Advocate General Bot released his opinion in the “Camera di Commercio Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni” case, C-398/15 (“Manni Case“). If confirmed by the European Court of Justice, the opinion will no doubt shed further light on the construction of the right to be forgotten.
The original plaintiff, Salvatore Manni, is an Italian citizen and former sole director of a building company which went bankrupt. The information about the building company’s bankruptcy and its then sole director had been permanently stored in the Companies Registry (Registro delle Imprese) held by the local Chamber of Commerce (Camera di Commercio), even though the company had been liquidated. Mr Manni claimed that access to the above data by third parties jeopardized certain sales of real estate, and accordingly requested the Companies Registry to anonymize his data or restrict access to the Registry. The Chamber of Commerce objected that the Companies Registry is a public database with a specific obligation to provide to everyone (upon specific request) the companies’ main information. The case escalated up to the Italian Supreme Court (Corte Suprema di Cassazione), which referred the issue to the ECJ, asking whether certain personal information (legally) made available by the Companies Registry should after a certain time be erased, anonymized, or restricted to a limited number of third parties.
The Advocate General’s Conclusions
According to the Advocate General, all of the Companies Registry’s data should be made available without restriction. Indeed, the Company Law Directive 68/151 requires Member States to take all necessary measures to ensure the compulsory disclosure by a company of a limited set of information and documents, including general details of the legal representatives.
The fundamental function of the Companies Registry is to provide a complete picture of the life and history of a company, allowing anyone to read the information at any time. While acknowledging that any derogation from a (fundamental) data protection right should be limited to what is strictly necessary, the Advocate General stressed that allowing a public Companies Registry to keep track of the whole life of a company (even when such company no longer exists) would not be disproportionate, also considering that the information is very limited (i.e. the names of the individuals who had the power to represent the company) and that certain rights may be exercised even after the company has ceased to operate (for instance actions against the liquidators, etc.). The Registry does not play a merely statistical role; it safeguards legal certainty as a means to encourage market transactions, also through information about who represented a certain company over a certain period of time. While Directive 68/151 does not provide for a period of time after which certain information must be cancelled, the Advocate General added that it should also not be for the Registry to determine when such information should be restricted or anonymized, as this would otherwise add a discretionary assessment of the legitimate interests of the parties involved, with obvious risks of uneven decisions from the various public Registries.
The Right to be Forgotten is not Absolute
The Advocate General’s analysis echoes the ruling in the Google Spain Case, confirming that the right to be forgotten is not absolute and should be balanced against other fundamental rights, such as freedom of expression or – as in the Manni Case – the interests of third parties in obtaining information on particular persons who held a key position in a company. The right to be forgotten will still require a case-by-case assessment, taking into account the specific type of information, its sensitivity for the individual’s private life, the interest of the public in having access to that information, and the role played by the data subject.
In this case, the essence is that a Companies Registry is not a broadly disseminated newspaper or a social medium, and it should be treated accordingly. It is a public registry, aimed at facilitating certain fundamental economic transactions. It is true that, by entering a specific enquiry with the Companies Registry, it is possible to gather the information that a certain individual was the sole administrator of a bankrupt company, and this information may, from the perspective of a potential buyer, be a determining factor in completing a certain purchase. However, the fact of associating, in a public Registry, a certain person holding a specific office with a company that was declared bankrupt is not per se derogatory for such person. A bankruptcy may be due to many factors, including external market trends.
Although the Advocate General took into account the balance between the Company Law Directive (68/151) and the Data Protection Directive (95/46), his views would also stand when taking into account the right to be forgotten as devised by Article 17 of the European General Data Protection Regulation, which among other things also confirms that the right to be forgotten does not apply for the purposes of archiving in the public interest.
For further information on this opinion, see also here from Cristina Ulessi. It will no doubt be very interesting to review the ECJ’s final position.
Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-right-to-be-forgotten-and-the-role-of-the-companies-registry/
By: Dr. Thomas Jansen and Mari Martin
On September 1, 2016, the Bavarian Data Protection Authority (BayLDA) issued a brief paper outlining the basic principles of the future sanction regime under the European General Data Protection Regulation (GDPR). The document is available at the following link: https://www.lda.bayern.de/media/baylda_ds-gvo_7_sanctions.pdf (German-language only).
The GDPR will become effective on May 25, 2018, after a transition period of two years. European supervisory authorities are currently working to achieve a more uniform view of the new basis and requirements for data protection at the European level. In the meantime, the BayLDA plans to periodically publish papers such as this one on selected topics. The BayLDA explicitly notes that the paper is not a binding interpretation of the regulation.
Amount and Scope of Administrative Violations and Fines Increased
According to the GDPR, administrative fines shall be effective, proportionate and dissuasive. Some infringements are subject to administrative fines of up to 20 million EUR or 4% of the organization’s total annual global turnover.
Further, as explained with reference to the “economic enterprise concept” in the explanatory memorandum of the Treaty on the Functioning of the European Union (recital 150), if the sanctioned entity is part of an “undertaking,” the total annual turnover of the entire undertaking is the relevant amount from which the 4% fine will be calculated, not just the annual turnover of the specific sanctioned entity (i.e. the individual controller or processor). Please see our post of July 26, 2016 titled “EU: GDPR – Group revenues at risk of fines” for more information on the meaning of an “undertaking.”
The GDPR provides for a significantly wider range of offences than does the current German Federal Data Protection Law (BDSG). Under the GDPR, violation of the vast majority of provisions regulating data controllers and processors is subject to a fine. The GDPR provisions regarding administrative fines demonstrate the European Commission’s (EC’s) intention to provide for financial sanctions for data protection infringements and to enable severe sanctions if necessary. Exceptions should exist only for minor infringements and when a fine would be disproportionately burdensome.
The GDPR imposes fines on both controllers and processors. In addition, accredited certification bodies under Article 43 of the GDPR, which are responsible for properly assessing and certifying compliance by data controllers and processors with data protection regulation and organizational codes of conduct, may be subject to administrative fines due to breach of their obligations.
According to the BayLDA, it can be assumed that organizations may be held responsible for violations committed by their employees. However, the GDPR does not regulate the extent to which fines may be imposed on employees themselves. This issue remains unclear.
Fines Imposed for Violations of Technical and Organizational Measures
In an important change from the BDSG, the GDPR provides that violations of the duty to take appropriate and adequate technical and organizational measures to protect personal data are an administrative offense subject to fines. Also significant is the fact that the GDPR sets out fines for violations of the obligation to ensure implementation of the principles of privacy by design and privacy by default. These changes underscore the great value the EC places on the importance of technical and organizational measures and the principles of privacy by design and privacy by default for effective data protection.
Factors Influencing the Amount of Fines
According to the EC, a number of factors must be considered when determining the amount of fines. Previous breaches of data protection law should be considered an aggravating factor. The extent to which the controller or processor cooperated with the supervisory data protection authority should be considered. Further, if the controller or processor gives the supervisory authority incomplete or inaccurate information during the course of an investigation, this should be considered an aggravating factor, as recognized by the European Court of Justice in the field of competition law.
As stated by the EC, the GDPR is intended to lead to a uniform application of sanctions in Europe. In the future, the European Data Protection Board may develop relevant guidelines.
All organizations operating as either a data controller or processor in any EU member state should be aware of the significant increase in both the amount and scope of potential fines under the GDPR. In particular, administrative fines under the GDPR may be up to 4% of the total worldwide annual turnover of the preceding financial year in the case of an “undertaking.” Such enhanced financial penalties for data protection violations are intended to prevent organizations from incurring any profit in the event of a data protection breach.
In addition, organizations should carefully note the imposition of fines for violations regarding technical and organizational measures and the principles of privacy by design and privacy by default. Organizations should ensure that appropriate technical and organizational measures are in place and that they have appropriately implemented the principles of privacy by design and privacy by default before the GDPR becomes effective in 2018.
Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-bavarian-data-protection-authority-issues-guidance-on-gdpr-sanctions/
EUROPE: European Data Protection Supervisor Calls for “Significant” Improvements to EU-U.S. Privacy Shield
By: Dr. Thomas Jansen and Mari Martin
On May 30, 2016, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued his Opinion on the EU-U.S. Privacy Shield, calling for “significant” improvements to the EU-U.S. Privacy Shield before it can be adopted by the European Commission (EC). According to the EDPS Opinion:
“The draft Privacy Shield may be a step in the right direction, but as currently formulated it does not adequately include, in our view, all appropriate safeguards to protect the EU rights of the individual to privacy and data protection also with regard to judicial redress. Significant improvements are needed should the European Commission wish to adopt an adequacy decision.”
The Opinion stated that in order for the Privacy Shield to be effective, it must provide adequate protection against indiscriminate surveillance by U.S. intelligence agencies and improve existing obligations regarding oversight, transparency, redress and data protection rights. In particular, the EDPS Opinion called on the EC to negotiate improvements to Privacy Shield in three main areas:
- integrating all key EU data protection principles so that the Privacy Shield will offer essential equivalence between EU and U.S. law;
- limiting derogations from the Privacy Shield’s provisions; and
- improving redress and oversight mechanisms contained in the Privacy Shield.
The Opinion also urged the negotiating parties to be unhurried in finding an adequate, long term solution, as it is essential for international organizations supplying goods and services in the EU to be absolutely clear about all the rules with which they must comply.
The EC began negotiating the Privacy Shield in October 2015, after the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Safe Harbor data transfer agreement. The Privacy Shield is intended to replace Safe Harbor. The EDPS opinion follows and supports the concerns expressed in the European Parliament’s May 25, 2016 resolution (2016/2727 (RSP)), which called for the EC to reopen negotiations with the U.S. in order to improve perceived “deficiencies” in the EU-U.S. Privacy Shield.
After the CJEU invalidated the EU-U.S. Safe Harbor Agreement, the Article 29 Working Party assured organizations and individuals wanting to transfer data from the EU to the United States that they could rely on other mechanisms provided for in the 1995 Data Protection Directive, such as standard model clauses and binding corporate rules, to continue legally exporting data.
However, these alternative mechanisms suffer from some of the same deficiencies as did Safe Harbor, in particular the lack of restrictions on access to personal data by U.S. intelligence agencies. Last week, the Irish Data Protection Commissioner announced that it would refer the question of the legality of the use of standard model clauses as a basis of data transfer to the CJEU, thus calling into question their continued use in the long term.
Should the CJEU also invalidate the use of standard model clauses, which is by no means certain, approval of a final version of the Privacy Shield implementing the recommendations and addressing the concerns expressed in the Opinion of the EDPS and the Resolution of the European Parliament on the adequacy of the Privacy Shield will be critical for uninterrupted data flow between the EU and United States.
Like the recent Resolution passed by the European Parliament, the EDPS Opinion should contribute to the essential clarity for international organizations supplying goods and services in the EU regarding the precise rules with which they must comply in order to lawfully transfer personal data between the U.S. and EU.
Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-european-data-protection-supervisor-calls-for-significant-improvements-to-eu-u-s-privacy-shield/