Here comes one another evidence of why consistent applications of #GDPR across the #EU is just a ‘shimmering dream’ thus far.
Belgian DPA issued a decision where it said that unintentional (due to human error) sending of an e-mail containing personal data does not mean the violation of Article 32 (security of processing), which prevents the incident from being classified as data breach.
This appears to be in contradiction with #WP29 Guidelines on Personal data breach notification and with the recent #EDPB Guidelines 01/2021 on Examples regarding Data Breach Notifications. Both documents, vice versa, addressed examples of mistakenly sent e-mails, while sufficiency or insufficiency of security measures was not named as a factor of whether the incident should be classified as data breach.
Decisions like this clearly erode the idea and value of ‘consistency’ proclaimed by GDPR and promoted by EDPB.
Another non-obvious conclusion made by Belgian DPA is that unlawfully obtained data cannot be further lawfully processed.
We talked about compliance challenges, expectations for 2021 and beyond, career in privacy & data protection, and how expertise in both EEA and Russian jurisdictions may streamline the work in a global company.
Court opined that German Act on Regulatory Offences shall apply, and this is in clear contradiction with GDPR and the position of Conference. What is especially important here is that it is all about fines, which is often the strongest ‘motivation’ to comply (let’s be realistic).
Meanwhile, Austrian and French courts create their own case law on this issue. Overall… it is a beuatiful mess 🙂
Unlike classic “Schrems-II” setup, there is no data transfer to third countries as the data was hosted in data centers located in the EU.
However, the court says that AWS Sarl (being a subsidiary of a company under U.S. law) may be subject to access requests by U.S. authorities based on Article 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333. Hence, what the court did is started to examine legal, technical and other safeguards put in place. And came to a conclusion that those were sufficient in this particular case.
So what does it all mean? The fact of data transfer is not always a requirement to bring the discussion to the realm of “Schrems-II” – it is just enough if the EU-based data importer (with EU-based data storages) is a subsidiary of a company incorporated under law of a third country.
It was France. Now, should we expect the same approach to be taken by other member states? Seems EDPB now got some new things to think over to avoid misinterpretations and misalignment between supervisory authorities in different member states.
I was most delighted when this case popped up in my feed today.
“The court noted for the purposes of hosting its data, Doctolib uses the services of the Luxemburg company AWS Sarl, the data is hosted in data centers located in France and in Germany, and the contract concluded between Doctolib and AWS Sarl does not provide for the transfer of data to the U.S. However, because it is a subsidiary of a company under U.S. law, the court considered AWS Sarl in Luxemburg may be subject to access requests by U.S. authorities in the framework of U.S. monitoring programs based on Article 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333. “
Even so the court decided there were sufficient legal and technical safeguards to protect the data, and this was related to covid-19.
It may occasionally seem that the EU laws look like a chicken with its head cut-off.
It’s been more than half year since Schrem-II substantially changed privacy world, with succinct EDPB FAQ issued a week later and controversial Recommendations 01/2020 still stuck at the stage of public consultations and leaving more questions than answers, especially for businesses operating globally.
A recent agreement (after how many reiterations?) on ePrivacy Regulation resembles a Christmas that does not really make happy as it raised clear concerns among privacy community and received a plenty of negative feedbacks, with this from the German Federal Commissioner probably being the most rampant. Surely, the deadlock has been broken, and this is undoubtedly a huge progress and achievement that should not be underestimated (regardless of any criticism voiced). At the same time, there is obviously a long way to go to reach true reconciliation.
Going back to Schrem-II stalemate, my impression is that many companies took a ‘wait and see’ approach, while taking careful first steps and probably nervously waiting for possible first cases of detected non-compliance in the industry. If you want to briefly recap on what’s happened in this realm since July 2020, here it is from IAPP.
If you are new to #cybersecurity in a EU environment, this relatively concise article might become a good starting reading. Get to know basic documents and standards, main #NIS Directive provisions, industry best practices of responding to breaches.
This blog has got a resurrection. It was closed down in November last year because of non-compliance concerning the amount of cookies that the blog was using (WordPress was a cloud service based in US), and Schrems II ruling and that all cookie consent banners were too expensive, after all this is a private blog, its just there were quite a few visitors each month. I guess if this blog had been about my dog, or anything else, maybe I wouldn’t have bothered with all the GDPR stuff, but even so I am professionally a ‘privacy guy’, so the blog had to go.
So what happened to my blog was something I call ‘GDPR paralysis’, everything comes to a stop, and GDPR is the cause. I remember when my business (Privasee) which I founded in 2015 came into a state of GDPR paralysis in 2017, the privacy purists versus myself as CEO, in that ‘business has to function’. There needs to be a compromise, otherwise Privasee would cease to exist, making money for the business is necessary for survival, and for my business to achieve what it set out to do, i.e. ‘make privacy compliance accessible’.
One could claim that a blog comes under ‘household exemption’, which was how I was thinking, maybe misguided, but you know how we can be, human beings, believing in what is easiest, and anyhow what harm can it do to the ‘rights and freedoms of the natural person’? It’s just all those cookies made it a privacy risk to visitors, and today something popped up in my LinkedIn feed that the Danish Data protection authority have passed a ruling that a so called ‘private website’ was not exempt under Article 2(1). I can’t find the case now.
When reading this blogpost, you should only have 7 cookies downloaded, and they are all session cookies, except one with a life of a single day. The WordPress site is based in the EU, so no international transfers.