Consistent application of the GDPR is just half of the problem

The other half is the contradictions between the GDPR and the national legislation that Supervisory Authorities have to apply, and these are in no way easy to overcome.

Truly, it is difficult to expect that ALL member states will apply the GDPR consistently if an agreement within ONE member state seems very far from being reached.

Germany has recently become an example of how the Act on Regulatory Offences contradicts the GDPR, while the opinion of the District Court of Berlin (‘Court’) contradicts that of the Conference of German SAs (‘Conference’). The stumbling block is whether Article 83 GDPR lists all the requirements that SAs must satisfy to fine a company, or whether national laws can impose additional requirements. Is it enough to establish that a breach of the GDPR has occurred for a company to be held responsible (as the GDPR says), or must there be evidence of a specific act by management or legal representatives that led to the offence (as the German Act says)?

The Court opined that the German Act on Regulatory Offences shall apply, and this is in clear contradiction with the GDPR and the position of the Conference. What is especially important here is that it is all about fines, which are often the strongest ‘motivation’ to comply (let’s be realistic).

Meanwhile, Austrian and French courts are creating their own case law on this issue. Overall… it is a beautiful mess 🙂

Watch those hands: shadows of “Schrems II” in a very interesting French case that may indeed have a far-reaching effect.

France’s highest administrative court (Conseil d’Etat) considered the issue of personal data on a platform used to book COVID-19 vaccinations and hosted by the Luxembourg company AWS Sarl (a subsidiary of a company under U.S. law).

Unlike the classic “Schrems II” setup, there is no data transfer to a third country, as the data was hosted in data centres located in the EU.

However, the court says that AWS Sarl (being a subsidiary of a company under U.S. law) may be subject to access requests by U.S. authorities based on Section 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333. Hence, what the court did was examine the legal, technical and other safeguards put in place, and it concluded that those were sufficient in this particular case.

So what does it all mean? The fact of a data transfer is not always a prerequisite for bringing the discussion into the realm of “Schrems II”: it is enough that the EU-based processor (with EU-based data storage) is a subsidiary of a company incorporated under the law of a third country.

That was France. Now, should we expect other member states to take the same approach? It seems the EDPB now has some new things to think over to avoid misinterpretation and misalignment between supervisory authorities in different member states.

#gdpr #privacy #gdprcompliance #dataprivacy #privacylaw #dataprotection #edpb #compliance #schremsii #schrems2

Schrems II and the ePrivacy Regulation: a beautiful mess?

It may occasionally seem that EU laws look like a chicken with its head cut off.

It has been more than half a year since Schrems II substantially changed the privacy world, with a succinct EDPB FAQ issued a week later and the controversial Recommendations 01/2020 still stuck at the public consultation stage, leaving more questions than answers, especially for businesses operating globally.

The recent agreement (after how many iterations?) on the ePrivacy Regulation resembles a Christmas that does not really make anyone happy, as it raised clear concerns in the privacy community and received plenty of negative feedback, with that from the German Federal Commissioner probably being the most vehement. Surely, the deadlock has been broken, and this is undoubtedly a huge step forward and an achievement that should not be underestimated (regardless of any criticism voiced). At the same time, there is obviously a long way to go to reach true reconciliation.

Going back to the Schrems II stalemate, my impression is that many companies have taken a ‘wait and see’ approach, while taking careful first steps and probably nervously waiting for the first possible cases of detected non-compliance in the industry. If you want a brief recap of what has happened in this realm since July 2020, here it is from the IAPP.

#dataprotection #privacy #gdprcompliance #privacylaws #edpb #gdpr #privacylaw #privacyissues #dataprivacy #privacymatters #privacyprotection #compliance #law #politicsandlaw

New to cybersecurity? Don’t feel helpless!

If you are new to #cybersecurity in an EU environment, this relatively concise article might be a good starting point. Get to know the basic documents and standards, the main #NIS Directive provisions, and industry best practices for responding to breaches.

https://www.lexology.com/gtdt/tool/workareas/report/cybersecurity/chapter/european-union

Shift from a territory-based to jurisdiction-based approach to international data transfers.


The European Commission’s draft decision implementing the renewed SCCs (‘draft’) seems to change the general understanding of what an ‘international data transfer’ is, as Article 1 of the draft points to ‘the transfer of personal data from a controller or processor subject to Regulation (EU) 2016/679 (data exporter) to a controller or (sub-) processor not subject to Regulation (EU) 2016/679’.

There are at least two (maybe more?) conceivable implications of the above:

1) the #GDPR data transfer rules will not apply where data is transferred from an EU-based company to a non-EU-based company that is itself subject to the GDPR pursuant to Article 3(2).

2) if a non-EU-based company subject to the GDPR pursuant to Article 3(2) transfers data to another non-EU-based company not subject to the GDPR, then this is considered an international data transfer, which triggers the applicability of the GDPR international data transfer rules (so such companies may choose to enter into #SCC as a safeguard for the transfer).

Interestingly, the first sentence of Recital 7 of the draft contradicts this new thinking and still reproduces the traditional territory-based approach.

The EDPB has now adopted its Guidelines 04/2019 on Article 25 Data Protection by Design and by Default after public consultation

The EDPB has now adopted its Guidelines 04/2019 on Article 25 Data Protection by Design and by Default after public consultation, and this is to briefly share 3 key thoughts and conclusions from the Guidelines which might not seem so obvious at first sight.

1. Be sure to understand not only the literal and contextual meaning of the GDPR provisions, but also their spirit. Yes, the EDPB speaks directly about spirit, and this is new compared to the version released for public consultation. See Example 1 in paragraph 70.

2. The notion of ‘necessity’ is understood not only in the context of achieving the purposes of the processing, but also with regard to how personal data are obtained. This serves to keep data subjects involved in the processing of their personal data to the highest degree possible. See the example in paragraph 68.

And finally, probably the most important.

3. The EDPB writes that processing options cannot be presented “in such a manner that makes it difficult for data subjects to abstain from sharing their data, or make it difficult for the data subjects to adjust their privacy settings and limit the processing” or “in a way that nudges the data subject in the direction of allowing the controller to collect more personal data than if the options were presented in an equal and neutral way” (Example 1 in paragraph 70). Personally, it conjures up images of those cookie banners offering just the options “Accept all” and “Settings”, thus nudging the user to press the ‘right’ button desired by the controller.

Some DPAs (e.g. the Danish #Datatilsynet) have previously stated that this type of ‘nudging’ is not allowed.

7 practical takeaways from the EDPB Guidelines 07/2020 (by Herbert Smith Freehills)

I remember criticising the new EDPB Guidelines 07/2020 for obvious mistakes in the approach chosen for giving explanations:

https://virtualshadows.wordpress.com/2020/09/13/do-new-guidelines-07-2020-on-the-concepts-of-controller-and-processor-in-the-gdpr-guidelines-really-help-to-identify-joint-controllership/

Today I came across an article from Herbert Smith Freehills (see the link below) and, ironically, found the same thought I had a month ago: “the guidelines do not appear to add much clarity with respect to the concept of joint controllers and when such a relationship will arise” and “tests will only serve to complicate matters further by requiring additional layers of analysis”.

Exactly! So obvious! Why hasn’t there been any talk of this before?! The EDPB often does great things, but sometimes (like all humans, I believe) it may produce shit.

The authors of the article tried to outline 7 practical takeaways from the guidelines. An attempt to squeeze (at least) something useful out of them? You decide. My point here is that the guidelines partly add little new to the landscape we saw and learnt before, and partly create misunderstanding and ambiguity and, indeed, “complicate matters further”, thus taking a step backwards from the ‘old’ WP29 Opinion 1/2010.

https://hsfnotes.com/data/2020/10/13/new-edpb-guidelines-on-the-concepts-of-controller-and-processor-seven-practical-takeaways/#page=1

The Swedish DPA has updated its guidance for the employment sector.

The Swedish DPA #datainspektionen has updated its guidance on how personal data should be processed in employment relationships. The information is primarily addressed to employers in both the private and public sectors, but it can also help workers, job seekers, trade unions and trade associations.

The original text is in Swedish but can easily be translated into English with online translators.

https://www.datainspektionen.se/vagledningar/arbetsliv/

CNIL partners with the Order of Chartered Accountants to help SMEs improve their compliance with the GDPR.

While many transnational companies are still nursing a headache after ‘Schrems II’ hit in July, the problem for SMEs looks simpler and more trivial: they seem unable to meet even the more general and clear data protection requirements without external help.

This takes us back to the early debates (still occasionally heard today) about whether the GDPR is too burdensome for many business actors. And we see that it really can be.