CoC for Cloud Service Providers is now underway

It was announced last week that the EU Data Protection Code of Conduct (CoC) for Cloud Service Providers is now underway.

Designed as a safeguard for international data transfers under GDPR Article 46(2) in a post-‘Schrems II’ world, the CoC might become an interesting instrument in its own right. At the same time, it still leaves us with the same question as the SCC upheld by the CJEU: how can a formal legal mechanism remediate inadequate privacy practices in a third country?

After the Privacy Shield (PS) invalidation, the suggestion to migrate to the SCC in order to continue EU-US data transfers looks weird, because a formal change of the underlying legal mechanism actually changes nothing in the defective privacy practices of US intelligence. If we replace the USA with any other third country with similar practices, and/or take a CoC instead of the SCC, the conclusion will remain the same.

To that end, it is highly questionable that a CoC is able to become a ‘window’ to America (as currently expected). At the same time, let us see how this will work in real life. Indeed, if the SCC can in fact be deemed a proper safeguard in place of the PS (despite the conflict with common sense), why cannot a CoC?

Do the new Guidelines 07/2020 ‘on the concepts of controller and processor in the GDPR’ (‘Guidelines’) really help to identify joint controllership?

Allocating roles within a group of different actors can often be very difficult, in particular when drawing the line between joint decisions and separate ones gets tricky.

Say a parent company offers its subsidiaries a new uniform online platform for processing orders placed by customers entering into a supply contract with a subsidiary. There are at least two actors here, so how should the roles be properly allocated?

The Guidelines intend to provide some new tips for spotting joint controllership in paragraphs 3.2.2.1 and 3.2.2.2, but all of them still revolve around what has always been clear from Article 26: finding out how the means and purposes of processing are defined requires a careful case-by-case assessment. To that end, one would rather expect the Guidelines to outline a clear methodology for how this assessment should be performed.

Referring to the example above, such a methodology might revolve around questions like: does the parent company make it mandatory for the subsidiary to use the online platform (and thus solely define the means and purposes)? Or can the platform only be used following a common decision of the parent company and the subsidiary to do so?

Instead of a methodology, we (mostly, though not only) see examples. Examples are always good, but they are rarely helpful when the factual picture in practice differs (even slightly) from that described in the example. In other words, examples contain an analysis of very specific facts alone, while a privacy pro needs an understanding (method, checklist, etc.) of how to properly approach every possible set of facts.

Good job, EDPB, but could you please try again?

International companies transferring personal data to multiple third countries are unlikely to find a 100% workable approach to addressing the ‘Schrems II’ implications any time soon.

Why do I think so? It stems from a superb article written by the IAPP authors, who skilfully and clearly explain (for the first time ever?) how to tackle the issues raised in the CJEU’s decision and continue data transfers to the USA based on supplemented SCC (see the link below).

Just take a deeper look and see how many details of US law are taken into account and analysed, and on that basis practical recommendations are given. At the same time, the CJEU has in fact introduced the requirement to evaluate the legal landscape in every third country that imports data flows.

The above means that the same exercise should be conducted in relation to each third country. In many of them the laws may not even be translated into English or be publicly available, and case law may be unclear or even absent. Such an analysis will almost certainly require a great deal of time and money, amid the absence of any grace period.

Where to get help:

  1. See my short article on how to start with the assessment without spending budget: https://www.linkedin.com/posts/tiazhelnikov_two-money-saving-starting-points-on-how-to-activity-6696105568085561344-qJFl
  2. See the Essential Guarantees Guide (https://www.essentialguarantees.com), which can help you analyse surveillance practices in different countries across the globe.
  3. Expect more from me on this issue in the following weeks, as we at Carlsberg HQ are launching a «Schrems II Working Group» to share thoughts and develop an action plan.
  4. Remember that a ‘wait and see’ approach is not an option here; complexity is not an excuse for doing nothing in the hope that the Supervisory Authority will wait too.

Two money-saving starting points on how to meet the requirement to assess the level of protection in third countries.

It has been more than two weeks since the CJEU announced its ‘Schrems II’ decision, introducing the requirement to evaluate the legal landscape in third countries (those of the data importers) and put additional safeguards in place as necessary, even if the data are transferred to third countries other than the USA based on SCC or BCR. The FAQ issued by the EDPB on 23 July probably left more questions than answers.

Since then, the media space has been overwhelmed with various guidance documents, legal digests and discussions about how to make the assessment and what safeguards can be put in place.

The truth is, as of now, nobody really has 100% workable answers. From the FAQ issued by the EDPB we know that “it is the responsibility of the data exporter and the data importer to assess whether the level of protection required by EU law is respected in the third country concerned in order to determine if the guarantees provided by the SCCs or the BCRs can be complied with in practice”.

However, below are two tips on how to begin with the assessment without engaging reputable law firms at exorbitant prices.

1. It comes from the EDPB FAQ itself: contact your data importer and ask for collaboration with regard to the assessment. E.g., require data importers to state whether public authorities in their countries are entitled to access personal data and under which conditions, and whether the data importers are under a legal obligation to make personal data available to public authorities for any purpose.

2. Conduct your own assessment using WP237 (‘Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees)’) issued by the Working Party 29.

In this document, WP29 identified four Essential Guarantees to be taken into account for all data transfers to third countries:

A. Processing should be based on clear, precise and accessible rules;

B. Necessity and proportionality with regard to the legitimate objectives pursued must be demonstrated;

C. An independent oversight mechanism should exist;

D. Effective remedies need to be available to the individual.

At least two of them were relied upon by the CJEU when invalidating the Privacy Shield. Are all of them respected in the country of your data importer?

Will the above work? Not necessarily. As they say, the answers are hopefully yet to come. At the very least, this can help you understand the general landscape prior to signing a legal services contract with a law firm.

The European Essential Guarantees Guide (‘EEGG’) is now LIVE, with myself being one of the contributors.

The EEGG focuses on governmental measures aimed at surveillance, interception of communications, and access to and storage of personal data by public authorities in different countries.

The EEGG provides a non-binding assessment, by expert contributors worldwide, of compliance with the ‘European Essential Guarantees’ (summarized by the Working Party 29, the predecessor of the European Data Protection Board) and subsequent European Court of Human Rights case law.

The link is below:

https://www.essentialguarantees.com

As you may notice, some countries are still waiting for their expert contributors, so feel free to join the project and contribute!

DPAs’ guidance for surviving in the post-‘Schrems II’ world

The IAPP has set up a valuable resource collecting guidance and statements issued by national DPAs in response to the recent CJEU ruling in the so-called ‘Schrems II’ case. The IAPP aims to update the register on an ongoing basis.

The link is below:

https://iapp.org/resources/article/dpa-and-government-guidance-on-schrems-ii-2/

While privacy pros advise putting SCC in place as a substitute for the invalidated Privacy Shield, it should be noted that the SCC are by themselves a safeguard with a limited scope of application, as: (i) they still do not cover many processing scenarios (e.g., processor-to-controller, processor-to-sub-processor); (ii) they are quite outdated (issued in 2001, 2004 and 2010, in the pre-GDPR world); (iii) their validity has been made subject to several conditions by the ‘Schrems II’ decision.

Ambiguous status of SCC under the ‘Schrems II’ decision

As the whole privacy community already knows, the CJEU has today struck down the EU-US Privacy Shield scheme, while confirming the validity of the SCC.

The arguments against the Privacy Shield have changed little since the ‘Schrems I’ decision that invalidated Safe Harbour: governmental intrusion, lack of proportionality, and the ineffective role of the ombudsperson.

What is really new is that an EU-based data controller relying upon the SCC is now expected to assess how public authorities in third countries obtain access to personal data and how the legal system in those countries works.

Two questions still remain:

1. How are the controllers in question expected to conduct such an evaluation? Is there any methodology in this regard? It may seem somewhat similar to Article 45(2), which lists the factors the Commission shall evaluate when issuing adequacy decisions. However, a private entity living with the SCC is not an EU body and often does not have sufficient resources and understanding to conduct the research and put the necessary safeguards in place.

2. Enforcement. With DPAs already facing a lack of financial resources and manpower, the CJEU’s decision puts an extra burden on them. Thus, a requirement newly invented by the CJEU may easily end up unviable, with no practical effect due to insufficient oversight.

Bonus question: taking into account the ‘accountability’ principle, how should exporting controllers demonstrate their compliance with the new obligation?

Hopefully, answers are yet to come.

On the crucial importance of TOMs under GDPR Article 32

The DPA of Baden-Württemberg (Germany) fined a health insurance company 1,240,000 EUR for insufficient implementation of TOMs, which resulted in the personal data of approx. 500 individuals being accidentally processed for advertising purposes without due consent.

The fine is quite high, especially given that there have been some mitigating factors in this case:

  • not many data subjects concerned
  • cooperation with the DPA
  • TOMs were not absent altogether; the level of their implementation was merely insufficient

Besides, no data breaches or other factors posing a (high) risk to data subjects were identified.

The investigation resulted in one of the highest fines issued under Article 32 (if not the highest). This can be explained, in particular, by the adoption of the German model for calculating fines under the GDPR.

Anyway, this is yet another reminder for controllers and processors of the importance of putting in place TOMs appropriate to the risk, as ‘somewhat good’ TOMs will unlikely be enough.

More to read – see below.

https://digital.freshfields.com/post/102garn/1-2m-fine-in-germany-for-failure-to-implement-appropriate-toms

TikTok moves under the control of the Irish DPC

From 29 July 2020 onwards, TikTok Ireland will control the data of all users in the EEA and Switzerland.

Nothing specific, just another smart move by a non-EEA company (the parent company, TikTok Inc., being incorporated in the US) in an attempt to use the one-stop-shop mechanism via its EEA subsidiaries.

Except for one thing. The recent French scenario, where the CNIL issued an administrative fine directly to Google LLC (US) instead of its EU subsidiary (and this was upheld by the Conseil d’État), may become a real problem when it comes to receiving support from the Irish authorities.

The decision of the Conseil d’État has probably ended the era of so-called ‘delegated controllership’. If supported by other DPAs, this will affect all non-EU ‘factual’ controllers willing to use the one-stop-shop mechanism. Think about it, TikTok.