Sensitive employee data made public in Finland

Okay, there were only 7 employees, and this personal data breach, which was investigated by the Finnish DPA, concerned a single employee who was on sick leave.

What is super interesting about this case is that the employer (a family business) put the fact that the employee was on sick leave on the company website. It seems that the fact that the employee was sending an automated response to emails saying that he/she was on sick leave gave the idea that this data was now public data.

It then digs into the employment act and secrecy concerning employee data, and the decision was that sanctions would be placed on this business, i.e. it was a personal data breach which has an impact on ‘rights and freedoms’.

Clearly I’ve cut out a load of details here… but what is important is that even the small family businesses are not immune to GDPR sanctions.

A US update on the TikTok saga

As you know Trump tried to ban TikTok from the US, and a compromise was reached with TikTok that US user data would only be stored in US data-centers. Sounds a bit similar to the Irish ruling in 2020. What I am thinking is that US intelligence have the power/mandate to access data of EU data subjects under FISA 702, so what if China have something similar?

Anyhow, despite my speculations, there is a new development. It seems that biometric data may or will be collected by TikTok, as it stands now only from US TikTok users, although consent will be required. Apparently it seems that now all US states require consent for the collection of biometric data!

But what about all the underage users? There is a law which mandates parental consent (of minors) in the US. A significant number of TikTok users are minors, and the mind boggles when it comes to the collection of biometric data of minors… how aware are the parents? More and more I am coming to the view that TikTok should be banned… even though my daughter is a user, and the fun and benefits are boundless.

Mailchimp is out, even if…..

I am pretty creative when it comes to taking the GDPR legal stuff and working out how to make it work in practice. No business/organisation should hit a wall of what I call ‘GDPR paralysis’ because of something legal which prevents a business from functioning. Our livelihood depends upon a working economy and a healthy GNP. In fact if we didn’t have this, human rights start to become problematic, because if we as private people do not have access to jobs we lose something which is the most important word IMHO, and that is CHOICE.

Whenever I am presented with a stop, i.e. “no can’t do”, it is an opportunity to think new. Schrems II is one such example. I did not see it as a stop on international transfers over to the US. It just meant we needed to increase diligence, document all and do those Transfer Impact Assessments (TIA) so we understand risks to the rights and freedoms of the natural person. Identify supplementary measures. We need to be realistic.

However, I must admit that the latest decision on Mailchimp in Germany is a show-stopper. From what I’ve dug out, it is only email addresses used in a mailing campaign which were in scope of the international transfer. Risk to the rights and freedoms of the natural person is zero/negligible. Yet there were indications that Mailchimp may in principle be subject to data access by US intelligence services on the basis of the US legal provision FISA 702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider, and thus the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken.

My take on this previously was to assess risk to the rights and freedoms of the individual, however, now this approach has been kicked out, ignored. I wonder where is the logic, the balance in this decision? Clearly if Mailchimp was being used to send out marketing communications from a Sex Shop, or from a specialist group around a health condition, I could understand this… but an email address used in a standard non-personal communication?

I am wondering which monkey was behind this decision, or am I missing something?

Data Breach or not Data Breach?

Here comes another piece of evidence of why consistent application of #GDPR across the #EU is just a ‘shimmering dream’ thus far.

The Belgian DPA issued a decision in which it said that the unintentional (due to human error) sending of an e-mail containing personal data does not mean a violation of Article 32 (security of processing), which prevents the incident from being classified as a data breach.

This appears to be in contradiction with the #WP29 Guidelines on Personal data breach notification and with the recent #EDPB Guidelines 01/2021 on Examples regarding Data Breach Notifications. Both documents, on the contrary, addressed examples of mistakenly sent e-mails, while the sufficiency or insufficiency of security measures was not named as a factor in whether the incident should be classified as a data breach.

Decisions like this clearly erode the idea and value of ‘consistency’ proclaimed by GDPR and promoted by EDPB.

Another non-obvious conclusion made by the Belgian DPA is that unlawfully obtained data cannot be further lawfully processed.

Consistent application of GDPR is just a half of the problem

The other half is the contradictions between the GDPR and the legislation of national Supervisory Authorities, and this is in no way easy to overcome.

Truly, it is difficult to expect that ALL member states will apply GDPR consistently if an agreement within ONE member state seems very far from being reached.

Germany has recently become an example of how the Act on Regulatory Offences contradicts the GDPR, while the opinion of the District Court of Berlin (‘Court’) contradicts that of the Conference of German SAs (‘Conference’), with the stumbling block being whether Article 83 GDPR lists all the requirements that SAs must address to fine a company, or whether national laws can impose additional requirements. Is it enough to establish that a breach of the GDPR has occurred for a company to be held responsible (as GDPR says), or does there have to be evidence of a specific act by management or legal representatives that led to the offence (as the German Act says)?

The Court opined that the German Act on Regulatory Offences shall apply, and this is in clear contradiction with GDPR and the position of the Conference. What is especially important here is that it is all about fines, which are often the strongest ‘motivation’ to comply (let’s be realistic).

Meanwhile, Austrian and French courts create their own case law on this issue. Overall… it is a beautiful mess 🙂

Watch those hands: shadows of “Schrems-II” in a super-interesting French case that may indeed have a far-reaching effect.

France’s highest administrative court (Conseil d’Etat) discussed the issue of personal data on a platform used to book COVID-19 vaccinations and hosted by Luxembourg company AWS Sarl (subsidiary of a company under U.S. law).

Unlike the classic “Schrems-II” setup, there is no data transfer to third countries, as the data was hosted in data centers located in the EU.

However, the court says that AWS Sarl (being a subsidiary of a company under U.S. law) may be subject to access requests by U.S. authorities based on Article 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333. Hence, the court went on to examine the legal, technical and other safeguards put in place, and came to the conclusion that those were sufficient in this particular case.

So what does it all mean? The fact of data transfer is not always a requirement to bring the discussion to the realm of “Schrems-II” – it is just enough if the EU-based data importer (with EU-based data storage) is a subsidiary of a company incorporated under the law of a third country.

It was France. Now, should we expect the same approach to be taken by other member states? It seems the EDPB now has some new things to think over to avoid misinterpretations and misalignment between supervisory authorities in different member states.

Digital online rights for children

Sweden is ahead of the rest of the world when it comes to children’s rights, even in the digital/online world. Read more here.

To say I felt an excitement deep in me is an understatement. It was children’s safety online which brought me into privacy. My master thesis for my MSc Information Security was on protecting children online, which led to the publication of my first book “Virtual Shadows” in 2009. This was 8 months before the birth of my daughter.

But what triggered me, long before this, was my son, who was 18 by the time I had published my first book. I often had computers at home, normally open as I was twiddling with them, and so was he since he was 10 years old.

I saw his fascination in Sim City and other highly educational games which transported him into worlds of logistics and consequences. The theme of conversation amongst the boys was which level they had reached, e.g. how a famine had broken out, bad decisions on arming, etc. Gaming was not multi-player, it was single player, and installed on a PC in those days.

What Sweden has triggered is awesome. Beyond what any country has done when it comes to human rights, not surprising considering they were the first country globally to give equal rights to children in 1971. Now in 2020, it has reached the digital world.

H&M have invaded employee privacy

Hot off the press is H&M (a Swedish business), although the fine of €41,4m was due to practices in one of their German outlets which were not compliant with GDPR.

Clearly as an employer it is difficult to avoid the collection of sensitive data from employees, i.e. when they are sick, just the notification is in itself sensitive, and a DPIA must be conducted on how the notification and following process is done in order to identify any privacy risks, and the remediations necessary in order to minimise the risk of harm to the rights and freedoms of each employee.

It seems that H&M were conducting a “welcome back to work” interview after sick/vacation, recording the contents of the conversation, and storing it somewhere, which badly for them became exposed, and they got found out because they were reported to the German DPA.

It seems a bit of a pity, as the purpose of the interview seems to be positive, and a nice way to return to the workplace, especially after one has been unwell. However, storage of this conversation is processing outside of the specific purpose of the conversation, and indications -from what I read- are that this personal data was in fact used beyond purely storage, in that 50 managers had access.

Bad news for H&M. Great news for privacy and GDPR. Great work Germany, as per usual at the front of data protection and privacy of each and every data subject!

BCRs and Tetra Pak has just got them approved in Sweden

An extremely interesting development considering the recent Schrems II decision and that Tetra Pak has US operations.

This is a first for the Swedish Data Protection Authority with BCRs. OneTrust has a good summary of the decision, etc., in English. Here is the decision in Swedish.

Now, there is much discussion on the legality of Binding Corporate Rules since Schrems II, after all surveillance in the U.S. is omnipresent, over which we have no control over here in the E.U., but in reality what this decision means is that we need to be realistic, business must go on.

My take on the transfer of data is to dive into the potential risks to rights and freedoms of the natural person. If there are none, e.g. you are only transferring the email address and name of the individual, and maybe they are adding business activities into a log, e.g. financial records, I find it difficult to really force myself to change an established business practice, especially now with coronavirus times, and many businesses are in survival mode, and many close to bankruptcy. If HR data is being transferred then this must change clearly.

I am, even as a privacy professional, sceptical of all the fuss and hype there is on blocking all personal data transfers out of the EU to a country such as the U.S. (lacking an adequacy decision now with Privacy Shield gone), because of Schrems II.

I guess if I wasn’t a small startup myself, serving small-medium businesses, I would think differently. But if this is all too complex, the SMB will do nothing, they have too much to lose, and when it happens it can go quick, money spent must be prioritised. For the SMB Schrems II is like double-dutch, all this legal speak, it’s out of their boundaries of business operations, and the Data Protection Authorities get this, and are not normally targeting the small actors selling consulting, car repairs, chickens, or a pair of shoes, they are after the biggies.

An open letter to the CJEU from L

Read a view of the Schrems’ decisions from the other side of the great pond, in the U.S. I found this to be an informative, serious but fun read through the spectacles of Lydia F de la Torre, EU & US Counsel (Spain/California) and a lecturer of Privacy Law at Santa Clara University School of Law. Grab a coffee, it is long and its climax is an open letter to the CJEU which I’ve copied below 🙂

Everyone knows the story of the Privacy Shield. Or at least they think they do. But, I’ll let you in on a little secret. Nobody knows the real story, because nobody has ever heard my version of it. I am a lecturer at Santa Clara Law. You can call me L.

The blogpost by Lydia covers the Schrems I and II saga. From reading this I gained some insight which I hadn’t really bothered to dig into earlier, but I am not alone in this. One example is Schrems I resulted in the fall of Safe Harbor, we all know this, but what is not common knowledge is that it seems that even Max himself was unaware that Facebook were using SCCs; if he’d known earlier there would have been no Schrems II because it would have been taken at the beginning.

You really should read the complete Post from Lydia, it is actually entertaining 😉


To: The Court of Justice of the European Union (Grand Chamber)

In regards: Overdue homework

Dear Grand Chamber:

I have been waiting for years for you to give us a hint as to what is the essence of the European right to data protection.

I know you know the right to a private life and the right to data protection are two different rights, but I am starting to suspect you can’t tell them apart as you keep citing to them as if they were twins.

And that is a scary proposition, since the ECtHR is not going to steal your thunder because the European Convention of Human Rights (that the ECtHR has the authority to adjudicate on) does not recognize a right to data protection.

Perhaps reading member state caselaw on the right to data protection could get your creative juices flowing? Jurisprudence under Article 35 of the Portuguese Constitution or Article 18(4) of the Spanish Constitution? How about the German classics on Recht auf informationelle Selbstbestimmung?

And yes, I know you are not bound to follow precedent from the Constitutional Courts of Member States.

But let’s be honest.

You can’t claim copyright over the EU Charter of Fundamental Rights either. We all know the Charter is just a compilation of the rights granted to Europeans, initially, by Member State law.

So please, do your homework next time you rule on a GDPR case and hand down something that tells us what the core of the European right to data protection exactly is. Is data localization absent essential equivalence for a cross-border transfer part of it? If Privacy Shield had passed muster from a privacy perspective, would a violation of Article 47 of the Charter (since the Ombudsperson did not equate to a tribunal within the meaning) trigger a violation of the fundamental right to data protection under Article 8.3 of the Charter?

Looking forward to hearing from you soon.

Sincerely,

L