Watch those hands: shadows of “Schrems-II” in a super-interesting French case that may indeed have a far-reaching effect.

France’s highest administrative court (Conseil d’Etat) discussed the issue of personal data on a platform used to book COVID-19 vaccinations and hosted by the Luxembourg company AWS Sarl (a subsidiary of a company under U.S. law).

Unlike the classic “Schrems-II” setup, there is no data transfer to a third country, as the data was hosted in data centers located in the EU.

However, the court says that AWS Sarl (being a subsidiary of a company under U.S. law) may be subject to access requests by U.S. authorities based on Article 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333. Hence, the court went on to examine the legal, technical and other safeguards put in place, and came to the conclusion that those were sufficient in this particular case.

So what does it all mean? An actual data transfer is not always required to bring the discussion into the realm of “Schrems-II” – it is enough that the EU-based data importer (with EU-based data storage) is a subsidiary of a company incorporated under the law of a third country.

This was France. Should we now expect the same approach to be taken by other member states? It seems the EDPB now has some new things to think over, to avoid misinterpretation and misalignment between supervisory authorities in different member states.

#gdpr #privacy #gdprcompliance #dataprivacy #privacylaw #dataprotection #edpb #compliance #schremsii #schrems2

CNIL DPO accreditation

Well, I was pretty impressed that France seemed to be the first on the block to get some kind of official recognition for the DPO role. Organisations which train and certify DPOs can apply to be on their list of accredited organisations.

Great, I think. We need to apply… by ‘we’ I mean Privasee, of course!

Privasee has DPO training which is accredited at 5 ECTS* on exam completion (Scottish Credit and Qualifications Framework, which equals Level 6 Certification in the EQF*).

*EQF: European Qualifications Framework.

But Privasee will not apply, and why? Well, because it requires (1) inclusion of the French Data Protection Act in the training content, and (2) that a candidate for CNIL accreditation must first be accredited by an accreditation body pursuant to the standard ISO/CEI 17024:2012.

There is absolutely no inclusion of the academic accreditation which the Privasee CPP/EU-DPO has earned. The ISO standard mentioned above purely requires that the certification conforms to a specific schedule. The academic accreditation that Privasee has earned for its DPO training has had both content and structure assessed.

Why are academic qualifications not included here? And why exclude all DPO training/certification organisations which are not French?

Flashback to when I was a security guy and the proud owner of the MSc in Information Security from Royal Holloway, University of London (RHUL, 2006), renowned as the best globally in infosec/cybersecurity education, with gurus such as Prof. Fred Piper. I was nonetheless continually frustrated by the need for CISSP certification, which required an individual to read a book, memorise and regurgitate in multiple-choice test questions, whereas the Master’s degree, which many of us studied part-time or by distance learning in addition to a full-time job over 2-4 years, was completely ignored. The headhunters had a search algorithm which searched for CISSP and NOT MSc. This hurts, as those of us who have completed the MSc will acknowledge it is expensive, and then, just because of an automated decision engine, we are excluded from potential jobs.

Fast forward to now. I realise that with GDPR, those recruiting may have a challenge with this kind of automated decision. I wonder when job applicants will cotton on to this?

And then back to the CNIL as a DPO certification accreditation body. As you’ve probably realised by now, I’m just a little bit peeved at again… maybe I’m taking this personally… being excluded.

On the bright side, even the IAPP, with the combined CIPP/E and CIPM (to be the DPO), will not be able to fulfil this requirement. The CIPP/E has nothing on French data protection.

Taking a practical approach: Privasee could theoretically get the ISO thingy, and if you are a French privacy/legal guy/girl with a French business who would like to give this a bash, contact me and become a Privasee OWL Partner. The adaptation of the CPP/EU-DPO training to a CPP/Fr-DPO training would be minimal… IMHO.

hActivists – Je suis Charlie!

I am sure it is no news to any of us that Anonymous, the infamous hacktivist movement, is taking up cyber arms against extreme militants following the horrific attack on Charlie Hebdo.

Love them or hate them they are here to stay and cannot be ignored.

In fact, the more I read on this, the more I start to speculate on the place of cyber activists in the future of the global, digital, verbose and connected world that we are all a part of today.

And you know, you don’t even need to be a hacker to be a part of their attacks on institutions and/or people that restrict the human right of freedom of speech. All you need to do to become a sympathiser and a part of their movement is visit their chat rooms, see what the latest target is, click on the appropriate icon, and lo and behold, you will be one of the millions of PCs launching a DDoS attack. See how Geoffrey ‘Jake’ Commander, a 66-year-old British rock guitarist who has worked with George Harrison, Elton John and Electric Light Orchestra, participated in the December 2010 Operation Payback, an Anonymous campaign that brought down many financial websites, including VISA, MasterCard and PayPal, by launching a massive distributed denial-of-service (DDoS) attack.

Crowdsourcing, crowdfunding, the crowd movement enabled by today’s connecting technologies is bringing a new energy to the people, a bottom-up power experienced world-wide with the Arab Spring. There have always been activists fighting for what is right, fighting against greed and corruption; what has changed now is that it has not only become a force in the digital world, with cyber activism and hacktivists at the forefront, but is linked with the empowering capabilities of social media, such as Twitter, Facebook, Instagram and Google Maps, to bring people together to protest on the streets, coordinated across the world.

‘Power to the People’ is taking on a new guise, and this is for real!

Privacy commissioners vs. Google

Oh dear, Google is in trouble… they have been (surprise, surprise) criticized by privacy commissioners around the world on their privacy practices, or lack of them 😉

Read more at The New York Times. BTW, I need to thank Jack for his tweet on this 🙂

France’s three strikes law not striking yet!

The French legislature has passed its controversial anti-P2P “three strikes and you’re off the Internet” law for a second time, after a constitutional court found the first version unacceptable. It is France’s long-talked-about law to kick repeat copyright infringers off the Internet. However, the French government department that examines the data privacy implications of new legislation is refusing to sign off on the country’s tough new “three strikes” law until it gets more information about what data will be retained… and how. Read more here…