I am pretty creative when it comes to taking the GDPR legal stuff and working out how to make it work in practice. No business/organisation should hit a wall of what I call ‘GDPR paralysis’ because of something legal which prevents a business from functioning. Our livelihood depends upon a working economy and a healthy GNP. In fact if we didn’t have this, human rights starts to become problematic, because if we as private people do not have access to jobs we lose something which is the most important word in IMHO, and that is CHOICE.
Whenever I am presented with a stop, i.e. “no can’t do”, it is an opportunity to think new. Schrems II is one such example. I did not see it as a stop on international transfers over to the US. It just meant we needed increase diligence, document all and do those Transfer Impact Assessments (TIA) so we understand risks to the rights and freedoms of the natural person. Identify supplementary measures. We need to be realistic.
However, I must admit that the latest decision on Mailchimp in Germany is a show-stopper. From what I’ve dug out, it is only email addresses used in a mailing campaign which was in scope of the international transfer. Risk to the rights and freedoms of the natural person is zero/negligible. Yet due to “indications that Mailchimp may in principle be subject to data access by US intelligence services on the basis of the US legal provision FISA702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken. “
My take on this previously was to assess risk to the rights and freedoms of the individual, however, now this approach has been kicked out, ignored. I wonder where is the logic, the balance in this decision? Clearly if Mailchimp was being used to send out marketing communications from a Sex Shop, or from a specialist group around a health condition, I could understand this… but an email address used in a standard non-personal communication?
I am wondering which monkey was behind this decision, or am I missing something?
Another half is contradictions between the GDPR and the legislation of national Supervisory Authorities, and this is in no way easy to overcome.
Truly, it is difficult to expect that ALL member states will apply GDRP consistently if an agreement within ONE member state seems very far from being reached.
Germany has recently become an example of how Act on Regulatory Offences contradicts to GDPR, while opinion of the District Court of Berlin (‘Court’) contradicts to that of Conference of German SAs (‘Conference’), with stumbling block being whether Article 83 GDPR lists all the requirements that SAs must address to fine a company, or whether national laws can impose additional requirements. Is it enough to establish that a breach of the GDPR has occurred for a company to be held responsible (as GDPR says) or there have to be evidences of a specific act by management or legal representatives that led to the offence (as the German Act says)?
Court opined that German Act on Regulatory Offences shall apply, and this is in clear contradiction with GDPR and the position of Conference. What is especially important here is that it is all about fines, which is often the strongest ‘motivation’ to comply (let’s be realistic).
Meanwhile, Austrian and French courts create their own case law on this issue. Overall… it is a beuatiful mess 🙂
So hot of the press is that H&M (a Swedish business), although the fine of €41,4m was due to practices in one of their German outlets which were not compliant with GDPR.
Clearly as an employer it is difficult to avoid the collection of sensitive data from employees, i.e. when they are sick, just the notification is in itself sensitive and a DPIA must be conducted on how the notification and following process is done in order to any identify privacy risks, and remediations necessary in order to minimise the risk of harm to the rights and freedoms of each employee.
It seems that H&M were in conducting a “welcome back to work” after sick/vacation interview, recording the contents of the conversation, and storing it somewhere, which badly for them became exposed, which meant they got found out because they were reported to the German DPA.
It seems a bit of a pity, as the purpose of the interview seems to be positive, and a nice way to return to the workplace, especially after one has been unwell. However, storage of this conversation is processing outside of the specific purpose of the conversation, and indications -from what I read- are that this personal data was in fact used beyond purely storage, in that 50 managers had access.
Bad news for H&M. Great news for privacy and GDPR. Great work Germany, as per usual at the front of data protection and privacy of each and every data subject!
This is an interesting case, and not only for the reasons mentioned in the press. It doesn’t give us much to work with but…
What strikes me, which is often overlooked by organisations are that employees and ex-employees -as is the case here- have rights under GDPR. Every employee is a data subject…. although of course you knew that 😉
What seems to be common with dissatisfied customers applies to unhappy ex-employees (in this case) they exercise their rights under GDPR. This guy wanted to be forgotten and access (on what couldn’t be deleted one can assume). This means that even if your organisation is a role of processor in the delivery of services to your customers, who are the controller, you are still regardless the controller to your employees.
What was used for the transfer of employee data over to China is contractual clauses. However, the award of the fine, a meagre €5k was for not responding to the ex-employee as per his rights, not on the use of contractual clauses…. would be interesting to know more on this.
I missed this, progress on the new EU directive on data protection and implications on Safe Habor on the excellent Panopticon blog.
To summarize seems they need to trash what has already been created and start again. Germany in the driving seat now, I think, which means there should be some action. Nevertheless excepted completion is this year, 2014. Concerns about the alignment of Safe Harbor with this directive, particularly considering the amount of personal data from EU citizens, e.g. Facebook, etc., that is held in the U.S.
I really like this. It came out last week just when I was mentally preparing to travel up to Mora for Tjejvasan on Tuesday 😉
Angela wants to try and keep EU data in the EU boundaries, especially personal data.
Concerns voiced by experts talk about the amount of work involved to redo all the router configuration tables, after all networks are configured to get packets from A2B as quickly as possible, it may not always be the most direct route. For example when it is often faster to take the motorway bypass when driving your car, than it is to take the small roads. Packet routing is working exactly the same, depending on traffic congestion, fastest routes are calculated. A redo of router configuration tables would be like removing option to take a faster route if one route is congested.
Cryptography expert states that it would be much more effective to encrypt packets, that way it would not matter where they go, even over hostile territory. Some issues here are that: 1) Cryptography has some overhead cost, this is like adding additional packaging for post, it makes the package larger and heavier; 2) How does a non-technical person know when to encrypt? After all it doesn’t make sense to send everything encrypted? 3) I love the evolutions with quantum computing, as it can solves many problems simultaneously, although each quantum processor must be designed with a purpose in mine…e.g. for security it could be the decryption of a specific algorithm. It’s extremely expensive, but imagine when NSA or criminal networks that have this kind of money start using quantum computing for intelligence and data-mining purposes?
I believe that we have enough networks in EU to route packets within the EU before they are sent outside of the EU. This also prepares us for the future when it will be much easier to decrypt even the most secure algorithms used today. So yes, it requires some work, but just as we in the EU would like to keep our cloud services in the EU, so would we like to keep our personal information, encrypted or not!
Wow, Germany courts have done it again! They are so good at protecting the personal privacy of their citizens! Read on, it connects to an individual’s ‘right to be forgotten’.
Google have been been over-ruled concerning how the ‘autocomplete’ function in the search dialog works. Basically this is generated by what other users have been searching for. The reason why this has become a case for personal integrity, and also a person’s reputation is because words associated with a particular person, either by rumor or otherwise, and thus searched by users impacts that person’s reputation.
The case in question was when the complainants’ names were typed into Google’s search bar, the autocomplete function added the ensuing words “Scientology” and “fraud”.The continuing association of their names with these terms infringed their rights to personality and reputation as protected by German law (Articles 823(1) and 1004 of the German Civil Code).
What does this mean for Google? Well once Google has been alerted to the fact that an autocomplete suggestion links someone to libellous words, it must remove that suggestion.
According to Panopticon blog this German ruling is extending the “frontiers of legal protection for personal integrity and how we allocate responsibility for harm. Google says that, in these contexts, it is a facilitator not a generator. It says it should not liable for what people write (scroll down to “Google and the ‘right to be forgotten’” here, in Spain a previous case), not for what they search for (the recent German case). Not for the first time, courts in Europe have allocated responsibility differently.”
Now this is a really interesting legal case. Facebook has a marketing and advertising business established as a separate legal entity in Germany. In December 2012, the Schleswig DPA issued orders against Facebook Inc. in the U.S. and Facebook Ltd. in Ireland, in which the DPA demanded that Facebook allow its German users to use pseudonyms.
So which law applies? Germany, Ireland, or US? In the end Germany lost. It was decided that the Irish DPU laws applied. The ruling stated that it was not considered a sufficient presence to warrant the application of German data protection law.
This is the dilemma, to increase surveillance in the name of personal safety or to not do this as it violates our right to personal privacy?
Remember what happened after the terror attacks on the twin towers in New York? A whole host of privacy invading legislation was passed in the U.S., that now requires visitors to go through the inconvenience and indignity of being fingerprinted like criminals and having our faces scanned. And there is no road back, it is a one-way street. Once a practice starts it becomes accepted over time as the norm.
The UK has dragged through legislation on the mandatory issue of ID cards. Although they have not succeeded in getting this through for all UK citizens, they will… they have started with all UK immigrants who today have no choice. Most youngsters need ID in order to get accepted in most bars, so it has become a norm among this age group. All in the name of personal safety, trying to control, and control something that is not controllable.
So now officials from Finland, Estonia and Germany have called for expanded monitoring powers on the Internet in wake of the Oslo tragedy. Apparently the guilty party for this attack published a Twitter message, a YouTube video and a 1,500 manifesto linking to the buildup to these terrible crimes. Read more here.
And we are back to the dilemma thing. As a mother I am screaming out for these “expanded monitoring powers”, but as a privacy advocate I am terrified by these developments as it gives justifications for increased invasions to our private space, that is getting smaller and smaller…..
I love what is going on in Germany during a few months now, in that almost 250,000 Germans have told Google to blur pictures of their homes on the Street View service. Which is quite right. The EU directive on data privacy gives the data subject the right to consent to any personal information being stored. I wonder why it is only happening in Germany and not elsewhere in the EU, after all it is our right as data subjects.