Risk-based approach

I brushed up on one important thing – risk-based approach (RBA) which WP29 touched upon in 2014 in its “Statement on the role of a risk-based approach in data protection legal frameworks” (WP 218).

So what is RBA really about? The key phrase from the Statements that suggests answer: “… a data controller whose processing is relatively low risk may not have to do as much to comply with its legal obligations as a data controller whose processing is high-risk».

What does in mean? 

RBA does NOT mean that a controller may ignore some of its obligations if it processes low-risk data. This does not lead to compliance and this is a common misconception I’ve seen in my practice many times. Instead, RBA means that in this case a controller may do less to be compliant.

In fact, this is not correct to say that the whole GDPR implies RBA. Only some particular articles in particular cases do so (Art. 25, 30(5), 32-35 and some other).

The recent cases of usage of Facial Recognition Technologies (FRT)

Enforcement actions against Dutch supermarket and Swedish police remind that the bar for using FRT is very high.

Even if used for security purposes inside the supermarket, giving of relevant privacy notification to customers that FRT is used is not enough. However, no fine was issued by Dutch DPA (only warning).

In another case, Swedish Police unlawfully processed biometric data for facial recognition without conducting DPIA which resulted in a fine of approximately EUR 250,000. In addition, Swedish police was ordered to delete all data transfer to external database (Clearview AI) and notify data subjects that their personal data were transferred.

CLICK here to learn more on that

Mailchimp is out, even if…..

I am pretty creative when it comes to taking the GDPR legal stuff and working out how to make it work in practice. No business/organisation should hit a wall of what I call ‘GDPR paralysis’ because of something legal which prevents a business from functioning. Our livelihood depends upon a working economy and a healthy GNP. In fact if we didn’t have this, human rights starts to become problematic, because if we as private people do not have access to jobs we lose something which is the most important word in IMHO, and that is CHOICE.

Whenever I am presented with a stop, i.e. “no can’t do”, it is an opportunity to think new. Schrems II is one such example. I did not see it as a stop on international transfers over to the US. It just meant we needed increase diligence, document all and do those Transfer Impact Assessments (TIA) so we understand risks to the rights and freedoms of the natural person. Identify supplementary measures. We need to be realistic.

However, I must admit that the latest decision on Mailchimp in Germany is a show-stopper. From what I’ve dug out, it is only email addresses used in a mailing campaign which was in scope of the international transfer. Risk to the rights and freedoms of the natural person is zero/negligible. Yet due to indications that Mailchimp may in principle be subject to data access by US intelligence services on the basis of the US legal provision FISA702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken. “

My take on this previously was to assess risk to the rights and freedoms of the individual, however, now this approach has been kicked out, ignored. I wonder where is the logic, the balance in this decision? Clearly if Mailchimp was being used to send out marketing communications from a Sex Shop, or from a specialist group around a health condition, I could understand this… but an email address used in a standard non-personal communication?

I am wondering which monkey was behind this decision, or am I missing something?

Data Retention Guidance from DPN

Hi world!

Came across a very good #Data Retention Guidance from Data Protection Network Associates issued in July, 2020 (LINK).

Being based on the #UK and #EU laws, it outlines starting tips for conducting data retention review process (it all, however, begins with data mapping exercise), provides advice on how to decide on retention periods, advises on creation of data retention policy and schedule, and much more.

Attention: the Guidance refers to #anonymization as an acceptable way of handling data when retention period comes to an end. It should be noted here that ‘true’ anonymization is very hard (if possible) to achieve, especially given that there is no industry standard on strict sequence of steps to be taken to render the data anonymized. In addition, amid the constant development of #bigdata and #AI algorithms, data we consider truly anonymized today may not have the same status tomorrow.

Booking.com reported the breach too late

So the question is when do you press the red BREACH button?

  1. Is it when you first become aware a personal data breach could have occurred?
  2. Is it when you are sure that a personal data breach has occurred which triggers an investigation,
  3. or is it on conclusion of this investigation?

Booking.com decided on option 3.

Booking.com have been fined €475k because of this. They did report the breach but what is significant about this fine is that a minor incident reported by a customer of a hotel was dismissed on 9 Jan, then a second identical report from another customer of the same hotel triggered an investigation on 13 Jan. However, the report of the breach was not until 7 Feb, 3 days after the internal security investigation was concluded. The fine is because booking.com should -according to the Dutch DPA- have reported the breach on the 13 Jan.

In fact it is common practice, to not report the breach until one is sure there has been a breach, and sometimes even the circumstances of the breach. This case shows that this is not an advisable route.

Data Breach or not Data Breach?

Here comes one another evidence of why consistent applications of #GDPR across the #EU is just a ‘shimmering dream’ thus far.

Belgian DPA issued a decision where it said that unintentional (due to human error) sending of an e-mail containing personal data does not mean the violation of Article 32 (security of processing), which prevents the incident from being classified as data breach.

This appears to be in contradiction with #WP29 Guidelines on Personal data breach notification and with the recent #EDPB Guidelines 01/2021 on Examples regarding Data Breach Notifications. Both documents, vice versa, addressed examples of mistakenly sent e-mails, while sufficiency or insufficiency of security measures was not named as a factor of whether the incident should be classified as data breach.

Decisions like this clearly erode the idea and value of ‘consistency’ proclaimed by GDPR and promoted by EDPB.

Another non-obvious conclusion made by Belgian DPA is that unlawfully obtained data cannot be further lawfully processed.

#dataprotection #privacy #datasecurity #databreach #cybersecurity #edpb #dataprivacy #gdprcompliance #databreaches #security #privacyprotection #informationsecurity #infosec #privacyissues #compliance #privacylaw

Consistent application of GDPR is just a half of the problem

Another half is contradictions between the GDPR and the legislation of national Supervisory Authorities, and this is in no way easy to overcome.

Truly, it is difficult to expect that ALL member states will apply GDRP consistently if an agreement within ONE member state seems very far from being reached.

Germany has recently become an example of how Act on Regulatory Offences contradicts to GDPR, while opinion of the District Court of Berlin (‘Court’) contradicts to that of Conference of German SAs (‘Conference’), with stumbling block being whether Article 83 GDPR lists all the requirements that SAs must address to fine a company, or whether national laws can impose additional requirements. Is it enough to establish that a breach of the GDPR has occurred for a company to be held responsible (as GDPR says) or there have to be evidences of a specific act by management or legal representatives that led to the offence (as the German Act says)?

Court opined that German Act on Regulatory Offences shall apply, and this is in clear contradiction with GDPR and the position of Conference. What is especially important here is that it is all about fines, which is often the strongest ‘motivation’ to comply (let’s be realistic).

Meanwhile, Austrian and French courts create their own case law on this issue. Overall… it is a beuatiful mess 🙂

Watch those hands: shadows of “Schrems-II” in super-interesting French case that may indeed have far-reaching effect.

France’s highest administrative court (Conseil d’Etat) discussed the issue of personal data on a platform used to book COVID-19 vaccinations and hosted by Luxembourg company AWS Sarl (subsidiary of a company under U.S. law).

Unlike classic “Schrems-II” setup, there is no data transfer to third countries as the data was hosted in data centers located in the EU.

However, the court says that AWS Sarl (being a subsidiary of a company under U.S. law) may be subject to access requests by U.S. authorities based on Article 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333. Hence, what the court did is started to examine legal, technical and other safeguards put in place. And came to a conclusion that those were sufficient in this particular case.

So what does it all mean? The fact of data transfer is not always a requirement to bring the discussion to the realm of “Schrems-II” – it is just enough if the EU-based data importer (with EU-based data storages) is a subsidiary of a company incorporated under law of a third country.

It was France. Now, should we expect the same approach to be taken by other member states? Seems EDPB now got some new things to think over to avoid misinterpretations and misalignment between supervisory authorities in different member states.

#gdpr #privacy #gdprcompliance #dataprivacy #privacylaw #dataprotection #edpb #compliance #schremsii #schrems2

French court decision and use of safeguards for international transfers

I was most delighted when this case popped up in my feed today.

“The court noted for the purposes of hosting its data, Doctolib uses the services of the Luxemburg company AWS Sarl, the data is hosted in data centers located in France and in Germany, and the contract concluded between Doctolib and AWS Sarl does not provide for the transfer of data to the U.S. However, because it is a subsidiary of a company under U.S. law, the court considered AWS Sarl in Luxemburg may be subject to access requests by U.S. authorities in the framework of U.S. monitoring programs based on Article 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333. “

Even so the court decided there were sufficient legal and technical safeguards to protect the data, and this was related to covid-19.

Read more.