Watch those hands: shadows of “Schrems-II” in a super-interesting French case that may indeed have a far-reaching effect.

France’s highest administrative court (Conseil d’Etat) discussed the issue of personal data on a platform used to book COVID-19 vaccinations and hosted by the Luxembourg company AWS Sarl (a subsidiary of a company under U.S. law).

Unlike the classic “Schrems-II” setup, there is no data transfer to third countries, as the data was hosted in data centers located in the EU.

However, the court says that AWS Sarl (being a subsidiary of a company under U.S. law) may be subject to access requests by U.S. authorities based on Section 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333. Hence, the court went on to examine the legal, technical and other safeguards put in place, and concluded that they were sufficient in this particular case.

So what does it all mean? An actual data transfer is not always required to bring the discussion into the realm of “Schrems-II”: it is enough that the EU-based data importer (with EU-based data storage) is a subsidiary of a company incorporated under the law of a third country.

That was France. Should we now expect the same approach to be taken by other member states? It seems the EDPB has some new things to think over in order to avoid misinterpretation and misalignment between supervisory authorities in different member states.

#gdpr #privacy #gdprcompliance #dataprivacy #privacylaw #dataprotection #edpb #compliance #schremsii #schrems2

French court decision and use of safeguards for international transfers

I was most delighted when this case popped up in my feed today.

“The court noted that, for the purposes of hosting its data, Doctolib uses the services of the Luxembourg company AWS Sarl, that the data is hosted in data centers located in France and in Germany, and that the contract concluded between Doctolib and AWS Sarl does not provide for the transfer of data to the U.S. However, because it is a subsidiary of a company under U.S. law, the court considered that AWS Sarl in Luxembourg may be subject to access requests by U.S. authorities in the framework of U.S. monitoring programs based on Article 702 of the Foreign Intelligence Surveillance Act or Executive Order 12333.”

Even so, the court decided there were sufficient legal and technical safeguards to protect the data, and the processing in question was related to COVID-19.


Schrems-II and ePrivacy Regulation: beautiful mess?

It may occasionally seem that EU laws look like a chicken with its head cut off.

It’s been more than half a year since Schrems-II substantially changed the privacy world, with a succinct EDPB FAQ issued a week later and the controversial Recommendations 01/2020 still stuck at the public consultation stage, leaving more questions than answers, especially for businesses operating globally.

The recent agreement (after how many iterations?) on the ePrivacy Regulation resembles a Christmas that does not really make anyone happy: it raised clear concerns in the privacy community and received plenty of negative feedback, with the reaction from the German Federal Commissioner probably being the most vehement. Surely, the deadlock has been broken, and this is undoubtedly huge progress and an achievement that should not be underestimated (regardless of any criticism voiced). At the same time, there is obviously a long way to go to reach true reconciliation.

Going back to the Schrems-II stalemate, my impression is that many companies have taken a ‘wait and see’ approach, taking careful first steps while probably nervously waiting for the first cases of detected non-compliance in the industry. If you want a brief recap of what has happened in this realm since July 2020, here it is from the IAPP.

#dataprotection #privacy #gdprcompliance #privacylaws #edpb #gdpr #privacylaw #privacyissues #dataprivacy #privacymatters #privacyprotection #compliance #law #politicsandlaw

New to cybersecurity? Don’t feel helpless!

If you are new to #cybersecurity in an EU environment, this relatively concise article might be a good starting point. Get to know the basic documents and standards, the main #NIS Directive provisions, and industry best practices for responding to breaches.

https://www.lexology.com/gtdt/tool/workareas/report/cybersecurity/chapter/european-union

Virtualshadows blog is back!

This blog has been resurrected. It was closed down in November last year because of non-compliance concerning the number of cookies the blog was using (WordPress was a cloud service based in the US), the Schrems II ruling, and the fact that all cookie consent banners were too expensive; after all, this is a private blog, it’s just that there were quite a few visitors each month. I guess if this blog had been about my dog, or anything else, maybe I wouldn’t have bothered with all the GDPR stuff, but even so, I am professionally a ‘privacy guy’, so the blog had to go.

So what happened to my blog was something I call ‘GDPR paralysis’: everything comes to a stop, and GDPR is the cause. I remember when my business (Privasee), which I founded in 2015, came into a state of GDPR paralysis in 2017: the privacy purists versus myself as CEO, in that ‘business has to function’. There needs to be a compromise, otherwise Privasee would cease to exist; making money for the business is necessary for survival, and for my business to achieve what it set out to do, i.e. to ‘make privacy compliance accessible’.

One could claim that a blog comes under the ‘household exemption’, which was how I was thinking, maybe misguidedly, but you know how we human beings can be, believing in what is easiest, and anyhow what harm can it do to the ‘rights and freedoms of the natural person’? It’s just that all those cookies made it a privacy risk to visitors, and today something popped up in my LinkedIn feed that the Danish data protection authority has passed a ruling that a so-called ‘private website’ was not exempt under Article 2(1). I can’t find the case now.

When reading this blog post, you should have only 7 cookies downloaded, and they are all session cookies, except one with a lifetime of a single day. The WordPress site is based in the EU, so there are no international transfers.
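A claim like “only session cookies, except one that lives a single day” is easy to verify from the Set-Cookie response headers, and it is the kind of check a visitor or auditor would want to run rather than take on trust. The script below is an added example, not code from the blog or from WordPress: it parses Set-Cookie headers, separates session cookies (no Max-Age or Expires) from persistent ones, and flags any persistent cookie that outlives a chosen limit. The header lines are constructed for the example to mirror the shape described above; the cookie names are placeholders, not the blog’s actual cookies.

```python
"""Audit Set-Cookie headers: count cookies, split session from persistent,
and flag persistent cookies whose lifetime exceeds a chosen maximum.

Added example with constructed input; not code from the blog or WordPress.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Sequence

ONE_DAY = 86400  # seconds


@dataclass
class CookieInfo:
    name: str
    lifetime_seconds: Optional[int]  # None means a session cookie
    secure: bool
    http_only: bool


def parse_set_cookie(header: str, now: datetime) -> CookieInfo:
    """Parse one Set-Cookie header value (RFC 6265 syntax).

    Max-Age takes precedence over Expires, as a browser would apply it
    (RFC 6265 section 5.3). A cookie with neither attribute is a session
    cookie and is discarded when the browser session ends.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age: Optional[int] = None
    expires: Optional[datetime] = None
    secure = http_only = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            max_age = int(value.strip())
        elif key == "expires":
            expires = parsedate_to_datetime(value.strip())
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    lifetime = max_age
    if lifetime is None and expires is not None:
        if expires.tzinfo is None:  # treat a naive date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = int((expires - now).total_seconds())
    return CookieInfo(name, lifetime, secure, http_only)


def audit(headers: Sequence[str], now: datetime,
          max_persistent_seconds: int = ONE_DAY) -> Dict[str, object]:
    """Summarise a set of Set-Cookie headers for a privacy check."""
    infos = [parse_set_cookie(h, now) for h in headers]
    session = [c for c in infos if c.lifetime_seconds is None]
    persistent = [c for c in infos if c.lifetime_seconds is not None]
    over_limit: List[str] = [c.name for c in persistent
                             if c.lifetime_seconds > max_persistent_seconds]
    return {
        "total": len(infos),
        "session": len(session),
        "persistent": len(persistent),
        "over_limit": over_limit,
    }


# Constructed sample: a fixed "now" so the Expires computation is stable,
# six session cookies and one persistent cookie that expires in exactly one day.
NOW = datetime(2021, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "wp_test_cookie=WP+Cookie+check; Path=/; Secure",
    "wp_settings=a:1; Path=/; Secure; HttpOnly",
    "wp_settings_time=1614600000; Path=/; Secure",
    "csrf_token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "comment_author=anon; Path=/; Secure",
    "lang=en; Path=/; Secure",
    "visitor_session=xyz; Path=/; Secure; HttpOnly; "
    "Expires=Tue, 02 Mar 2021 12:00:00 GMT",
]

# Same set plus a constructed two-year tracking cookie, to show what gets flagged.
TRACKING_HEADERS = SAMPLE_HEADERS + [
    "tracker_id=u-42; Path=/; Max-Age=63072000; Secure",
]

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS, NOW))
    print(audit(TRACKING_HEADERS, NOW))
```

In practice the headers come from the site’s HTTP response (for example via the browser’s developer tools or a scripted GET); feeding them into `audit` turns “7 cookies, all session except one day-long cookie” into a result that can be checked on every deploy.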

Enjoy reading the blog again, and welcome back!

Shift from a territory-based to jurisdiction-based approach to international data transfers.


The European Commission’s draft decision implementing the renewed SCCs (‘draft’) seems to change the general understanding of what an ‘international data transfer’ is, as Article 1 of the draft points to ‘the transfer of personal data from a controller or processor subject to Regulation (EU) 2016/679 (data exporter) to a controller or (sub-) processor not subject to Regulation (EU) 2016/679’.

There are at least two (maybe more?) conceivable implications of the above:

1) the #GDPR data transfer rules will not be applicable where data is transferred from an EU-based company to a non-EU-based company that is itself subject to the GDPR pursuant to Article 3(2).

2) if a non-EU-based company subject to the GDPR pursuant to Article 3(2) transfers data to another non-EU-based company not subject to the GDPR, then this is considered an international data transfer which triggers the applicability of the GDPR international data transfer rules (so such companies may choose to enter into #SCC as a safeguard for such a transfer).

Interestingly, the first sentence of Recital 7 of the draft contradicts this new thinking and still reproduces the traditional territory-based approach.

The EDPB has now adopted its Guidelines 04/2019 on Article 25 Data Protection by Design and by Default after public consultation


This is to briefly share three key thoughts and conclusions from the Guidelines which might not seem so obvious at first sight.

1. Be sure to understand not only the literal and contextual meaning of the GDPR provisions, but also their spirit. Yes, the EDPB directly speaks about spirit, and this is new compared to the version for public consultation. See Example 1 in paragraph 70.

2. The notion of ‘necessity’ is understood not only in the context of achieving the purposes of the processing, but also with regard to how personal data are obtained. This serves the purpose of keeping data subjects involved in the processing of their personal data to the highest degree possible. See the Example in paragraph 68.

And finally, probably the most important.

3. The EDPB writes that processing options cannot be presented “in such a manner that makes it difficult for data subjects to abstain from sharing their data, or make it difficult for the data subjects to adjust their privacy settings and limit the processing” and “in a way that nudges the data subject in the direction of allowing the controller to collect more personal data than if the options were presented in an equal and neutral way” (Example 1 in paragraph 70). Personally, it conjures up images of some cookie banners offering just the options “Accept all” and “Settings”, thus nudging the user to press the ‘right’ button desired by the controller.

Some DPAs (e.g. the Danish #Datatilsynet) have previously stated that this type of ‘nudging’ is not allowed.

7 practical takeaways from the EDPB Guidelines 07/2020 (by Herbert Smith Freehills)

I remember criticising the new EDPB Guidelines 07/2020 for obvious mistakes in the approach chosen for giving explanations:

https://virtualshadows.wordpress.com/2020/09/13/do-new-guidelines-07-2020-on-the-concepts-of-controller-and-processor-in-the-gdpr-guidelines-really-help-to-identify-joint-controllership/

Today I came across an article from Herbert Smith Freehills (see the link below) and, ironically, found the same thought I had a month ago: “the guidelines do not appear to add much clarity with respect to the concept of joint controllers and when such a relationship will arise” and “tests will only serve to complicate matters further by requiring additional layers of analysis”.

Exactly! So obvious! Why hasn’t there been any talk of this before?! The EDPB often does great things, but sometimes (like all humans, I believe) it may produce shit.

The authors of the article tried to outline 7 practical takeaways from the guidelines. An attempt to squeeze (at least) something useful out? You decide. My point here is that the guidelines partly add little new to the landscape we saw and learnt before, and partly create misunderstanding and ambiguity and, indeed, “complicate matters further”, thus taking a step backward from the ‘old’ WP29 Opinion 1/2010.

https://hsfnotes.com/data/2020/10/13/new-edpb-guidelines-on-the-concepts-of-controller-and-processor-seven-practical-takeaways/#page=1

Digital online rights for children

Sweden is ahead of the rest of the world when it comes to children’s rights, even in the digital/online world. Read more here.

To say I felt excitement deep inside is an understatement. It was children’s safety online which brought me into privacy. My master’s thesis for my MSc in Information Security was on protecting children online, which led to the publication of my first book “Virtual Shadows” in 2009. This was 8 months before the birth of my daughter.

But what triggered me was long before this: my son, who was 18 by the time I had published my first book. I often had computers at home, normally open as I was twiddling with them, and so was he from the age of 10.

I saw his fascination with Sim City and other highly educational games which transported him into worlds of logistics and consequences. The theme of conversation amongst the boys was which level they had reached, e.g. how a famine had broken out, bad decisions on arming, etc. Gaming was not multiplayer, it was single-player, installed on a PC in those days.

What Sweden has triggered is awesome. It goes beyond what any country has done when it comes to human rights, which is not surprising considering they were the first country globally to give equal rights to children in 1971. Now, in 2020, it has reached the digital world.

The Swedish DPA has updated its guidance for the employment sector.

The Swedish DPA #datainspektionen has updated its guidance on how personal data should be processed in employment relationships. The information is primarily addressed to employers in both the private and public sectors, but it can also help workers, job seekers, trade unions and trade associations.

The original text is in Swedish but can easily be translated into English with online translators.

https://www.datainspektionen.se/vagledningar/arbetsliv/