Data Protection: An Overview of General Data Protection Regulation Developments During November
Another month in the lifetime of the General Data Protection Regulation has once again brought new developments, both positive and negative. November 2019 brought fresh guidelines and long-awaited findings on the protection of our personal data, as the European Data Protection Board (EDPB) met for its fifteenth plenary session in Brussels on 12 and 13 November. This November also brought developments regarding the long-anticipated ePrivacy Regulation, as well as fines that are significant not so much for their amount as for the nature of the underlying breach and the legal action taken.
European Data Protection Board – EU-US Privacy Shield Review
Among the documents produced by the latest plenary session of the European Data Protection Board is the newly adopted final version of the Commission’s report on the Third Annual EU-US Privacy Shield Review, which took place in September 2019.
The report finds that the Privacy Shield framework, in which more than 5,000 companies are participating this year, continues to provide an adequate level of protection for personal data transferred from the EU to companies participating in the Privacy Shield program in the US.
The Commission noted certain improvements in the operation of the framework, namely the efforts made in oversight and enforcement actions on its commercial aspects. The findings also welcomed the appointments to key oversight bodies, i.e., the Privacy and Civil Liberties Oversight Board (PCLOB) and a permanent Ombudsperson.
Despite the positive findings of the review process, certain aspects of the Privacy Shield framework were recognized as concerning and requiring attention. Improvements were recommended to the re-certification process, whose grace period should not exceed 30 days, and to the spot-check procedures by which the US authorities should assess compliance with the Privacy Shield principles.
Furthermore, it was indicated that the Department of Commerce should implement tools to detect false claims of participation in the Privacy Shield, as well as ways to share information on ongoing investigations with the Commission and with the EU Data Protection Authorities that hold enforcement responsibilities under the Privacy Shield. Lastly, it was pointed out that the EU Data Protection Authorities, the Department of Commerce and the Federal Trade Commission should develop common guidance on the treatment of HR data.
European Data Protection Board – New Guidelines on Territorial Scope and on Data Protection by Design and Default
Guidelines on Territorial Scope
At the plenary meeting the EDPB introduced the final version of the Guidelines on the Territorial Scope under Article 3 of the EU General Data Protection Regulation, which were first published for public consultation on 12 November 2018 and are now fully adopted.
The guidelines serve the purpose of assisting data protection authorities when applying GDPR provisions to cases where it is necessary to determine whether a certain processing activity of a controller or processor falls within the territorial scope of the GDPR.
The guidelines provide clarity on a number of situations, among others where a controller or processor established in the EU processes the data of non-EU subjects, where an entity established outside the EU has arrangements in the EU, and where the processing of personal data is carried out “in the context of the activities of an establishment” in the EU. Furthermore, they explain in detail certain aspects of the applicable criteria and elements, such as the context of establishment, the data subjects concerned and the targeted processing of data of persons in the EU, in addition to the other extra-territorial aspects that might not seem entirely clear-cut in the GDPR itself.
The guidelines also address the feedback and opinions presented during the consultation stage by providing improved wording and legal reasoning.
Guidelines on Data Protection by Design and Default
The EDPB on 20 November 2019 adopted the Guidelines on Data Protection by Design and Default for public consultation. The feedback from the public is anticipated until 16 January 2020.
The Guidelines walk through the principles of Data Protection by Design and by Default (DPbDD) under Article 25 of the GDPR and provide a general description of the requirements that controllers must consider when designing the intended data processing.
In addition to the theoretical clarification of the elements of DPbDD, the guidelines give the reader practical guidance on implementing the data protection principles set out in Article 5(1) of the GDPR, presenting the key design considerations and various elements of DPbDD illustrated by practical case examples. For a more complete picture, the EDPB also addresses certification under Article 42 of the GDPR and the supervisory authorities’ enforcement of Article 25.
The EDPB concludes the Guidelines with a comprehensive list of recommendations to controllers, processors and technology providers on best practices for cooperating to fulfil the DPbDD requirements, and on how doing so can become a competitive advantage for these stakeholders.
EU Member States reject the Council’s position on the draft ePrivacy Regulation
A noteworthy turn of events took place in November when the Draft ePrivacy Regulation presented by the Finnish Presidency of the Council of the EU was rejected by the Permanent Representatives Committee of the Council of the European Union (COREPER).
The Draft ePrivacy Regulation was proposed in 2017 as a replacement for the Privacy and Electronic Communications Directive 2002/58/EC, otherwise known as the ePrivacy Directive, which until now has safeguarded users’ privacy and security on the internet. The newly introduced ePrivacy Regulation was proposed to strengthen users’ right to privacy by providing measures against online tracking, and was intended to complete the EU’s framework for data protection and the confidentiality of electronic communications.
Instead of moving towards safeguards that keep pace with ever-increasing technological developments and the privacy risks that accompany them, the Committee, by rejecting the draft after more than two years of discussion, may turn the tables unfavourably for users. Opponents of the decision regard the rejection as protecting the interests of online tracking advertisers at a time when privacy and internet security scandals are commonplace.
As a result of this decision, the ePrivacy reform could remain stagnant for months to come and may even be withdrawn altogether by the Commission.
Uber fined twice for violations
The ride-hailing companies Uber B.V. and Uber Technologies, Inc., as joint controllers, were fined this November by both the ICO of the United Kingdom and the Dutch Autoriteit Persoonsgegevens for a data breach that occurred in 2016.
The Dutch Data Protection Authority issued a fine of 600,000 euros for Uber’s failure to report the breach to the Authority and to the affected data subjects within 72 hours of its discovery. This was followed by the ICO’s action imposing on Uber a fine of 385,000 GBP (453,146.49 euros) for failing to protect customers’ personal data from a cyber attack. The fine issued by the Dutch Data Protection Authority is the first data breach related fine of such significance to date.
During the cyber attack, which took place in 2016, hackers accessed personal data, including names, surnames, email addresses and phone numbers, of 174,000 Uber customers in the Netherlands and 2.7 million Uber customers in the United Kingdom, as stated by the Data Protection Authorities. In total, the number of data subjects affected, as disclosed by Uber after the discovery, was approximately 57 million. Furthermore, the incident was concealed for more than a year, and to avoid its discovery Uber paid the perpetrators 100,000 USD in exchange for deleting the data and keeping the breach secret.