New German law

New German law regulating ePrivacy and data protection

New German law, recently adopted, regulates ePrivacy and data protection in telecommunications and telemedia.


Last month, the German parliament (Bundestag) adopted a new law regulating ePrivacy and data protection in telecommunications and telemedia. Previously, the provisions governing German data protection in this area were spread across several laws and were partially contradictory, which led to legal uncertainty on various matters. Data protection and privacy questions were typically split between two laws, the Telemedia Act (TMG) and the Telecommunications Act (TKG), until 20 May, when the Telecommunications-Telemedia Data Protection Act (TTDSG) was passed. The act aims to unify the country's rules and bring them in line with the EU's GDPR. The new law could however be superseded by European law soon, as discussions on the new ePrivacy Regulation intensify.


The new German law implements the ePrivacy Directive with regard to the use of cookies.


The ePrivacy Directive (2002/58/EC), whose cookie consent requirement was introduced by a 2009 amendment, obliges websites to obtain visitors' informed consent before storing cookies on, or reading information from, their devices, except where this is strictly necessary to provide a service the user has requested. The new German legislation implements these cookie consent rules with a view to the GDPR and the 2019 judgment of the Court of Justice of the EU in Planet49 (Case C-673/17). Placing cookies without active consent from internet users (pre-ticked boxes do not count) is incompatible with EU law, as rulings from both the CJEU and the German Federal Court of Justice (Bundesgerichtshof) have confirmed. The recently amended Telecommunications Act had been challenged by the opposition, who argued that it did not contain sufficient data protection provisions.


Fibre optics use and development stand to benefit from this new German law.


Germany currently lags behind most EU countries in fibre optic deployment, with only 4.7% of broadband connections being fibre optic. Many European countries, such as Sweden, Lithuania and Spain, have fibre optic connections making up between 69% and 75% of broadband. Fibre connections typically offer symmetric bandwidth (comparable upload and download speeds) and are far less sensitive to distance than copper lines, so they are generally faster and more reliable, allowing faster downloads. The Telecommunications Act sets clear standards for the entitlement to internet access, based on "80% of the Internet speed used by consumers in upload and download," according to MP Falko Mohrs. The amendment not only solidifies the legal right to internet access, but also lists other services that the connection must support. These include interference-free video conferencing, which is imperative to citizens' ability to participate in the digital world. By introducing this benchmark, Mohrs believes, the fibre roll-out across the country is being driven forward. The benchmark is set and reviewed annually in collaboration with the country's network agency, the Bundesnetzagentur.


Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

EU Cloud Code of Conduct

EU Cloud Code of Conduct approved by the EDPB

EU Cloud Code of Conduct approved by the EDPB to ensure GDPR compliance for the cloud industry in Europe.

Two Codes of Conduct have recently been approved for the cloud industry, to ensure GDPR compliance for cloud services in Europe. As Euractiv reported, last month the EDPB approved the EU Cloud Code of Conduct, aimed at cloud service providers, and the CISPE Code of Conduct, aimed at cloud infrastructure providers. EDPB Chair Andrea Jelinek said: "We welcome the efforts made by the code owners to elaborate codes of conduct, which are practical, transparent and potentially cost-effective tools to ensure greater consistency among a sector and foster data protection compliance." The two Codes of Conduct are the first of their kind to be formally approved by data protection authorities under the GDPR and will provide a blueprint for compliance with data protection regulation in Europe.

All Cloud Service Providers are invited to join the EU Cloud Code of Conduct which covers the full spectrum of cloud services.

The new EU Cloud Code of Conduct covers the full array of services: software (SaaS), platform (PaaS) and infrastructure (IaaS). The code was drafted in cooperation with EU authorities and is intended for cloud service providers, giving them guidance on data protection compliance while securing the trust of customers in their cloud services. There are various membership options depending on the interest of the cloud service provider, and providers will be able to declare specific services adherent to the code. The codes are expected to increase transparency and trust in the European cloud computing market. Both Codes are overseen by independent monitoring bodies, accredited by the competent data protection authority, which audit adherent providers and verify that their application of the Codes is GDPR compliant.

These codes of conduct are expected to boost the cloud computing industry, bringing greater certainty to both EU companies and citizens.

While cloud computing is still not used by many EU companies, uncertainty around the applicable law and data protection is seen as a barrier by many of them. This major step towards clear guidance for EU companies is expected to address those issues as cloud computing becomes increasingly popular. Businesses will also be able to sidestep some of the uncertainty created by Schrems II: although the codes cannot themselves serve as a tool for international data transfers, customers will be able to request that their data be stored within the EU. EU citizens will enjoy greater control over their personal data, transparency on where their data is stored, and greater certainty surrounding the use of their data.


New SCCs adopted

New SCCs adopted for international data transfers

New SCCs adopted by the European Commission last week introduce more legal and privacy safeguards for data transfers. 


Since the CJEU's Schrems II decision last July, which affected transfers outside the EU via Standard Contractual Clauses, SCCs have been the topic of much discussion regarding data transfers. These SCCs are used by numerous companies to transfer data for many purposes, including but not limited to cloud storage, hosting, finance and marketing. Last Wednesday it was announced that the European Commission would adopt new Standard Contractual Clauses on Friday, 4 June. Justice Commissioner Didier Reynders said that these new SCCs "incorporated some elements of transparency, accountability in full compliance with the GDPR", adding that the goal was to avoid a "Schrems III".


The European Commission has adopted two sets of Standard Contractual Clauses reflecting the new requirements under the GDPR. 


The new SCCs adopted by the European Commission for the transfer of personal data to third countries take into account the requirements set out in the Schrems II judgment of the CJEU, and offer more legal predictability to European businesses. They are expected to help small and medium-sized enterprises in particular to comply with the requirements for safe data transfers, providing a template that is easy to implement and allows data to move across borders with the safeguards the GDPR requires.


The European Commission has also adopted a separate set of SCCs for use between controllers and processors within the EU, covering the contract terms required by Article 28 of the GDPR.


The new SCCs are more practical and flexible and cover a broad range of transfer scenarios.


The new Standard Contractual Clauses include an overview of the steps that companies must take to comply with the Schrems II judgment, together with examples of supplementary measures that may be necessary to ensure compliance. These supplementary measures are intended to strengthen the protection of data transferred to third countries that are not regarded as providing adequate protection. They include encryption and pseudonymisation, which prevent the personal data from being attributed to a specific individual without additional information that is kept separately. Such measures only help where the importer cannot undo them: encryption counts as an effective safeguard only if the keys remain under the exclusive control of the exporter or another party within the EU, and pseudonymisation only if the additional information needed to re-identify individuals likewise stays in the EU. The new SCCs cover a broad range of transfer scenarios (controller to controller, controller to processor, processor to processor and processor to controller) in one practical toolbox.


A transition period of 18 months is provided for processors and controllers that are currently using old SCCs.

Since the CJEU's judgment last summer, many companies have relied on Standard Contractual Clauses for their third country personal data transfers. When the EU-US Privacy Shield was invalidated last July, the court confirmed the validity of the EU Standard Contractual Clauses for the transfer of personal data to processors outside the EU, but it also required exporters to assess, case by case, whether the law of the destination country undermines the protection the clauses promise, and to add supplementary measures where it does; for transfers to the US and other third countries, the SCCs alone were often found not to provide sufficient protection for personal data. These old SCCs are currently used by the majority of companies that transfer data to third countries. The European Commission has confirmed that they can continue to be relied upon during a transition period: new contracts may use the old clauses for three months after the new decision enters into force, and contracts already in place may keep them for 18 months, as companies move to the new SCCs adopted last Friday.


Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing.  Contact us today.

CNIL authorizes experimental concert

CNIL authorizes experimental concert in Paris

CNIL authorizes experimental concert in Paris after a request for authorization, due to the processing of sensitive data. 


As governments worldwide endeavour to reopen and boost economies affected by the COVID-19 pandemic, attempts are being made at hosting mass crowd events, something that has been prohibited in many countries since the start of the pandemic. Last month, we wrote about the opinion of France's CNIL on the use of "vaccine passports" for admission to mass crowd events. The authority addressed the privacy and personal data protection aspects of the large amount of personal data that would need to be processed to make such a scheme work. Because the study involves a large volume of health data, a special category of personal data, the AP-HP (Assistance Publique - Hôpitaux de Paris) sought authorization from the CNIL to host an experimental concert studying the risk of COVID-19 transmission. The CNIL has given its support to the exercise for research purposes, reiterating the importance of compliance with the GDPR and the French Data Protection Act.


This experimental concert is part of a clinical trial studying the risk of contamination of COVID-19 in crowd settings.


This clinical trial consists of two groups of people, an experimental group of 5000 people who would be in attendance at the concert and a control group of 2500 people who would not be at the concert. The aim of this study is to analyze the transmission of COVID-19 in a large-scale gathering or mass crowd event in an enclosed room, with the application of specific health protocols. The concert, which was scheduled for May 29, is seen as the first attempt at the return of standing concerts in France. Similar concerts have taken place in other European countries like Spain, and these events are expected to give researchers and officials an idea of how safe it truly is to reintroduce mass crowd events to everyday life in a post pandemic society. 


Due to the volume and sensitivity of the personal data to be processed in this clinical trial, the CNIL was asked for authorization.


The research conducted through this experimental concert involved processing sensitive data from a large number of participants. During the study, the participants had to take several COVID-19 screening tests, the results of which were stored centrally. Participants could upload proof of a recent negative screening test result online, or present a hard copy. In addition, participants from the experimental group attending the concert were filmed throughout the event using smart cameras, to assess the circumstances in which concert attendees were less likely to comply with mask requirements. Each participant was individually informed of how the study would be carried out, and their consent was obtained in writing in advance, ensuring that it was free, specific and informed. Participants were asked to consent both to participating in the research in general and to being recorded, and that consent could be withdrawn at any time without justification.


The CNIL fully supported this initiative, granting authorization on the very day the request was received.


The CNIL, mindful of the challenges faced by entertainment professionals in France throughout the pandemic, gave its support to this experimental concert. The authority reiterated the importance of compliance with the GDPR and data protection regulations, as well as guarantees for the protection of individual rights and freedoms. This concert is one of many research projects that have benefited from legal and technical support from the CNIL during the health crisis. Many of these projects have been authorized in less than two days in order to meet specific deadlines, with a total of 117 medical research authorizations on COVID-19 issued by the CNIL during the pandemic.

