France will impose digital tax, regardless of international levy

France will impose digital tax regardless of whether the rest of the world proceeds with a deal on an international levy, according to this article by Euractiv.

France will impose a digital tax on the corporate tech giants. According to Finance Minister Bruno Le Maire, large tech companies like Amazon and Google have profited largely and disproportionately from the ease of doing business online during the COVID-19 pandemic and its social distancing protocols, and France, like many other EU nations, feels it must act to stimulate its local economy in the deep recession that is expected to follow.

Washington may fight back on digital tax

There has been a big pushback against the implementation of a digital tax, which would largely affect digital corporate giants like Google, which records annual global revenue of over $160 billion (over 145 billion Euros). Since many of these tech giants are US-based, Washington has threatened to retaliate with trade tariffs of its own, claiming that France unfairly targets US digital companies.

Many EU nations are moving forward with digital tax implementation despite setbacks

While digital tax implementation at a uniform rate across European nations seems to be a long time coming, France is not alone in wanting to move forward with its implementation. Countries like Italy, Britain and Spain have either already implemented a digital tax or plan to do so in the near future. However, due to opposition from countries like Ireland, progress towards an EU-wide digital tax seems to be stalled at the moment. In other nations, like the Czech Republic for example, Finance Minister Alena Schillerova has said that she may actually delay the implementation of a digital tax until next year and lower the rate from the currently proposed 7% to 5%.

France will impose digital tax, whether or not international tax is implemented.

According to Euractiv, “Nearly 140 countries from the Organisation for Economic Cooperation and Development (OECD) are negotiating the first major rewriting of tax rules in more than a generation, to take better account of the rise of big tech companies such as Amazon, Facebook, Apple and Google that often book profit in low-tax countries.”

“Never has a digital tax been more legitimate and more necessary,” Finance Minister Bruno Le Maire told journalists on a conference call on May 13th. “In any case, France will apply as it has always indicated a tax on digital giants in 2020 either in an international form if there is a deal or in a national form if there is no deal.” Initially, in January, the French government had offered to suspend its current digital tax on tech companies until the end of 2020 while an international tax deal was being negotiated. However, the circumstances surrounding the coronavirus outbreak have changed things, with finance ministries now more focused than ever on saving their local economies.

EU seeks a better managed digital space, including digital tax.

As the US and EU economies become increasingly integrated with the digital sphere, the European Union has sought to introduce regulation that achieves a level playing field and protects both European consumers and businesses in this new digital world. With legislation like the GDPR controlling the flow of information across borders and protecting consumer data, many legislative authorities believe that a digital tax is the necessary next step. Digital corporate giants like Amazon and Google, with little to no physical presence in Europe, have largely escaped what many would consider fair taxation as a result of their predominantly online operations, and governments across the EU believe it is time to restructure and level the playing field. While many initiatives focus more on investment and education, there is now a push from legislators to enforce a digital tax, particularly given the current need for income and to stimulate local economies hit by the effects of COVID-19. Ultimately, the result will be a more managed digital space where online companies do not benefit from a disproportionate advantage.

Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Healthcare Committee Data Breach

Healthcare Committee Data Breach in Örebro County, Sweden.

Healthcare Committee Data Breach in Örebro County, Sweden after sensitive personal data of a patient was published on the region’s website.

A healthcare committee data breach was uncovered after complaints were filed with the Swedish Data Protection Authority (DPA) concerning the publication of a patient’s personal data on the region’s website. According to an article by the European Data Protection Board, the complaints concerned a patient admitted to forensic psychiatry whose personal details were found, through an audit, to have been published on the region’s website. The Swedish DPA found that the region’s website had published sensitive data wrongfully, with neither a legitimate purpose nor a legal basis, and without qualifying for any exemption from the prohibition on processing sensitive personal data under the General Data Protection Regulation (GDPR). As a result, the DPA has fined the Committee and ordered changes to ensure compliance moving forward.

Swedish DPA audit uncovers lack of written instructions for publishing, increasing the risk of a data breach.

The Swedish DPA performed an audit after receiving a complaint about the data breach in question and discovered that there were no written instructions in place for the publication of information on the Committee’s website. The Committee had relied solely on oral communication to pass on publication instructions, and the publication of this patient’s personal data was the result of those instructions not being followed. Although accidental, the publication was the consequence of insufficient organisational measures to protect personal data.

Healthcare Committee Data Breach results in a fine of 120,000 Swedish kronor and an order for corrective action.

The Swedish DPA has ordered the Committee to establish written instructions and to institute measures ensuring that those tasked with publishing data on its website comply with them. In addition to ordering the Committee to bring its handling of personal data into full compliance with the GDPR, the DPA has imposed an administrative fine of 120,000 Swedish kronor (approximately 11,000 Euro). The published document that caused the data breach has since been removed from the region’s website.

What should the Healthcare Committee have done in order to avoid the breach?

- Have in place an adequate internal data protection policy providing written and clear instructions about how to process and secure the personal data held by the Committee.

Pursuant to Article 24 GDPR “(1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary; (2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller”.

- Deliver relevant training to the employees. When it comes to reducing the risk of data breaches, it is paramount to train the staff so that they understand the new processes you have put in place and also the data protection rules behind them.

Why are the measures above especially important in this case?

The compromised data involves health information, which is a special category of personal data, so additional safeguards apply and the bases for processing it are limited to a few specific scenarios. However, it should be noted that the breach would have occurred even if the personal data published on the website had not been sensitive, because there was no legitimate basis for making the information public at all.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

EDPB GDPR consent guidelines

EDPB published GDPR consent guidelines

The European Data Protection Board (EDPB) has published guidelines on consent under the GDPR, including a complete analysis of the notion of GDPR consent.

The EDPB published its guidelines on consent under the GDPR on May 4th 2020, including a complete analysis of GDPR consent. In the 31-page document released earlier this week, the EDPB outlines the requirements for obtaining and demonstrating valid consent. Consent is one of six lawful bases for processing personal data, as outlined in Article 6 of the GDPR. Data controllers must consider which lawful ground is appropriate for the intended processing of personal data before initiating any activity that involves processing such data.

Elements of valid GDPR consent

Article 4(11) of the GDPR specifies that consent of the data subject means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

The use of the term “freely given” implies that the data subject has a real choice in the matter. As a general rule, if the data subject has no real choice, feels compelled to consent or expects negative consequences from not consenting, then the consent will not be valid. Any element of inappropriate pressure or influence on the data subject which prevents them from exercising their free will renders the consent invalid.

In order for consent to be valid, it must also be specific, meaning that consent must be given in relation to “one or more specific” purposes and that the data subject has a choice in each of them. The requirement that consent be ‘specific’ aims to guarantee a degree of user control and transparency for the data subject. According to Article 6(1)(a) of the GDPR, data subjects must always give consent for a specific, explicit and legitimate processing purpose.

The GDPR also maintains the requirement that consent must be informed. According to Article 5 of the GDPR, transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. It is imperative that data subjects are provided with sufficient information prior to obtaining their consent. In the absence of sufficient information, the consent will be invalid and the controller may be in breach of Article 6 of the GDPR.

The EDPB believes that at least the following information is required for obtaining valid consent:

  1. the controller’s identity,
  2. the purpose of each of the processing operations for which consent is sought,
  3. what (type of) data will be collected and used,
  4. the existence of the right to withdraw consent,
  5. information about the use of the data for automated decision-making in accordance with Article 22(2)(c) where relevant, and
  6. the possible risks of data transfers due to the absence of an adequacy decision and of appropriate safeguards as described in Article 46.

In addition to the aforementioned criteria, consent must always be given through an active motion or declaration. It should be clear that the data subject is consenting to the particular processing. Article 4(11) GDPR clarifies that valid consent requires an unambiguous indication by means of a statement or by a clear affirmative action. Clear affirmative action implies that the data subject must have taken a deliberate action to consent to the particular processing.

Obtaining explicit GDPR consent

In situations where a serious data protection risk presents itself, it is imperative that explicit consent is obtained in order to process personal data. According to Article 9 of the GDPR, explicit consent is needed for the processing of special categories of data. The term explicit refers to the manner in which consent is expressed by the data subject: the data subject has to give an express statement of consent in order for the consent to be deemed valid. This can take the form of a signed statement, an electronic form, an email, a scanned document carrying the signature of the data subject, or an electronic signature. In theory, oral statements can also sufficiently express valid explicit consent; however, it may be difficult for the controller to prove that all conditions for valid explicit consent were met when the statement was recorded.

Additional conditions for obtaining valid GDPR consent

According to Article 7 of the GDPR, it is the sole responsibility of the controller to demonstrate a data subject’s consent. Recital 42 states: “Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.” Controllers may keep records of consent statements received, or choose freely the method through which they comply with this provision. The obligation to demonstrate consent lasts for as long as the data processing activity is being carried out. While there is no specific time limit in the GDPR for how long consent will last, the EDPB recommends, as a best practice, that consent should be refreshed at appropriate intervals.

As for withdrawal of consent, the GDPR prescribes that the controller must ensure that consent can be withdrawn by the data subject as easily as it was given, and at any time. The GDPR does not specify that the giving and withdrawing of consent must be done in the same manner; however, when consent is given electronically, via a simple mouse click, swipe or keystroke, the data subject should be able to withdraw that consent just as easily. This requirement of easy withdrawal is described as a necessary aspect of valid consent in the GDPR. Controllers also have an obligation to delete data that was processed on the basis of consent once that consent is withdrawn, provided that there is no other purpose justifying its continued retention.

Examples

The guidelines provide some examples of when consent is valid and when it is not. We have put together the ones we consider most relevant below:

Own- and third-party marketing unlawfully bundled

“Within the same consent request a retailer asks its customers for consent to use their data to send them marketing by email and also to share their details with other companies within their group. This consent is not granular as there are no separate consents for these two separate purposes, therefore the consent will not be valid. In this case, a specific consent should be collected to send the contact details to commercial partners. Such specific consent will be deemed valid for each partner …, whose identity has been provided to the data subject at the time of the collection of his or her consent, insofar as it is sent to them for the same purpose (in this example: a marketing purpose).”

Service provision and marketing unlawfully bundled

“A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given. This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice.”

“Based on recital 32, actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action: such actions may be difficult to distinguish from other activity or interaction by a user and therefore determining that an unambiguous consent has been obtained will also not be possible. Furthermore, in such a case, it will be difficult to provide a way for the user to withdraw consent in a manner that is as easy as granting it”.

Access to mobile phone features unlawfully bundled with the product

“When downloading a lifestyle mobile app, the app asks for consent to access the phone’s accelerometer. This is not necessary for the app to work, but it is useful for the controller who wishes to learn more about the movements and activity levels of its users. When the user later revokes that consent, she finds out that the app now only works to a limited extent. This is an example of detriment as meant in Recital 42, which means that consent was never validly obtained (and thus, the controller needs to delete all personal data about users’ movements collected this way).”

However, if only the benefits linked to the consent are lost when consent is refused, that is acceptable:

“A data subject subscribes to a fashion retailer’s newsletter with general discounts. The retailer asks the data subject for consent to collect more data on shopping preferences to tailor the offers to his or her preferences based on shopping history or a questionnaire that is voluntary to fill out. When the data subject later revokes consent, he or she will receive non-personalised fashion discounts again. This does not amount to detriment as only the permissible incentive was lost.”

Furthermore, there is no detriment if an alternative channel to access the product is provided:

“A fashion magazine offers readers access to buy new make-up products before the official launch. The products will shortly be made available for sale, but readers of this magazine are offered an exclusive preview of these products. In order to enjoy this benefit, people must give their postal address and agree to subscription on the mailing list of the magazine. The postal address is necessary for shipping and the mailing list is used for sending commercial offers for products such as cosmetics or t-shirts year round. The company explains that the data on the mailing list will only be used for sending merchandise and paper advertising by the magazine itself and is not to be shared with any other organisation. In case the reader does not want to disclose their address for this reason, there is no detriment, as the products will be available to them anyway.”

A suitable policy should be put in place with regard to children’s consent:

“An online gaming platform wants to make sure underage customers only subscribe to its services with the consent of their parents or guardians. The controller follows these steps:

Step 1: ask the user to state whether they are under or over the age of 16 (or alternative age of digital consent). If the user states that they are under the age of digital consent;

Step 2: service informs the child that a parent or guardian needs to consent or authorise the processing before the service is provided to the child. The user is requested to disclose the email address of a parent or guardian;

Step 3: service contacts the parent or guardian and obtains their consent via email for processing and take reasonable steps to confirm that the adult has parental responsibility;

Step 4: in case of complaints, the platform takes additional steps to verify the age of the subscriber.

If the platform has met the other consent requirements, the platform can comply with the additional criteria of Article 8 GDPR by following these steps”.

Do you need assistance with the appropriate safeguards that should apply to consent for processing of personal data? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. Contact us today.

EDPB on Health Data

EDPB adopts Guidelines on the Processing of Health Data for Scientific Research Purposes during COVID-19

In the middle of the COVID-19 outbreak, the EDPB adopted Guidelines on the processing of health data for scientific research purposes to clarify some legal questions.

Considering that life may not return to normal until a COVID-19 vaccine becomes widely available, researchers from across the globe are focusing their efforts on producing results as soon as possible. In this context, questions regarding the application of the GDPR keep arising, therefore the European Data Protection Board (EDPB) has released guidelines on the processing of health data for scientific research purposes with the aim of providing basic guidance.

What is “health data”?

Article 4 (15) GDPR defines “data concerning health” as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. This meaning also covers the following:

  • Information that becomes health data by cross-referencing with other data, thus revealing the state of health or health risks, such as the assumption that a person is at high risk of severe illness from COVID-19 because of his medical conditions.
  • Information that becomes health data because of its usage in a specific context, such as information regarding a recent trip to a region affected with COVID-19.

The EDPB points out that “processing for the purpose of scientific research” should be interpreted in a broad manner in line with Recital 159 GDPR.

What is the legal basis for the processing?

According to the GDPR, processing of special categories of personal data is only allowed in certain scenarios. The ones most likely to be relevant to the processing of health data for scientific research purposes during the COVID-19 pandemic are the following:

  • The data subject has given explicit consent.
  • Processing relates to personal data which are manifestly made public by the data subject.
  • Processing is necessary for the purposes of preventive or occupational medicine.
  • Processing is necessary for reasons of public interest in the area of public health.
  • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes based on Union or Member State law.

It should be noted also that “further processing for […] scientific research purposes […] shall, in accordance with Article 89 (1), not be considered to be incompatible with the initial purposes”, subject to appropriate safeguards.

Should the data subject be informed?

Pursuant to Articles 13 and 14 GDPR, the data subjects should be informed at the time when personal data is gathered, or “within a reasonable period after obtaining the personal data, but at the latest within one month” where it is not collected from the data subject.

However, considering that it is often not possible to fully identify the purpose of processing for scientific research at the time of data collection, the EDPB recommends delivering the information to the data subject within a reasonable period of time before the new research project is implemented.

There are, however, four exemptions from the information obligation:

  • The data subject already has the information.
  • The provision of such information proves impossible, would involve a disproportionate effort or is likely to render impossible or seriously impair the achievement of the objectives of that processing. A controller seeking to rely on this exemption should demonstrate the factors that actually prevent it from providing the information to the data subjects or carry out a balancing exercise to assess the effort involved against the potential impact and effects of not providing the information.
  • Obtaining or disclosure is expressly laid down by Union or Member State law. This exemption is conditional upon the law in question providing “appropriate measures to protect the data subject’s legitimate interests”.
  • The personal data must remain confidential subject to an obligation of professional secrecy.

What other measures should be taken?

In light of the data minimisation principle, the EDPB deems it essential to specify the research questions and to assess the type and amount of data necessary to properly answer them before proceeding. Additionally, the data should be anonymised where possible.

Proportionate storage periods shall be set as well, taking into account criteria such as the length and the purpose of the research.

As for the security measures that should be implemented, alongside pseudonymisation, encryption, non-disclosure agreements and strict access role distribution, the EDPB stresses that a data protection impact assessment should be carried out when such processing is “likely to result in a high risk to the rights and freedoms of natural persons”, and emphasises the importance of data protection officers as a key role that should be involved in the process.

What about the exercise of data subjects’ rights?

Together with the information obligation exemptions addressed above, Article 17 (3) (d) states that the right to erasure “shall not apply to the extent that processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing”.

It has to be noted that, in the light of the jurisprudence of the CJEU, all restrictions of the rights of data subjects must apply only in so far as it is strictly necessary.

Are international data transfers allowed?

In the absence of an adequacy decision pursuant to Article 45 (3) GDPR or appropriate safeguards pursuant to Article 46 GDPR, Article 49 GDPR envisages certain specific situations under which transfers of personal data can take place as an exception, such as:

  • The data subject has explicitly consented to the proposed transfer.
  • The transfer is necessary for important reasons of public interest. 

It should be noted, however, that repetitive transfers of data to third countries as part of a long-lasting research project would need to be framed with appropriate safeguards in accordance with Article 46 GDPR.

Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including Data Protection Impact Assessments, AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

And if you want to be updated about COVID-19 and AI, don’t forget to subscribe to our YouTube channel.