New EU ePrivacy rules update

The ePrivacy rules governing electronic communication data will be updated as agreed upon by EU Member States.

Earlier this month, EU member states agreed upon a negotiating mandate for revised ‘ePrivacy’ rules. The rules on the protection of privacy and confidentiality in the use of electronic communications define the cases in which service providers are allowed to process data from electronic communications or to access data stored on an end user’s device. The ePrivacy Directive was last updated in 2009, and the member states agree that this legislation needs to be brought up to date with new technological and market developments. The new ePrivacy Regulation will repeal the current ePrivacy Directive and is intended to complement and characterize the GDPR. The regulation will enter into force 20 days after its publication in the EU Official Journal and will start to apply two years later. Details can be found in the press release by the European Council.

The revised draft regulation will cover content from electronic communication over public services and networks, as well as related metadata.

This draft ePrivacy regulation will repeal the existing directive and will cover content transmitted via public services and networks, as well as the related metadata, when end users are in the EU. Metadata refers to information such as the time, location and recipient of a communication. Metadata is considered to be potentially as sensitive as the actual content of electronic communication. The rules will also cover the handling of data transmitted from machine to machine via a public network.

Any electronic communication data will be considered confidential, except when permitted by the ePrivacy regulation.

As a general rule, all electronic communication is to be considered confidential and should not be processed without the consent of the user. There are, however, a few exceptions specifically outlined in the ePrivacy regulation. These include processing for the purpose of checking for malware and viruses, and for ensuring the integrity of the communication service. Provision is also made for cases where the service provider is required to process data under EU or member state law for the prosecution of criminal offences or the prevention of threats to public security.

Metadata may be processed for very specific purposes, and with strong additional safeguards applied to it.

Metadata may be processed, for example, for billing purposes or for detecting and preventing fraud. If users give their consent, service providers may use metadata to display traffic movements, helping public authorities develop new infrastructure where needed. Processing is also allowed where users’ vital interests need to be protected, for example when monitoring epidemics or in emergencies such as natural and man-made disasters. In specific cases, network providers may process metadata for purposes other than those for which it was collected. In those cases the intended purpose must be compatible with the initial purpose of the collection, and strong, specific safeguards must be applied to the processing.

It will be possible for users to whitelist service providers, giving consent to certain types of cookies from certain websites via their browser settings.

Users will be able to permit certain types of cookies from one or many service providers, and change those permissions easily in their browser settings. This should make cookie permissions easier and more seamless for users, alleviating cookie consent fatigue. In addition, end users will be able to genuinely choose whether to accept cookies or any similar identifier. Service providers may be allowed to make access to a webpage or website dependent on consent to the use of cookies for additional purposes, instead of using a paywall; however, this will only be permitted if the user can access an equivalent offer from the same provider that does not involve consenting to the use of cookies.

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy rules, GDPR, and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

The EDPB and the EDPS have released a joint opinion on SCCs for international data transfers and SCCs between controllers and processors

The EDPB and the EDPS have released joint opinions on standard contractual clauses for the transfer of data within the EEA and internationally.

Last month, the EDPB and the EDPS released joint opinions on standard contractual clauses between controllers and processors and on standard contractual clauses for the transfer of personal data to third countries. Both are referred to as ‘SCCs’, but it should be noted that they are two separate documents. This update is intended to bring the SCCs in line with the GDPR requirements, better reflect the use of more complex processing operations, and provide specific safeguards addressing the laws of third countries and their effect on the data importer’s compliance. The Draft SCCs cover, on the one hand, controller-processor relationships within the EEA and, on the other, international data transfers. The EDPB and EDPS are pleased to note that the specific provisions include many recommendations made by the EDPB, as well as several which address some of the main issues raised by the Schrems II ruling.

The EDPB and EDPS expressed overall satisfaction with both the Draft Decision and Draft SCCs for international data transfers.

The EDPB and EDPS are both generally satisfied with the reinforced level of protection that the updated Draft Decision and Draft SCCs provide for data subjects. This update sought to bring the SCCs in line with the GDPR while making special provision for the effect of third-country destination laws on compliance with the Draft SCCs. The two bodies noted that the Draft SCCs cover several of the supplementary measures recommended by the EDPB, while for some others they would like to see more consistency. Specific recommendations were made regarding international data transfers. Many organizations will need to rely on these standard contractual clauses for international data transfers, particularly following the invalidation of the EU-US Privacy Shield.

In analysing the Draft Decision and Draft SCCs between controllers and processors, the EDPB and EDPS made a few key suggestions.

While the EDPB and EDPS were generally pleased with the Draft SCCs presented, they requested that the European Commission clarify some specific clauses, with the aim of further clarifying the text and ensuring it is practical and useful in the day-to-day operations of controllers and processors.

The EDPB and EDPS also suggested that the Annexes to the SCCs clarify as much as possible the roles and responsibilities of each of the parties with regard to each processing activity, as any ambiguity in this regard could make it more difficult for controllers or processors to fully meet their obligations under the accountability principle. The annexes are intended to provide a detailed technical explanation of how the SCCs will apply in specific situations.

Andrea Jelinek, Chair of the EDPB, was quoted as saying: “The EDPB and EDPS welcome the controller-processor SCCs as a single, strong and EU-wide accountability tool that will facilitate compliance with the provisions under both the GDPR and the EUDPR. Among others, the EDPB and the EDPS request that sufficient clarity has to be provided to the parties as to the situations where they can rely on these SCCs, and emphasise that situations involving transfers outside the EU should not be excluded.”

The opinions presented by the EDPB and EDPS will be considered by the Commission, together with the numerous other responses to its consultation on the SCCs. The European Commission will then formally adopt a decision incorporating the finalized SCCs and provide details for their adoption by organizations. Once finalized, the SCCs for international data transfers to third countries will replace the existing sets of SCCs for transfers of personal data from within the EEA to non-EEA countries that have not been recognized as providing an adequate level of data protection. The SCCs between controllers and processors will provide a standard for the parties, but their use will not be mandatory, as controllers and processors will still be able to use their own clauses.


Belgian DPA fines Family Service for various breaches of the GDPR

Belgian DPA fines Family Service 50,000 euros for various breaches of the GDPR including the transfer of personal data to third parties.

Family Service, a Belgian company which brands itself as a gatekeeper in family marketing, has recently been fined by the Belgian DPA for various breaches of the GDPR. The company is well known for distributing “pink boxes” to expectant parents, helping brands market products and services targeted at families. The boxes contain samples, special offers and information sheets. They are typically distributed by gynaecologists and hospitals, which may have given recipients the impression that this is a public sector initiative rather than a private company whose core business is trading data.

The company was found to have transferred personal data to third parties without valid consent.

A complaint was filed with the Belgian DPA, claiming that the company transferred personal data to third parties, including data brokers, without the valid consent of the customer and without providing sufficient information. Through their investigation, the Inspection Service and the Litigation Chamber of the Belgian DPA found not only that this consent was indeed invalid, but also that the company was renting and/or selling personal data for commercial purposes. Customers were ill-informed, as the fact that the company behind the distribution of the boxes was selling and/or renting this data was not communicated in a clear and comprehensible manner.

It became clear that the consent given to the company was neither informed nor specific, as it was given on the basis of the consumers’ receipt of the boxes. In addition, the Belgian DPA found that the consent was not freely given either, as withholding consent in this case meant that the family would forgo certain benefits.

The Belgian DPA imposed a fine of 50,000 euro and ordered Family Service to comply with the GDPR.

In determining the impact of the breaches, the Belgian DPA took into account the reach of the company, finding that Family Service processes data on roughly 21.10% of the Belgian population. The company website itself boasts coverage of roughly 97% of new and expectant parents in Belgium. The Litigation Chamber of the Belgian DPA decided to impose a fine of EUR 50,000 based on this reach, the seriousness of the breach and the nature of the data processed (particularly data relating to children). The fine is considered a considerable amount given the size of the company; however, the Belgian DPA felt that a significant fine was necessary due to the seriousness of the company’s GDPR breaches. The authority also ordered the company to ensure compliance with the GDPR going forward.


CJEU Advocate General opinion on Facebook case

The CJEU Advocate General delivered his opinion on the ongoing case between Facebook and the Belgian Data Protection Authority.

On January 13th, the CJEU Advocate General delivered his opinion on the Facebook case, outlined in a recent press release from the CJEU. The case has been ongoing since May 25th 2018, when the Belgian DPA (at the time known as the Privacy Commission) found Facebook to be in serious violation of the privacy rights of Belgian citizens. The company was found to have placed cookies on internet users’ computers and subsequently collected them via social plugins and pixels on the websites those users visit, resulting in the collection of information on the surfing behavior of millions of internet users in Belgium. The court of Brussels, after examining the details of the case, decided to refer certain questions to the CJEU to determine whether the Belgian DPA could indeed pursue legal action against Facebook under the GDPR. The CJEU Advocate General reiterated the principle defended by the Belgian DPA that the GDPR one-stop-shop mechanism does not prevent supervisory authorities from bringing proceedings before a national judge in the situations specifically provided for in the GDPR. The CJEU will now take a decision in this case; it is unknown when a judgement will be delivered.

The Belgian DPA argues that the one-stop-shop mechanism does not affect its competency in seeing these proceedings through in a civil court.

The ‘one-stop-shop mechanism’ established by the GDPR ensures cooperation between Data Protection Authorities in cases of cross-border processing. As Facebook’s European headquarters are in Dublin, Ireland, this mechanism provides that the Irish DPC is competent to take sanctions against the company. The question raised by the Belgian DPA was whether the one-stop-shop mechanism also allows other data protection authorities (such as the BE DPA) to initiate court proceedings. The Belgian DPA argues that the mechanism does not affect its competency to see these proceedings through in a civil court.

The CJEU Advocate General confirmed that the Belgian DPA, though not the lead authority, may proceed with court action.

The case was heard by the CJEU in an initial hearing on October 5th, 2020, and on January 13th Michal Bobek, the CJEU Advocate General, delivered his opinion. He confirmed that a national authority which is not the lead authority for a cross-border data processing operation may indeed initiate court proceedings in certain situations, particularly where the GDPR specifies its competency to take such action. In this case, the CJEU Advocate General is of the opinion that the Belgian DPA, though not the lead authority, may proceed with court action. In the press release by the CJEU, Mr Bobek was quoted as saying: “The data protection authority in the State where a data controller or processor has its main EU establishment has a general competence to start court proceedings for GDPR infringements in relation to cross-border data processing. The other national data protection authorities concerned are nevertheless entitled to commence such proceedings in their respective Member State in situations where the GDPR specifically allows them to do so.” The CJEU will now be the court delivering a decision in this case. At this time, it is not known when that decision can be expected.
