New EU ePrivacy rules

New EU ePrivacy rules update

The ePrivacy rules governing electronic communications data will be updated, as agreed upon by EU Member States.

Earlier this month, EU member states agreed upon a negotiating mandate for revised ‘ePrivacy’ rules. The rules on the protection of privacy and confidentiality in the use of electronic communications define the cases in which service providers are allowed to process electronic communications data or to access data stored on an end user’s device. The ePrivacy Directive was last updated in 2009, and the member states therefore agree that this legislation needs to be brought up to date with new technological and market developments. The new ePrivacy Regulation will repeal the current ePrivacy Directive and is intended to complement and characterize the GDPR. The regulation will become effective 20 days after its publication in the EU Official Journal and will start to apply two years later. Details can be found in the press release by the European Council.

 

The revised draft regulation will cover the content of electronic communications over public services and networks, as well as the related metadata.

This draft ePrivacy regulation will repeal the existing directive and will cover content transmitted via public services and networks, and the related metadata, when end users are in the EU. Metadata refers, for example, to information on the time, location and recipient of a communication. Metadata is considered to be potentially as sensitive as the actual content of the electronic communication. The rules will also cover the handling of data transmitted from machine to machine via a public network.

 

Any electronic communications data will be considered confidential, except where processing is permitted by the ePrivacy regulation.

As a general rule, all electronic communications are to be considered confidential and should not be processed without the consent of the user. There are, however, a few exceptions specifically outlined in the ePrivacy regulation. These exceptions include processing for the purposes of checking for malware and viruses, as well as for ensuring the integrity of the communication service. Provisions are also made for cases where the service provider is required to process data by EU or member state law, with regard to the prosecution of criminal offences or the prevention of threats to public security.

 

Metadata may be processed only for very specific purposes, and with strong additional safeguards applied.

Metadata may be processed, for example, for billing purposes or for detecting and preventing fraud. If users give their consent, service providers may use metadata to display traffic movements to help public authorities develop new infrastructure where needed. This processing is also allowed where users’ vital interests need to be protected, for example for the monitoring of epidemics or in emergencies such as natural and man-made disasters. In specific cases, network providers may process metadata for purposes other than that for which it was collected. In those cases, the intended purpose must be compatible with the initial purpose for which the metadata was collected, and strong specific safeguards must be applied to the processing.

 

It will be possible for users to whitelist service providers, giving consent to certain types of cookies from certain websites via their browser settings.

Users will be able to permit certain types of cookies from one or many service providers, and change those permissions easily in their browser settings. This should make cookie permissions simpler and more seamless for users, alleviating cookie consent fatigue. In addition, end users will be able to genuinely choose whether to accept cookies or any similar identifier. It may be possible for service providers to make access to a webpage or website dependent on consent to the use of cookies for additional purposes, as an alternative to a paywall; however, this will only be allowed if the user is able to access an equivalent offer by the same provider that does not involve consenting to the use of cookies.

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy rules, GDPR, and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Spanish DPA launched Pacto Digital

Spanish DPA launched Pacto Digital, a digital pact for data protection

The Spanish DPA launched Pacto Digital, a digital pact for data protection, with the support of over 40 organisations.

The Pacto Digital initiative by the AEPD was officially presented to the public on January 28th, Data Protection Day, at a virtual event called “The Forum on Privacy, Innovation and Sustainability”. The event was streamed live, with several state, business and media officials in attendance. The initiative is part of the Spanish DPA’s Social Responsibility and Sustainability Framework and aims to raise awareness, make data protection compatible with innovation and foster a commitment to privacy among organisations. The principles of the pact promote transparency, giving citizens a greater awareness of what data is being collected and why. The initiative also promotes gender and race equality and ensures the protection of children and other vulnerable persons. It promotes and supports innovation by ensuring that technological advancements avoid perpetuating biases, particularly those based on race, origin, belief, religion and gender.

 

The digital pact initiative launched by the AEPD consists of three documents: a contract, a digital responsibility pledge and a code of conduct.

Organisations that subscribe to this digital pact sign a contract showing their commitment to implementing the recommendations of the pact within their organisation. In addition, these organisations commit to giving their employees and users access to the Priority Channel, through which the urgent removal of sexual or violent content online can be requested, as well as to other key tools and resources that help raise awareness of the importance of privacy and personal data.

 

As part of this initiative, the Spanish DPA has also introduced a Digital Responsibility Pledge containing obligations which the organisations pledge to keep. This is not intended to give subscribing organisations additional responsibilities beyond the legislation to which they are already subject. The pledge is tailored to the digital environment and geared towards obtaining a specific commitment from these organisations to uphold the standard. It outlines the existing responsibilities of organisations specifically with regard to safety and privacy online. It also incorporates principles that should be considered to ensure that the ethics of data protection remain intact when designing and implementing new technological developments.

Finally, the code of conduct for good privacy practices is geared towards organisations with their own dissemination channels and the media, both of which the AEPD intends to collaborate with to report issues of relevance to their networks and audiences. In addition, the code of conduct states that these organisations commit to refraining from identifying victims of the dissemination of sensitive content, or from publishing any information which could possibly identify them, particularly regarding public figures.

 

Forty organisations signed the pact on January 28th; other interested parties may apply online.

On January 28th, the 40 organisations that already form part of this pact made their commitment to the principles of data protection and privacy publicly known by signing the agreement. The digital pact is open to any organisation that wishes to assume the commitments reflected in the contract. Interested organisations may apply online, showing their commitment publicly and promising to uphold the principles outlined in the pact.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

The EDPB and the EDPS

The EDPB and the EDPS have released a joint opinion on SCCs for international data transfers and SCCs between controllers and processors

The EDPB and the EDPS have released joint opinions on standard contractual clauses for the transfer of data within the EEA and internationally.

Last month, the EDPB and the EDPS released joint opinions on standard contractual clauses between controllers and processors and on standard contractual clauses for the transfer of personal data to third countries. Both are referred to as ‘SCCs’, but it should be noted that they are two separate documents. This update is intended to bring the SCCs in line with the GDPR requirements, better reflect the use of more complex processing operations, and provide specific safeguards addressing the laws of third countries and their effect on the data importer’s compliance. The Draft SCCs cover, on the one hand, controller-processor relationships within the EEA and, on the other, international data transfers. The EDPB and EDPS were pleased to note that the specific provisions include many recommendations made by the EDPB, as well as several which address some of the main issues raised by the Schrems II ruling.

The EDPB and EDPS expressed overall satisfaction with both the Draft Decision and the Draft SCCs for international data transfers.

The EDPB and EDPS are both generally satisfied with the reinforced level of protection that the updated Draft Decision and Draft SCCs provide for data subjects. The update sought to bring the SCCs in line with the GDPR while making special provision for the effect of third-country destination laws on compliance with the Draft SCCs. The two bodies noted that the Draft SCCs cover several of the supplementary measures recommended by the EDPB, while for some others they would like to see more consistency. Specific recommendations were made regarding international data transfers. Many organisations will need to rely on these standard contractual clauses for international data transfers, particularly following the invalidation of the EU-US Privacy Shield.

 

In analysing the Draft Decision and Draft SCCs between controllers and processors, the EDPB and EDPS made a few key suggestions.

While the EDPB and EDPS were generally pleased with the Draft SCCs presented, they requested that the European Commission clarify some specific clauses, with the aim of further clarifying the text and ensuring that it is practical and useful in the day-to-day operations of controllers and processors.

The EDPB and EDPS also suggested that the Annexes to the SCCs clarify as much as possible the roles and responsibilities of each of the parties with regard to each processing activity, as any ambiguity in this regard could make it more difficult for controllers or processors to fully meet their obligations under the accountability principle. The annexes are intended to provide a detailed technical explanation of how the SCCs will apply in specific situations.

 

Andrea Jelinek, Chair of the EDPB, was quoted as saying: “The EDPB and EDPS welcome the controller-processor SCCs as a single, strong and EU-wide accountability tool that will facilitate compliance with the provisions under both the GDPR and the EUDPR. Among others, the EDPB and the EDPS request that sufficient clarity has to be provided to the parties as to the situations where they can rely on these SCCs, and emphasise that situations involving transfers outside the EU should not be excluded.”

The opinions presented by the EDPB and EDPS will be considered by the Commission, together with the numerous other responses to its consultation on the SCCs. The European Commission will then formally adopt a decision incorporating the finalized SCCs and provide details for their adoption by organisations. Once finalized, the SCCs for international data transfers to third countries will replace the existing sets of SCCs for transfers of personal data from within the EEA to non-EEA countries that have not been recognized as providing an adequate level of data protection. As for the SCCs between controllers and processors, they will provide a standard for the parties, but their use will not be mandatory, as controllers and processors will still be able to use their own clauses.


CJEU Advocate General opinion

CJEU Advocate General opinion on Facebook case

The CJEU Advocate General delivered his opinion on the ongoing case between Facebook and the Belgian Data Protection Authority.

On January 13th, the CJEU Advocate General delivered his opinion on the Facebook case, outlined in a recent press release from the CJEU. The case has been ongoing since May 25th 2018, when the Belgian DPA (at the time known as the Privacy Commission) found Facebook to be in serious violation of the privacy rights of Belgian citizens. The company was found to have been placing cookies on internet users’ computers and subsequently collecting these cookies via social plugins and pixels on the websites that these users visit, resulting in the collection of information on the surfing behaviour of millions of internet users in Belgium. The court of Brussels, after examining the details of the case, decided to refer certain aspects of it to the CJEU for clarification, in order to determine whether the Belgian DPA could indeed pursue legal action against Facebook under the GDPR. The CJEU Advocate General reiterated the principle defended by the Belgian DPA: that the GDPR’s one-stop-shop mechanism does not prevent supervisory authorities from bringing proceedings before a national judge in the situations specifically provided for in the GDPR. As a result, the CJEU will take a decision in this case. It is not yet known when a judgement will be delivered.

 

The Belgian DPA argues that the one-stop-shop mechanism does not affect its competence to see these proceedings through in a civil court.

The ‘one-stop-shop mechanism’ established by the GDPR ensures cooperation between data protection authorities in the case of cross-border processing. With Facebook’s European headquarters in Dublin, Ireland, this mechanism provides that the Irish DPC is competent to take sanctions against the company. The question raised by the Belgian DPA was whether the one-stop-shop mechanism also allows other data protection authorities (such as the Belgian DPA) to initiate court proceedings. The Belgian DPA argues that the one-stop-shop mechanism does not affect its competence to see these proceedings through in a civil court.

The CJEU Advocate General confirmed that the Belgian DPA, though not the lead authority, may proceed with court action.

The case was heard by the CJEU in an initial hearing on October 5th, 2020, and on January 13th Michal Bobek, the CJEU Advocate General, delivered his opinion on the case. He confirmed that a national authority which is not the lead authority for a cross-border data processing operation may indeed initiate court proceedings in certain situations, particularly where the GDPR specifies its competence to take such action. In this case, the CJEU Advocate General is of the opinion that the Belgian DPA, though not the lead authority, may proceed with court action. In the press release by the CJEU, Mr Bobek was quoted as saying: “The data protection authority in the State where a data controller or processor has its main EU establishment has a general competence to start court proceedings for GDPR infringements in relation to cross-border data processing. The other national data protection authorities concerned are nevertheless entitled to commence such proceedings in their respective Member State in situations where the GDPR specifically allows them to do so.” The CJEU will now be the court delivering a decision in this case. At this time, it is not known when that decision can be expected.
