Digital Green Certificates

Digital Green Certificates: the EDPB and EDPS release a joint opinion

Digital Green Certificates have been a topic of debate lately, and the EDPB & EDPS have released a joint opinion on this, regarding data protection and privacy.

Digital Green Certificates, which some refer to as “vaccine passports”, are, contrary to popular belief, not specific to vaccines. The digital green certificates, or passes as they would preferably be called, are proposed to be a QR code carrying information on a person’s status with regard to the COVID-19 virus. That information may pertain to vaccination, with details on which vaccine was taken and when it was administered, or it may record a negative COVID-19 test and the date on which the last test was taken. The scannable code may also record antibodies present in a person’s system, if they have developed antibodies from being infected with and recovering from the virus. Vaccines are not mandatory at this time, and the digital green certificates proposed by the European Commission are intended to make it easier to establish someone’s current status with regard to COVID-19, whether vaccinated or not, making travel throughout the EU more seamless for anyone traveling during this global pandemic.

The EDPB and EDPS released this joint statement specific to the aspects of the Proposal pertaining to personal data protection. 

The Commission first published, on March 17th, the proposal for a Regulation of the European Parliament and of the Council on the issuance, verification and acceptance of certificates of vaccination, testing and recovery, including for third-country nationals who are legally staying or residing in any of the EU Member States during the COVID-19 pandemic. The EDPB and EDPS note that the aim of this proposal is to facilitate the exercise of the right to free movement within the EU during the COVID-19 pandemic. Due to the particular importance of these proposals and their impact on individual rights and freedoms regarding the processing of personal data, the EDPB and EDPS released their joint opinion specific to the aspects of the proposal relating to personal data protection. The organisations highlight that it is essential that the proposal is consistent with, and does not in any way conflict with, the application of the GDPR.

Digital Green Certificates should be approached from a holistic and ethical standpoint, as asserted by the EDPB and EDPS in their joint opinion. 

The EDPB and EDPS suggest that the Commission take a holistic and ethical approach to the proposal, in an effort to encompass all the issues related to privacy and data protection and to fundamental rights in general. They note that data protection is not an obstacle to fighting the current pandemic, and that compliance with data protection law will only help, by giving citizens reason to trust the frameworks provided in those efforts. The EDPB and EDPS advise that any measure adopted by Member States or EU institutions must be guided by the general principles of effectiveness, necessity and proportionality. In addition, they note that the World Health Organisation (WHO), in its ‘Interim position paper: considerations regarding proof of COVID-19 vaccination for international travellers’, stated that “(…) national authorities and conveyance operators should not introduce requirements of proof of COVID-19 vaccination for international travel as a condition for departure or entry, given that there are still critical unknowns regarding the efficacy of vaccination in reducing transmission.”

The EDPB and EDPS, in their joint opinion, state that these green certificates must not lead to the creation of any central database of personal data at the EU level under the pretext of the Digital Green Certificate framework. In addition, they make specific mention that these certificates should be made available in both digital and paper-based formats, to ensure the inclusion of all citizens regardless of their level of engagement with technology. The organisations also call for clarification of the proposal’s stance on the manner in which these certificates will be issued: automatically, or upon request of the data subject. Recital 14 and Articles 5(1) and 6(1) of the Proposal currently state “(…) Member States should issue the certificates making up the Digital Green Certificate automatically or upon request (…)”.

The EDPB and EDPS are glad to note the considerations to the rights and freedoms of individuals, as well as compliance with data protection regulation, included in the Proposal. 

The organisations are pleased to note that the Proposal explicitly states that compliance with European data protection regulation is key to the cross-border acceptance of vaccination, test and recovery certificates. Recital 38 of the proposal states that “[i]n line with the principle of minimisation of personal data, the certificates should only contain the personal data necessary for the purpose of facilitating the exercise of the right to free movement within the Union during the COVID-19 pandemic”. The EDPB and EDPS recommend including a reference to the GDPR in the main text of the proposal, as it is the legal basis for the processing of personal data for the issuance and verification of interoperable certificates, as acknowledged in Recital 37.

Article 3(3) of the Proposal states that citizens can obtain these certificates free of charge, and may renew them to bring the information up to date, or replace them as necessary. While the EDPB and EDPS commend this, the organisations also recommend clarifying that the original certificate, as well as any modifications, shall be issued upon request of the data subject. This is very important for maintaining accessibility for all persons.

The EDPB and EDPS call for attention to data minimisation, as well as clarification on the validity period of the data processed. 

There are naturally certain categories and data fields of personal data which would need to be processed within the framework of the Digital Green Certificates. As a result, the EDPB and EDPS consider that the justification for each personal data field needs to be clearly set out in the Proposal. In addition, the organisations ask for further explanation of whether all of the categories of personal data provided for are necessary for inclusion in the QR code, for both digital and paper certificates. They note that data minimisation can be achieved by using differently comprehensive data sets or QR codes. The organisations also note the lack of specificity in the draft Proposal with regard to an expiry date or validity period for each certificate. It is also important to note that the EDPB and EDPS clearly state that, given the scope of the draft proposal and the context of the global pandemic, the statement of the disease or agent from which the individual has recovered should be limited to COVID-19 and its variants.

The EDPB and EDPS reiterate the importance of adequate technical and organisational privacy and security measures in the context of the proposal.

With regard to the Digital Green Certificate, the organisations suggest that privacy and security measures should be specifically structured to ensure compliance by the controllers and processors of the personal data required by this framework. The opinion states that controllers and processors should take adequate technical and organisational measures to ensure a level of security appropriate to the risk of the processing of this personal data, in line with Article 32 of the GDPR. These measures should include establishing processes for regularly assessing the effectiveness of the privacy and security measures adopted.

While the EDPB and EDPS are pleased to note the clarification, within the Proposal, of the roles of data controllers and processors, the organisations suggest that the Proposal specify, through a comprehensive list, all entities foreseen to be acting as controllers or processors of the data in EU Member States, taking into account the use of these certificates in multiple Member States by persons traveling throughout the EU. They also suggest that the Proposal clarify the role of the Commission under data protection law in the context of the framework, in guaranteeing interoperability between the certificates. In addition, the organisations call for attention to compliance with Article 5(1)(e) of the GDPR with regard to the storage of personal data, and for clarification of the storage period that Member States should not exceed beyond the pandemic. Furthermore, the EDPB and the EDPS recommend that the Commission explicitly clarify whether, and when, any international transfers of personal data are expected, and include safeguards within the legislation to ensure that third countries will only process the personal data for the specific purposes for which it is exchanged under the framework.

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

EDPB published VVA guidelines

EDPB published VVA guidelines in the context of the GDPR

The EDPB published VVA guidelines giving context to the use of Virtual Voice Assistants in compliance with the GDPR. 


Recently, the EDPB published its guidelines for the use of virtual voice assistants. A virtual voice assistant (VVA) is a system that understands and executes voice commands and works with other IT systems where needed. It acts as an interface between users and their devices or online services such as search engines. These services are very popular, particularly with the integration of smart devices and smart homes. Because these devices are used in the home, in vehicles and even worn by users, they are often given access to a great deal of information on individuals, often of an intimate nature, which could threaten users’ right to privacy. As a result, VVAs have come under major scrutiny from several data protection authorities. By releasing these guidelines, the EDPB seeks to give guidance on the application of these systems in the context of the GDPR as well as other applicable legal frameworks.


VVAs use machine learning methods which require the collection and interpretation of large amounts of voice data.


Virtual voice assistants rely very heavily on machine learning methods in order to perform their wide range of tasks. For a start, these devices usually have a wake-up command, either a button press or a spoken wake-up word, which wakes the device and puts it into active listening mode. VVAs typically depend on large data sets being collected, selected and labelled. Both the quality and the quantity of data are equally important here, and as a result VVAs typically depend on audio snippets that give context to the use of the devices and service in real conditions. In some circumstances the VVA can capture, in error, audio of individuals who did not intend to use the VVA service: for example, when the wake-up expression is accidentally detected, or when the wake-up expression has changed and the user has unknowingly woken the device by using the new expression. For this reason, among several others, it is imperative that VVA services function in compliance with the GDPR, particularly regarding the storage of data.


The guidelines set out by the EDPB outline the legal framework for VVAs regarding not just the GDPR, but in some cases, the e-Privacy Directive. 


Because VVAs will undoubtedly process significant amounts of personal data, the relevant legal framework for VVAs is the GDPR. In addition to the GDPR, for all actors who require storage of, or access to, information stored in the terminal equipment of a subscriber or user, the e-Privacy Directive sets a specific standard. The term “terminal equipment” refers to smartphones, smart TVs and similar IoT devices. VVAs should also be considered terminal equipment when information in the VVA is stored or accessed. In all of those cases, the provisions of the e-Privacy Directive apply. The VVA guidelines published by the EDPB provide guidance on the identification of data processors and stakeholders, transparency, processing of children’s data, processing of special categories of data, and many other elements of data protection relating to VVAs.


The EDPB published VVA guidelines, specifically outlining mechanisms for exercising Data Subject Rights. 


The EDPB has suggested several mechanisms for exercising data subject rights. These include the right of access, the right to rectification, the right to erasure and the right to data portability. Data controllers must allow all users, whether registered or not, to exercise all of those rights. The data controllers must provide information on the data subjects’ rights, ideally when a data subject turns on a VVA, or at the very latest when the first user voice request is processed. Since the main interaction intended for VVAs is by voice command, and a portion of VVA users are persons with disabilities who rely on voice assistance, VVA designers should ensure that users can exercise any of their data subject rights using easy-to-follow voice commands. The EDPB suggests implementing specific tools in the development of VVAs to provide efficient and effective ways of exercising data subjects’ rights.


Do you provide VVA services or smart devices that use VVA services? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing. Contact us today.

The EDPB and the EDPS

The EDPB and the EDPS have released a joint opinion on SCCs for international data transfers and SCCs between controllers and processors

The EDPB and the EDPS have released joint opinions on standard contractual clauses for the transfer of data within the EEA and internationally. 


Last month, the EDPB and the EDPS released joint opinions on standard contractual clauses between controllers and processors and on standard contractual clauses for the transfer of personal data to third countries. Both are referred to as ‘SCCs’, but it should be noted that they are two separate documents. This update is intended to bring the SCCs in line with the GDPR, better reflect the use of more complex processing operations, and provide specific safeguards addressing the laws of third countries and their effect on the data importer’s compliance. The Draft SCCs cover, on the one hand, controller-processor relationships within the EEA and, on the other, international data transfers. The EDPB and EDPS are pleased to note that the specific provisions include many recommendations made by the EDPB, as well as several which address some of the main issues raised by the Schrems II ruling.

The EDPB and EDPS expressed overall satisfaction with both the Draft Decision and Draft SCCs for international data transfers. 


The EDPB and EDPS are both generally satisfied with the reinforced level of protection that the updated Draft Decision and Draft SCCs provide for data subjects. This update sought to bring the SCCs in line with the GDPR while making special provision for the effect of third-country destination laws on compliance with the Draft SCCs. The organisations noted that the Draft SCCs cover several of the supplementary measures recommended by the EDPB, while for some others they would like to see more consistency. Specific recommendations were made regarding international data transfers. Many organisations will need to rely on these standard contractual clauses for international data transfers, particularly following the invalidation of the EU-US Privacy Shield.


In analysing the Draft Decision and Draft SCCs between controllers and processors, the EDPB and EDPS made a few key suggestions.

While the EDPB and EDPS were generally pleased with the Draft SCCs presented, they requested that the European Commission clarify some specific clauses, with the aim of making the text clearer and ensuring it is practical and useful in the day-to-day operations of controllers and processors.


The EDPB and EDPS also suggested that the Annexes to the SCCs clarify as far as possible the roles and responsibilities of each party with regard to each processing activity, as any ambiguity in this regard could make it more difficult for controllers or processors to fully meet their obligations under the accountability principle. The Annexes are intended to give a detailed, technical account of how the SCCs apply in specific situations.


Andrea Jelinek, Chair of the EDPB, was quoted as saying: “The EDPB and EDPS welcome the controller-processor SCCs as a single, strong and EU-wide accountability tool that will facilitate compliance with the provisions under both the GDPR and the EUDPR. Among others, the EDPB and the EDPS request that sufficient clarity has to be provided to the parties as to the situations where they can rely on these SCCs, and emphasise that situations involving transfers outside the EU should not be excluded.”


The opinions presented by the EDPB and EDPS will be considered by the Commission, together with the numerous other responses to its consultation on the SCCs. The European Commission will then formally adopt a decision incorporating the finalised SCCs and provide details for their adoption by organisations. Once finalised, the SCCs for international data transfers to third countries will replace the existing sets of SCCs for transfers of personal data from the EEA to non-EEA countries that have not been recognised as providing an adequate level of data protection. The SCCs between controllers and processors will provide a standard for the parties, but their use will not be mandatory, as controllers and processors will still be able to use their own clauses.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.


Data breach notification guidelines

Data breach notification guidelines published by the EDPB

New data breach notification guidelines published by the EDPB set out, through specific examples, what curative measures should be taken.


In a recent article, we reported on two doctors in France who were fined by the CNIL over a data breach and were also found to have breached Article 33 of the GDPR by neglecting to inform the supervisory authority of the data breaches. The rules on data breaches were introduced by the GDPR, which specifies that data breaches are to be reported to the competent national supervisory authority and, in some cases, to the individuals whose personal data has been affected. While data breach notification had been addressed by the Article 29 Working Party in October 2017, its opinion did not adequately address all practical issues.


The EDPB has found it necessary to release a document to accompany the existing data breach notification guidelines. This document contains several fictional situations as examples, with the intention of explaining how real situations of that nature are best handled, and of helping data controllers decide how to handle data breaches and what factors to consider during risk assessments. The examples, though fabricated, reflect a common thread of experiences shared by the various supervisory authorities within the EEA since the GDPR came into force.


There are various types of data breaches, each of which is identified and handled differently.


Article 4(12) of the GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The EDPB document outlines three types of breaches, as set out in the previous guidelines (Working Party 250): a “confidentiality breach”, where there is an unauthorised or accidental disclosure of, or access to, personal data; an “integrity breach”, where there is an unauthorised or accidental alteration of personal data; and an “availability breach”, which is an accidental or unauthorised loss of access to, or destruction of, personal data.


Personal data breaches can indicate system weaknesses that need attention, and in some cases, these breaches could be avoided altogether through prior preparation. 


Personal data breaches can present serious problems, but they are also an indication of system weaknesses that need to be addressed. It is highly recommended that data controllers focus on prior preparation, in order to avoid personal data breaches altogether or to minimise and mitigate the associated risks. For several types of data breach, the consequences are irreversible. In addition, the root cause of a data breach must be identified in order to fully assess the risks associated with a breach resulting from an attack. This allows the controller to determine whether the vulnerabilities that brought the incident about are still present, and therefore still exploitable and in need of being addressed.


Every controller should have plans and best practices established in the event of a possible data breach. These should include clear lines of reporting and responsible personnel assigned throughout the recovery process. Controllers should ensure that, if a personal data breach were to occur, staff are well informed on how it should be handled. The EDPB suggests training which is regularly repeated and updated to address the latest trends and alerts from cyber attacks and other security incidents. Training should give staff the awareness to identify a data breach and to recognise the action steps to be taken as a result. Controllers’ best practices should be prepared in advance and be able to advise relevant personnel on the protocols for each facet of processing at each major stage of the operation. This should allow data breaches to be handled much more quickly than if there were no plans in place.


Controllers should notify the competent supervisory authority of a data breach without delay, upon determining that it is likely to present a risk to the rights and freedoms of data subjects.


A breach should result in a notification as soon as the controller realises that it is likely to result in a risk to the rights and freedoms of data subjects. It is not necessary to wait until the investigation is complete and all the facts of the breach have been determined, including the true extent of the risk: the supervisory authority can be notified while the investigation is ongoing and updated accordingly. If a controller deems a risk unlikely and the risk does materialise, the supervisory authority can exercise its right to enforce corrective measures, including sanctions.


The new guidelines concerning data breach notifications are illustrated in the EDPB’s recent document using detailed examples, highlighting different variants of data breaches.


The examples covered in this new EDPB document span various types of personal data breaches, including ransomware, data exfiltration attacks, internal human risk sources, lost or stolen devices or paperwork, mispostals and social engineering. Because it is so important to be able to identify data breaches and to give directions on how they should be handled within institutions, the EDPB has provided within those guidelines several very specific examples for each of the aforementioned types of data breach, together with recommendations on how each should be handled. In addition, the EDPB describes technical and organisational measures which can be used to prevent those personal data breaches, or to mitigate their impact.


Actions necessary based on the identified risks

“yes” means the action is required for that example; “no” means the action is not required (the source table marks non-required actions with an x). An internal register entry is required in every case.

| Type of data breach | No risk (internal register) | Risk (notify SA) | High risk (communicate to data subjects) |
|---|---|---|---|
| Ransomware | | | |
| Ransomware with proper backup and without exfiltration | yes | no | no |
| Ransomware without proper backup | yes | yes | no |
| Ransomware with backup and without exfiltration in a hospital | yes | yes | yes |
| Ransomware without backup and with exfiltration | yes | yes | yes |
| Data exfiltration attacks | | | |
| Exfiltration of job application data from a website | yes | yes | yes |
| Exfiltration of hashed passwords from a website | yes | no | no |
| Credential stuffing attack on a banking website | yes | yes | yes |
| Internal human risk source | | | |
| Exfiltration of business data by a former employee | yes | yes | no |
| Accidental transmission of data to a trusted third party | yes | no | no |
| Lost or stolen devices and paper documents | | | |
| Stolen material storing encrypted personal data | yes | no | no |
| Stolen material storing non-encrypted personal data | yes | yes | yes |
| Stolen paper files with sensitive data | yes | yes | yes |
| Mispostal | | | |
| Snail mail mistake | yes | no | yes |
| Sensitive personal data sent by mail by mistake | yes | yes | yes |
| Personal data sent by mail by mistake | yes | no | no |
| Social engineering | | | |
| Identity theft | yes | yes | yes |
| Email exfiltration | yes | yes | yes |


While each of the examples contained in the EDPB’s guidelines provides assistance for data controllers in assessing their own data breaches, it is also important to note that any change in the circumstances of the cases described there may result in different or more significant levels of risk, requiring different or additional measures, which can only be fully determined by an adequate risk assessment. For example, the document provides two different examples of snail mail being sent to the wrong address; in one case, two customers’ orders were switched in error, and the mail was recalled and then sent to the correct customers. While this does qualify as a data breach, it is reasonably low-risk. This example does not call for reporting to the competent supervisory authority; notification to the data subjects is nevertheless called for, as the suggested mitigating measures include asking each customer to destroy or delete any copies of the bill containing the other person’s personal data.
