New German law

New German law regulating eprivacy and data protection

New German law recently adopted, regulates eprivacy and data protection in telecommunications and telemedia.


Last month, the German parliament adopted a new law regulating eprivacy and data protection in telecommunications and telemedia. Previously, the laws regulating German data protection contained partially contradictory provisions, which led to legal uncertainty on various matters. In the past, data protection and privacy inquiries were typically split between two laws, the Telemedia Act and the Telecommunications Act, until May 20th, when the Data Protection Act was passed. This act aims to unify the country’s rules and bring them in line with the EU’s GDPR. This new law, commonly known as TTDSG, could, however, soon be superseded by European law, as discussions on the new ePrivacy Regulation intensify.


The new German law implements the ePrivacy directive with regard to the use of cookies.


The ePrivacy directive, which became EU law in 2009, states that websites are obligated to collect visitors’ informed consent to the use of cookies. The new German legislation implements the cookie consent rules of the 2009 ePrivacy Directive with a view to GDPR and the 2019 EU Court judgment in Planet49, Case C-673/17. Failure to obtain explicit consent to the use of cookies from internet users is incompatible with EU law, as rulings from both the EU Court of Justice and the German High Court demonstrate. The recently amended Telecommunications Act had been challenged by the opposition, who claimed that it did not contain sufficient data protection provisions.


Fibre optics use and development stand to benefit from this new German law.


Germany currently lags behind most EU countries in fibre optics use and development, with only 4.7% of broadband being fibre optic connections. In many European countries, such as Sweden, Lithuania and Spain, fibre optic connections account for somewhere between 69% and 75% of broadband. Fibre optics provide a dedicated synchronous Internet bandwidth, which is not shared with any other Internet client. Fibre is generally faster and more reliable, allowing faster downloads. The Telecommunications Act sets clear standards for the entitlements to Internet access based on “80% of the Internet speed used by consumers in upload and download,” according to MP Falko Mohrs. The amendment not only solidifies the legal right to internet access, but also contains a list of other services. These include interference-free accommodation of video conferencing, which is imperative to citizens’ abilities to participate in the digital world. By introducing this benchmark, Mohrs believes that the fibre-isation of the country is being driven forward. The benchmark is set and reviewed annually in collaboration with the country’s network agency.


Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

New EU ePrivacy rules

New EU ePrivacy rules update

The ePrivacy rules governing electronic communication data will be updated as agreed upon by EU Member States. 


Earlier this month, EU member states agreed upon a negotiating mandate for revised ‘ePrivacy’ rules. The rules on the protection of privacy and confidentiality in the use of electronic communications define cases in which service providers are allowed to process data from electronic communications or access data that has been stored on an end user’s device. The last update to the ePrivacy directive was in 2009, and as such, the member states agree that this legislation needs to be brought up to date with new technological and market developments. The new ePrivacy Regulation will repeal the current ePrivacy Directive and is intended to complement and characterize the GDPR. This regulation will become effective 20 days after its publication in the EU Official Journal and will start to apply two years later. Details can be found in this press release by the European Council.


The revised draft regulation will cover content from electronic communication over public services and networks, as well as related metadata. 


This draft ePrivacy regulation will repeal the existing directive and will cover content transmitted via public services and networks, and related metadata, when end users are in the EU. Metadata refers, for example, to information on the time, location and recipient of a communication. Metadata is considered to be potentially as sensitive as the actual content of electronic communication. The rules will also cover the handling of data transmitted from machine to machine via a public network.


Any electronic communication data will be considered confidential, except when permitted by the ePrivacy regulation. 


As a general rule, all electronic communication is to be considered confidential, and should not be processed without the consent of the user. There are, however, a few exceptions specifically outlined in the ePrivacy regulation. These exceptions include any processing for the purposes of checking for malware and viruses as well as for ensuring the integrity of the communication service. Provisions are also made for cases where the service provider is required to do so by EU or member states’ law with regard to the prosecution of criminal offenses or the prevention of public security threats. 


Metadata may be processed for very specific purposes, and with strong additional safeguards applied to it. 


Metadata may be processed, for example, for billing purposes or for detecting and preventing fraud. If users give their consent, service providers may use metadata to display movements of traffic to help public authorities develop new infrastructure when needed. This processing is also allowed in instances where users’ vital interests need to be protected, for example the monitoring of epidemics or in emergencies like natural and man-made disasters. In specific cases, network providers may process metadata for purposes other than that for which it was collected. In those cases, the intended purpose must be compatible with the initial purpose for the metadata, and strong specific safeguards must be applied to the processing.


It will be possible for users to whitelist service providers, giving consent to certain types of cookies, from certain websites via users’ browser settings. 


Users will be able to permit certain types of cookies from one or many service providers, and change those settings easily in their browser settings. This should make permissions for cookies easier and more seamless for users, alleviating cookie consent fatigue. In addition, end users will be able to genuinely choose whether to accept cookies or any similar identifier. It may be possible for service providers to make access to a webpage or website dependent on consent to the use of cookies for additional purposes, instead of using a paywall. However, this will only be allowed if the user is able to access an equivalent offer by the same provider that does not involve consenting to the use of cookies.


Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy rules, GDPR, and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.


EU-US Privacy Shield invalidation

EU-US Privacy Shield invalidation business implications

On 16th July, the Court of Justice of the EU delivered a ruling in the case known as Schrems II by which it invalidated the EU-US Privacy Shield and confirmed the validity of Standard Contractual Clauses, with caveats.

After the CJEU’s Advocate General Henrik Saugmandsgaard Øe published his opinion in the so-called ‘Schrems II’ case in January, the CJEU has now delivered its judgment, pursuant to which the Privacy Shield is declared invalid and SCC remain valid but can only be used under strict conditions.

What did the Court say?

Two important outcomes derive from the judgement issued by the CJEU:

1. The EU-US Privacy Shield is no longer a valid mechanism for international data transfers from the EU to the US.

It is important to note that it was invalidated with immediate effect. The main reason is US surveillance programmes. According to the CJEU, US surveillance programmes are not limited to what is strictly necessary and proportional as required by EU law, and there are no effective legal remedies in the US to ensure compliance with provisions of EU law when EU data subjects’ data is used for national surveillance programmes.

2. SCC remain valid, but with some important caveats.

It is no longer sufficient for a data exporter and data importer to just sign the agreement; the exporting party must do a factual assessment of whether the contract can actually be complied with in practice. Companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection for personal data transferred under SCC. Where this is not the case, as in the US, supplementary measures and additional safeguards should be implemented in order to attain the required level of protection; otherwise the transfer should be ceased.

National Data Protection Authorities may suspend or prohibit transfers to a third country if appropriate safeguards cannot be ensured. Based on the CJEU findings in respect of the Privacy Shield, it is difficult to see how supervisory authorities would be able to avoid such a conclusion in the case of transfers to the US. National Data Protection Authorities’ responses to this decision are yet to be seen.

What does the EDPS say?

On 17th July, following the CJEU ruling, the EDPS, which together with the EDPB had previously expressed criticisms of the Privacy Shield, released a statement welcoming the Court’s reaffirmation of the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries. However, they trust that “the United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards reaffirmed by the Court”.

What does the UK Government say?

The UK government intervened in the case, arguing in support of the validity of standard contractual clauses. In their response, they point out their commitment to ensuring “high data protection standards and supporting UK organisations on international data transfer issues”. They have announced that they are working alongside the ICO and international counterparts with the purpose of addressing the impacts of the judgment and ensuring that updated guidance on international data transfers will be provided soon.

EU Data Protection Authorities like the Irish Data Protection Commissioner and three in Germany (Federal DPA, DPA of Hamburg and DPA of Rheinland-Pfalz) have also issued their statements. Other European DPAs are expected to do so soon.

What should I do now when transferring data from the EU to the US?

Where relying on the Privacy Shield:

  • Do not enter into any new agreement governed by the Privacy Shield.
  • Review all your current contracts, especially legacy ones, with your providers, clients or third-party processors and identify those that rely on the Privacy Shield. They should be amended to add SCC or any other valid safeguard covered by the GDPR for international data transfers.

Where relying on SCC:

Although the ICO and other national Data Protection Authorities are expected to produce detailed guidance soon, according to the CJEU, when transferring personal data to third countries relying on SCC you should:

  • Make sure that security and technical measures which provide an adequate level of protection of personal data are actually implemented. You may need to review or at least ask for further information about the data importer’s technical and security measures plus consider whether additional measures should be specified to strengthen security, like tokenization and encryption.
  • Reinforce your accountability processes. Do not simply sign an appendix to your contracts including SCC, but rather take a closer look at the actual security measures and other mechanisms used by the importer, plus the actual situation in the importing country, especially regarding surveillance.

What can we expect in the near future?

It is expected that guidance will be issued from the European Commission as well as the European Data Protection Board. Apart from that, the EU may decide to renegotiate a new version of Privacy Shield that gives EU data subjects stronger privacy rights under US surveillance laws. Likewise, the US came up with the Privacy Shield ten months after the Safe Harbor was declared invalid, so one could now hope for them to put in place a new mechanism to address the CJEU’s concerns. On another note, SCC may be updated for GDPR soon.

Do you make international data transfers to third countries? Are you affected by the Schrems II decision? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We also offer CCPA compliance services. Contact us today.

Privacy considerations for video conferencing

The Age of Remote Meetings: Privacy Considerations for Video Conferencing.

In the age of remote work meetings, what are the privacy considerations for video conferencing for remote workers and employers?


We are in the age of remote meetings and interactions, as social distancing became our new normal almost overnight. This has brought with it a dependence on video meetings and has made privacy considerations for video conferencing more important. It is something we all think about as we hop onto yet another video call, especially having seen news circulating on the issue. Communication technology companies like Zoom have been at the forefront of news and blog articles on the topic of privacy, as increased use has exposed hidden issues, and companies are forced to make changes to their policies and software to ensure compliance with national and international privacy regulations. Ian Hulme, the ICO’s Director of Assurance, recently published guidelines and advice for employers, business owners and managers on navigating this new normal, the age of remote meetings.


Privacy and Security Settings.


One of the most important privacy considerations with regard to video conferencing is that of transparency. As with any other communication, users need to know how their data will be processed and must have choice and control in the matter. Restricted access, passwords and other privacy and security features like controlling who can share screens should be considered and communicated to employees before starting video conferencing.


Phishing Risks


Security can be compromised in video chat through phishing links and live chat features. While many of us are able to identify phishing links sent in emails, some people are being introduced to video conferencing for the first time in this era of remote meetings, or are simply not too familiar with video meetings. They may therefore not be aware enough to spot phishing attempts made through a remote meeting. It is imperative that we remain vigilant against possible phishing by malicious users. Unexpected links should not be followed, especially when coming from an unrecognised source.


Video Conferencing that matches Company Policies.


Ian Hulme, director of Regulatory Assurance at the ICO, advises that video conferencing technology be checked against a company’s policies to make sure that they align. While many organisations quickly find solutions to their sudden need to function remotely with several employees spread over the city, country or globe, it is important to double check the tools that we resort to, to make sure that they match organisational policies.


Up-to-date Software.


Keeping up to date with software is one of the most effective security measures that we can take. Outdated software puts our data at risk. If using video conferencing apps, we need to ensure that all available software updates are applied regularly. If accessing video conferencing software through the web browser, the software for the web browser must also be kept up to date to protect data. 


As with any business decision, the organisation’s decision on video conferencing solutions should be re-examined from time to time, to make sure that it is aligned with its policies and needs, and with any updates to laws and external policies.

Do you need assistance with the appropriate safeguards and policies that should apply to organisational video conferencing? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. Contact us today.