emergency measures for children’s protection

EU approves emergency measures for children’s protection

Temporary emergency measures for children’s protection have just been adopted by European Parliament.

 

Temporary emergency measures for children’s protection were adopted by European Parliament on July 6th. This regulation will allow electronic communication service providers to scan private online messages containing any display of child sex abuse. The European Commission reported that almost 4 million visual media files containing child abuse were reported last year. There were also 1,500 reports of grooming of minors by sexual predators. Over the past 15 years, reports of this kind have increased by 15,000%. 

 

This new regulation, which is intended to be executed using AI, has raised some questions regarding privacy. 

 

Electronic communication service providers are being given the green light to voluntarily scan private conversations and flag content which may contain any display of child sex abuse. This scanning procedure will detect content for flagging using AI, under human supervision. They will also be able to utilize anti-grooming technologies once consultations with data protection authorities are complete. These mechanisms have received some pushback due to privacy concerns. Last year, the EDPB published a non-binding opinion which questioned whether these measures would threaten the fundamental right to privacy. 

 

Critics argue that this law will not prevent child abuse but will rather make it more difficult to detect and potentially expose legitimate communication between adults. 

 

This controversial legislation drafted in September 2020, at the peak of the global pandemic, which saw a spike in reports of minors being targeted by predators online, enables companies to voluntarily monitor material related to child sexual abuse. However, it does not require companies to take action. Still, several privacy concerns were raised regarding its implementation, particularly around exposing legitimate conversation between adults which may contain nude material, violating their privacy and potentially opening them up to some form of abuse. During the negotiations, changes were made to include the need to inform users of the possibility of scanning their communications, as well as dictating data retention periods and limitations on the execution of this technology. Despite this, the initiative was criticized, citing that automated tools often flag non relevant material in the majority of cases. Concerns were raised about the possible effect this may have on channels for confidential counseling. Ultimately, critics believe that this will not prevent child abuse, but will rather make it harder to discover it, as it would encourage more hidden tactics. 

 

This new EU law for children’s protection is a temporary solution for dealing with the ongoing problem of child sexual abuse. 

 

From the start of 2021, the definition of electronic communications has been changed under EU law to include messaging services. As a result private messaging, which was previously regulated by the GDPR, is now regulated by the ePrivacy directive. Unlike the GDPR, the ePrivacy directive did not include measures to detect child sexual abuse. As a result, voluntary reporting by online providers fell dramatically with the aforementioned change. Negotiations have stalled for several years on revising the ePrivacy directive to include protection against child sexual abuse. This new EU law for children’s protection is but a temporary measure, intended to last until December 2025, or until the revised ePrivacy directive enters into force. 

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Fine imposed for unsecured website

Fine imposed for unsecured website

Fine imposed for unsecured website for registration of new orthodontic patients. 

 

Patient personal data was found to be at risk, including citizen service numbers, when an orthodontic practice allowed new patients to sign up via an unsecured website. According to this report, several fields of mandatory personal information were captured on an unsecured connection. This could have resulted in a data breach, which could have led to fraud, with several individuals affected, including minors. The Dutch DPA has imposed a fine of €12,000 on an orthopedic practitioner. 

Sensitive personal data was at risk of being accessed by unauthorized parties. 

 

An unsecured connection was used to capture mandatory personal information from new patients signing up for orthodontic services. 

 

The unsecured website being used to capture information from new patients included a form, requiring the input of personal data into mandatory fields. The required information included patients’ parents’ information, their general practitioner, insurance information as well as their dentist and citizen service number. This information was sent over an unencrypted connection, making it unsecured. Individuals submitting their personal information while signing up on the website of an orthodontic practitioner are trusting that their sensitive data will be protected. In addition, the majority of orthodontic patients are children and young adults, so this case involved the personal data of several children. Data protection laws have specific safeguards for the sensitive data of children, who are considered a particularly vulnerable group. 

 

Fine imposed for unsecured website after a complaint was lodged about a privacy violation. 

 

A complaint was lodged with the Dutch DPA regarding a privacy violation. Because the complaint was regarding poor security within the health sector, a sector with particularly strict privacy requirements, this complaint was taken very seriously by the DPA. Monique Verdier, the DPA’s deputy chair commented on the situation stating “When you register with an orthodontist, you entrust your personal data to them. This is data that the practice needs, but it is also of interest to criminals. Taking good care of your patients includes taking good care of their personal data. This applies to all care providers, not just large institutions.” It is a business’ responsibility to ensure that its website is GDPR compliant, and to secure customer data and websites, preventing possible data breaches, phishing, and other forms of malicious online activity. A fine of €12,000 was imposed on the orthodontic practitioner for this infraction. 

 

An objection to this fine was lodged, which the DPA declared unfounded. 

The fine imposed on the orthodontic practitioner is not final, and was challenged by the provider. While the fine may be revocable, the DPA has called the objection by the practitioner unfounded. An application for judicial review can be submitted to the district court to have the €12,000 fine revoked. If this is done, the final decision will rest in the hands of the district court. 

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

New German law

New German law regulating eprivacy and data protection

New German law recently adopted, regulates eprivacy and data protection in telecommunications and telemedia.

 

Last month, German parliament adopted a new law regulating eprivacy and data protection in telecommunications and telemedia. Previously, the laws regulating German data protection contained partially contradictory provisions, which led to legal uncertainty on various matters. In the past, data protection and privacy inquiries were typically split between two laws, the Telemedia Act and Telecommunications Act, until May 20th when the Data Protection Act was passed. This act aims to unify the country’s rules and bring them in line with the EU’s GDPR. This new law, commonly known as TTDSG, could however be superseded by European law soon, as discussions on the new ePrivacy Regulation intensify. 

 

The new German law implements the ePrivacy directive with regard to the use of cookies.

 

The ePrivacy directive, which became EU law in 2009, states that websites are obligated to collect visitors’ informed consent to the use of cookies. The new German legislation implements the cookie consent rules of the 2009 ePrivacy Directive with a view to GDPR and the 2019 EU Court judgment in Planet49, Case C-673/17. Failure to obtain explicit consent to the use of cookies from internet users is incompatible with EU law, as rulings from both the EU court of justice and the German High Court demonstrate. The recently amended telecommunications act had been challenged by the opposition, who claimed that it did not contain sufficient data protection provisions. 

 

Fibre optics use and development stand to benefit from this new German law.

 

Germany currently lags behind most EU countries in the arena of fibre optics use and development with only 4.7% of broadband being fibre optic connections. Many European countries like Sweden, Lithuania and Spain have their fibre optic connections falling somewhere between 69% and 75% of broadband. Fiber optics provide a dedicated synchronous Internet bandwidth, which is not shared with any other Internet client. Fiber is generally faster and more reliable, allowing faster downloads. The Telecommunications Act sets clear standards for the entitlements to Internet access based on “80% of the Internet speed used by consumers in upload and download,” according to MP Falko Mohrs. The amendment not only solidifies the legal right to internet access, but also contains a list of other services. These include interference-free accommodation of video conferencing, which is imperative to citizens’ abilities to participate in the digital world. By introducing this benchmark, Mohrs believes that the fibre-isation of the  country is being driven forward. The benchmark is set and  reviewed annually in collaboration with the country’s network agency. 

  

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

New EU ePrivacy rules

New EU ePrivacy rules update

The ePrivacy rules governing electronic communication data will be updated as agreed upon by EU Member States. 

 

Earlier this month, EU member states agreed upon a negotiating mandate for revised ‘ePrivacy’ rules. The rules on the protection of privacy and confidentiality in the use of electronic communications define cases in which service providers are allowed to process data from electronic communications or access that which has been stored on an end user’s device. The last update to the ePrivacy directive was in 2009, and as such, the member states agree that this legislation needs to be brought up to date with new technological and market developments. The new ePrivacy Regulation will repeal the current ePrivacy Directive and is intended to complement and characterize the GDPR. This regulation will become effective 20 days after its publication in the EU Official Journal, and two years later, will start to apply. Details can be found in this press release by the European Council

 

The revised draft regulation will cover content from electronic communication over public services and networks, as well as related metadata. 

 

This draft ePrivacy regulation will repeal the existing directive and will cover content transmitted via public services and networks and related metadata, when end users are in the EU. Metadata refers to the information on the time, location and recipient of the communication for example. Metadata is considered to be potentially as sensitive as the actual content of electronic communication. The rules will also cover the handling of data transmitted from machine to machine via a public network. 

 

Any electronic communication data will be considered confidential, except when permitted by the ePrivacy regulation. 

 

As a general rule, all electronic communication is to be considered confidential, and should not be processed without the consent of the user. There are, however, a few exceptions specifically outlined in the ePrivacy regulation. These exceptions include any processing for the purposes of checking for malware and viruses as well as for ensuring the integrity of the communication service. Provisions are also made for cases where the service provider is required to do so by EU or member states’ law with regard to the prosecution of criminal offenses or the prevention of public security threats. 

 

Metadata may be processed for very specific purposes, and with strong additional safeguards applied to it. 

 

Metadata may be processed for example for billing purposes or for detecting and preventing fraud. If users give their consent, service providers may use metadata to display movements of traffic to help public authorities develop new infrastructure when needed. This processing is also allowed in instances where users’ vital interests need to be protected, for example the monitoring of epidemics or in emergencies like natural and man-made disasters. In specific cases network providers may process metadata for purposes other than that for which it was collected. In those cases, the intended purpose must be compatible with the initial purpose for the metadata and strong specific safeguards must be applied to the processing. 

 

It will be possible for users to whitelist service providers, giving consent to certain types of cookies, from certain websites via users’ browser settings. 

 

Users will be able to permit certain types of cookies from one or many service providers, and change those settings easily in their browser settings. This should make permissions for cookies easier and more seamless for users, alleviating cookie consent fatigue. In addition, end users will be able to genuinely choose whether to accept cookies or any similar identifier. It may be possible for service providers to make access to a webpage or website dependent on consent to the use of cookies for additional purposes, instead of using a paywall, however this will only be allowed if the user is able to access an equivalent offer by the same provider, that does not involve consenting to the use of cookies. 

 

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy rules, GDPR, and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.