Declaration on digital rights and principles proposed by the European Commission

The Commission has proposed a declaration of rights and principles to the European Parliament and Council that is intended to guide digital transformation in the EU.

 

The European Commission has prepared a draft declaration on digital rights and principles with the aim of providing a clear reference point on the kind of digital transformation which Europe promotes and defends. In March 2021, the Commission laid out its vision for Europe’s digital transformation by 2030, of which this draft declaration plays a major part. The declaration also builds on previous initiatives from the Council, including the Tallinn Declaration on eGovernment and the Berlin Declaration on Digital Society, among others. The European Parliament and the Council have both been invited to discuss this draft declaration, and to endorse it at the highest level by summer of 2022.

 

The declaration covers key rights and principles for the digital transformation of the EU.

 

The draft declaration places people and their rights at its centre, supports solidarity and inclusion, ensures freedom of choice online, and fosters participation in the digital public space. With key rights and principles for digital transformation at the heart of this initiative, the draft aims to increase the safety, security and empowerment of individuals, and to promote the sustainability of the digital future. It seeks to improve the everyday lives of Europeans by providing access to affordable and high-speed digital connectivity everywhere, well-equipped classrooms and teachers who are digitally skilled, as well as seamless access to public services, and an overall safe digital environment for children. The declaration also fosters the ability to disconnect after working hours, obtain easy-to-understand information on the environmental impact of our digital products, and control how personal data is used and with whom it is shared.

 

The declaration on digital rights and principles is rooted in EU law and builds on previous initiatives from the Council. 

 

A few years ago, former European Parliament President David Sassoli promoted the idea of access to the Internet as a new human right. European digital laws are geared towards accessibility for individuals, not just to the internet but to the ability to exercise their basic human rights in the digital sphere. EU laws promote the protection of citizens’ rights and freedoms, and this draft declaration builds on this core goal. The draft declaration promotes a model of digital transformation that strengthens the human dimension of the digital ecosystem and has the Digital Single Market as its core. It builds on several previous initiatives by the Council including the Tallinn Declaration on eGovernment, the Berlin Declaration on Digital Society and Value-based Digital Government, and the Lisbon Declaration – Digital Democracy with a Purpose, furthering the overall aim of guiding digital transformation in the EU and protecting its citizens in the digital sphere. 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Proposed Digital Markets Act to be enforced by the EU Commission

Proposed Digital Markets Act will be enforced exclusively by the European Commission, but what does it entail?

 

EU representatives have officially agreed that the European Commission will be the enforcer of the Digital Markets Act, which is set to be ratified on November 25 as part of the bloc’s common position ahead of negotiations with EU lawmakers. The Digital Markets Act, or DMA, was proposed last year by EU antitrust chief Margrethe Vestager, and aims to prevent large companies from abusing their market power and to allow new players to enter the market. The proposed legislation specifically targets online gatekeepers – companies that control data and access to their platforms – with a list of dos and don’ts, to curb any possible abuse of power within the online markets.

 

The Digital Markets Act is designed to ensure fair and open digital markets.

 

The DMA establishes a set of narrowly defined objective criteria for qualifying a large online platform as a “gatekeeper”, and specifically targets these platforms. They are defined by their strong economic position, significant impact on the internal market, strong intermediation position, durable position in the market, and/or solid presence in multiple EU countries. This is expected to benefit consumers by giving them better access to a range of services to choose from, more choices leading to opportunities to switch their providers, as well as direct access to services, and more reasonable prices. In addition, this will give smaller companies the opportunity to be competitive in online markets.

 

The act consists of various dos and don’ts which will be monitored by the European Commission.

 

The act consists of various dos and don’ts which will be monitored by the European Commission to ensure that gatekeepers do not have an unfair advantage. These gatekeepers will still be allowed to innovate and offer new services; however, they will not be allowed to gain an undue advantage. Under the DMA, companies will still be able to allow their business users to access the data that they generate while using the gatekeeper’s platform. Gatekeepers will also continue to have the capabilities to allow third parties to inter-operate with the gatekeeper’s own services in certain specific situations. These companies will still be allowed to provide companies advertising on their platform with the tools and information necessary for advertisers and publishers to carry out their own independent verification of the advertisements they host with the gatekeeper. They will also still be able to allow their business users to promote their offers and conclude contracts with their customers outside the gatekeeper’s platform.

 

There are some things, however, which will not be allowed under the Digital Markets Act. Gatekeeper companies will not under any circumstances be allowed to rank their own services and products more favourably than similar services or products offered by third parties on the gatekeeper’s platform. Preventing consumers from linking up to businesses outside their platforms will also be disallowed. These companies are also not allowed to prevent users from uninstalling any pre-installed software or app if they wish to do so. Failure to comply with these guidelines may result in penalties of up to 10% of their annual worldwide turnover, or periodic payments of 5% of their daily turnover.

 

The European Commission, as the exclusive enforcer of the DMA, will be responsible for carrying out market investigations.

 

The European Commission, as the exclusive enforcer of the DMA, will be responsible for carrying out market investigations. This gives the Commission the authority to dynamically update the obligations for gatekeepers when necessary, and also to identify companies as gatekeepers, based on the aforementioned criteria. In addition, the European Commission will be expected to design remedies to tackle systematic infringements of the Digital Markets Act rules, as additional penalties may be imposed after the Commission carries out a market investigation, if it considers the previously mentioned penalties insufficient or inappropriate.

 

 

 



EU approves emergency measures for children’s protection

Temporary emergency measures for children’s protection have just been adopted by the European Parliament.

 

Temporary emergency measures for children’s protection were adopted by the European Parliament on July 6th. This regulation will allow electronic communication service providers to scan private online messages for content containing any display of child sex abuse. The European Commission reported that almost 4 million visual media files containing child abuse were reported last year. There were also 1,500 reports of grooming of minors by sexual predators. Over the past 15 years, reports of this kind have increased by 15,000%.

 

This new regulation, which is intended to be executed using AI, has raised some questions regarding privacy. 

 

Electronic communication service providers are being given the green light to voluntarily scan private conversations and flag content which may contain any display of child sex abuse. This scanning procedure will detect content for flagging using AI, under human supervision. Providers will also be able to utilize anti-grooming technologies once consultations with data protection authorities are complete. These mechanisms have received some pushback due to privacy concerns. Last year, the EDPB published a non-binding opinion which questioned whether these measures would threaten the fundamental right to privacy.

 

Critics argue that this law will not prevent child abuse but will rather make it more difficult to detect and potentially expose legitimate communication between adults. 

 

This controversial legislation, drafted in September 2020 at the peak of the global pandemic, which saw a spike in reports of minors being targeted by predators online, enables companies to voluntarily monitor material related to child sexual abuse. However, it does not require companies to take action. Still, several privacy concerns were raised regarding its implementation, particularly around exposing legitimate conversation between adults which may contain nude material, violating their privacy and potentially opening them up to some form of abuse. During the negotiations, changes were made to include the need to inform users of the possibility of scanning their communications, as well as dictating data retention periods and limitations on the execution of this technology. Despite this, the initiative was criticized on the grounds that automated tools often flag non-relevant material in the majority of cases. Concerns were raised about the possible effect this may have on channels for confidential counseling. Ultimately, critics believe that this will not prevent child abuse, but will rather make it harder to discover, as it would encourage more hidden tactics.

 

This new EU law for children’s protection is a temporary solution for dealing with the ongoing problem of child sexual abuse. 

 

From the start of 2021, the definition of electronic communications has been changed under EU law to include messaging services. As a result, private messaging, which was previously regulated by the GDPR, is now regulated by the ePrivacy directive. Unlike the GDPR, the ePrivacy directive did not include measures to detect child sexual abuse. As a result, voluntary reporting by online providers fell dramatically with the aforementioned change. Negotiations have stalled for several years on revising the ePrivacy directive to include protection against child sexual abuse. This new EU law for children’s protection is but a temporary measure, intended to last until December 2025, or until the revised ePrivacy directive enters into force.

 



Adequacy decisions adopted for EU-UK data transfers

Adequacy decisions adopted by the European Union for the UK regarding data transfers.

 

The European Commission has recently adopted adequacy decisions for the United Kingdom. Since Brexit there has been some question as to the UK’s adequacy, or rather the level of protection afforded to data transfers between the EU and the UK. With the adoption of these adequacy decisions – one under the General Data Protection Regulation, or GDPR, and the other for the Law Enforcement Directive – data can now flow freely between the European Union and the United Kingdom. This data will be considered as having the equivalent level of protection that is guaranteed under EU law when being transferred to the UK.

 

The adequacy decisions adopted came after a thorough assessment process, during which data transfers occurred based on a Trade and Cooperation agreement. 

 

Since the draft adequacy decisions for the UK were published in February, the UK’s practices and laws regarding personal data protection have been carefully assessed. In April, the EDPB gave its opinion on UK adequacy, which was then followed by a comitology procedure which included a vote from EU Member States. In the absence of an adequacy decision, and while in the process of establishing one, data transfers flowed between the EU and the UK, based on a Trade and Cooperation agreement. This agreement expired on June 30, 2021, and provided that, in the absence of an adequacy decision, all data transfers carried out in the context of its implementation would comply with the GDPR and Law Enforcement Directive. 

 

UK data protection laws still very much resemble the laws under which the country operated as an EU Member State.

 

The UK, as a former EU Member State, had a data protection system which was still based on the very same rules under which UK data protection functioned while the UK was still an EU Member State. The principles, rights and obligations of the GDPR and Law Enforcement Directive have been fully incorporated into UK law. This has made not only the Trade and Cooperation agreement, but also the adequacy decisions, easier and more feasible. The UK provides strong safeguards regarding access to personal data by public authorities. In principle, the collection of data by intelligence authorities is subject to prior authorization by an independent judicial body.

 

The adequacy decisions include a sunset clause which causes them to expire after four years.

 

These adequacy decisions include a ‘sunset clause’. This is the first of its kind and strictly limits the duration of the validity of these adequacy decisions. What this means is that these decisions will automatically expire in four years, after which adequacy findings may be renewed. However, this is subject to the UK continuing to ensure an adequate level of data protection. The European Commission will continue to monitor the legal situation in the UK and reserves the right to intervene at any point if the UK deviates from the current level of data protection provided. After the four-year duration of these recently adopted adequacy decisions, if the European Commission decides to renew the adequacy decisions, the adoption process would start over.

 

GDPR adequacy related to immigration control has been excluded from this decision, to be reassessed pending judgments from the England and Wales Court of Appeal.

 

Due to a recent judgment of the England and Wales Court of Appeal, data transfers for the purposes of UK immigration control have been excluded from the scope of the GDPR adequacy decision. The judgment affects the validity and interpretation of certain data protection rights related to immigration control, and therefore the Commission, once this matter has been dealt with under UK law, will reassess the necessity of this exclusion.

 
