A new post-Schrems II transfer solution for cloud services?

The EU Cloud Code of Conduct General Assembly, creators of the EU Cloud Code of Conduct, announced work is underway on a proposed legal solution for the transfer of personal data outside the EU.

The Cloud Code of Conduct, which defines clear requirements for cloud service providers acting as “processors” under the General Data Protection Regulation (GDPR) and is adopted broadly by the cloud market, is under review by the European Data Protection Board as an approved Code of Conduct under GDPR.

In the interim, the EU Cloud Code of Conduct General Assembly is proposing the creation of a new module to the Code for transferring personal data outside of the EU.

The EU Cloud Code of Conduct General Assembly invites interested Cloud Service Providers (CSPs) and cloud-users to join the initiative and to contribute to the development of the module, thereby shaping the future legal basis to transfer EU citizen’s personal data to third countries around the world.

Details from the EU Cloud Code of Conduct General Assembly.

Time for a U.S. federal privacy law?

“U.S. Sen. Roger Wicker, R-Miss., chairman of the Committee on Commerce, Science, and Transportation, will convene a hearing titled, ‘Revisiting the Need for Federal Data Privacy Legislation,’ at 10:00 a.m. on Wednesday, September 23, 2020.

The hearing will examine the current state of consumer data privacy and legislative efforts to provide baseline data protections for all Americans.

It will also examine lessons learned from the implementation of state privacy laws in the U.S. and the E.U. General Data Protection Regulation, as well as how the COVID-19 pandemic has affected data privacy.

Details from the Senate Committee on Commerce, Science, and Transportation.

“Convention 108+ (Convention 108 as amended by the protocol) is set to become the international standard on privacy and data protection in the digital age, and represents a viable tool to facilitate international data transfers while guaranteeing an appropriate level of protection for people globally,” say Alessandra Pierucci, Chair of the Committee of Convention 108, and Jean-Philippe Walter, Data Protection Commissioner of the Council of Europe.

“Being Party to the Convention 108+ could in the future also facilitate the case-by-case assessment that companies are required to do [following the Schrems II judgement] in the context of standard contractual clauses, regarding the essentially equivalent level of protection to be guaranteed”.

“The time has come to use the numerous criteria developed by the Courts in respect of what constitute adequate and effective guarantees, effective accountability, and independent oversight of intelligence services, and find consensus on this critical issue at global level.”

Read the full text of the joint statement: “Better protecting individuals in the context of international data flows: the need for democratic and effective oversight of intelligence services.”

Blockchain and data protection: A report issued by the Law Society and Tech London Advocates & Global Tech Advocates highlights the extent of unknowns in a series of questions posed for the UK Information Commissioner’s Office.

  • What does “all means reasonably likely to be used” mean under Recital 26 of the General Data Protection Regulation (GDPR)?
  • Does this require an objective or subjective approach?
  • Does the use of a blockchain automatically trigger an obligation to carry out a data protection impact assessment?
  • Does the continued processing of data on blockchains satisfy the compelling legitimate ground criterion under Article 21 GDPR?
  • How should “erasure” be interpreted for the purposes of Article 17 GDPR?
  • How should Article 18 GDPR regarding the restriction of processing be interpreted?
  • What is the status of anonymity solutions such as ZKP under GDPR?
  • Should the anonymization of data be evaluated from the controller’s perspective, or also from the perspective of other parties?
  • What is the status of the on-chain hash where transactional data is stored off-chain and subsequently erased?
  • Can a data subject be a data controller in relation to personal data that relates to them?
  • How should the principle of data minimization be interpreted?

Read the full text of the report.

The Washington Privacy Act is back and now includes provisions for handling personal data during a public health emergency such as a pandemic.

Its provisions are closer to the European Union’s General Data Protection Regulation (GDPR) than to the California Consumer Privacy Act (CCPA) and include:

  • Controller and processor obligations
  • Right of correction
  • Provisions regarding profiling
  • Purpose specification
  • Data minimization
  • Mandatory Data Protection Impact Assessments, called Data Protection Assessments, in certain cases

Read the full text of the bill.

On the heels of the Court of Justice of the European Union’s decision in Schrems II, Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) has determined that the U.S.-Swiss Privacy Shield does not meet the “requirements of adequate data protection as defined by the FADP (Swiss Federal Act on Data Protection).” It issued a policy paper offering advice on transferring data to countries not on its list of nations with adequate safeguards.

Key takeaways from the FDPIC decision:
  • The FDPIC agrees with most of the European Data Protection Board’s criticisms regarding access by U.S. authorities and deems the lack of transparency and the resulting absence of guarantees concerning the interference of U.S. authorities irreconcilable with Swiss data protection laws.
  • When transferring data to non-listed countries, data exporters should conduct due diligence. If necessary, the contractual clauses should be expanded.
  • Exporters must consider whether the foreign recipient company is capable of providing the cooperation necessary for the enforcement of Swiss data protection principles.
  • If not, exporters must consider technical measures that effectively prevent the service providers and authorities in the destination country from accessing the transferred personal data (e.g. storage in a non-listed country combined with encryption following the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that the key never leaves the exporter’s control).
  • If such measures are not possible, the FDPIC recommends refraining from transferring personal data to the non-listed country on the basis of contractual guarantees.

Read the full text of the decision.

There is no quick fix to the Schrems II decision, says European Union Justice Commissioner Didier Reynders.
Per Bloomberg Law: Justice Commissioner Reynders plans to finalize work by the end of this year on clauses that companies use to safely transfer data. In addition, talks with the U.S. will intensify in coming weeks on “sustainable solutions that deliver legal certainty” in line with the court ruling.

Details from Bloomberg Law.

The European Data Protection Supervisor has issued guidance on data protection and body temperature taking.

Key takeaways:
  • Basic body temperature checks designed to measure body temperature only, operated manually and not followed by registration, documentation or other processing of individuals’ personal data are, in principle, not subject to the regulation.
  • Other systems of temperature checks, operated manually or automatically, followed by the processing of individuals’ personal data are subject to the regulation.
  • Depending on the processing capabilities of the systems used, additional data protection safeguards need to be implemented.
  • Institutions should design body temperature checks such that the amount of collected personal data is minimized.
  • Temperature checks carried out on a mandatory basis should not be based solely on automated processing. Human involvement should be provided at relevant stages of the temperature checks.
  • Review the necessity and proportionality of such measures regularly, in light of the evolution and scientific understanding of the epidemic.

Read the full text of the guidance.

Automatic photo taking is excessive as a way to monitor employee working hours and a less invasive method should be used, French data privacy regulator CNIL told a number of employers.

In its opinion, CNIL said that:
  • Any system for controlling working hours must comply with the principle of minimization (Article 5 (1.c)) of the General Data Protection Regulation (GDPR). Data collected in this context must be adequate, relevant and limited to what is necessary.
  • Per previous decisions by the Cour de Cassation and the Conseil d’État, a geolocation system to control employee working hours is only lawful when this cannot be achieved by other means, even if those means are less effective.
  • The use of photo badges by organizations violates the principle of minimization. The compulsory and systematic collection, two to four times a day, of the employee’s photograph appears excessive.
  • Tools for managing schedules without taking a photograph, such as conventional badge-based time clocks, appear sufficient to fulfill the purpose of controlling working schedules.
  • The companies were put on formal notice to make their time control systems compliant with the GDPR within three months.

Read the full text of CNIL’s Opinion.

Two bills dealing with processing COVID-19 data in California were referred to the Senate Appropriations Committee.

Assembly Bill 660 prohibits data collected, received or prepared for purposes of contact tracing from being used or disclosed for any purpose other than facilitating contact tracing efforts. It also requires the data collected to be deleted within 60 days, unless that data is in the possession of a state or local health department.

Read the full text and check updated status.

Assembly Bill 1782 regulates public health entities and businesses that provide technology-assisted contact tracing (TACT). It requires data collected and maintained in the course of fulfilling the duties of a TACT contract to be encrypted to the extent practicable. It also requires a business or public health entity offering technology-assisted contact tracing to provide a simple mechanism for a user to revoke consent for the collection, use, maintenance or disclosure of data, and requires consent given to be revocable at any time.

Read the full text and check updated status.