General Data Protection Regulation (GDPR)

Forget me yes.

The Danish data protection authority has published a practical guide on data minimization and the right of erasure under GDPR:

  • If you use “soft delete,” where a link is removed but the personal information stays in the underlying database, this is not a real deletion.
  • Based on the purposes of the processing, and subject to legal retention requirements, the data controller must determine and document the deletion deadline for each processing.
  • Data controllers must develop deletion procedures for systems where personal data is processed and must implement a follow-up procedure to ensure deletion.
  • For accountability, data controllers may keep a log of requests received under the right to be forgotten. They should set reasonable deletion deadlines for the log.
  • Personal data must be deleted from backups if technically possible. If not, the data controller must ensure that personal data deleted from the system in operation is also removed again if a backup is restored.
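The soft-delete, follow-up-check and backup-restore points above, illustrated as an added example (not part of the Danish DPA guide). It uses a constructed SQLite schema with assumed table names (customers, orders, erasure_log): a soft delete only stamps a marker and leaves the name, e-mail and address in place; a real erasure removes the rows from every table, logs the request by subject ID only (no personal data in the log) with the log entry's own deletion deadline; a follow-up check counts what is left; and the logged IDs are replayed after a backup restore so restored rows do not resurrect erased data.

```python
import sqlite3
from datetime import date, timedelta

# Constructed demo schema (an assumption for this example, not from the guide).
SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    email TEXT NOT NULL,
    deleted_at TEXT                 -- soft-delete marker, NULL while active
);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL,
    shipping_address TEXT NOT NULL
);
-- Accountability log: holds the request (subject ID and dates), not the personal data.
CREATE TABLE erasure_log (
    subject_id INTEGER PRIMARY KEY,
    erased_on TEXT NOT NULL,
    log_delete_by TEXT NOT NULL     -- the log entry has its own deletion deadline
);
"""


def new_db():
    """Fresh in-memory database with constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customers VALUES (1, 'Anna Example', 'anna@example.test', NULL)")
    conn.execute("INSERT INTO customers VALUES (2, 'Bo Sample', 'bo@example.test', NULL)")
    conn.execute("INSERT INTO orders VALUES (10, 1, '1 Demo Street, Copenhagen')")
    conn.execute("INSERT INTO orders VALUES (11, 2, '2 Demo Street, Aarhus')")
    conn.commit()
    return conn


def soft_delete(conn, subject_id, today):
    """Only unlinks the record: the personal data itself remains in the database."""
    conn.execute("UPDATE customers SET deleted_at = ? WHERE id = ?",
                 (today.isoformat(), subject_id))
    conn.commit()


def erase(conn, subject_id, today, log_retention_days=365):
    """Real deletion: remove the data from every table, then log the request by ID only."""
    deadline = (today + timedelta(days=log_retention_days)).isoformat()
    with conn:  # one transaction; commits on success
        conn.execute("DELETE FROM orders WHERE customer_id = ?", (subject_id,))
        conn.execute("DELETE FROM customers WHERE id = ?", (subject_id,))
        conn.execute("INSERT OR REPLACE INTO erasure_log VALUES (?, ?, ?)",
                     (subject_id, today.isoformat(), deadline))


def remaining_personal_data(conn, subject_id):
    """Follow-up check: how many rows across all tables still hold the subject's data."""
    n = conn.execute("SELECT COUNT(*) FROM customers WHERE id = ?", (subject_id,)).fetchone()[0]
    n += conn.execute("SELECT COUNT(*) FROM orders WHERE customer_id = ?", (subject_id,)).fetchone()[0]
    return n


def restore_from_backup(backup_conn, erased_ids):
    """Restore a backup into a fresh live database and replay the logged erasures."""
    live = sqlite3.connect(":memory:")
    backup_conn.backup(live)  # sqlite3's online-backup API copies the whole database
    with live:
        for subject_id in erased_ids:
            live.execute("DELETE FROM orders WHERE customer_id = ?", (subject_id,))
            live.execute("DELETE FROM customers WHERE id = ?", (subject_id,))
    return live


def purge_expired_log_entries(conn, today):
    """Apply the log's own deletion deadline; returns the number of entries removed."""
    cur = conn.execute("DELETE FROM erasure_log WHERE log_delete_by <= ?", (today.isoformat(),))
    conn.commit()
    return cur.rowcount


def demo(today=date(2019, 3, 1)):
    """Walk through the guide's points; returns the follow-up counts at each stage."""
    live = new_db()
    backup = sqlite3.connect(":memory:")
    live.backup(backup)  # snapshot taken before the erasure request arrives

    soft_delete(live, 1, today)
    after_soft = remaining_personal_data(live, 1)    # still 2 rows: not a real deletion
    erase(live, 1, today)
    after_erase = remaining_personal_data(live, 1)   # 0 rows

    erased_ids = [r[0] for r in live.execute("SELECT subject_id FROM erasure_log")]
    naive_restore = remaining_personal_data(restore_from_backup(backup, []), 1)        # 2: resurrected
    replayed_restore = remaining_personal_data(restore_from_backup(backup, erased_ids), 1)  # 0

    purged_early = purge_expired_log_entries(live, today)                       # 0: deadline not reached
    purged_late = purge_expired_log_entries(live, today + timedelta(days=366))  # 1: log entry removed
    return (after_soft, after_erase, naive_restore, replayed_restore, purged_early, purged_late)


if __name__ == "__main__":
    print(demo())  # (2, 0, 2, 0, 0, 1)
```

The erasure log deliberately stores only the subject ID and dates, so the accountability record does not itself become a copy of the data that was supposed to be gone; the ID list is also what the restore step needs to replay the erasures.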

Read the guide.

Enforcement is increasing under the EU-US Privacy Shield Framework for cross-border transfer of personal data. A report published by the European regulator, the European Data Protection Board (EDPB), lists enforcement initiatives by the Department of Commerce (DoC) and the FTC.

  • On a quarterly basis the DoC conducts “false claims reviews” to identify organizations that have started but not finished an initial or re-certification or that did not submit their annual recertification.
  • The DoC performs random web searches for false claims of participation in the program.
  • The DoC performed a sweep of 100 randomly chosen organizations.
  • The DoC designated a person to follow the media and to do keyword searches to identify possible breaches of the Privacy Shield commitment.
  • The DoC performs regular checks for broken links to the privacy policy on the Privacy Shield list.
  • This year the FTC brought 5 new Privacy Shield cases.
  • The FTC investigates Privacy Shield-related referrals (approximately 100).
  • The FTC started to send Civil Investigation Demands (CIDs) proactively to monitor compliance with the Privacy Shield principles.

Details in the Second Annual Joint Review.

Key takeaways from the European Commission (EC) decision holding Japan as providing adequate protection to personal data:

  • Japan ensures an adequate level of protection for personal data transferred from the EU to Japan pursuant to the Japanese Act on the Protection of Personal Information (APPI), as complemented by the stricter Supplementary Rules and by official representations, assurances and commitments received from Japan.
  • The Personal Information Protection Commission (PPC) is empowered to adopt “Guidelines” for the actions to be taken by a business operator under the data protection rules.
  • To comply with the Supplemental Rules, Japanese business operators receiving and/or further processing personal data from the EU need to ensure (e.g. by technical (“tagging”) or organisational means (storing in a dedicated database)) that they can identify such personal data throughout their “life cycle.”

Excluded from the adequacy decision are:

  • broadcasting institutions, newspaper publishers, communication agencies or other press organisations
  • professional writers
  • universities and academic institutions
  • religious bodies
  • political bodies

Read the full text of the decision.

EU-US Privacy Shield Framework 2nd annual review: per the European regulator, the European Data Protection Board (EDPB), the U.S. has made significant progress but some issues remain.

Progress includes: 

  • Adapting the initial certification process to avoid inconsistencies between the Privacy Shield List and the representations made by the organizations on their websites
  • Oversight and enforcement actions by the US Department of Commerce (DoC) and the FTC
  • Further guidance by DoC for EU individuals and for US business

Outstanding issues include:

  • Enforcement of compliance with the substance of the Privacy Shield principles
  • Enforcement of “onward transfers” of personal information to third parties
  • Clarification of Privacy Shield requirements regarding HR data
  • Refinement of the re-certification process
  • Addressing data subject rights
  • Lack of guarantees on transfers for regulatory purposes in the medical context
  • Lack of specific rules on automated decision making
  • Overly broad exemption for publicly available information.

Details in the full text of the Second Annual Joint Review.

A total of 41 fines have reportedly been issued for GDPR violations across the various German states.

Violations included:

  • A clinic accidentally handed over a copy of a severely handicapped person’s ID card to the wrong patient.
  • Bank customers were able to see the bank statements of third parties in online banking.
  • Web shop customer data was copied without authorization following a hacker attack.
  • A hotel could not rule out that by an extortionate hacker attack, credit card or other customer data from its booking system fell into the wrong hands.
  • In a fire department in the state of Bremen all phone calls were recorded, not only the emergency calls but all outgoing and incoming calls.
  • Advertising mailings, dashcam use and open e-mail distribution lists were also the subjects of fines.

Details from Handelsblatt.

GDPR is here and is instrumental in bolstering individuals’ rights to their data.

The European Commission has issued a statement in honor of Data Protection Day which will be celebrated worldwide on January 28.

Some highlights:

  • Individuals’ data is one of the most valuable resources in the modern economy.
  • One of the main aims of the General Data Protection Regulation (GDPR) is to empower people and give them more control of their data.
  • In order to achieve this goal, people must become fully aware of their rights and the consequences of their decisions.
  • The effects of GDPR are already noticeable. People are more aware of their rights and exercising them. The EU data protection authorities have received more than 95,000 GDPR complaints.
  • With GDPR, and its requirements for cross-border data exchanges, Europe strives to ensure strong privacy rules at home but also to lead the way globally.

Full details here from the EU.

Japan is the latest country to be recognized by the European Union as providing adequate protection to data. The decision is one of mutual adequacy and creates the world’s largest area of safe data flows.

Per European commissioner Vera Jourova: “Europeans’ data will benefit from high privacy standards when their data is transferred to Japan. Our companies will also benefit from a privileged access to a 127 million consumers’ market.”

Before the adoption of the decision, Japan implemented additional safeguards to guarantee that data transferred from the EU enjoys protection in line with European standards. This included:

  • a set of supplementary rules to bridge differences between the two data protection systems (specifically regarding sensitive data, the exercise of individual rights and cross border data transfers).
  • assurances from the Japanese government that the access of Japanese public authorities to personal data for criminal law enforcement and national security purposes would be limited to what is necessary and proportionate
  • a complaint handling mechanism to investigate and resolve complaints from Europeans regarding access to their data

Details from the International Association of Privacy Professionals.


When responding to a data subject access request under the EU General Data Protection Regulation (GDPR) you must disclose all the relevant personal data you hold and provide all information required by Article 15 of GDPR – all in a clear, easy-to-understand way. A new complaint by public interest organization NOYB against media streaming services shines a spotlight on this GDPR right:

To comply with the right to access, controllers must disclose all data they hold and which could render the individual identifiable, including cookies, online identifiers, tracking technologies, beacons, IP addresses, pixels tags or device identifiers. You must disclose:

  • purpose
  • categories
  • recipients
  • retention
  • sources (if not the individual)
  • transfers outside the EU
  • the individual’s right to request rectification, restriction of or objection to processing
  • the individual’s right to lodge a complaint
  • the existence of automated processing / profiling

You must provide the information in a manner clearly readable by the average consumer. Machine readable format will not suffice without also providing an explanation, software or other means to make the data readable and understandable.

Details from NOYB.

A 50 million euro GDPR fine recently issued by the French data protection authority CNIL provides actionable lessons for companies handling personal information for advertising purposes. First and foremost, refrain from block consents and state your data handling practices clearly:

  • make sure information you provide users is easily accessible
  • tell people why you process their information, for how long you keep it and the categories of it
  • put the information in one or limited locations
  • refrain from requiring multiple actions to access the necessary information
  • describe your purposes specifically, and clearly.

Vague statements like “any of the following purposes may apply” will not suffice. When relying on consent:

  1. Provide clear disclosure in a centralized location. This is particularly important if the processing is complex, uses information from different sources or involves sensitive information.
  2. Require action by the user to signify consent (no pre-checked checkboxes).
  3. Use separate call-outs for each purpose. Statements like “I accept that my information is used as described above” may not suffice.

Details from CNIL.

More here from Law360.

Does your company have a processing agreement with each service provider that handles personal information for you as required by the EU General Data Protection Regulation (GDPR)?

If you don’t, it may cost you 5,000 EUR per missing agreement – says the data protection authority of Hesse, Germany.

Following a complaint, the Hessian DPA investigated and learned that the data controller (a small shipping company) did not have a data processing agreement, as required by Art. 28 of GDPR, with its Spanish service provider, and subsequently issued the 5,000 EUR fine. This comes only a few days after the Dutch data protection authority reported that it had requested information about such agreements from 30 companies in the Netherlands.

Details from Heise Online.