– Giovanni Buttarelli has Passed Away –
Giovanni Buttarelli, the European Data Protection Supervisor, passed away on 20 August. The EDPS stated: ‘It is with the deepest regret that we announce the loss of Giovanni Buttarelli, the European Data Protection Supervisor. Giovanni passed away surrounded by his family in Italy, last night, 20 August 2019.’ This is truly sad news. Giovanni touched all members of the privacy community, both in Europe and beyond. He will be fondly remembered both for his amiable character and for his insightful and intelligent contributions to privacy discussions and policy.
– Irish DPA Guidance on Data Breaches –
The Irish DPA has released Guidance on data breach notifications under the GDPR. The guidance is welcome in clarifying one of the novelties of the GDPR – although breach notification obligations already existed for providers of electronic communications services under ePrivacy legislation. The guidance is particularly useful in its reiteration that a data breach constitutes ‘a security incident that negatively impacts the confidentiality, integrity, or availability of personal data’, in its clarification that the default position must be to report a breach to the supervisory authority, and in its clarification of the time scales for breach notification (notification to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach). There are, however, criticisms to be made of the Guidance, two of which seem particularly relevant. First, the suggestion that a data breach means the ‘controller is unable to ensure compliance with the principles relating to the processing of personal data as outlined in Article 5 GDPR’ seems unhelpful – a breach can occur whether or not the controller is otherwise compliant, and a failure of compliance is not in itself a breach. Second, the Guidance shies away from clarifying how controllers should understand, and calculate, the degree of risk a data breach poses to data subjects’ rights – the key threshold concept determining whether the obligations to notify the supervisory authority (Article 33) and to communicate the breach to affected data subjects (Article 34) apply.
– European Parliament Studies on the GDPR: Blockchain and Scientific Research –
The European Parliament has released two studies. The first study examines the tension between the GDPR and blockchain technologies. The study concludes that, on the one hand, blockchain technologies may have difficulty complying with the GDPR. The study highlights, for example, the fact that blockchain technologies may not rely on one single controller and that there will be considerable practical difficulty in applying the rules on joint controllers. This distributed responsibility raises problems, in particular, in relation to accountability and to the rectification and deletion of data – rectification or deletion in one segment of the blockchain does not automatically lead to rectification or deletion in the other segments. On the other hand, blockchain may also support the objectives of the GDPR. The study highlights, for example, that blockchain technologies may offer more transparency in data processing operations and may make it easier for data subjects to exercise their right of access to personal data. The second study focuses on the implications of the GDPR for scientific research. The study concludes that the impact of the GDPR will depend on the type of research and on the scientific domain in question. The study recognises that, while some types of research may be negatively affected by the GDPR and ambiguities remain as to its applicability, scientific research could also benefit from the GDPR. The study highlights, for example, the potential benefits of the GDPR’s data security and data subject rights provisions.
- https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf
- http://www.europarl.europa.eu/RegData/etudes/STUD/2019/634447/EPRS_STU(2019)634447_EN.pdf
– ISO Releases Privacy Management Standard –
The International Organization for Standardization (ISO) has released a global privacy information management standard (ISO/IEC 27701, an extension to the ISO/IEC 27001 and 27002 information security standards). The standard purports to be adaptable to the requirements of the GDPR and of European data protection law. The ISO is a highly significant international standard-setting body and, accordingly, the standard will likely become a reference point in privacy management and GDPR compliance in Europe. Indeed, previous standards and approaches adopted by the ISO have already played a role in shaping European data protection discussions – the ISO’s risk management approach, for example, has been highlighted as a template for the construction of Data Protection Impact Assessment methodologies. It remains unclear, however, what role, and in what form, the standard will play in privacy management and compliance in Europe. An in-depth investigation of the degree to which the standard corresponds with – or deviates from – the obligations outlined in the GDPR would now be welcome; certification against the standard is not, in itself, evidence of GDPR compliance.
– ICO Investigates Facial Recognition Technology –
The ICO has opened an investigation into the deployment of facial recognition technology at King’s Cross, London. The investigation follows media coverage of the fact that the technology had been deployed, with the stated justification of ensuring public safety, without informing the public. The ICO states: ‘My office and the judiciary are both independently considering the legal issues and whether the current framework has kept pace with emerging technologies and people’s expectations about how their most sensitive personal data is used.’ This comment not only signals that there may be legal compliance issues but also alludes to possible weaknesses in the legal framework as such. The ICO investigation is particularly significant given the general increase in concern surrounding the deployment of facial recognition technologies and the risks these pose. The ICO’s final conclusions and recommendations will thus likely have implications for the discussion of the regulation of facial recognition technologies across Europe.
– Germany Braces for Huge Fines –
The Data Protection Authority in Berlin has confirmed that it may soon impose a fine of tens of millions of Euros on a private company for infringements of the GDPR. For legal reasons, the DPA has named neither the company against which the fine may be imposed nor the infringement for which it may be imposed. If the fine is eventually imposed at the levels discussed, the German DPAs would join the French and UK DPAs in having imposed, or announced their intention to impose, multi-million Euro fines. The move by the Berlin DPA is another indicator that DPAs will not shy away from using their newly vested powers to enforce GDPR compliance. On the one hand, the fact that DPAs in more European states seem willing to impose such fines will certainly encourage companies in the EU, and worldwide, to step up their GDPR compliance activities. On the other hand, such fines may lead to an industry backlash against the GDPR and a general chill in relations between industry and DPAs.
– EDPS: Information and the Environment Podcast –
The third episode of the EDPS’ #DebatingEthics podcast deals with the relationship between the information society and its environmental impact. As the EDPS put it: ‘We think of digital as being virtual and non-physical, and of technology as a tool to help us do more with less. Yet, behind the life cycle of our digital tools lies a vast network, involving human and natural exploitation, continuous energy consumption and pollution.’ Environmental protection is one of the most significant tasks faced by contemporary societies. Yet the environmental impact of digitisation is scarcely discussed. Information societies run on the back of technological infrastructure. This infrastructure both requires huge – and increasing – quantities of energy to function and generates its own waste by-products and pollutants. Information societies thus cannot be conceptually separated from the natural and human environments they inhabit. It is refreshing that an actor as significant as the EDPS has this theme on its agenda.