{"id":72131,"date":"2020-04-30T21:07:21","date_gmt":"2020-04-30T19:07:21","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-22\/"},"modified":"2020-04-30T21:07:21","modified_gmt":"2020-04-30T19:07:21","slug":"data-protection-insider-issue-22","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-22\/","title":{"rendered":"Data Protection Insider, Issue 22"},"content":{"rendered":"<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/news\/news_en\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211;\u00a0<\/strong><strong>EDPB Holds 21<sup>st<\/sup>-24<sup>th<\/sup> Plenary Sessions &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">Since the 7<sup>th<\/sup> April, the EDPB has held four Plenary Sessions. The focus of each of these sessions has been data protection in relation to the COVID-19 outbreak. <a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/news\/news_en\" target=\"_blank\" rel=\"noopener\">Across these sessions, the EDPB has adopted the following six documents<\/a>:<\/span><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\">\n<ul>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">A response to a letter from the United States Mission to the European Union concerning transfers of health data for research purposes, enabling international cooperation for the development of a vaccine.<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">A response to a request from MEPs Lucia \u010euri\u0161 Nicholsonov\u00e1 and Eugen Jurzyca concerning the applicability of data protection rules in relation to the COVID-19 outbreak.<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">A response to two letters from Sophie In &#8216;t Veld MEP, concerning the latest technologies that are being developed in order to fight the spread of COVID-19.<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Guidelines on the processing of health data for research purposes in the context of the COVID-19 outbreak.<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Guidelines on geolocation and other tracing tools in the context of the COVID-19 outbreak.<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">A letter concerning the European Commission&#8217;s draft Guidance on apps supporting the fight against the COVID-19 pandemic.<\/span><\/li>\n<\/ul>\n<p style=\"line-height: 18px; word-break: break-word;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">Documents which are not yet available on the EDBP\u2019s website should be made available shortly, following internal checks.<\/span><\/p>\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">\u00a0<\/span><\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\">\u00a0<a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/sites\/edpb\/files\/files\/file1\/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211;\u00a0<\/strong><\/span><span style=\"font-size: 14px; line-height: 21px;\"><strong>EDPB Guidelines on Health Data, Scientific Research and COVID-19 &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 21<sup>st<\/sup> April 2020, the EDPB published a set of Guidelines on the processing of health data for scientific research in relation to the COVID-19 outbreak. The Guidelines are relatively short \u2013 at only 13 pages \u2013 and aim to provide an overview of the applicability of data protection rules to scientific research activities concerning COVID-19. <a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/sites\/edpb\/files\/files\/file1\/edpb_guidelines_202003_healthdatascientificresearchcovid19_en.pdf\" target=\"_blank\" rel=\"noopener\">The bulk of the Guidelines will thus hold few surprises for data protection experts and do not delve into many questions of law in need of clarification \u2013 for example, how secondary scientific processing should be legitimated under Article 5(1)(b) or what the concept of \u2018specific\u2019 national law under Article 9(2)(j) implies<\/a>. Despite their general nature, the Guidelines are nevertheless worth reading. First, the Guidelines contain some novel clarifications as to the interplay between data protection and scientific research. For example, the Guidelines offer useful guidance and clarification of transparency obligations under Article 14 GDPR and as to exceptions to these obligations. Second, the Guidelines also contain certain comments likely to raise eyebrows. For example, the Guidelines assert that: \u2018It has to be noted that there is no ranking between the legal bases stipulated in the GDPR.\u2019 Whilst this assertion is true when one considers only the text of the GDPR, in relation to any given scientific context, other relevant legal and ethical principles will play a role in defining the appropriate legal basis.<\/span><\/p>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/sites\/edpb\/files\/files\/file1\/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\"><strong>&#8211; EDPB Adopts Guidance on Corona Apps &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\">\n<p style=\"word-break: break-word; line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">In its Plenary Meetings in April 2020, one of the topics the EDPB focused on was the deployment of apps designed to assist in the fight against the virus \u2013 including apps which aim to model the spread of the virus and contact tracing apps to inform individuals whether they have been in contact with someone infected with the virus. <a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/sites\/edpb\/files\/files\/file1\/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf\" target=\"_blank\" rel=\"noopener\">The outcome of discussions was a set of recommendations and guidance on app development and deployment<\/a>. The key recommendations can be summarized as follows: app usage should be voluntary \u2013 this should be distinguished from the suggestion that consent is the basis for data processing; data minimisation should be ensured \u2013 for example via the anonymisation or pseudonymisation of data: the proximity of users, instead of their location, should be traced; the controller should be clearly defined; apps\u2019 functions should correspond strictly to the originally defined purpose; apps must have a legal basis for operation under data protection law \u2013 under the GDPR and, if relevant, under ePrivacy; apps should have proportionate data storage limits in place; apps should ensure the accuracy of data processing \u2013 for example, by auditing the algorithms, carrying out processing; and apps should always ensure proper security. The guidelines also stress the fact that such apps have technical limitations which should be considered. In this regard, careful consideration should always be paid to the question of how far apps can really assist public health systems. The issued guidelines are, exceptionally, not subject to public consultation due to the urgency of the issue discussed. It is yet to be seen whether, and to what degree, the Guidelines will be followed across Europe given apps have already been deployed which do not seem to conform to the above recommendations \u2013 for example because they have been designed from the outset to serve different purposes and\/or because they do not include limited data storage periods.<\/span><\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\">\u00a0<a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/health\/sites\/health\/files\/ehealth\/docs\/covid-19_apps_en.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211;\u00a0<\/strong><\/span><span style=\"font-size: 14px; line-height: 21px;\"><strong>European Commission Releases Toolbox on COVID-19 Contact Tracing Apps &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 16<sup>th<\/sup> April, the European eHealth Network, with the support of the European Commission, released the document: \u2018Mobile applications to support contact tracing in the EU\u2019s fight against COVID-19: Common EU Toolbox for Member States\u2019. The document is based on the recognitions that: i) tracing apps offer potential to assist in effective contact tracing in EU Member States; ii) tracing apps deployed \u2018without appropriate safeguards\u2026could have a significant negative effect on privacy and individual rights and freedoms\u2019; and iii) \u2018<a style=\"text-decoration: underline;\" href=\"https:\/\/ec.europa.eu\/health\/sites\/health\/files\/ehealth\/docs\/covid-19_apps_en.pdf\" target=\"_blank\" rel=\"noopener\">[a] fragmented and uncoordinated approach to contact tracing apps risks hampering the effectiveness of measures aimed at combating the COVID-19 crisis, whilst also causing adverse effects to the single market and to fundamental rights and freedoms<\/a>\u2019. The toolbox thus aims to provide a common orientation for Member States in the development and deployment of tracing apps, such that these apps: \u2018exploit the latest privacy-enhancing technological solutions that enable at-risk individuals to be contacted and, if necessarily, to be tested as quickly as possible, regardless of where she is and the app she is using.\u2019 In this regard, the Toolbox outlines a set of basic requirements for tracing apps. These requirements include, in line with those outlined by the EDPB: the requirement that apps be voluntary; the requirement that apps be approved by the relevant national health authority; the requirement that apps be privacy preserving; and the requirement that apps be dismantled as soon as they are not needed. Given the rapidly changing nature of the public health situation, as well as the rapidly changing nature of the development and deployment of tracing apps, the toolbox will be updated as necessary.<\/span><\/p>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/iapp.org\/news\/a\/cnil-launches-public-consultation-on-minors-digital-rights\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\"><strong>&#8211; CNIL Launches Public Consultation on Children\u2019s Privacy &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">The CNIL has launched a public consultation on three topics related to children\u2019s privacy:<\/span><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\">\n<ul>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">The legal capacity of children to take part in online activities.<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">The implementation of means to verify the age of the children and the collection of their consent.<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">The exercise of children\u2019s data subject rights.<\/span><\/li>\n<\/ul>\n<p style=\"line-height: 18px; word-break: break-word;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">The consultation is open until 1<sup>st<\/sup> June 2020. Feedback will help the CNIL elaborate recommendations concerning the above topics. <a style=\"text-decoration: underline;\" href=\"https:\/\/iapp.org\/news\/a\/cnil-launches-public-consultation-on-minors-digital-rights\/\" target=\"_blank\" rel=\"noopener\">The consultation signals the importance of data protection matters in relation to children and minors<\/a>. The questions subject to consultation remain largely unaddressed in data protection discussions \u2013 despite their importance for guaranteeing the effective protection for children. In this regard, the consultation is welcome and will hopefully trigger a productive debate leading to concrete recommendations.<\/span><\/p>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/www.theguardian.com\/world\/2020\/apr\/22\/ministers-plan-to-give-more-uk-public-bodies-power-to-hack-phones\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\"><strong>&#8211; UK Plans to Expand \u2018Snooper\u2019s Charter\u2019 &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\">\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/www.theguardian.com\/world\/2020\/apr\/22\/ministers-plan-to-give-more-uk-public-bodies-power-to-hack-phones\" target=\"_blank\" rel=\"noopener\">The UK government is planning to give five additional public authorities \u2013 in addition to law enforcement authorities \u2013 access to the electronic data of phone and internet users under UK Data Retention legislation<\/a>: the Civil Nuclear Constabulary; the Environment Agency; the Insolvency Service; the UK National Authority for Counter Eavesdropping (UKNACE); and the Pensions Regulator. The proposal still needs to be debated and voted on by the Parliament. The motivation for the proposed amendment is that these five authorities are \u201cincreasingly unable to rely on local police forces to investigate crimes on their behalf.\u201d From the Memorandum to the proposed amendments, it remains unclear why the local police forces cannot perform the investigations. On one hand, the justification could be the increase in the crimes these agencies have to deal with \u2013 for example, the Memorandum talks of 40,000 suspected environmental offences annually. On the other hand, the justification could be cuts to police forces and their reduced resources \u2013 i.e. the planned increased access to communication data might function as a compensation for the lack of police capacity. Significantly, the Memorandum does not seem to consider the data protection implications of the increased access to individuals\u2019 data implied by the proposals. In this regard, the reader may recall that there are ongoing court cases which challenge, amongst others, the legality and proportionality of access to communications data for law enforcement purposes in Europe \u2013 as previously discussed in Data Protection Insider. The outcome of such challenges will need to be considered when assessing legality of the proposed enhanced access.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&#8211;\u00a0EDPB Holds 21st-24th Plenary Sessions &#8211; Since the 7th April, the EDPB has held four [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72131","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72131"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72131\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72131"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72131"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}