{"id":72180,"date":"2020-09-29T21:32:29","date_gmt":"2020-09-29T19:32:29","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-32\/"},"modified":"2020-09-29T21:32:29","modified_gmt":"2020-09-29T19:32:29","slug":"data-protection-insider-issue-32","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-32\/","title":{"rendered":"Data Protection Insider, Issue 32"},"content":{"rendered":"<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/sites\/edpb\/files\/files\/file1\/20200914plen1.2_agenda_public.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211;\u00a0<\/strong><strong>EDPB 38<sup>th<\/sup> Plenary Session &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 14<sup>th<\/sup> September, the EDPB held its 38<sup>th<\/sup> Plenary Session. There have been no official announcements concerning the proceedings or outcomes of the session on the EDPB\u2019s website. 
The agenda for the session, however, indicates the following significant matters, amongst others, were discussed: <\/span><\/p>\n<ul>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018Information regarding the exchange of views with the LIBE Committee on the recent CJEU Schrems II judgment\u2019;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018WSJ recent press article &#8211; Sharing information on salient topics escalated in public sphere\u2019 (we presume the article referred to is that published on September 9<sup>th<\/sup> 2020 concerning the Irish DPC and Facebook);<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018Task force 101 complaints\u2019 (we presume this refers to the 101 complaints filed by NOYB concerning international data flows \u2013 see also the story on noyb\u2019s complaints below);<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">The work of the Enforcement Expert Subgroup on a \u2018Coordinated Enforcement Framework\u2019 and on the \u2018Exchange of Information in Relevant Cases\u2019;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">The work of the Cooperation Expert Subgroup on \u2018Administrative cooperation between EU and Supervisory Authorities in third countries\u2019. 
<\/span><\/li>\n<\/ul>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/info\/sites\/info\/files\/research_and_innovation\/ethics_of_connected_and_automated_vehicles_report.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211;\u00a0<\/strong><\/span><span style=\"font-size: 14px; line-height: 21px;\"><strong>European Commission Publishes \u2018Ethics of Connected and Automated Vehicles\u2019 &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">The European Commission has just published the Expert Group report <a style=\"text-decoration: underline;\" href=\"https:\/\/ec.europa.eu\/info\/sites\/info\/files\/research_and_innovation\/ethics_of_connected_and_automated_vehicles_report.pdf\" target=\"_blank\" rel=\"noopener\">\u2018Ethics of Connected and Automated Vehicles: Recommendations on road safety, privacy, fairness, explainability and responsibility\u2019<\/a>. The report aims to \u2018promote a safe and responsible transition to connected and automated vehicles (CAVs) by supporting stakeholders in the systematic inclusion of ethical considerations in the development and regulation of CAVs\u2019. 
Of particular interest to the privacy and data protection community will be the two chapters of the report on \u2018Data and Algorithm Ethics: Privacy, Fairness, Explainability\u2019 and on \u2018Responsibility\u2019. The report promotes a number of logical recommendations concerning CAVs, including that: \u2018agile and continuous consent\u2019 approaches to consent for CAVs be introduced \u2013 especially in light of the volume and variety of data collected; \u2018[p]olicymakers, with assistance from researchers, should develop legal guidelines that protect individuals\u2019 rights at group levels (e.g driver, pedestrian, passenger or other drivers\u2019 rights) and should outline strategies to resolve possible conflicts between data subjects that have claims over the same data\u2019; there is a need to \u2018develop transparency strategies to inform users and pedestrians about data collection and associated rights\u2019; and \u2018CAVs should be designed and operated in ways that neither discriminate against individuals or groups of users, nor create or reinforce large-scale social inequalities among users\u2019. 
Whether, and to which degree, the recommendations in the report are pursued by policymakers, remains to be seen.<\/span><\/p>\n<p>&nbsp;<\/p>\n<\/div>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/www.cnil.fr\/fr\/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles-par-les\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211;\u00a0<\/strong><\/span><span style=\"font-size: 14px; line-height: 21px;\"><strong>CNIL Guidance on the Processing of Employee Data During COVID-19 &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 23<sup>rd<\/sup> September the CNIL released <a style=\"text-decoration: underline;\" href=\"https:\/\/www.cnil.fr\/fr\/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles-par-les\" target=\"_blank\" rel=\"noopener\">guidelines to employers concerning compliance with the GDPR regarding the monitoring of employees\u2019 health during the COVID-19 crisis<\/a>. The guidance goes into detail with regard to the following four issues: measuring employee temperature upon entry into the workspace; carrying out serological tests and sending health questionnaires to the employees; work re-organisation via the usage of software; and data processing in the framework of the work continuation plan. 
The CNIL emphasizes, in particular, that whereas employers may process health related data in the context of the current crisis under the current legal framework, the limits imposed by the GDPR have to be respected \u2013 e.g. the principle of data minimisation in relation to the amount of (health) data an employer may collect \u2013 and reminds employers that health data are sensitive data, whose processing should remain an exception. It is positive that data protection supervisory authorities keep reminding controllers of the need for compliance with the GDPR whilst highlighting the possibilities for processing personal data in the context of the pandemic. This demonstrates the flexibility of the GDPR as an instrument which strikes a fair balance between data protection and other societal interests.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/www.parlament.ch\/de\/services\/news\/Seiten\/2020\/20200925102019419194158159041_bsd050.aspx\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211;\u00a0<\/strong><\/span><span style=\"font-size: 14px; line-height: 21px;\"><strong>Swiss Data Protection Law Adjusted toward the GDPR &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">Last week, the Swiss Parliament passed a new law concerning the total revision of the Swiss Federal Data Protection Law. 
In short, <a style=\"text-decoration: underline;\" href=\"https:\/\/www.parlament.ch\/de\/services\/news\/Seiten\/2020\/20200925102019419194158159041_bsd050.aspx\" target=\"_blank\" rel=\"noopener\">the new law seeks to adapt the existing Swiss legislation on data protection in the private and public sectors toward the approach of the EU data protection framework<\/a>. Some have noted, however, that the new law does contain significant differences to the GDPR and LED. These differences include weaker provisions on consent as well as the ease with which personal data may be transferred to foreign authorities. They further argue that the provision on restricting the processing of non-personal data, e.g. for statistical purposes, is more strictly regulated. The new Data Protection Act is supposed to come into effect in 2022. The Swiss Data Protection Commissioner has expressed support for the new law and will publish a more detailed review after the referendum. The new Swiss law proves once again that EU data protection standards have an influence on third countries.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/noyb.eu\/en\/update-noybs-101-complaints-eu-us-data-transfers\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\"><strong>&#8211; noyb Complaints Receive Limited Response &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\">\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\">In August of this year, the NGO <a style=\"text-decoration: 
underline;\" href=\"https:\/\/noyb.eu\/en\/update-noybs-101-complaints-eu-us-data-transfers\" target=\"_blank\" rel=\"noopener\">noyb filed 101 complaints<\/a> \u2018against several companies based in the EU\/EEA because they continue to use Google Analytics and Facebook Connect on their websites \u2013 thereby transferring personal data to Google and Facebook in the US.\u2019 On 22nd September, noyb followed up on the progress of these complaints and informed the public that there has been \u2018[h]ardly any reaction from the companies concerned\u2019. In fact, it seems that \u2018only two companies and one university have contacted noyb \u2013 all of them based in Liechtenstein.\u2019 It is interesting that NOYB has received so little response from the companies involved. This lack of response will also become more interesting as time goes on and as the complaints progress. What would be more interesting to know, however, is the reason that companies have not responded. Are they simply ignoring the CJEU <em>Schrems<\/em> II decision and hoping the limitations the case puts on international data flows will somehow disappear? Are they hoping that the limitations placed by the case will, over time, begin to be ignored by the relevant authorities? Are they hoping that further guidance will appear which will allow them to adapt existing practices and legally continue with existing transfers \u2013 for example forthcoming guidance from the EDPB concerning safeguards and bilateral agreements? Or are they working to find alternative solutions and adapting practices in line with the case before making their actions public? 
Further research into such questions would be most welcome.<\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/g8fip1kplyr33r3krz5b97d1-wpengine.netdna-ssl.com\/wp-content\/uploads\/2020\/09\/JohnnyRyanDocumnet.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\"><strong>&#8211; RTB Complaint to the Irish DPC &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 21<sup>st<\/sup> September Johnny Ryan of the Irish Council for Civil Liberties made a submission to the Irish DPC \u2013 following up on his complaint with the same authority from two years ago \u2013 concerning the data protection breaches which occur in the framework of real-time bidding (RTB). <a style=\"text-decoration: underline;\" href=\"https:\/\/g8fip1kplyr33r3krz5b97d1-wpengine.netdna-ssl.com\/wp-content\/uploads\/2020\/09\/JohnnyRyanDocumnet.pdf\" target=\"_blank\" rel=\"noopener\">The complaint focuses on the fact that, through the data disclosed to companies via RTB, a large quantity of sensitive information is collected on internet users which is then used to influence our behaviour in different contexts<\/a>. We note that the submission is significant for two reasons. First, it adds to the momentum which scrutiny of the data protection breaches or risks posed by RTB is gaining. 
Second, the submission contains very interesting technical and factual information for researchers and policymakers concerning how RTB actually functions and how its practices are at odds with the GDPR.<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&#8211;\u00a0EDPB 38th Plenary Session &#8211; On 14th September, the EDPB held its 38th Plenary Session. [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72180","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72180","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72180"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72180\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72180"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72180"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}