{"id":72256,"date":"2021-06-17T22:15:59","date_gmt":"2021-06-17T20:15:59","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-49\/"},"modified":"2021-06-17T22:15:59","modified_gmt":"2021-06-17T20:15:59","slug":"data-protection-insider-issue-49","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-49\/","title":{"rendered":"Data Protection Insider, Issue 49"},"content":{"rendered":"<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><strong><a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_21_2847\" target=\"_blank\" rel=\"noopener\"><em>&#8211; Commission Publishes New SCCs &#8211;<\/em><\/a><\/strong><\/p>\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_21_2847\" target=\"_blank\" rel=\"noopener\">On 4th June, the European Commission \u2018adopted two sets of standard contractual clauses, one for use between controllers and processors and one for the transfer of personal data to third countries.\u2019<\/a> In terms of law, the Commission asserts that the new SCCs take into account requirements under the GDPR as well as the CJEU\u2019s elaborations on international transfers in <em>Schrems II<\/em>. In terms of practice, the Commission suggests that \u2018these new tools will offer more legal predictability to European businesses and help, in particular, SMEs to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers.\u2019 The Commission highlights a set of innovative features in the new SCCs, including:<\/span><\/p>\n<ul>\n<li style=\"font-size: 14px; line-height: 21px;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018Update in line with the [GDPR];<\/span><\/li>\n<li style=\"font-size: 14px; line-height: 21px;\"><span style=\"font-size: 14px; line-height: 21px;\">One single entry-point covering a broad range of transfer scenarios, instead of separate sets of clauses;<\/span><\/li>\n<li style=\"font-size: 14px; line-height: 21px;\"><span style=\"font-size: 14px; line-height: 21px;\">More flexibility for complex processing chains, through a \u2018modular approach&#8217; and by offering the possibility for more than two parties to join and use the clauses;<\/span><\/li>\n<li style=\"font-size: 14px; line-height: 21px;\"><span style=\"font-size: 14px; line-height: 21px;\">Practical toolbox to comply with the <em>Schrems II<\/em> judgment; i.e. an overview of the different steps companies have to take to comply with the <em>Schrems II<\/em> judgment as well as examples of possible \u2018supplementary measures&#8217;, such as encryption, that companies may take if necessary\u2019.<\/span><\/li>\n<\/ul>\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">A transition period of 18 months is now in effect concerning international processing operations legitimated under the old SCCs. Whether the new SCCs can deliver on their promises remains to be seen. We would also note that reliance on the new SCCs alone cannot lift the general obligation that all transfers of personal data outside the EU must maintain an \u2018essentially equivalent\u2019 standard of protection to that available in the EU \u2013 as elaborated, for example, in <em>Schrems II<\/em>.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><strong><span style=\"font-size: 14px; line-height: 21px;\">&#8211; <\/span><\/strong><strong><a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/IP_21_2663?f\" target=\"_blank\" rel=\"noopener\">Commission Adopts Digital ID Proposal<\/a><\/strong><strong><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/search.coe.int\/cm\/pages\/result_details.aspx?ObjectId=0900001680a2436a\" target=\"_blank\" rel=\"noopener\">&#8211;<\/a><\/span><\/strong><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/IP_21_2663?f\" target=\"_blank\" rel=\"noopener\">On 3rd June, the Commission adopted a proposal concerning e-IDs which will build on the existing Member State schemes for digital IDs<\/a>. Under the new scheme, the digital IDs, called \u2018European Digital Identity Wallets\u2019, will \u2018allow (\u2026) citizens to digitally identify themselves, store and manage identity data and official documents in electronic format. These may include a driving licence, medical prescriptions or education qualifications. With the wallet, citizens will be able to prove their identity where necessary to access services online, to share digital documents, or simply to prove a specific personal attribute, such as age, without revealing their identity or other personal details.\u2019 The proposal is supposed bring the following four main amendments to the existing scheme. First, the European Digital Identity Wallets will now be available to every EU citizen and resident and will be accepted in all Member States. Second, all public and some private service providers in the EU will be obliged to accept the eIDs issued by all the Member States. Third, the new Digital Identity scheme may be used both online and offline. Fourth, the Commission is proposing interoperability standards to enable the cross-border usage of the scheme and is also working on establishing a high level of security of the personal data processed by the application. The scheme is supposed to remain voluntary, i.e. citizens and residents remain free to use it if they wish, but they will not be obliged to do so. The digital IDs will continue being issued by a Member State. According to the proposal, citizens will have full control over their data and the scheme is supposed to comply with the GDPR. However, we note that a careful examination of the proposal is needed in order to assess whether the proposal indeed ensures a high level of data protection.<\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 21px; font-size: 14px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/inf_21_2743\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; Commission Probing into Belgian DPA Independence<\/strong><\/a><\/span><span style=\"line-height: 18px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/system\/files\/2021-05\/edpb_contribution052021_6throundconsultations_budapestconvention_en.pdf\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;<\/strong><\/a><\/span><\/span><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/inf_21_2743\" target=\"_blank\" rel=\"noopener\">On 9th June, the Commission sent a formal letter to the Belgian government concerning the independence of the Belgian DPA<\/a>. The letter seems to be a response to several complaints submitted last year that members of the Commission are not independent from external influence. It is alleged that some members are not politically independent as they report to the Belgian government, or they are members of the Information Security Committee, or they participate in government projects on COVID-19 contact tracing solutions. If it is proven that indeed the Belgian DPA is not independent, this would be a breach of Article 52 GDPR. Already in March 2021 the Commission sent a letter to the Belgian government expressing concerns about the Belgian DPA\u2019s independence. However, the reply did not alleviate the concerns and now the Belgian government has to reply within two months which measures it has taken in order to ensure the independence of the Belgian DPA. If it again does not alleviate the concerns, the Commission will send back a reasoned opinion. If the issue is eventually not resolved, then the dispute might end up at the CJEU.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 21px; font-size: 14px; word-break: break-word;\"><strong><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/system\/files\/2021-06\/edpb_es_080621_en_0.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"line-height: 18px;\">&#8211; EDPB Releases Their Annual Report<\/span><\/a><\/span><\/strong><strong><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/edps.europa.eu\/system\/files\/2021-03\/21-03-05_edps_formal_comments_on_serious_cross-border_threats_to_health_en_0.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"line-height: 18px;\">&#8211;<\/span><\/a><\/span><\/strong><\/p>\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/system\/files\/2021-06\/edpb_es_080621_en_0.pdf\" target=\"_blank\" rel=\"noopener\">On 2nd June, the EDPB released its annual report, taking stock of their activities in 2020.<\/a> From the executive summary it becomes evident that the EDPB contributed to data protection in the following ways:<\/span><\/p>\n<ul>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">When participating in the GDPR evaluation, they noted the necessity for more resources for the SAs, for alignment of national procedure and that at the moment a revision of the GDPR is not necessary;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">They issued guidance on the processing of personal data in the framework of the COVID-19 pandemic and on international transfers following the <em>Schrems II<\/em> judgement in view of its implementation in practice;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">They adopted one dispute resolution decision concerning the Twitter fine issued by the Irish DPA;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">The EDPB issued ten guidelines, two recommendations and 32 Article 62 GDPR Opinion in total;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">They published a register concerning the one-stop-shop decisions taken by the national DPAs;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">The EDPB organised seven stakeholder consultations and a survey about their work;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">They adopted their Strategy for 2021 \u2013 2023 and the working plan for 2021 \u2013 2022 based on the Strategy.<\/span><\/li>\n<\/ul>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 21px; font-size: 14px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/www.irishlegal.com\/article\/high-court-facebook-loses-challenge-to-dpc-s-draft-decision-on-eu-us-data-transfers\" target=\"_blank\" rel=\"noopener\"><strong><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\"><span style=\"color: #123256; line-height: 18px;\">&#8211; <\/span><\/span><\/span><\/strong><\/a><strong><a style=\"text-decoration: none;\" href=\"https:\/\/www.wsj.com\/articles\/amazon-faces-possible-425-million-eu-privacy-fine-11623332987\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\">Amazon to be Hit with Largest GDPR Fine to Date?<\/span><\/a><\/strong><a style=\"text-decoration: none;\" href=\"https:\/\/www.irishlegal.com\/article\/high-court-facebook-loses-challenge-to-dpc-s-draft-decision-on-eu-us-data-transfers\" target=\"_blank\" rel=\"noopener\"><strong><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\"><span style=\"color: #123256; line-height: 18px;\">&#8211;<\/span><\/span><\/span><\/strong><\/a><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/www.luxtimes.lu\/en\/business-finance\/big-tech-luxembourg-hits-amazon-with-eu-s-biggest-data-fine-60c2f589de135b923677acc6\" target=\"_blank\" rel=\"noopener\">The Wall Street Journal reports that La Commission Nationale pour la Protection des Donn\u00e9es (CNPD), Luxembourg\u2019s DPA, has proposed that Amazon be fined 349 Million Euros for breaches of the GDPR<\/a>. The CNPD is the lead DPA for the company, whose European headquarters are located in Luxembourg. A fine of this size would amount to 2% of the company\u2019s net income last year or 0.1% of its sales last year \u2013 recall that the GDPR permits DPAs, under Article 83(5), to levy fines for certain infringements at up to \u20184 % of the total worldwide annual turnover of the preceding financial year\u2019. Specific details of the alleged violations behind the fine remain unclear \u2013 although the fine does not, supposedly, relate to Amazon\u2019s cloud computing business. The proposal appears in a draft decision concerning Amazon which has been circulated among the other EU DPAs. The draft decision still needs to be agreed to by the other DPAs. However, there are already, allegedly, certain objections which have been put forward to the decision. Should the fine eventually be handed down in its current form, it will be, by some distance, the largest fine issued under the GDPR. The size, form, regularity and location of GDPR fines are central to the impact the law has on shaping personal data processing practices. It will be interesting to see how companies and markets react to the release of this news.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 18px; font-size: 12px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/statement_21_1506\" target=\"_blank\" rel=\"noopener\"><strong><span style=\"color: #123256; line-height: 18px;\">&#8211;<\/span><\/strong> <\/a><\/span><\/span><strong><a style=\"text-decoration: none;\" href=\"https:\/\/www.cnil.fr\/fr\/la-cnil-publie-8-recommandations-pour-renforcer-la-protection-des-mineurs-en-ligne\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\">CNIL Publishes Recommendations on Children\u2019s Privacy Online<\/span><\/a> <\/strong><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/statement_21_1506\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;<\/strong><\/a><\/span><\/span><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/www.insideprivacy.com\/childrens-privacy\/french-cnil-publishes-recommendations-for-protecting-minors-online\/\" target=\"_blank\" rel=\"noopener\">On June 9th, La Commission Nationale de L\u2019informatique et des Libert\u00e9s (CNIL), France\u2019s DPA, published a set of eight recommendations intended to secure the protection for children online<\/a>. The recommendations build on a survey and consultation process on the topic \u2013 including workshops in which minors\u2019 views were considered \u2013 as well as in-depth legal analysis. The CNIL highlight the need for these recommendations in light of major societal challenges concerning children\u2019s online privacy, including, for example, the significant value of children\u2019s data. The eight recommendations concern: i) the regulation of minors\u2019 ability to act online; ii) the encouragement of minors to exercise their rights; iii) the support of parents in the digital education of minors; iv) parental consent for minors under 15; v) the promotion of parental tools which respect minors\u2019 privacy and interests; vi) the reinforcement of information disclosure and minors\u2019 rights by design; vii) age verification and parental consent in light of privacy; and viii) the provision of specific safeguards to protect minors\u2019 interests. The topic of children\u2019s online privacy deserves focused attention and the recommendations are, in this respect, welcome. The CNIL\u2019s recommendations come only weeks after the UN Special Rapporteur on the Right to Privacy \u2013 Joseph A. Cannataci \u2013 delivered his latest report to the UN Human Rights Council, which also had a focus on children\u2019s privacy.<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&#8211; Commission Publishes New SCCs &#8211; On 4th June, the European Commission \u2018adopted two sets [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72256","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72256","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72256"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72256\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72256"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72256"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72256"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}