{"id":72294,"date":"2021-11-11T22:32:42","date_gmt":"2021-11-11T21:32:42","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-58\/"},"modified":"2021-11-11T22:32:42","modified_gmt":"2021-11-11T21:32:42","slug":"data-protection-insider-issue-58","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-58\/","title":{"rendered":"Data Protection Insider, Issue 58"},"content":{"rendered":"<div class=\"txtTinyMce-wrapper\" style=\"font-family: Arial, Helvetica Neue, Helvetica, sans-serif; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px; text-align: justify;\"><a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/our-work-tools\/our-documents\/opinion-board-art-64\/opinion-332021-draft-decision-belgian-supervisory_en\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; \u00a0<\/strong><strong>EDPB Adopts Opinions on Belgian BCRs <\/strong><strong><em>&#8211;<\/em><\/strong><\/a><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/our-work-tools\/our-documents\/opinion-board-art-64\/opinion-342021-draft-decision-belgian-supervisory_en\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\">On 26th October, the EDPB adopted two Opinions concerning Belgian companies\u2019 BCRs: i) \u2018Opinion 33\/2021 on the draft decision of the Belgian Supervisory Authority regarding the Controller Binding.<\/span><\/a><\/p>\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/our-work-tools\/our-documents\/opinion-board-art-64\/opinion-332021-draft-decision-belgian-supervisory_en\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"> Corporate Rules of Carrier\u2019; and ii) \u2018Opinion 34\/2021 on the draft decision of the Belgian Supervisory Authority regarding the Controller Binding <\/span><\/a><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/our-work-tools\/our-documents\/opinion-board-art-64\/opinion-332021-draft-decision-belgian-supervisory_en\" target=\"_blank\" rel=\"noopener\">Corporate Rules of Otis\u2019.<\/a> In both cases, the EDPB considered the proposed BCRs as unproblematic and that they adhered to all relevant requirements. The Opinions relate to BCRs, the content of which may be of interest to those dealing with the creation and substantive conditions relevant for functional and legitimate BCRs. The Opinions themselves are relatively short and limited in terms of discussion of the substantive content of the BCRs in question. The Opinions, however, are nevertheless interesting as they provide an insight into the procedures via which BCRs are adopted, and the conditions around which these procedures revolve.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/globalprivacyassembly.org\/highlights-from-the-global-privacy-assembly-closed-session-2021\/\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; <\/strong><strong>GPA Publishes Highlights of 2021 Closed Sessions <\/strong><strong>&#8211;<\/strong><\/a><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/globalprivacyassembly.org\/highlights-from-the-global-privacy-assembly-closed-session-2021\/\" target=\"_blank\" rel=\"noopener\">The 43rd GPA Closed Sessions were held on 20th-21st October 2021.<\/a>\u00a0\u2018<a style=\"text-decoration: underline;\" href=\"https:\/\/globalprivacyassembly.org\/document-archive\/adopted-resolutions\/\" target=\"_blank\" rel=\"noopener\">Resolutions<\/a>\u00a0were discussed and agreed at the conference, giving a shared view on a range of important current topics:<\/span><\/p>\n<ul>\n<li style=\"font-size: 14px; line-height: 21px;\"><span style=\"font-size: 14px; line-height: 21px;\">Data sharing for the public good;<\/span><\/li>\n<li style=\"font-size: 14px; line-height: 21px;\"><span style=\"font-size: 14px; line-height: 21px;\">Children\u2019s digital rights;<\/span><\/li>\n<li style=\"font-size: 14px; line-height: 21px;\"><span style=\"font-size: 14px; line-height: 21px;\">Government access to data; and<\/span><\/li>\n<li style=\"font-size: 14px; line-height: 21px;\"><span style=\"font-size: 14px; line-height: 21px;\">The future of the Global Privacy Assembly<\/span><\/li>\n<\/ul>\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">Other topics discussed in detail included international enforcement cooperation and regulatory sandboxes.\u2019\u00a0The resolution are available on GPA\u2019s website, where the strategic plan for the following two years can also be found.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/www.euractiv.com\/section\/data-protection\/news\/leak-draft-impact-assessment-sheds-some-light-on-upcoming-data-act\/\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; Draft Impact Assessment of the Upcoming EU Data Act Leaked <\/strong><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 27th October, the independent Regulatory Scrutiny Board which monitors the Impact Assessment of new EU legislative proposals rejected the proposed EU Data Act, according to a leaked Impact Assessment. The identified problems are the insufficient information about the conditions under which governments may access data, the proposed compensatory provisions for businesses and the unclear relationship between the proposal and other legislative acts. <a style=\"text-decoration: underline;\" href=\"https:\/\/www.euractiv.com\/section\/data-protection\/news\/leak-draft-impact-assessment-sheds-some-light-on-upcoming-data-act\/\" target=\"_blank\" rel=\"noopener\">The leaked Impact Assessment, as seen by EURACTIV, nevertheless provides an overview of the content of the proposal.<\/a> The proposal, which is part of the European Strategy on Data and is expected to be adopted at the beginning of 2022, is supposed to boost both the data economy and help governments adopt better policies and services. According to EURACTIV, the proposed Data Act will focus on regulating the following matters: (1) consumer and business access to data, although EURACTIV reports that the Act might not anchor \u2018significant access rights\u2019, which might be rather regulated by other means, e.g. contracts; (2) access to data by public authorities, which would be \u2018based on a list of purposes defined at the EU level limited to \u201conly the most pressing social needs, where other means of accessing data are not available,\u201d including exceptional circumstances, environmental protection and public health.\u2019 A balance between the business interests, fundamental rights and public interests is supposed to be achieved; (3) interoperability, especially to enable the switching of cloud providers; and (4) a ban on data transfers to Third States whose laws are in conflict with EU and Member State legislation. Interested readers may read the updated EURACTIV article for more details of the Act.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><strong><a style=\"text-decoration: none;\" href=\"https:\/\/www.oaic.gov.au\/updates\/news-and-media\/oaic-and-ico-conclude-joint-investigation-into-clearview-ai\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\">&#8211; OAIC and ICO Investigation into Clearview AI &#8211;<\/span><\/a><\/strong><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/www.oaic.gov.au\/updates\/news-and-media\/oaic-and-ico-conclude-joint-investigation-into-clearview-ai\" target=\"_blank\" rel=\"noopener\">On 3rd November, the Australian and UK DPAs announced the completion of their investigation into Clearview AI, which began in 2020.<\/a> According to the announcement, \u2018the ICO is considering its next steps and any formal regulatory action that may be appropriate under the UK data protection laws.\u2019 The Australian DPA (the OAIC) however, has already concluded that: \u2018Clearview AI, Inc. breached Australians\u2019 privacy by scraping their biometric information from the web and disclosing it through a facial recognition tool.\u2019 More specifically, the OAIC found that: \u2018Clearview AI breached the Australian Privacy Act 1988 by:\u2026collecting Australians\u2019 sensitive information without consent\u2026collecting personal information by unfair means\u2026not taking reasonable steps to notify individuals of the collection of personal information\u2026not taking reasonable steps to ensure that personal information it disclosed was accurate, having regard to the purpose of disclosure\u2026not taking reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.\u2019 In consequence, \u2018Clearview AI [should] cease collecting facial images and biometric templates from individuals in Australia, and to destroy existing images and templates collected from Australia\u2019. The conclusion of the investigation is interesting from several perspectives. In the first instance, whilst the substance of the decision made on the back of the investigation is Australian, and relates to Australian law, the investigation was international, and many of the criticisms may have resonance within Europe. In turn, the outcomes of the investigation provide further valuable input to the emerging collage of information related to the issue of the legitimacy of AI and facial recognition.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/iabeurope.eu\/all-news\/update-on-the-belgian-data-protection-authoritys-investigation-of-iab-europe\/\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; <\/strong><strong>IAB Provides Update on Belgian Investigation <\/strong><strong>&#8211;<\/strong><\/a><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/iabeurope.eu\/all-news\/update-on-the-belgian-data-protection-authoritys-investigation-of-iab-europe\/\" target=\"_blank\" rel=\"noopener\">On 5th November, the IAB published an update of the Belgian DPA\u2019s \u2018investigation of IAB Europe and its role in the Transparency &amp; Consent Framework (TCF)\u2019.<\/a> The IAB announce that: \u2018The draft ruling will apparently identify infringements of the GDPR by IAB Europe, but it will also find that those infringements should be capable of being remedied within six months following the issuing of the final ruling, in a process that would involve the APD [the Belgian DPA] overseeing the execution of an agreed action plan by IAB Europe.\u2019 The IAB further clarify that: \u2018The draft ruling is expected to be shared with other Data Protection Authorities\u2026in the coming 2-3 weeks under the Cooperation Procedure laid down in the GDPR. Those DPAs will have 30 days to review it. Depending on the outcome of that review, the APD may adopt a final ruling or the matter may be referred to the European Data Protection Board for a binding decision.\u2019 Given the significance of investigations into AdTech for data processing business models, the final decision of this investigation should be followed with interest.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><strong><a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/newsroom\/just\/items\/724795\/en\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\">&#8211; First Review Meeting of the EU-Japan Mutual Adequacy Decisions &#8211;<\/span><\/a><\/strong><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/ec.europa.eu\/newsroom\/just\/items\/724795\/en\" target=\"_blank\" rel=\"noopener\">On 26th October, the EU Commission, data protection authorities and Japanese authorities met to carry out the first review of the mutual adequacy decisions between the EU and Japan, which were adopted in 2019.<\/a> The review covered a broad range of topics, including the application of the agreements, the relevant legal developments and access to personal data by governments. From the press release quoting Commissioner Didier Reynders and Shuhei Ohshima, Personal Information Protection Commission of Japan, the commitment of both partners to upholding data protection and the free flow of data between the regions becomes evident. The final step to completing the review this year are the publication of the reports on the functioning of each adequacy decision by the EU and Japan.\u00a0<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&#8211; \u00a0EDPB Adopts Opinions on Belgian BCRs &#8211; On 26th October, the EDPB adopted two [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72294","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72294","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72294"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72294\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72294"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72294"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72294"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}