Weekly Newsletter: 23 November – 27 November 2020

November 30, 2020

Dutch journalist gatecrashes EU defence video conference

[#EUmeeting #EUDefenceVideoconference #EUSecurity]

“Daniel Verlaan of RTL Nieuws joined the meeting after the Dutch defence minister accidentally posted some of the login details on Twitter. The visibly surprised technology reporter started waving once he realised he’d been let in.

[…] While many have seen the funny side of the hack, it raises serious questions over the security of confidential EU meetings. The meeting was ended due to the breach, while a Foreign Affairs Council spokesman told RTL: ‘Such a breach is illegal and will be reported to the authorities.’”


The Information Commissioner’s Office provides guidance on how to prepare your privacy notice before the end of the transition period.

[#UKrepresentative #DataProtection #PrivacyNotice #PrivacyPolicy]

Is your company ready for Brexit? The Information Commissioner’s Office provides guidance on how to prepare your privacy notice before the end of the transition period.

“Data protection at the end of the transition period – Preparing your privacy notice.

Information required in your privacy notice is unlikely to change. You may need to:
(a) review your privacy notice to reflect changes to international transfers,
(b) review references to your lawful bases or conditions for processing if any refer to ‘Union law’ or other terminology changed in the UK GDPR, and
(c) identify your EU representative (if you are required to have one).”

For more guidance on preparing for the end of the transition period, visit the ICO’s hub.


Statement on the ePrivacy Regulation and the future role of Supervisory Authorities and the EDPB

[#EDPB #ePrivacy #Regulations]

“On November 19, the European Data Protection Board (the “EDPB”) adopted its statement ‘on the ePrivacy Regulation and the future role of Supervisory Authorities and the EDPB’. The EDPB pinpointed that:

‘[…] the scope of the proposed Regulation aims at ensuring its uniform application across every Member State and every type of data controller. Any proposed changes in the draft Regulation that may undermine this objective should be avoided to guarantee an equal level playing field for every provider and to ensure the confidentiality of electronic communications, as a fundamental right protected under the Charter, also taking into account the applicable CJEU case law.

[…] The future ePrivacy Regulation should lay out a clear framework for the cooperation between data protection authorities as supervisory authorities competent under GDPR and authorities having the appropriate expertise, so their cooperation could function effectively.’”



UK firms face hefty compliance costs without EU data deal, report warns

[#BrexitDeal #ComplianceCost #BrexitCostforBritishFirms #BrexitCost]

“British firms face a bill of up to £1.6 billion if Boris Johnson’s government fails to convince the EU to grant an adequacy decision allowing dataflows to continue, according to a new report published on Monday (23 November).

The economic modelling used in the report by the New Economics Foundation thinktank and University College London estimates that the additional compliance cost for firms wanting to continue transferring data will range from an average £3,000 for a micro business to almost £163,000 for a large company.

The report was based on interviews with 60 legal professionals, data protection officers, business representatives, and academics, from the UK and EU. In total, the cost to UK firms of no adequacy decision would likely be between £1 billion and £1.6 billion. This extra cost stems from the additional compliance obligations – such as setting up standard contractual clauses (SCCs).”


New EU data brokers won’t have to be European, Commission says

[#EUDataBrokers #EuropeanCommission #DataGovernanceAct #DataGovernanceEU #EURegulationDraft]

“The European Commission has decided against imposing geographical restrictions on the establishment of so-called ‘data sharing services’ as part of ambitious new plans laid out in the executive’s landmark Data Governance Act, presented on Wednesday (25 November).

As a means to facilitate greater sharing of non-personal and industrial data across the bloc, the European Commission believes that such data-sharing processes should be set up as a means to act as a go-between for exchanges between data producers and acquirers.

Previous drafts of the new regulation […] had laid down the obligation that new data sharing services acting as intermediaries between data holders and secondary users would have to be established in the EU. Yet the final version stipulated that any such data sharing services should either have a place of establishment in the EU, or at least ‘designate a representative’ in Europe.”


The CNIL sanctions CARREFOUR group with fines of 2,250,000 EUR and 800,000 EUR

[#CarrefourFrance #GDPRfines #GDPRsanctions #CNIL]

After receiving several complaints, the CNIL sanctioned two companies of the CARREFOUR group for breaches of the GDPR concerning, amongst others, the information provided to individuals and respect for their rights.

The CNIL sanctioned CARREFOUR FRANCE and CARREFOUR BANQUE with fines of 2,250,000 EUR and 800,000 EUR. However, it did not issue an injunction since it noted that significant efforts had been made to bring all the breaches of the law into compliance.

For an unofficial English translation of the full article: Click here.

To read more from the CNIL: Click here

GDPR enforcement must level up to catch big tech, report warns

[#GDPRenforcement #Beuc #GDPRcomplaints #GoogleGDPR #DPCIreland]

“A new report by European consumer protection umbrella group Beuc, reflecting on the barriers to effective cross-border enforcement of the EU’s flagship data protection framework, makes awkward reading for the regional lawmakers and regulators as they seek to shape the next decades of digital oversight across the bloc.

Beuc’s members filed a series of complaints against Google’s use of location data in November 2018 — but some two years on from raising privacy concerns there’s been no resolution of the complaints.

The tech giant continues to make billions in ad revenue, including by processing and monetizing Internet users’ location data. Its lead data protection supervisor, under GDPR’s one-stop-shop mechanism for dealing with cross-border complaints, Ireland’s Data Protection Commission (DPC), did finally open an investigation in February this year.”


Do you think that the new SCCs drafted by the European Commission will be sufficient to ensure safe EU-US data transfers?

[#SCCs #EUUSDataTransfers #SafeDataTransfers #EUCommission #EDPB]

Results of the poll of 24 November 2020 on the following question: “Do you think that the new SCCs drafted by the European Commission will be sufficient to ensure safe EU-US data transfers?”

It appears that 52% of the 349 voters aren’t sure yet if the SCCs will be sufficient. 40% think they won’t change a thing and only 8% believe that they can do the trick.

The question was intentionally “tricky” because we wanted to trigger conversations and help raise awareness around the fact that using SCCs alone cannot ensure safe/legal EU-US data transfers. The next question is then whether adding supplementary measures such as those proposed in the European Data Protection Board’s (the “EDPB”) Recommendations 01/2020, published on November 11, 2020, would do the trick.

Many thanks to those who contributed to the discussion!

