Weekly Newsletter: 3 May – 7 May 2021
GDPR EU Representative

May 10, 2021

Navigating EU Data Transfers: Effects of Schrems II Start to Bite 

[#EDPB #DataTransfers #DataprotectionAuthority] 

“Companies should expect further investigations by DPAs into the steps they take to legitimize transfers of personal data out of Europe. […]

Recently, the Conference of the DPAs of Germany (known as Datenschutzkonferenz or DSK) announced that the German DPAs are planning to carry out random checks using an “agreed questionnaire” with specific queries on how controllers are implementing the CJEU’s decision and the EDPB Recommendations regarding cross-border data transfers. […]

In the meantime, the hope is that the final versions of the EDPB Recommendations and the European Commission’s new SCCs (expected to be issued in the near future) will provide much needed clarification on the uncertainties that continue to challenge businesses in the aftermath of Schrems II.”

To read more: Click here.

The EDPS (European Data Protection Supervisor) issues a decision against the CJEU (Court of Justice of the European Union) for data protection breach

[#EDPS #CJEU #Dataprotection] 

“The CJEU was found by the EDPS to have breached data protection requirements in relation to web tracking. They were found to have insufficient information on their site, and a banner which did not [allow] users to reject cookies. In relation to linked pages of third-party services that the CJEU used to host branded conference videos, which laid Google and DoubleClick cookies without information or a possibility to reject […].

This case clarified and confirmed that a withdraw button needs to be placed as clearly as an accept button in order for consent to cookies and similar technologies to be valid. The EDPS took no formal action as the CJEU engaged rapidly with the organisation and rectified all breaches following the complaint.”

Link to the decision of the EDPS in complaint case 2019-0878 […] against the Court of Justice of the European Union: https://cloud.michae.lv/s/pBisKt6tCyY2s3j

To read more: Click here.

Signal Issues Stunning New Strike At Facebook 

[#Signal #Facebookads #TargetedAdvertising]

“We wanted to use those same tools,” Signal says, “to directly highlight how most technology works. We wanted to buy some Instagram ads.”

Signal selected some user characteristics to explicitly share in its proposed ads. “We created a targeted ad designed to show you the personal data that Facebook collects about you and sells access to. The ad would simply display some of the information collected about the viewer.”

It would have been stark and effective, thought-provoking. And it would have sent shivers down the spines of millions of Facebook users: the stark realisation that the reason you receive the ads you do is not guesswork, your strings are being pulled.

But “Facebook was not into that idea,” Signal says. “We wanted to use Instagram ads to highlight how ad tech invades your privacy. Instead, Facebook shut our account down.” […]

“Facebook is more than willing to sell visibility into people’s lives,” Signal says, “unless it’s to tell people about how their data is being used. Being transparent about how ads use people’s data is apparently enough to get banned; in Facebook’s world, the only acceptable usage is to hide what you’re doing from your audience.”

To read more: Click here.

Austrian DPA has option to fine Google up to €6 billion 

[#GDPRfines #Google]

“Google continues to send data from EU websites to the US – despite two Court of Justice rulings. Austrian Data Protection Authority could fine Google up to €6 billion. […]

Google primarily argues that it uses “supplementary measures” that are supposed to help against NSA surveillance (see pages 23 to 26). However, none of the measures are new, nor in any way effective: Google even points to signs and fences around data centers and ordinary HTTPS encryption, which is just a minimum standard even for small websites. That these measures have no impact on US surveillance laws is already evident in Google’s own “transparency report”: in 2019 alone, more than 210,000 requests under the US surveillance law “FISA” were answered by Google. More recent statistics are missing. […]

The Austrian data protection authority has asked noyb to respond to Google’s opinion. In the statement of 36 pages, noyb elaborates on the obvious violation of the GDPR. The legal submissions of noyb (German, English Translation) were filed today.”

To read more: Click here.

Answering Europe’s Call: Storing and Processing EU Data in the EU

[#Microsoft #MicrosoftCloud #Dataprotection]

“Today we are announcing a new pledge for the European Union. If you are a commercial or public sector customer in the EU, we will go beyond our existing data storage commitments and enable you to process and store all your data in the EU. In other words, we will not need to move your data outside the EU. This commitment will apply across all of Microsoft’s core cloud services – Azure, Microsoft 365, and Dynamics 365. […]

We have already begun engineering work so our core cloud services will both store and process in the EU all personal data of our EU commercial and public sector customers, if they so choose. This plan includes any personal data in diagnostic data and service-generated data, and personal data we use to provide technical support. We will also extend technical controls […].

Our EU Data Boundary for the Microsoft Cloud will be powered by our substantial and ongoing investments in an expansive European datacenter infrastructure. Microsoft will continue to do all we can to encourage government leaders on both sides of the Atlantic and beyond to address lawful access issues quickly.”

To read more: Click here.

Answering GDPR access requests via e-mail? German Data Protection Authority imposes six-figure fine for inadequate security measures

[#Dataprotectionauthority #Cybersecurity #GDPR] 

“Information according to Art. 15 GDPR must also be provided electronically, if required based on Art. 12 (3) GDPR. […] However, […] the Data Protection Authority of the state of Brandenburg […] reports that it imposed a six-figure fine on a company for violating Art. 32 GDPR in the context of providing access to information.

The company answered requests for access via e-mail. A password-protected PDF document containing the requested information was attached to the e-mail. In order to open the PDF document, the data subject received a second e-mail a few minutes later containing the password in plain text. This second e-mail was only encrypted with Transport Layer Security (TLS), which is the default setting. […]

From the point of view of the DPA, the decisive factor was in particular the close connection in terms of time and content between the sending of the first e-mail with the password-protected information documents and the second e-mail, which was not sufficiently secured.”

To read more: Click here.