Weekly Newsletter: 30 November – 4 December 2020

December 7, 2020

SCHREMS II Impact Survey Report

[#DataProtection #datatransfers #SCCs #EUUSDataTransfers] “This survey provides a snapshot of how personal data is transferred from Europe to the rest of the world.

[…]While famous for annulling the EU-US Privacy Shield, the ruling requires all organisations transferring personal data outside the European Economic Area (EEA) to assess or reassess their use of SCCs in order to verify that it complies with the conditions set out in the ruling, notably in terms of preventing access by third-country governments.

The impact of these obligations can be significant, considering that potentially they apply to all data controllers and processors in the EEA, which for the most part are SMEs. However, real-world data about the use of SCCs has so far been lacking, and the economic impact of complying with the ruling remains largely unknown.”

To read more: Click here

.be Domain Name Holders On The Edge

[#BelgianDPA #DNSBelgium #domainnameholders] The Belgian DPA and DNS Belgium signed a cooperation protocol regarding the suspension of .be domain names in cases of breaches of fundamental principles of privacy protection by domain name holders.

The Protocol provides that the DPA can request DNS Belgium to take necessary technical measures to redirect the domain name to a DPA warning page if a domain name holder breaches DNS Belgium’s general terms and conditions (i.e. GDPR obligations).

If the domain name holder does not cease the infringement within 14 days, DNS Belgium shall continue to redirect the domain name to the warning page of the DPA for a further period of 6 months, after which it will attach the domain name to one of its temporary accounts and then cancel the domain name.

For an unofficial English translation of the full French version of the Protocol: Click here.

For an official French version: Click here


Thousands of US lab results and medical records spilled online after a security lapse

[#healthdata #databreach #datasecurity #securitymeasures]NTreatment, a technology company that manages electronic health and patient records for doctors and psychiatrists, left thousands of sensitive health records exposed to the internet because one of its cloud servers wasn’t protected with a password.

[…]None of the data was encrypted, and nearly all of the sensitive files were viewable in the browser. Some of the medical records belonged to children.

TechCrunch found the exposed data as part of a separate investigation. It wasn’t initially clear who owned the storage server, but many of the electronic health records that TechCrunch reviewed in an effort to trace the source of the data spillage were tied to doctors and psychiatrists and healthcare workers working at hospitals or networks known to use nTreatment. The storage server also contained some internal company documents, including a non-disclosure agreement with a major prescriptions provider.”

To read more: Click here

Dutch Court Overturns DPA Fine on Legitimate Interest Legal Basis


[#GDPRfines #legitimateinterest #DutchDPA #EDPB] “On November 23, 2020, the Dutch District Court of Midden-Nederland (the “Court”) determined that the concept of a legitimate interest for processing is broader than simply being an interest derived from law, overturning a fine by the Dutch data protection authority (the “Dutch DPA”).

The Dutch DPA, Autoriteit Persoonsgegevens, issued a €575,000 fine in July 2020 against VoetbalTV, which allowed football players and fans to view professional video footage of amateur matches on its platform, on the basis that it lacked a legal basis for its processing of personal data, as required by Article 6(1) of the EU General Data Protection Regulation (“GDPR”).

[…]In overturning the Dutch DPA’s decision, the court relied on guidance issued by the European Data Protection Board (the “EDPB”), which provides that legitimate interests can cover a range of different interests, provided that they are real and present (not speculative), meaning that all kinds of factual, economic and idealistic interests can qualify as legitimate interests.”

To read more: Click here

Data transfers, AI addressed in European Commission’s EU-US agenda

[#DataProtection#datatransfers#aigovernance#EUUSDataTransfers] “The European Commission published its proposal for a new EU-U.S. agenda that includes considerations for data transfers and artificial intelligence. The commission suggests the EU and U.S. must “intensify their cooperation” in an effort to “promote regulatory convergence and facilitate free data flow with trust.”

With AI, the commission proposes work on a Transatlantic AI Agreement that will “set a blueprint for regional and global standards aligned with our values.” Additionally, an EU-U.S. Summit to discuss these matters was confirmed for 2021.”

To read more: Click here

Keep data flowing at the end of the UK’s transition out of the EU


[#UKGDPR #DataProtection #ico #internationaldatatransfers] Watch this very useful webinar that was given by the UK DPA (Information Commissioner’s Office) to learn more about the impact of Brexit on the GDPR!

Here are some of the key takeaways:

-After the transition period, transfers of data from the UK to the EEA will be permitted and the EU GDPR will continue to apply to the EEA exporter of personal data.
-The UK is going through an adequacy assessment – no word on if and when a decision can be expected
-An EU representative will be required for UK companies if they offer goods and services to individuals in the EU or monitor their behaviour; and if they don’t have a branch, office or establishment within the EEA.

An incredible amount of questions were asked on the role of the EU Representative. This fact highlights that there is still work to do in terms of awareness about this important obligation.

Click here to watch the webinar (and then click on “MS Live Event”): https://lnkd.in/e3n2D9J