Privacy Transformation - Issue 51
PRIVACY
Data protection offices need proper resources now more than ever
Europe’s General Data Protection Regulation (GDPR) is unable to function properly and give mandated protections because EU member states have failed to adequately fund and staff their data protection authorities, a new report from privacy-focused web browser company Brave argued this week.
Brave's DPA report can be found here.
European Union’s Data-Based Policy Against the Pandemic, Explained
Benefitting from a mature and largely harmonized data protection legal framework, the European Union and its Member States are taking policymaking steps towards a pan-European approach to enlisting data and technology against the spread of COVID-19 and to support the gradual restarting of the economy. This is an overview of key recent events essential to understand EU’s data-based approach against the pandemic.
CONTACT TRACING
Coronavirus: Ireland and UK opt for different tracing approaches
The Republic of Ireland has opted for a virus contact-tracing phone app backed by Apple and Google, which it says "maximises the protection of privacy".
The approach differs from the UK's, raising questions over how it might affect cross-border operations with Northern Ireland.
UK Parliament: Report on the contact tracing app published - Committees
The Joint Committee on Human Rights publishes a Report on the contact tracing app, concluding that if effective, the app could pave the way out of the current lockdown restrictions and help prevent the spread of Coronavirus, but there are significant concerns regarding surveillance and the impact on other human rights which must be addressed first.
UK finds itself almost alone with centralized virus contact-tracing app that probably won't work well, asks for your location, may be illegal
Britain is sleepwalking into another coronavirus blunder by failing to listen to global consensus and expert analysis with the release of the NHS COVID-19 contact-tracking app.
A UK NCSC blog post explaining the development approach to the NHS contact tracing app can be found here.
ENFORCEMENT
DUTCH DPA: An organisation has been fined €725,000 after requiring its staff to have their fingerprints scanned to record attendance. However, as the decision of the data protection authority stated, the organisation could not rely on exceptions to the processing of this special category of personal data and the company could also not provide any evidence that the employees had given their consent to this data processing.
[More info (in Dutch)]
Belgian DPA (APD): An organisation has been fined €50,000 due to the company's data protection officer not being sufficiently involved in the processing of personal data breaches. The company did not have a system in place to prevent a conflict of interest of the DPO, who also held numerous other positions within the company (head of compliance and audit department), which led the DPA to the conclusion that the company's DPO was not able to work independently.
[More info (in Dutch)]
More GDPR enforcement information can be found on:
GUIDANCE
EDPB - Updated guidelines on consent under GDPR
The European Data Protection Board has updated their guidlines on consent under GDPR, including clarifying examples on cookie processing practices.
ICO: Video conferencing: what to watch out for
Ian Hulme, the ICO’s Director of Assurance gives business owners, employers and managers advice about how to safely roll out the latest video conferencing technology