Privacy Transformation - Issue 61

PRIVACY

Privacy Shield Invalidated, SCCs problematic — Blockbuster Schrems decision to impact nearly every business

CJEU justices have given a blockbuster opinion that will impact nearly every business, small to large. At the heart of this decision lie Edward Snowden’s 2013 disclosures about secretive US surveillance agency programmes that access user data from a roster of huge US social media and internet companies.

IMPACT:

The immediate impact of the decision is that Privacy Shield is invalidated and so cannot be used as a mechanism to legitimise EU & UK data transfers to the USA. In addition, data exporters & importers using SCCs must first verify protection in the third country.

RELATED:

TechCrunch: Europe’s top court strikes down flagship EU-US data transfer mechanism

CJEU: Schrems II Judgement

NOYB: Most common misunderstandings in reporting on the CJEU case

NOYB: FAQs on the CJEU case

DPC statement on CJEU decision

ICO statement on CJEU decision

NOYB statement on CJEU decision

Data Protection Commissioner defends speed of investigations into tech firms

The Data Protection Commissioner has said concluding investigations that are underway into large multinational tech firms is the number one priority for her office.

SECURITY & TECH

UK, US and Canada allege Russian cyberattacks on Covid-19 research centers

Russian cyber actors are targeting organizations involved in coronavirus vaccine development, according to a new warning by US, UK and Canadian security officials on Thursday that details activity by a Russian hacking group called APT29, which also goes by the name "the Dukes" or "Cozy Bear."

Apple, Biden, Musk and other high-profile Twitter accounts hacked in crypto scam

A number of high-profile Twitter accounts were simultaneously hacked on Wednesday by attackers who used the accounts — some with millions of followers — to spread a cryptocurrency scam.

Opinion: Tracker app is a giant leap for transparency, but beware its privacy implications

The authorities rolling out Ireland's Covid-19 smartphone tool have taken on board civil liberties concerns — but data protection experts say there is still no room for complacency.

Should you delete TikTok? Here’s everything you need to weigh the real privacy risks

We looked under the hood at what data the TikTok app gathers about you — and where it sends it.

ENFORCEMENT

Google faces €600,000 privacy fine in Belgium

The Data Protection Authority (DPA) imposed a fine of €600,000 on Google Belgium because the search engine did not respect a citizen's right to be forgotten.

EDPB: The President of the Personal Data Protection Office imposes a fine in cross-border proceedings

The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 15 000 on East Power company from Jelenia Góra for failing to provide the supervisory authority with access to personal data and other information necessary for the performance of its tasks.

Italian supervisory authority cracks down on unlawful marketing activities

The Italian supervisory authority, the Garante, has issued a fine of €16.7M to a company for conducting a number of unlawful marketing-related data processing activities.

Isle of Man DPA - First Administrative Fine

Under their own implementation of the GDPR, the Isle of Man Supervisory Authority has imposed an administrative fine of £12,250 on the Department of Home Affairs for failure to comply with data access rights and failure to comply with an enforcement notice regarding right of access to personal data.

More on the latest GDPR enforcement news can be found on:

enforcementtracker.com

GUIDANCE

EDPS: Reactions of EU institutions as employers to the COVID-19 crisis

While EUIs are already in the process of planning a possible gradual return to the office, telework is likely to remain a big part of the new normal for the near future. This document is addressed to controllers and Data Protection Officers (DPOs) in EUIs. It builds on the experience of the past months and addresses the issues that were raised with, or encountered by, the EDPS.

EDPB: Guidelines on derogations of Article 49 under GDPR

Relevant in the context of the Schrems II ruling by the CJEU, these are the EDPB guidelines for derogations for data transfers under Article 49 GDPR.

EDPB: Guidelines on the criteria of the Right to be Forgotten in the search engines cases under the GDPR

Adopted 7 July 2020, EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR.

ICO: Regulatory approach during the coronavirus public health emergency

This paper sets out how we will regulate during the current public health emergency, focusing in particular on data protection and freedom of information laws.