Privacy Transformation - Issue 61
PRIVACY
Privacy Shield Invalidated, SCCs problematic — Blockbuster Schrems decision to impact nearly every business
CJEU justices have given a blockbuster opinion that will impact nearly every business, small to large. At the heart of this decision lie Edward Snowden’s 2013 disclosures about secretive US surveillance agency programmes that access user data from a roster of huge US social media and internet companies.
IMPACT:
The immediate impact of the decision is that Privacy Shield is invalidated and so cannot be used as a mechanism to legitimise EU & UK data transfers to the USA. In addition, data exporters & importers using SCCs must first verify protection in the third country.
RELATED:
TechCrunch: Europe’s top court strikes down flagship EU-US data transfer mechanism
CJEU: Schrems II Judgement
NOYB: Most common misunderstandings in reporting on the CJEU case
NOYB: FAQs on the CJEU case
DPC statement on CJEU decision
ICO statement on CJEU decision
NOYB statement on CJEU decision
Data Protection Commissioner defends speed of investigations into tech firms
The Data Protection Commissioner has said concluding investigations that are underway into large multinational tech firms is the number one priority for her office.
SECURITY & TECH
UK, US and Canada allege Russian cyberattacks on Covid-19 research centers
Russian cyber actors are targeting organizations involved in coronavirus vaccine development, according to a new warning by US, UK and Canadian security officials on Thursday that details activity by a Russian hacking group called APT29, which also goes by the name "the Dukes" or "Cozy Bear."
Apple, Biden, Musk and other high-profile Twitter accounts hacked in crypto scam
A number of high-profile Twitter accounts were simultaneously hacked on Wednesday by attackers who used the accounts — some with millions of followers — to spread a cryptocurrency scam.
Opinion: Tracker app is a giant leap for transparency, but beware its privacy implications
The authorities rolling out Ireland's Covid-19 smartphone tool have taken on board civil liberties concerns — but data protection experts say there is still no room for complacency.
Should you delete TikTok? Here’s everything you need to weigh the real privacy risks
We looked under the hood at what data the TikTok app gathers about you — and where it sends it.
ENFORCEMENT
Google faces €600,000 privacy fine in Belgium
Google Belgium was fined €600,000 by the Data Protection Authority (DPA) because the search engine did not respect a citizen's right to be forgotten.
EDPB: The President of the Personal Data Protection Office imposes a fine in cross-border proceedings
The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 15 000 on East Power company from Jelenia Góra for failing to provide the supervisory authority with access to personal data and other information necessary for the performance of its tasks.
Italian supervisory authority cracks down on unlawful marketing activities
The Italian supervisory authority, the Garante, has issued a fine of €16.7M to a company for conducting a number of unlawful marketing-related data processing activities.
Isle of Man DPA - First Administrative Fine
Under their own implementation of the GDPR, the Isle of Man Supervisory Authority has imposed an administrative fine of £12,250 on the Department of Home Affairs for failure to comply with data access rights and failure to comply with an enforcement notice regarding right of access to personal data.
More on the latest GDPR enforcement news can be found on:
GUIDANCE
EDPS: Reactions of EU institutions as employers to the COVID-19 crisis
While EUIs are already in the process of planning a possible gradual return to the office, telework is likely to remain a big part of the new normal for the near future. This document is addressed to controllers and Data Protection Officers (DPOs) in EUIs. It builds on the experience of the past months and addresses the issues that were raised to, or encountered by, the EDPS.
EDPB: Guidelines on derogations of Article 49 under GDPR
Relevant in the context of the Schrems II ruling by the CJEU, these are the EDPB guidelines for derogations for data transfers under Article 49 GDPR.
EDPB: Guidelines on the criteria of the Right to be Forgotten in the search engines cases under the GDPR
Adopted 7 July 2020, EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR.
ICO: Regulatory approach during the coronavirus public health emergency
This paper sets out how we will regulate during the current public health emergency, focusing in particular on data protection and freedom of information laws.