Privacy Transformation - Issue 62

PRIVACY

Schrems II: there's no way to transfer data to US and comply with EU law

In the week since the Court of Justice of the European Union (ECJ) handed down its far-reaching decision in the Schrems 2 case, many – especially in the US – just keep missing the earth-shattering, business-recalibrating nature of the decision.

Coronavirus: England's test and trace programme 'breaks GDPR data law'

The government has acknowledged the initiative was launched without a data privacy assessment.

EDPB: Thirty-fifth Plenary session: Information note on Binding Corporate Rules with UK SA as Lead Authority

In light of the upcoming end to the Brexit transition period, the EDPB has adopted an information note outlining the actions that need to be taken by Supervisory Authorities (SAs), the holders of approved Binding Corporate Rules (BCRs) and organisations that have BCRs pending with the UK SA to ensure that these BCRs can still be used as a valid transfer tool, following the end of the transition period.

ICO: Combining privacy and innovation - Regulatory Sandbox six months on

It’s been an exciting, interesting and challenging first six months for the ICO Sandbox – both for those externally involved in the various projects and for the ICO staff working on the scheme. Ian Hulme discusses the progress so far.

MORE SCHREMS II NEWS:

Using SCCs post-'Schrems II': Guidance from DPAs

If you are one of the thousands of companies that exports data from the EU to the U.S. or to another third country that lacks an adequacy decision using standard contractual clauses, are you permitted to continue doing so, following the Court of Justice of the European Union’s ruling in the "Schrems II" case? At least to some extent, the answer to this question differs based upon which data protection authority is considered to be your “lead supervisory authority.”

EDPB: Statement on Schrems II

EDPS: Statement on Schrems II

What Privacy Shield organizations should do in the wake of 'Schrems II'

UK Government response to the European Court of Justice decision in the Schrems II case

SECURITY & TECH

Hackers Tell the Story of the Twitter Attack From the Inside

Several people involved in the events that took down Twitter this week spoke with The Times, giving the first account of what happened as a pursuit of Bitcoin spun out of control.

Ireland donates contact tracing app to the Linux Foundation

Ireland's HSE has donated its contact tracing app as open source to Linux Foundation Public Health, supporting the global effort against Covid-19.

Coronavirus: The inside story of how government failed to develop a contact-tracing app

Whitehall sources described Matt Hancock's "fanboy" attitude to tech and "tendency to overpromise and only sometimes deliver".

DATA BREACH

University of York: Hackers who stole data get ransom payment

The firm that manages data for the University of York confirms it was the victim of a cyber attack. The university has notified the Information Commissioner's Office about the breach and said it was "awaiting further guidance".

Twitter Alerts Irish Privacy Regulator About Hacker Attack

Twitter has alerted the Irish DPC about a cyber-attack it fell victim to last week, days after the company said hackers had targeted just some 130 accounts and didn’t steal any passwords.

ENFORCEMENT

Spanish DPA: Company fined for not fulfilling data subject access request

The AEPD fined a company 40,000 EUR for not granting a data subject access to telephone records. The applicant's request for access did not receive a reply, despite the prior order of the AEPD. [Notice is in Spanish]

More on the latest GDPR enforcement news can be found on:

enforcementtracker.com

GUIDANCE

EU Data Exports After Schrems II – Guidance by Data Protection Authorities

The table in this document sets out the guidance provided by data protection authorities in response to the European Court of Justice’s landmark judgment in Schrems II in which the Court found that SCCs were valid in principle but declared the Privacy Shield invalid.

Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR

These guidelines aim to provide further guidance on data protection aspects in the context of the PSD2, in particular on the relationship between relevant provisions on the GDPR and the PSD2.

IAPP: DPA and government guidance on ‘Schrems II’

The invalidation of Privacy Shield and the additional requirements for SCCs have created uncertainty for organizations using these data transfer mechanisms. In response, data protection authorities and government agencies are publishing initial guidance for how to handle the post-“Schrems II” data transfer world. This IAPP Resource Center page collects together DPA and government guidance as it comes out.

ICO: Global privacy expectations of video teleconference providers

Data protection and privacy authorities from around the world have today published an open letter to video teleconferencing companies, reminding them of their obligations to comply with the law and handle people’s information responsibly.

RESOURCES

Video: IPEN Online Workshop - Enforcing the GDPR rules on encryption

At the recent IPEN Workshop, The Data Protection Commissioner of Schleswig-Holstein (Germany), Ms Marit Hansen, gave a perspective on the challenges of enforcing the GDPR provisions on encryption in practice.

UK Information Commissioner’s Office publishes 2019-2020 annual report

The Information Commissioner’s Office (ICO) has published its annual report for 2019-20, covering what the Information Commissioner has called a “transformative period” for privacy and data protection and broader information rights.