
Email sent to wrong recipient? Avoid getting fined

Sending an email to the wrong recipient can trigger privacy risks, and even sanctions, especially if the email contained attachments or other content with personal data. Here is a brief analysis of how to limit the risk of sanctions and avoid getting fined in case of an email sent to the wrong recipient.

Recent cases

On 21.05.2020 the Data Protection Supervisory Authority of Romania (ANSPDCP) concluded an investigation into an energy operator who had accidentally sent an email containing the personal data of a customer to the wrong recipient, and found that it violated the provisions of art. 32 of the GDPR regarding the security of the processing.

The operator was sanctioned with a fine of 19,368.4 lei, the equivalent of EUR 4,000.

The investigation was initiated as a result of a complaint issued by a customer, who had been informed by the data controller of the violation of the security and confidentiality of his personal data. The company accidentally transmitted, via email, the personal data of a client (name and surname, address, e-mail address, client code and eneltel code) to another client, who was not entitled to receive such information.

During the investigation, the National Supervisory Authority found that the operator had not taken sufficient security and confidentiality measures to prevent the accidental disclosure of personal data to unauthorized persons, violating the provisions of art. 32 of the GDPR.

The operator was therefore sanctioned because it did not implement adequate technical and organizational measures to ensure a level of security corresponding to the risk of the processing, generated especially by the unauthorized disclosure of, or unauthorized access to, personal data.

At the same time, the corrective measure was applied to the operator Enel Energie Muntenia SA, according to the provisions of art. 58 paragraph (2) i) of the GDPR.

Thus, the operator was obliged to implement the appropriate and adequate security measures, both technical and organizational, within 30 working days of the communication.

Prevention & Remediation measures

Sending an email to the wrong recipient is one of the most recurring causes of data breach, hence chances are it may happen to you too. So here’s a list of suggested safeguards to prevent the error, and to limit its risks in case it happens.

1: Technical security measures

  • Recall the email: yes, in theory you can do that if you instantly become aware of the mistake; however, depending on the timing of the discovery and on the conditions and procedures of the different email service providers, you may actually not be able to stop your message from being wrongfully delivered. In case you wish to give it a try, here’s a how-to guide. PROS: easy, generally free. CONS: might not be effective.
  • Adopt a data loss prevention software. Seriously, do it. Although not specifically aimed at preventing material errors by the sender, data loss prevention (DLP) software detects potential data breach and data exfiltration transmissions and prevents them by monitoring, detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic) and at rest (data storage). It can feature advanced security measures such as machine learning and temporal reasoning algorithms to detect abnormal access to data (e.g. databases or information retrieval systems) or abnormal email exchanges, honeypots for detecting authorized personnel with malicious intentions, activity-based verification (e.g. recognition of keystroke dynamics) and user activity monitoring for detecting abnormal data access. It can become super useful if the breach is not the consequence of a mere error… PROS: effective technology. CONS: cannot prevent material errors, expensive.
  • Avoid including personal data in the body of the message and encrypt attachment files, then send the decryption password through a different email (making the same mistake twice can happen, though it is less probable) or a different channel (e.g. SMS message, in-app notification). PROS: can effectively limit the risk of a data breach. CONS: adds burdens to communication and makes it slower; however, you can use in-mail add-ins to make it way faster.
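The checks behind the last two bullets, as an added example that is not from the original post or from any DLP product: a standard-library Python script that inspects an outgoing message before it leaves (where a mail gateway or send hook would run it), flags customer identifiers that belong to someone other than the addressee (the ANSPDCP scenario) and flags data such as a codice fiscale travelling in clear text instead of inside an encrypted attachment. The customer directory, the patterns and the two sample messages are constructed assumptions.

```python
"""Outbound e-mail check: is customer data about to reach the wrong recipient?

Added example, not code from the original post or any DLP vendor. Scans an outgoing
message (body and text attachments) for customer identifiers and blocks it when they
belong to someone other than the addressee, or when data that should travel only
inside an encrypted attachment appears in clear text. Records and messages are constructed.
"""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed customer directory (e-mail -> client code); a real check would query the CRM.
CUSTOMER_DIRECTORY = {"mario.rossi@example.com": "CL-00017", "anna.bianchi@example.com": "CL-00042"}
CODE_TO_EMAIL = {code: addr for addr, code in CUSTOMER_DIRECTORY.items()}

# Values that identify one specific customer, plus data that must never travel in clear text.
PATTERNS = {
    "client_code": re.compile(r"\bCL-\d{5}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "codice_fiscale": re.compile(r"\b[A-Z]{6}\d{2}[A-Z]\d{2}[A-Z]\d{3}[A-Z]\b"),
    "iban": re.compile(r"\bIT\d{2}[A-Z]\d{10}[0-9A-Z]{12}\b"),
}
CLEAR_TEXT_FORBIDDEN = ("codice_fiscale", "iban")


def recipients_of(msg) -> set:
    """Every address in To/Cc/Bcc, lower-cased."""
    raw = []
    for header in ("To", "Cc", "Bcc"):
        raw.extend(msg.get_all(header, []))
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def text_parts(msg):
    """Yield (label, text) for the body and each text attachment; text is None for binary parts."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        label = part.get_filename() or "body"
        if part.get_content_maintype() != "text":
            yield label, None  # e.g. an encrypted archive: cannot (and need not) be inspected
            continue
        payload = part.get_payload(decode=True) or b""
        yield label, payload.decode(part.get_content_charset() or "utf-8", "replace")


def scan_message(raw: str) -> dict:
    """Return the verdict ('allow' or 'block'), the reasons, and what was found where."""
    msg = message_from_string(raw)
    rcpts = recipients_of(msg)
    reasons, findings, unscanned = [], [], []
    for label, text in text_parts(msg):
        if text is None:
            unscanned.append(label)
            continue
        for kind, pattern in PATTERNS.items():
            for value in sorted(set(pattern.findall(text))):
                findings.append((label, kind, value))
                # Does this value point at a customer who is not among the recipients?
                owner = CODE_TO_EMAIL.get(value) if kind == "client_code" else value.lower()
                if owner in CUSTOMER_DIRECTORY and owner not in rcpts:
                    reasons.append(f"{kind} {value} belongs to {owner}, who is not a recipient ({label})")
                if kind in CLEAR_TEXT_FORBIDDEN:
                    reasons.append(f"{kind} in clear text in {label}; send it only in an encrypted attachment")
    return {"recipients": sorted(rcpts), "verdict": "block" if reasons else "allow",
            "reasons": reasons, "findings": findings, "unscanned_attachments": unscanned}


# Constructed: the ANSPDCP scenario, one customer's details addressed to another customer.
WRONG_RECIPIENT = """\
To: Anna Bianchi <anna.bianchi@example.com>
Subject: Your contract details
Content-Type: text/plain; charset="utf-8"

Dear customer, these are the details we hold for you:
Mario Rossi, Via Roma 1, Rome, mario.rossi@example.com, client code CL-00017
"""

# Constructed: right recipient, but a codice fiscale in a plain-text attachment beside the encrypted one.
CLEAR_TEXT_ATTACHMENT = """\
To: mario.rossi@example.com
Subject: Contract
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Your contract is attached; the password follows by SMS.
--sep
Content-Type: text/plain; charset="utf-8"
Content-Disposition: attachment; filename="contract.txt"

Holder: Mario Rossi, codice fiscale RSSMRA80A01H501U
--sep
Content-Type: application/zip
Content-Disposition: attachment; filename="contract.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--sep--
"""
```

Calling scan_message on the two samples blocks both: the first because the client code and address belong to Mario Rossi while the addressee is Anna Bianchi, the second because the codice fiscale sits in clear text in contract.txt, while contract.zip is reported as unscanned.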

2: Organizational measures

  • Train your employees: yes, that’s so important. The data breach lies at the fingertips of an employee ready to send an email without double-checking that the email address is correct. You may wish to give them proper training, pointing out the risks and pains which can arise from such an inaccurate move.
  • Get in contact with the recipient: once an email has been successfully sent, there is no way to call it back or delete it from the recipient’s inbox. Still, you can get in contact with the unintended recipient, explain that the email was sent by mistake, and ask them not to read the message, if that’s still possible.
  • Take note: study what happened and what fault caused the incident, in order to plan some follow-up action to limit the possibility it happens again. Document this process. It will be an aid to your defense in case of an investigation by the data protection authorities.

In any case, as a data controller you should carry out a databreach severity assessment in order to assess if the incident shall be communicated to the data subjects involved or notified to the supervisory authority. We built an automatic tool to do that for you, taking into account the EU (ENISA + EDPB) standards. If you wish to know more, get in contact here.

***

In the next TechnoLawgy post we will assess how to handle a databreach once it happens and how to evaluate whether it shall be notified to the Supervisory Authority. Meanwhile you may fancy a look here: DATA BREACH NOTIFICATION: NEW PROCEDURE ADOPTED IN ITALY also you can find the dedicated #databreach podcast here.

For more info drop me a line via Twitter – Fb or Telegram

If you think this information is valuable share it on your #SocialMedia, Be Influent!

Also don’t miss our Telegram channel @TechnoLawgy for the latest #Privacy and #LegalTech news!


Handling a DataBreach during Covid-19

WHY IS TALKING ABOUT DATA BREACHES RELEVANT DURING COVID-19?

Simple. Because data breaches happen every day. Therefore being able to handle a data breach, especially during the COVID-19 emergency, is crucial.

From 25 May 2018 to 31 March 2020, 2,368 breaches were notified to the Data Protection Supervisor, with a peak of 553 notifications between 30 September and 31 December 2019, followed in the latest period (i.e. from January to March) by 295 notifications. This does not mean, however, that this number actually corresponds to the number of data breaches suffered because, as we will see below, not all breaches must be notified.

In this post we will assess how to prevent a databreach.

The current cybersecurity scenario


The most recent report by Clusit (Italian Association for Information Security) shows that in 2019 alone about 1,670 cyber attacks occurred in Italy, a growth of 7.6% compared to 2018 and of 91.2% compared to 2014. This figure, however, refers only to real attacks, i.e. those that overcame all the defenses adopted by data controllers or data processors and therefore caused significant damage, without counting failed and/or blocked attempts. The report also highlights that the victims of cyber attacks belong to the most varied categories, from companies providing online or cloud services to telcos, from the retail sector to the chemical/pharmaceutical or banking sector. This shows that no company processing personal data is immune from this type of danger.

Risks during emergency periods


Today, moreover, there is a further reason to talk about data breaches: as we will see in more detail, the emergency situation we are experiencing prevents – at least at the moment – all workers from going to their offices, so that many of these workers are turning to the remote working mode, which involves significant risks.

HOW TO PREVENT A DATABREACH

First of all, it should be pointed out that most data breaches are caused either by the adoption of insufficient technical security measures or by plain human error. Therefore, one of the most effective ways of avoiding them is to adopt, as required by the legislation, security measures, both technical and organisational, that are appropriate.
Now, the concept of adequacy is certainly mutable, since – unlike in the past – the GDPR does not indicate minimum measures to be taken to ensure data security, but on the contrary, it requires the controller to make a case-by-case assessment of what is actually adequate, taking into account

  • the state of the art and the costs of implementing the measures it intends to adopt,
  • the nature, object, context and purposes of the processing,
  • risks to the rights and freedoms of natural persons.

Organizational measures

In this context, from an organisational point of view, an internal privacy compliance model is certainly essential. It is therefore necessary to identify the individuals who have a privacy role. In this context, it is very often assumed that the appointment of a Data Protection Officer is sufficient, but this is not the case. If the appointment of a DPO is necessary with respect to certain activities related to the data controller, this does not mean that the DPO should be called upon to ensure the privacy compliance of the data controller, as is often the case. On the contrary, the DPO acts as an advisor who oversees the controller’s activities, providing advice and suggestions, but the final decision is up to the controller, who must therefore be well aware of the risks arising from its choices.
This policy, depending on the circumstances, must identify the roles assigned to each person processing personal data and consequently the obligations and instructions applicable to them. In this context, fundamental precautions become both (i) ensuring that the procedures adopted are made known to the entire company population and (ii) that they are well understood also through training activities for employees and collaborators.

Technical measures for remote working


In addition to this, there are all the technical security measures that the controller must adopt; the GDPR, by way of example, refers to the pseudonymisation and encryption of personal data, but their suitability must again be assessed on the basis of the actual processing.

Many authorities and institutions, such as the Department of Public Administration, ENISA and the Irish Data Protection Supervisor, have provided suggestions and guidelines on practices to be followed to ensure IT security in remote working. From a technical point of view, the main solutions that the employer can use are:

  • the activation of a VPN connection, i.e. that “secure” communication channel between the remote device and the company, through which applications and company data can be accessed directly;
  • the setting up of a remote device management system, with which the company’s IT technicians can monitor and manage any problems, after assessing the privacy compatibility of these tools with the provisions of the Workers’ Statute;
  • the use of ACL (Access Control List) systems, particularly effective in limiting the risk of unauthorized access, dissemination, loss and destruction of data.

Training

In addition to technical measures, employee awareness and training are essential to stay up to date with the latest threats. In particular, adequate information about certain essential security concepts should be provided:

  • secure wifi connection; most wifi systems at home today are properly protected, but some older installations may not be. With an unsecured connection, people nearby can snoop around in network traffic;
  • updated security software and antivirus system; PC security tools such as privacy tools, browser add-ons, etc. need to be updated. Patch levels and system updates must be checked regularly;
  • regular backups; all important files must be backed up regularly. In the event of a computer attack, for example, the entire contents of a device could be lost without a backup.

In addition, employers can take action to optimize organizational management in case of incidents or risks, for example by providing a specific procedure to employees on how to react in case of problems and giving appropriate priority to support for remote access solutions, including through the establishment of special shifts for support staff.

***


EDPB letter on contact tracing App privacy issues

The European Data Protection Board has shared its view on contact tracing app privacy issues.

Following a request for consultation from the European Commission, the European Data Protection Board adopted a letter concerning the European Commission’s draft Guidance on apps supporting the fight against the COVID-19 pandemic. This Guidance on data protection and privacy implications complements the European Commission’s Recommendation on apps for contact tracing, published on 8 April and setting out the process towards a common EU toolbox for the use of technology and data to combat and exit from the COVID-19 crisis.

Key takeaways:

💡 no one-size-fits-all solution applies; envisaged technical solutions need to be examined in detail, on a case-by-case basis

💡 the EDPB believes that it is a step in the right direction to highlight the essential need to consult with data protection authorities

💡 the development of the apps should take into account Privacy by Design and Privacy by Default mechanisms, and the source code should be made publicly available for the widest possible scrutiny by the scientific community

💡 the EDPB strongly supports the Commission’s proposal for a voluntary adoption of such apps, a choice that should be made by individuals as a token of collective responsibility

💡 legal basis for the processing? The mere fact that the use of contact tracing takes place on a voluntary basis does not mean that the processing of personal data by public authorities must necessarily be based on consent; the enactment of national laws promoting the voluntary use of the app, without any negative consequence for the individuals not using it, could be a legal basis for the use of the apps; it appears that the most relevant legal basis for the processing is the necessity for the performance of a task in the public interest

💡 contact tracing apps do not require location tracking of individual users. Collecting an individual’s movements in the context of contact tracing apps would violate the principle of data minimisation. In addition, doing so would create major security and privacy risks

💡 the main function of such apps is to discover events (contacts with positive persons); such events can be stored both at local level (within the device of the user) and at centralized level; according to the EDPB the decentralised solution is more in line with the minimisation principle

💡 these apps are not social platforms for spreading social alarm or giving rise to any sort of stigmatisation. A mechanism should ensure that whenever a person is declared COVID-positive, the information entered in the app is correct, since this may trigger notifications to other people concerning the fact that they have been exposed

💡 once this crisis is over, such an emergency system should not remain in use, and as a general rule the collected data should be erased or anonymised.


Privacy: how to prepare for Brexit

Brexit could entail substantial changes in companies’ privacy compliance strategy, especially for those with offices in the United Kingdom or that exchange personal data with companies based in the U.K. On 18 February 2019 the Garante privacy announced that the European Data Protection Board (EDPB), in a recent information note, had clarified what consequences the United Kingdom’s exit from the EU without an agreement could have on such flows of personal data. It is now official: Brexit will take place on 31 March 2020, moreover without an agreement (the so-called “No Deal”). Let’s look at the main operational impacts for companies and how to prepare for the scenario of a Brexit without an agreement with the EU (“Hard Brexit”), also in light of the Garante’s suggestions. Continue reading


Facebook “free” claim sanctioned

Facebook is not free anymore (and has never been)

Half victory of #Facebook in Italy on the #privacy side: the Regional Administrative Court of Lazio (TAR) partially voided the Antitrust Authority’s decision which sanctioned the company for a total of 10 million euros.

> The Court has confirmed the 5 million sanction for unfair commercial practices regarding the false claim “it’s free and will always be”, which is no longer in place.

> However, the 5 million sanction relating to the sharing of data with third party sites and services has been dismissed.

According to the Court the Antitrust sanction “is unlawful because it lacks in the reconstruction of the functioning of the integration of the platforms and there is absence of sufficient evidence of a conduct capable of influencing consumer choice”.

This conduct is at the root of the Cambridge Analytica scandal; Cambridge Analytica was a Facebook partner company that used the data to influence electoral campaigns (including the 2016 US presidential election).

This decision is particularly interesting in light of the currently pending issue in front of the European Data Protection Board raised by the Italian Data Protection Authority: can personal data be exchanged for money?


Cyprus GDPR implementation: local peculiarities

The implementing Law and the interplay with GDPR

by Christiana Markou

Another EU country has adopted a GDPR implementation law: the Law on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data, Law 125(I)/2018 (“the Law”), was published in the Official Gazette of the Republic of Cyprus on 31 July 2018.

The purpose of the Law is the effective application (or implementation) of some of the provisions of the General Data Protection Regulation (GDPR). The Law responds to Recital 8 of the GDPR, which allows Member States to implement elements of the Regulation into their national law and to provisions in the GDPR allowing or obligating Member States to expand upon, adapt or deviate from the rules of the Regulation. It only comprises thirty-seven (37) provisions and must be read together with the Regulation, which remains the main piece of legislation governing data protection in Cyprus.

Key features and peculiarities of the Law

Data Processing by Courts & judgements databases

There are a few provisions in the Law that deserve to be highlighted. One of them is Section 5(a), which specifically renders the data processing performed by courts in the exercise of their duties for the purposes of the administration of justice (including the processing necessary for the issuance and publication of their judgements) permissible and lawful. This however does not cover the processing inherent in the operation of databases of judgements by private parties who offer a service to lawyers or the public at large. These entities must ensure that the processing they perform can come under one of the lawful bases of processing listed in Article 6(1), GDPR.

Minors’ lawful consent

Additionally, the Law, through Section 8(1), takes a rather liberal approach in relation to children deeming them as capable of offering valid consent at a younger age than the one specified by the GDPR, which is 16 years. Notably, the chosen age of 14 years in the Law coincides with the age over which children can be criminally liable in Cyprus as per Section 14 of the Cyprus Criminal Code, Cap. 154.

Biometric data processing

Another provision of the Law, namely Section 9(1), explicitly introduces a prohibition on the processing of genetic and biometric data for the purpose of health and life insurance and also clarifies that when the processing of such data is based on consent, separate consent must be secured for any further processing. This reflects the Cypriot legislator’s view that genetic and biometric data are of increased sensitivity. Notably, the Insurance Association of Cyprus had suggested the inclusion in the Law of another derogation from the prohibition of Article 9(1) GDPR, specifically one permitting the processing of special categories of personal data for the purposes of the conclusion and performance of insurance contracts. The suggestion has not been taken up by the Cypriot legislator, and it seems that the GDPR places significant restrictions: insurance companies have to secure the explicit consent of data subjects in order to process health data concerning them (despite the fact that such processing is strictly necessary for the conclusion and performance of the insurance contract requested by the data subject). Explicit consent entails a significant administrative burden, which insurance companies would prefer to avoid. Most certainly, the GDPR is open to an interpretation that achieves a fair balance between the interests of insurance companies and sufficient data protection, yet this requires the co-operation of all relevant stakeholders.

Data transfers outside EU

Section 17(1) is another notable provision. It introduces an obligation for controllers and processors to inform the Commissioner about their intention to transfer special categories of data (such as health data) to third countries (outside the EU) in certain cases. This is important for organisations or businesses in the medical sector which often send blood (or other) samples outside the EU for testing. When the country to which the data is exported is not one for which the European Commission has issued an adequacy decision based on Article 45, GDPR, the Cyprus Commissioner will have to be informed prior to each such transfer. This entails a considerable administrative burden, which can be avoided, amongst other ways, by not exporting the health data or by anonymising it.

GDPR 1st year implementation report: how is it going?

It is noteworthy that the Cyprus Data Protection Commissioner (“the Commissioner”) has recently published certain statistics on the application of the GDPR during the first year of its life.

According to those statistics, the Commissioner has received 464 complaints (146 of which concerned unsolicited commercial communications) and 55 data breach notifications. The authority has issued 20 decisions, nine of which imposed fines totalling nearly €37,000. Furthermore, the Commissioner conducted nine investigations on its own initiative.

These numbers reflect Cyprus’ status as a small Member State of the EU; in other Member States there have been many more enforcement actions, some of which have led to multi-million fines.

This post is part of the TechnoLawgy Guest Post series and has been written by the brilliant Christiana Markou, Practising lawyer & Assistant Professor at the European University Cyprus School of Law. For a more in-depth report on Cyprus GDPR implementation click here.

If you are interested in sharing your expertise with TechnoLawgy international readers, hit the Contact button above.


Data breach notification: new procedure adopted in Italy

New procedure, new burdens and obligations

With decision no. 157 of July 30, 2019, the Italian Data Protection Authority (Garante) has introduced a new official model containing the minimum information required to perform a notification of a personal data breach pursuant to art. 33 of the GDPR. In the past, the Garante had already introduced specific methods and requirements for notifying a data breach in various sectors; with the new decision, the Authority has introduced standardized terms, contents and methods of notification, adding a number of burdens for the notifying entity.

What to include in the notification

The GDPR provides that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Likewise, the data processor who becomes aware of a possible violation is obliged to promptly inform the controller so that remediation actions can be performed (Articles 33 and 55 of the GDPR, Art. 2-bis of the Italian Privacy Code).
As a result of the aforementioned Garante’s decision nr. 157, the level of detail of a data breach notification has increased significantly, probably also in order to allow the controller to assess in a responsible manner the actual need to communicate, or not, the same violation also to the natural persons concerned, in accordance with the provisions of Article 34 of the GDPR.

Let’s see how the notification of data breach changes.
In order to perform the notification the data controller shall download the form available on the website of the Garante and fill in the following sections:

  • A. Data of the subject who makes the notification, entering the personal and contact details of the person who actually makes the notification (if appointed, this is the DPO of the controller);
  • B. Data relating to the data controller, meaning the identification data of the controller (full name of the company, fiscal code, address, …), the contact details of the subject to be contacted for information, such as the DPO or the internal legal counsel (where a DPO has been appointed, the protocol number communicated by the Garante after the DPO online registration shall be inserted) and the references of other subjects involved, with an indication of the role played in the breach (co-controller or processor, representative of a controller not established in the EU);
  • C. Summary information on the violation; this is one of the most critical sections, as it will be necessary to indicate detailed information relating to the violation, including: the exact date on which it occurred, the time and manner in which the controller became aware of it, the reasons for the delay in case of notification beyond 72 hours (if applicable), the nature and cause of the data breach and the categories of personal data and individuals affected, with an indication of their volumes;
  • D. Detailed information on the violation; in addition to the previous section, in this one details of the violation must be given, describing in particular the incident underlying the violation, the categories of data violated, the information systems and infrastructures involved in the incident, with an indication of their location and of the technical and organizational security measures adopted;
  • E. Possible consequences and seriousness of the violation; this is a section that requires a prognostic effort by the controller, who will be required to identify the possible impacts of the violation based on its nature and the potential negative effects for those concerned; it will also be necessary to make a reasoned estimate of the likely seriousness of the data breach;
  • F. Measures taken as a result of the breach, in which all technical and organisational countermeasures adopted to limit the impact of the breach and to prevent future incidents shall be reported;
  • G. Communication to the data subjects; in this section it will be necessary to specify whether or not the violation has been communicated to data subjects in accordance with Article 34 of the GDPR, and in the event of non-communication it will be necessary to clarify the reasons for such decision;
  • H. Other information; this is a closing section in which details about the cross-border impact of the data breach and any reports already made to other authorities can be entered.

If the data controller is not in possession of all the information required by the form, a partial notification can be performed, initiating the process even in the absence of a complete picture of the violation, subject to a subsequent supplementary notification.

How to send the notification

The notification form, once completed with the required information, must be sent to the Garante by e-mail at “protocollo@pec.gpdp.it” and must be digitally signed (with qualified electronic signature/digital signature) or with handwritten signature. In the latter case, the notification must be submitted together with a copy of the signatory’s identity document.
The notification should not include personal data concerning the subjects affected by the breach. Furthermore, the subject of the message must contain the words “NOTIFICATION OF VIOLATION OF PERSONAL DATA” and, optionally, the name of the data controller.

Next steps

The new notification form requires the controller to collect a large amount of information relating to the breach. In order to be able to perform the notification, the controller must therefore ensure that it has implemented appropriate organizational procedures – both internal and external, aimed at the data processors – that enable the controller to promptly obtain all the information necessary to complete the notification.
The notification procedure must be supported by keeping the so-called “data breach record”: a document with the dual function of allowing the controller to easily monitor and control all the personal data breaches that have occurred, and of allowing the supervisory authority to verify compliance with the obligation of timely notification.
This register should be prepared in line with the requirements of the notification form to collect all information necessary to adequately document any personal data breach, including the circumstances surrounding it, its consequences and the remediation steps undertaken.

The data breach scenario in Europe and Italy

The phenomenon of data breaches is constantly increasing in Europe. The European Data Protection Board has published a report on the state of implementation of the GDPR 9 months after its full applicability, which notes that the supervisory authorities in Europe have recorded about 64,684 notifications of data breaches, and it is reasonable to assume that since the publication of the report to date this figure has grown further. In this respect according to the World Economic Forum cyber attacks are the greatest threat to companies operating in Europe. In recent years, Europe has been the scene of a long series of major cyber attacks, the number of which increased by about a third in the first quarter of 2018, compared to the same period last year.
These estimates are confirmed by the report presented by the European Union Agency for Network and Information Security (ENISA), according to which the number of cyber attacks has increased significantly and their seriousness has increased exponentially. In the first half of 2018, around 4,500 million records were compromised due to data breaches, a big increase compared to 2017, when “only” 2.7 million records were breached in the same period.
As for Italy, according to the most recent estimates available, up to June 30, 2019 the Garante had recorded 1,254 confirmed data breach notifications, an increase of about 31% compared to the violations recorded up to March.

For more info drop me a line via Twitter –  Fb or Telegram  

If you think this information is valuable, repay my effort and share it on your #SocialMedia, Be Influent! 

Also don’t miss my Telegram channel @TechnoLawgy for the latest #Privacy and #LegalTech news!


Cookiebot: what changes after Planet 49 decision?

Cookies are a tricky topic for web professionals. Essential to the sites that use them, annoying to the consumers who agree to them, and misunderstood by plenty of people on both sides. The GDPR has indirectly imposed higher standards for cookie usage – in particular what constitutes valid consent and transparency.

The Court of Justice of the European Union (CJEU) has issued a landmark decision in the Planet49 case, an important case on the rules applicable to cookies. This decision may affect your Cookiebot settings and your cookie policy, so it is time to find out how Cookiebot settings change after the “cookie decision”.

The case

Planet49, an online gaming company registered in Germany, hosted a lottery on its website. In order to participate in the lottery, users were required to enter their name and address. Beneath the input fields for the address were two checkboxes.

The first checkbox was not pre-ticked, and it was meant for the participant to consent to being contacted by certain sponsors about their commercial offers. The second checkbox was pre-ticked, and it was meant for the participant to consent to cookies being placed on his or her device for the purpose of serving targeted ads to the participant.

According to the rules of the lottery, participation was only possible if the participant ticked at least the first checkbox. This approach was claimed to infringe the EU rules on informed and freely given consent. The case reached Germany’s Federal Court of Justice, which referred it to the CJEU.

Key takeaways from the recent CJEU decision on cookies

🔹️The EU Court of Justice confirmed today in its decision on the Planet49 case that the placing of cookies requires active consent of the internet user.

🔹️Active consent is not validly given by way of a pre-checked checkbox which the user must de-select in order to refuse consent.

🔹️Consent must be specific. The fact that a user selects the button to participate in a promotional online lottery is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.

🔹️It doesn’t matter if the information stored or accessed on the user’s equipment is personal data. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.

🔹️The user must be informed about the duration of the operation of cookies and whether or not third parties may have access to those cookies (this may impact your cookie policy).

🔹️Interestingly, the Court was not asked – and so did not rule on – whether a data subject can be required to consent to processing of personal data for advertising purposes in order to participate in a promotional lottery. That leaves a big open question with significant implications for ad-funded content.

How Cookiebot settings change after “cookie decision“⁉️

If your Cookiebot has every cookie category (analytics, profiling, etc.) pre-checked, you should consider changing your settings. According to the Court only technical cookies are considered necessary and can be pre-activated. However, the different Data Protection Authorities across Europe have different interpretations of what constitutes a technical cookie and when consent is required. Furthermore, the ePrivacy Regulation is coming and may change the scenario again. Meanwhile the ICO (the U.K. Data Protection Authority) recently issued guidance on a GDPR-compliant cookie strategy. Grab it on the TechnoLawgy channel on Telegram.
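The following consent gate is an added example written for this post; it is not Cookiebot’s own code or API. It turns the Court’s three points into code: only the necessary category is active by default, a category counts as consented only if the user actively ticked it (a pre-ticked box is rejected), and every cookie in the declaration carries the duration and third-party access the user must be told about. The category names, the sample cookie declaration and the vendor hostnames are constructed assumptions.

```javascript
// Added example, not Cookiebot's code. Categories and declaration are assumptions.
const NECESSARY = "necessary";
const OPTIONAL_CATEGORIES = ["preferences", "statistics", "marketing"];

// Constructed sample declaration. Each entry records what the CJEU says the
// user must be told: how long the cookie lives and who else can read it.
const COOKIE_DECLARATION = [
  { name: "sid", category: NECESSARY, maxAgeDays: 0, thirdParty: null,
    purpose: "keeps the lottery entry form session" },
  { name: "_stats", category: "statistics", maxAgeDays: 730,
    thirdParty: "analytics-vendor.example", purpose: "page view statistics" },
  { name: "ad_uid", category: "marketing", maxAgeDays: 365,
    thirdParty: "ad-network.example", purpose: "targeted advertising identifier" },
];

// Banner default: only the necessary category is on; every optional category
// starts unticked, so the user has to opt in with an affirmative act.
function defaultConsent() {
  const state = { [NECESSARY]: true };
  for (const c of OPTIONAL_CATEGORIES) state[c] = false;
  return state;
}

// Build the consent record from the boxes the user actually ticked.
// `preTicked` lists categories the form rendered as already checked; a box the
// user merely failed to untick is not a choice, so those are never counted.
function consentFromForm(ticked, preTicked = []) {
  const consent = defaultConsent();
  for (const c of ticked) {
    if (!OPTIONAL_CATEGORIES.includes(c)) continue; // unknown or necessary: ignore
    if (preTicked.includes(c)) continue;            // pre-checked box: not valid consent
    consent[c] = true;
  }
  return consent;
}

// Cookies that may be written under a given consent record.
function allowedCookies(consent, declaration = COOKIE_DECLARATION) {
  return declaration.filter(
    (c) => c.category === NECESSARY || consent[c.category] === true,
  );
}

// One line of cookie-policy text per cookie: purpose, duration, third parties.
function describeCookie(c) {
  const duration = c.maxAgeDays > 0 ? `${c.maxAgeDays} days` : "session";
  const access = c.thirdParty ? `shared with ${c.thirdParty}` : "first party only";
  return `${c.name} (${c.category}): ${c.purpose}; duration ${duration}; ${access}`;
}

// Cookie writer that refuses anything the consent record does not cover.
// `doc` is the document (or any object with a `cookie` property, for testing).
function setCookieIfAllowed(doc, cookie, value, consent) {
  if (!allowedCookies(consent).some((c) => c.name === cookie.name)) return false;
  const maxAge = cookie.maxAgeDays > 0 ? `; Max-Age=${cookie.maxAgeDays * 86400}` : "";
  doc.cookie = `${cookie.name}=${encodeURIComponent(value)}${maxAge}; Path=/; Secure; SameSite=Lax`;
  return true;
}

// Usage: render the banner from defaultConsent(), build the record with
// consentFromForm(tickedCategories), then route every cookie write through
// setCookieIfAllowed(document, cookie, value, consent).
```

The point of the `preTicked` parameter is that the form state alone cannot prove consent: if the page rendered the marketing box already checked and the user clicked “participate” without touching it, the record still says `marketing: false`, and the `ad_uid` cookie is never written.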

📹First GDPR fine in Sweden: facial recognition at school📹

Facial Recognition under GDPR

For the first time the Swedish Data Protection Authority, Datainspektionen, has issued a fine for violation of the rules introduced by the General Data Protection Regulation (GDPR), against a school that implemented a facial recognition system to monitor students’ attendance in class.

The GDPR, supplemented at national level by the Swedish Data Protection Act (2018:218), introduces special safeguards and obligations for data controllers who process biometric data, such as the data used for facial recognition, including for example the obligation to carry out a Data Protection Impact Assessment and to appoint a Data Protection Officer (Articles 35 and 37).

The sanction

According to the DPA website, a high school in Skellefteå used a facial recognition system to monitor students’ attendance at lessons. The trial ran for three weeks and affected 22 students. The Datainspektionen examined the use of the system and concluded that the High School Board in Skellefteå had processed sensitive personal data in violation of the GDPR (see art. 9 of the Regulation), and it was fined 200,000 SEK (approximately 20,000 EUR). The fine is moderate because Skellefteå is a public entity and because it was only a limited trial. The maximum fine for public entities in Sweden is 10,000,000 SEK.

In its decision, the DPA finds that facial recognition meant camera surveillance of the students in their everyday environment, which was an intrusion on their privacy, and that attendance control could have been done in other, less intrusive, ways.

The high school board stated that it had obtained the students’ consent to use face recognition for attendance control. However, as explained by Ranja Bunni, a lawyer at the DPA who participated in the review, the high school board cannot rely on consent in this case, because the students are in a position of dependence on the board, and therefore the consent cannot be deemed valid under the GDPR.

Conclusion

This fine confirms the EU-wide trend among Data Protection Authorities of scrutinising biometric data processing, so here is my advice:

  1. prior to implementing a facial recognition system, all the available alternatives shall be considered, adopting a privacy by design and privacy by default approach;
  2. if no alternatives are viable, the data processing shall respect the data minimization principle, collecting as little data as possible and retaining it only for the period strictly necessary to pursue the purpose;
  3. when processing biometric data, enhanced security measures shall be adopted to guarantee the safety and protection of such sensitive information;
  4. prior to seeking data subjects’ consent, you shall consider whether consent is a valid legal basis for processing at all in the specific circumstances.

🛫New Drones Law in Europe🛫

On 1 July 2019 the set of specific European rules for Unmanned Aircraft Systems (UAS), commonly referred to as drones, came into force. These rules set out the general principles for ensuring safety, protecting privacy and safeguarding the environment. Let’s see what the main changes are for manufacturers and users.

1. Why a new regulation?

Commission Delegated Regulation (EU) 2019/945 & Commission Implementing Regulation (EU) 2019/947, have been published to ensure drone operations across Europe are safe and secure.

The common rules will help drone operators, whether professional or recreational, to have a clear understanding of what is allowed or not. At the same time it enables them to operate across borders. Once drone operators have received an authorisation in the state of registration, they are allowed to freely circulate in the European Union. This means that they can operate their drones seamlessly when travelling across the EU or when developing a business involving drones around Europe.

In recent years there has been an exponential development of drones with reference to both the technology available and the possibilities of use. Initially exploited in the military field, today drones are within everyone’s reach, and are increasingly used for recreation and leisure time.

But it is in the commercial field that we find the greatest variety of purposes for which a drone can be used: filming on movie sets, outdoor light shows (as an alternative to traditional fireworks), search and rescue operations, crop watering, window cleaning at height and rapid delivery are just some of the activities that currently involve drones in different countries of the world, and thanks to the versatility of these machines the development of new models and areas of application proceeds rapidly.

In England, for example, researchers are developing drones capable of independently inspecting and repairing potholes in the streets. And in the near future drones will certainly be used for public transport, as shown by the “Urban Air Mobility” project supported by the European Union, which is encouraging private initiatives for the creation of “flying taxis” and already has Audi and Airbus as partners.

In fact, according to the European Commission, the drone industry could create about 150,000 jobs in the EU by 2050.

In this scenario, a significant number of national aviation authorities started issuing new aviation safety standards to regulate the use of drones in their national airspace. However, to ensure legal certainty and consistency across the EU, and in the design of a “Single European Sky”, on 7 December 2015 the European Commission proposed a revision of the EU legislative framework to be ready for the challenges beyond 2020. The result of this proposal was Regulation (EU) 2018/1139, thanks to which the European Union can regulate the civil operations of all types of drones, gradually replacing the national regulations on civil operations of drones weighing less than 150 kg.

Recital 26 of the Regulation expressly states that, since drones use the same airspace as manned aircraft and are equipped with technologies that make a wide range of operations possible today, they must be subject to the same general rules on civil aviation regardless of their mass.

2. What do the new rules say? Privacy and environmental protection obligations

Regulation (EU) 2018/1139 sets out the general principles for ensuring security, protecting privacy and safeguarding the environment.

These rules are proportionate and risk-based, designed to reduce constraints and encourage innovation. For example, sport and recreational aviation, including so-called model aircraft (recreational drones), is subject to simplified procedures compared to those applicable to commercial air transport. On the other hand, operations with high-risk drones are more burdensome for operators.

To ensure safety, the Regulation states that all drones must be controllable and manoeuvrable in total safety and never put people at risk. For example, drones must be equipped with collision avoidance systems.

In addition, all drones should be designed taking into account a privacy by design and by default approach. The risks to privacy and data protection are essentially related to the availability on the UAS of cameras or other sensors that are able to record personal information. As pointed out by the Article 29 Working Party (now known as the European Data Protection Board), the risks are increased by the lack of transparency, due to the difficulty of being able to see the drones from the ground and to know for what purposes the images are taken and especially by whom.

Therefore, to protect privacy and, more generally, to make it possible to identify offences and violations, the Regulation provides that drone pilots must be registered in national registers and drones must be registered in easily accessible electronic databases.

To guarantee the protection of the environment, new limits are placed on the noise and emissions generated, as in the case of any other aircraft.

Finally, the Regulation extends the mandate of EASA (the European Union Aviation Safety Agency, as the former European Aviation Safety Agency is named under Regulation (EU) 2018/1139), giving it new powers of inspection, coordination with national authorities, certification tasks and implementing powers, to strengthen the development of the so-called “Single European Sky”, which now also covers drones of all sizes. EASA will also play an important role in cybersecurity.

This post is co-authored by my brilliant colleague Ludovica Mosci who is an outstanding expert of drones regulation. 

