The niner noteworthy and the 12 recaps of 2016 (day 10)

Except for one article, all others deal with data protection and privacy laws related to the European Union. Not too surprising, as the General Data Protection Regulation and the EU/US Privacy Shield have been dominating the privacy news over the last year.
Apart from those major topics I will be looking at how Florida is handling data from citizens with a driver's license, as well as what the Donald may have in store for cross-Atlantic data transfers.
Besides this, there are already some pointers to the semi-final instalment of this series, which will focus on online surveillance.

In chronological order:

Is Ireland ready to police the data world?


Whilst Ireland is strengthening its institutions to cope with becoming the data policeman of the world, the big Internet companies are probably already thinking of moving their headquarters away if Ireland indeed becomes more stringent than the proposed directive may set as minimum requirements coming May this year.
Besides the fact that this is a directive and not a regulation, which means it will take up to three years after the EU institutions are done writing and discussing it before it has to be implemented into national laws by the member states, which will have the freedom to some extent to give their own spin on the matter. Besides the difficulties for Ireland as the data policeman, implementations may vastly differ across the EU member states, as we have seen happen over the last 20 years with the data protection directive as well as the e-privacy directive. And even the General Data Protection Regulation will have its differences across the member states, although less so than its predecessor obviously.
We indeed live in interesting times, but it remains to be seen how much power the Irish institutions will really have to become an effective policing force on the protection of our data.
source: Silicon Republic (external link)

Privacy Shield challenged by Irish privacy advocates


I can’t but agree. Although the new framework certainly has its improvements over the older Safe Harbor agreement, there are enough holes (exceptions) in the agreement for the US government to be able to continue its mass surveillance of EU citizens to warrant a good look by the same European court that struck down its predecessor in October 2015.
The route taken to get rid of the Privacy Shield, however, is somewhat of a surprise it seems. Although this same group should not be underestimated, as they were responsible for getting the data retention directive annulled as well.
This will take time and I’m sure I will have more on this topic later in 2017.
source: ITProPortal (external link)
and Ars Technica (external link)

German and Czech governments seek to join Privacy Shield case

Interestingly enough, the German government is joining this legal battle on the side of the European Union; the Czech government is joining in as well, but the article isn’t as clear on their position in the matter.
As one of the member states with the most stringent implementation of the data protection directive (95/46/EC) it is somewhat surprising that Germany is taking a different point of view in this, which if you look at recent cases on data breaches and privacy issues may even be contrary to the views of Germany’s own data protection agencies.
source: The Irish Times (external link)

The GDPR will set the benchmark for global privacy contracting – and here’s why


A most positive view in this article on the world wanting to become compliant and on data processors' willingness to implement their new responsibilities to attract business. But does the author really expect big players like Google, Salesforce and Microsoft to adopt these rules, or are they simply going to push back on them because they are already Privacy Shield compliant, so they don’t have to comply with the GDPR’s article 28 as well?
Let’s hope the article’s author is correct in making this assumption; it certainly would make the world a safer place for our personal data.
source: Fieldfisher (external link)

How the ICO will be supporting the implementation of the GDPR


Those who may have expected the UK not to implement the General Data Protection Regulation (GDPR) because, after all, it is EU law which the Brexiteers want to do away with sooner rather than later, are forgetting one major point: the GDPR as well as the current data protection directive are in principle based on the European Charter of Human Rights (ECHR) article 8.
As it is not expected that the UK will let go of this charter as well as its EU membership, the basic principles for data protection in a post-Brexit UK will be very similar to those for the remaining EU bloc.
Besides that, any company that wants to do business with the EU needs to be compliant with the GDPR anyway. That is, if and when a trade agreement is formalised between the divorcing parties.
On a side note: the figure presented by a UK senior diplomat of that taking up to 10 years isn’t that far-fetched. You only have to look at the timeframe of negotiations for the TTIP and CETA agreements (the former of which probably will not be signed at all) to know that dealing with the EU bloc is time consuming.
source: ICO Blog (external link)

Florida May Be Breaking Law In Selling Personal Info To Companies


And there I thought that the government, whichever level you are dealing with, is there to protect you as a citizen and not profit from the mandatory relationship you have with that particular branch of government. Apparently that does not hold true for personal data in the US state of Florida if the data being sold is used for statistical purposes.
Still, I am glad I’m not living in the Sunshine State, which in my opinion is getting a bit overcast on protecting its citizens’ privacy.
source: CBS Miami (external link)

CNIL just published the results of their GDPR public consultation: what’s in store for DPOs and data portability?


Whereas the French data protection agency is clearly waiting for the Article 29 Working Party to come up with guidelines on the mandatory data protection officer, a German DPA has already fined a company for a conflict of interest with their DPO (see below). This is because of the difference in laws between the two countries, which the GDPR hopes to get rid of. Still, the fact that there are more questions than answers posted on this topic in the public consultation says enough.
As for data portability, there is a clear distinction between companies wanting to limit this as much as possible for competition and lock-in reasons, whilst social groups want people to be able to take their data into their own hands. As for the latter, if data portability is going to be a meaningful tool then the dataset needs to be complete and accurate; a summary is not enough for true portability.
Data protection impact assessments can become an extremely interesting tool to see if companies and governments really looked at the privacy impact on the data subjects. As for applicability to behavioural advertising and profiling, I would hope it applies, because if it does it would become extremely interesting to see how big social media and advertising firms are going to handle this obligation. As for the suggestion to use an ISO standard for this, I have my reservations, as these standards are often too general and often need to be translated into useful implementations. As such it will not become a one-size-fits-all, which would make it unsuitable for this purpose.
And finally the part on certification, on which I agree it must be done at the European level, and only if it isn’t done there can local parties issue certifications. The data protection agencies could be involved in this as well; they are in the end also the parties involved in enforcing the GDPR anyway. What the report and respondents mean by differentiating between data protection and data security I don’t understand, as to me these are one and the same thing. As for revocation, a European register would be helpful, where in case of non-compliance the company can be removed, together with a mandatory order to remove any certification notices or certification logos from their website or other materials.
What is interesting in general is that apparently each member state is holding its own consultations on how to implement the GDPR. Where it was hoped the implementation would be uniformly applicable across the European Union, it seems there may be more differences across the member states than was envisioned.
source: pdpEcho part one (external link) and pdpEcho part two (external link)

Germany: Data Protection Officer must not have a conflict of interests


Let this incident be an example for all companies and branches of government that need to appoint a data protection officer (DPO) under the GDPR. Your DPO is effectively an extension of the data protection agency and as such must have an independent position, have the required privacy law knowledge and must be reliable. The fines for non-compliance are significant.
In a job posting I spotted just before Christmas I read a similar issue with a DPO role combined with that of the chief information security officer; this job posting was for two municipalities in the Amsterdam area. I would advise them to reconsider their job offering and heed the warning in this example.
source: Global Compliance News (external link)

EU to Closely Monitor Trump on Data Transfer Compliance


It indeed remains to be seen what happens under a Trump presidency with the Privacy Shield promises by the US government. Although there are certain exceptions in the agreement that, if used correctly, may still allow for massive surveillance practices to continue.
So what will destroy the Privacy Shield first: the Trump administration or the European Court of Justice? The next two years will hold the answer for sure, I suspect.
source: The Bureau of National Affairs (external link)

Critics: Germany’s GDPR implementation riddled with holes, illegalities


After the Christmas market attack in Berlin last month, at least the call for more video surveillance will only grow in strength. Apart from that, the fact that in particular Germany is moving to an implementation of the General Data Protection Regulation that is significantly weakening privacy laws in the country, as opposed to the very strict current state of affairs, is quite unexpected.
If this however would become a template for GDPR implementations in the other member states as well, it would become worrying. Considering the overall move towards less privacy and more security, a trade-off which in my opinion doesn’t even exist, the near future is not very hopeful.
As Germany is considering more advanced surveillance laws, the move in the draft implementation law for the GDPR is well in line with the government's vision. It would be interesting to see what the implementation will be like in the UK, considering its own Investigatory Powers Bill (aka Snoopers' Charter).
source: The Privacy Advisor, IAPP (external link)

Other articles in this series