Data Protection - Spring 2022

A quarterly update, this time with many academic articles, around the publication of further European digital policies.

🇪🇺 European developments

EC 🇪🇺 and US 🇺🇸 reach political agreement in principle on a new Trans-Atlantic Data Privacy Framework

EDPB 🇪🇺 adopted a statement welcoming the effort, noting that "the commitment of the U.S. highest authorities to establish ‘unprecedented’ measures to protect the privacy and personal data of individuals in the European Economic Area (EEA individuals) when their data are transferred to the U.S. is a positive first step in the right direction". We will know more by the end of the year.

EU 🇪🇺 reaches political agreement on Digital Services Act and the Digital Markets Act

The Digital Services Act ("DSA") establishes accountability standards for online platforms regarding illegal and harmful content. The Digital Markets Act ("DMA") was put forth by the European Commission in 2020 to regulate “contestable and fair markets” in the digital sector. The DMA imposes a set of obligations on “gatekeeper” platforms.

EDPB 🇪🇺 publishes Guidelines on Dark patterns in social media platform interfaces and on the Calculation of Administrative Fines Under the GDPR

Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them | European Data Protection Board
Guidelines 04/2022 on the calculation of administrative fines under the GDPR | European Data Protection Board

Commission 🇪🇺 'seeking to end encrypted communications'

After the EU’s executive body unveiled a proposal for strict rules on messaging apps, intended to fight the spread of child sexual abuse imagery, critics warn of an attack on privacy.

Council of Europe 🇪🇺 follows suit with own SCC requirement in Convention 108+

Additional protocol to Convention 108 regarding supervisory authorities and transborder data flows (ETS No. 181)

Convention 108 and Protocols
The Convention opened for signature on 28 January 1981 and was the first legally binding international instrument in the data protection field.

EDPS 🇪🇺 opinion on the Proposal for a Regulation on automated exchange for police cooperation ("Prüm II")

While the EDPS understands the need for the law enforcement authorities to benefit from the best possible legal and technical tools to detect, investigate and prevent crimes, he notes that the proposed new Prüm framework does not clearly lay down essential elements of the exchange of data, such as the types of crimes, which may justify a query, and is not sufficiently clear about the scope of data subjects affected by the automatic exchange of data, e.g. whether the databases, subject to a query, contain data only of suspects and/or convicted persons, or also data of other data subjects, such as victims or witnesses.
The EDPS considers in particular that the automated searching of DNA profiles and facial images should be possible only in the context of individual investigations into serious crimes, instead of any criminal offence, as provided for in the Proposal.

Case law

European Court of Justice 🇪🇺: Consumer protection associations may bring representative actions against infringements of data protection law

A consumer protection association may bring a representative action against the alleged perpetrator of an infringement of the protection of personal data. To bring such a claim, a specific infringement of the right of an identified data subject to the protection of his or her personal data need not be shown, and the action may be brought irrespective of whether a data subject has mandated it. That is the answer given by the CJEU to questions referred by a German court in C-319/20 Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände. Note that the case concerns infringements of the GDPR generally (here, Article 80(2) GDPR), not a "personal data breach" in the narrower sense of Article 4(12) GDPR.

Conseil d'État 🇧🇪 suspends award of public contract to US contractor with Russian sub-processor over unclear GDPR compliance

The Belgian Council of State "suspended a decision to choose a US contractor in the context of a public procurement procedure on the ground that the public authority did not sufficiently examine whether the contractor was compliant with the requirements of the GDPR, in particular the provisions on transfers and the further processing by another company, Smart Analytics, based in Russia."

Council of State - 253.677

The CJEU 🇪🇺 clarifies the Judicial Capacity Exemption in the GDPR

The CJEU ruled on the scope of the judicial capacity exemption from SA supervision in C-245/20 X and Z v Autoriteit Persoonsgegevens. The referring court asked the CJEU to clarify the notion of courts ‘acting in their judicial capacity’ and the corresponding restriction on SA competence over courts (Article 55(3) GDPR). The Court concluded that a court's temporary disclosure of procedural documents to a journalist, so that the press can report on a hearing, falls within its judicial capacity, since supervision by the SA of the legality of that disclosure would be likely to interfere with judicial independence. The exemption in Article 55(3) GDPR therefore applies.

German court 🇩🇪 rules: CEO to be held personally liable for data privacy violations

According to Freshfields, a German court recently held a CEO personally liable for a data protection violation after they hired a private detective to investigate possible criminal acts by the plaintiff; the court classified the CEO themselves as a controller. Given the potential exposure, the case raises a number of issues for companies and their boards to consider.

Supervisory Authorities

Autoriteit Persoonsgegevens 🇳🇱 fines Dutch Tax Authority EUR 3.7m for blacklisting

The Dutch SA imposed a fine of EUR 3.7 million on the Tax and Customs Administration (Belastingdienst), the SA's highest fine to date, for years of unlawful processing of personal data in the Fraud Notification Facility (Fraude Signalering Voorziening, FSV). The FSV was a blacklist on which the Tax and Customs Administration recorded indications of fraud, often with major consequences for people who were wrongly on it.

For one, the Tax and Customs Administration had no legal basis for processing the personal data on the list; without a lawful basis under the GDPR (AVG), the processing of personal data is prohibited.

The personal data were also often inaccurate, so that people were wrongly recorded as possible fraudsters. Furthermore, the security of the list was inadequate, and the Tax and Customs Administration's internal privacy supervisor (its data protection officer) was not involved in the design of the list in time.
Fine for the Tax and Customs Administration over the FSV blacklist (Boete Belastingdienst voor zwarte lijst FSV)

Autoriteit Persoonsgegevens 🇳🇱 fines Dutch Ministry of Foreign Affairs EUR 565k for poor security of visa applications

The Dutch SA imposed the fine because, in its assessment, the ministry had for years violated the GDPR on a large scale and in a serious manner when processing visa applications, in particular by failing to secure the applicants' data properly.

Fine for Foreign Affairs over poor security of visa applications (Boete voor Buitenlandse Zaken voor slechte beveiliging visumaanvragen)

APD/GBA 🇧🇪 fines Roularta for cookies on news sites

The fine mainly concerns the way consent for placing cookies on the user's device was obtained, which did not meet all the conditions of the GDPR. The two websites violated the GDPR in three ways. First, the sites placed cookies before visitors could give their consent: 66 cookies (48 of them from third parties) and 60 cookies (44 from third parties) respectively, of which the SA regarded only two as 'strictly necessary'. Second, both websites placed statistical cookies without valid consent, because the consent boxes were pre-ticked, a practice the CJEU had already held not to constitute valid consent in Planet49 (C-673/17). Third, visitors were not properly informed about the cookies being placed, including the purposes of the third parties.

Investigation "cookies on news sites": Roularta fined (Onderzoek “cookies op perssites”: Roularta beboet) | Gegevensbeschermingsautoriteit

DPC 🇮🇪 fines Meta Platforms (formerly Facebook) EUR 17m for data breaches

The Irish SA found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR. While the DPC found that the information and supporting documentary evidence provided by Meta Platforms during the inquiry could be considered analogous to industry best practice and the state of the art, Meta Platforms failed to have in place appropriate technical and organisational measures that would enable it to readily demonstrate the security measures it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches. The finding thus turns on accountability (Article 5(2) GDPR): not the security measures as such, but the inability to readily demonstrate them.

Irish SA fines Meta Platforms (formerly Facebook) €17M for data breaches | European Data Protection Board

CNIL 🇫🇷 publishes Questions and answers on its formal notices concerning the use of Google Analytics

All data controllers using Google Analytics in a similar way to these organisations must consider this use as illegal under the GDPR.
The CNIL's decision is not the first at European level: one month before the CNIL, the Austrian data protection authority (DSB) issued a first decision in January 2022 along the same lines.

Separately, the CNIL informed David Libeau that it considers Google's CAPTCHA to "also allow analysis operations by Google" and that "the collection of information would not be for the sole purpose of securing the site".

Questions and answers on the CNIL's formal notices concerning the use of Google Analytics (Questions-réponses sur les mises en demeure de la CNIL concernant l’utilisation de Google Analytics) | CNIL
This FAQ covers only the CNIL's formal notice decisions concerning the use of Google Analytics following the invalidation of the Privacy Shield.

Noyb.eu has published a translation of the DSB's 🇦🇹 decision on Google Analytics (PDF)

The SA does not apply the "risk-based approach" to transfers that some have read into the EDPB's Recommendations 01/2020 on supplementary measures, but makes a strong case by going straight to the text of the GDPR:

The success of a complaint of a violation of Art. 44 GDPR therefore does not depend on whether a certain "minimum risk" is present or whether US intelligence services have actually accessed data.
According to the wording of this provision, a violation of Art. 44 GDPR already exists if personal data are transferred to a third country without an adequate level of protection.

In connection with those provisions of the GDPR where a risk-based approach is actually to be followed ("the higher the processing risk, the more measures are to be implemented"), the legislator has also explicitly and without doubt standardised this. For example, the risk-based approach is provided for in Art. 24(1) and (2), Art. 25(1), Art. 30(5), Art. 32(1) and (2), Art. 34(1), Art. 35(1) and (3) or Art. 37(1)(b) and (c) GDPR.

Since the legislator has standardised a risk-based approach in numerous places in the GDPR, but not in connection with the requirements of Art. 44 GDPR, it cannot be assumed that the legislator merely "overlooked" this; an analogous application of the risk-based approach to Art. 44 GDPR is therefore excluded.

UODO 🇵🇱: not just negative consequences, but the risk of their occurrence is a reason for breach communication

The Polish SA imposed an administrative fine of over PLN 545k (about EUR 120k) on Santander Bank Polska S.A. because the Bank breached the GDPR by failing to communicate a personal data breach to the data subjects without undue delay. The Polish SA therefore also ordered the Bank to communicate the breach and its potential consequences to the persons concerned. The decision applies the Article 34 GDPR threshold, which asks whether the breach is "likely to result in a high risk", not whether harm has actually materialised:

In this case, what is relevant is not whether the unauthorized person actually got acquainted with the personal data of other persons, but that there was such a risk (he or she had the opportunity to get acquainted with that data). Consequently, this means that, given the scope of the data, there was a high risk to the rights or freedoms of data subjects.
What is equally important and needs to be emphasized is that the controller made a conscious decision not to communicate the breach to the data subjects.
Not just negative consequences, but the risk of their occurrence as a reason for breach notification

AEPD 🇪🇸 fines Google EUR 10m for unlawfully transferring right to erasure requests to third party

By looking at this system, the AEPD also found, as the complaint asserted, that Google was sending removal requests, except those made under Article 17 GDPR, to the “Lumen Project”. The Lumen Project is a project of the Berkman Klein Center for Internet & Society at Harvard University which collects removal requests from different providers in a publicly accessible database. A typical entry in the database contains a summary of the request and a link to the original content.
AEPD (Spain) - PS/00140/2020
The Spanish DPA issued a fine of €10,000,000 against Google LLC for unlawfully transferring personal data to a third party and for impeding the exercise of the right to erasure.

Garante 🇮🇹 fines processor for engaging subprocessor without authorisation

The Italian SA fined a processor EUR 40k for violating Article 28(2) GDPR by engaging a sub-processor without specific authorisation from the controller. Article 28(2) requires the controller's prior specific or general written authorisation; under a general authorisation the processor must still inform the controller of intended changes and give it the opportunity to object.

Garante per la protezione dei dati personali (Italy) - 9768387

Earlier the Italian SA issued a fine of EUR 10k for an IT company due to a data breach and the assignment of a sub-processor without the controller's authorisation, in violation of Articles 32 and 28(2) GDPR respectively.

Garante per la protezione dei dati personali (Italy) - 9754332

APD/GBA 🇧🇪 holds that e-mailing a small group in CC instead of BCC need not be reported as a data breach

The Belgian SA held (PDF), among other things, that a controller is not obliged to notify a personal data breach that results from listing the recipients of an e-mail in CC instead of BCC when the e-mail only reached a small group (16 people). Such a breach must still be documented internally under Article 33(5) GDPR, even when it is not notified to the SA.

Datatilsynet 🇩🇰 finds testing is part of security obligations

The Danish SA held that a controller violated Article 32(1) GDPR by not carrying out sufficient tests that could have revealed the security flaw which led to a personal data breach on its platform. Article 32(1)(d) GDPR expressly requires "a process for regularly testing, assessing and evaluating the effectiveness" of the technical and organisational security measures in place.

Datatilsynet (Denmark) - 2021-431-0138

Garante 🇮🇹 fines Clearview AI EUR 20m and bans use of biometric data and monitoring of Italian data subjects

The Italian SA (Garante per la protezione dei dati personali) fined the US-based company Clearview AI EUR 20 million after finding it applied what amounted to biometric monitoring techniques also to individuals in the Italian territory.

ICO 🇬🇧 fines facial recognition database company Clearview AI Inc more than GBP 7.5m and orders UK data to be deleted

The Information Commissioner’s Office (ICO) has fined Clearview AI Inc £7,552,800 for using images of people in the UK, and elsewhere, that were collected from the web and social media to create a global online database that could be used for facial recognition.

CNIL 🇫🇷 publishes a guide for DPOs

Why and how to appoint a data protection officer? What means should be given to them to accomplish their missions? The CNIL publishes a guide for data protection officers that combines useful knowledge and best practices to help organisations in appointing and supporting DPOs.
The CNIL publishes a guide for DPOs | CNIL

Datatilsynet 🇩🇰 publishes Guidance on the use of cloud

In one of the guidance's examples, it would not be lawful for the Danish company to transfer the personal data to the US. This is due, in particular, to the fact that the company’s assessment of whether the data fall within the scope of the surveillance programmes under FISA 702 rests solely on the company’s own subjective assessment and is not supported by additional objective, reliable and accessible information.

ICO 🇬🇧 publishes AI and Data Protection risk Toolkit

AI and data protection risk toolkit

Literature

Syllabus - Big Data, Human Rights, and Human Security

This course teaches privacy and data protection law in the EU. We discuss the wide use of data about individuals in today’s digital society, the diminishment of privacy due to business models and public services based on online tracking, and the role of the law in these developments.

By Sarah Eskens

Blog - The ebb and flow of trans-Atlantic data transfers: It’s the geopolitics, stupid!*

Once EU digital policy has done its work, the world will look very different indeed. The EC well recognizes the value of data transfers where required for running a cross-border business. Companies are advised to implement Schrems II compliance there. These transfers will ultimately be facilitated by the renewed trans-Atlantic transfer agreement when it materializes and is upheld before the EU courts. For the rest, companies will have to wait for how EU policy settles and how this impacts the global service models of the large technology providers.

By Lokke Moerel

The ebb and flow of trans-Atlantic data transfers: It’s the geopolitics, stupid!*
There is a call for a rational debate on trans-Atlantic data transfers. Frustrations increase as companies work towards Schrems II compliance by executing mitigating measures to ensure U.S. government entities cannot access their data. Yet, EU data protection authorities (DPAs) continue to block the…

Book - Almost human: law and human agency in the time of artificial intelligence (PDF)

AI's impact on human autonomy, choice and sentience, by Andrew Murray.

Article - All Talk, No Action? The Effect of the GDPR Accountability Principle on the EU Data Protection Paradigm

Tuulia Karjalainen writes:

Accountability is sometimes seen as a significant paradigm shift – as a move away from transparency and choice-based data subject control towards company liability. However, the principle does not truly replace the requirements-based approach in the GDPR. Nevertheless, accountability can effectively contribute to EU data protection law by reinforcing other GDPR obligations. This article analyses the contribution of the GDPR accountability principle to the EU data protection law, and the effectiveness of the principle in the light of its objectives. Although accountability does not radically change the European data protection paradigm, the principle does contribute to increasing controllers’ responsibility and facilitating enforcement.
EDPL - European Data Protection Law Review: All Talk, No Action? The Effect of the GDPR Accountability Principle on the EU Data Protection Paradigm

Report: Automated Decision-Making Under the GDPR – A Comprehensive Case-Law Analysis

Our analysis shows that the GDPR as a whole is relevant for ADM cases and has been effectively applied to protect the rights of individuals in such cases, even in situations where the ADM at issue did not meet the high threshold established by Article 22 GDPR. Among those, we found detailed transparency obligations about the parameters that led to an individual automated decision, a broad reading of the fairness principle to avoid situations of discrimination, and strict conditions for valid consent in cases of profiling and ADM. […]

* Courts and DPAs are looking at the entire organizational environment where ADM is taking place, from the controller’s organizational structure, to reporting lines and the effective training of staff, in order to decide whether a decision was “solely” automated or had meaningful human involvement; and
* Similarly, when assessing the second criterion for the applicability of Article 22, enforcers are looking at whether the input data for an automated decision includes inferences about the behavior of individuals, and whether the decision affects the conduct and choices of the persons targeted, among other multi-layered criteria.

By Sebastião Barros Vale and Gabriela Zanfir-Fortuna

FPF Report: Automated Decision-Making Under the GDPR - A Comprehensive Case-Law Analysis - Future of Privacy Forum
Today, the Future of Privacy Forum launched a comprehensive Report analyzing case-law under the General Data Protection Regulation (GDPR) applied to real-life cases involving Automated Decision Making (ADM). The Report is informed by extensive research covering more than 70 Court judgments, decision…

Article - Information, Privacy, and Just War Theory

Since we cannot assume that information is made available to combatants in a morally neutral manner, we must therefore interrogate the relationship between privacy harms and the acts that they enable in war. Here, I argue that there is ample evidence that we cannot discount the analysis of privacy harms in war, and that analysis of such harms requires us to examine social goods. I develop this point to demonstrate the problems that this poses for aspects of revisionist just war theory; namely, reductivism and individualism. In order to evaluate the moral consequences of privacy harms in war, we must understand the unilateral and adversarial character of balancing privacy harms against social goods in the context of war, which, in turn, requires that we consider social goods and social institutions as objects of moral evaluation.

By Jack McDonald

Information, Privacy, and Just War Theory | Ethics & International Affairs | Cambridge Core
Information, Privacy, and Just War Theory - Volume 34 Issue 3

Article - Dutch Comfort: The limits of AI governance through municipal registers

In this commentary, we respond to a recent editorial letter by Professor Luciano Floridi entitled 'AI as a public service: Learning from Amsterdam and Helsinki'. Here, Floridi considers the positive impact of these municipal AI registers, which collect a limited number of algorithmic systems used by the city of Amsterdam and Helsinki. There are a number of assumptions about AI registers as a governance model for automated systems that we seek to question.

By Corinne Cath and Fieke Jansen.

Dutch Comfort: The limits of AI governance through municipal registers

Article - Privacy Rarely Considered: Exploring Considerations in the Adoption of Third-Party Services by Websites

Modern websites frequently use and embed third-party services to facilitate web development, connect to social media, or for monetization. This often introduces privacy issues as the inclusion of third-party services on a website can allow the third party to collect personal data about the website’s visitors. While the prevalence and mechanisms of third-party web tracking have been widely studied, little is known about the decision processes that lead to websites using third-party functionality and whether efforts are being made to protect their visitors’ privacy.

Article - Goodbye Tracking? Impact of iOS App Tracking Transparency and Privacy Labels

We find that Apple’s new policies, as promised, prevent the collection of the Identifier for Advertisers (IDFA), an identifier for cross-app tracking. Smaller data brokers that engage in invasive data practices will now face higher challenges in tracking users – a positive development for privacy. However, the number of tracking libraries has – on average – roughly stayed the same in the studied apps. Many apps still collect device information that can be used to track users at a group level (cohort tracking) or identify individuals probabilistically (fingerprinting). We find real-world evidence of apps computing and agreeing on a fingerprinting-derived identifier through the use of server-side code, thereby violating Apple’s policies. We find that Apple itself engages in some forms of tracking and exempts invasive data practices like first-party tracking and credit scoring from its new tracking rules. We also find that the new Privacy Nutrition Labels are sometimes inaccurate and misleading, especially in less popular apps.

By Konrad Kollnig, Anastasia Shuba, Max Van Kleek, Reuben Binns and Nigel Shadbolt

Blog - Algorithm Centrism in the DSA’s Regulation of Recommender Systems

The proposed Digital Services Act (DSA) would regulate recommender systems with several duties, many of which reflect the same preoccupation with algorithms over outputs. Several of its provisions, I believe, are open to a critique of algorithm-centrism, including its rules on recommender audiences (Article 29 DSA) and uploaders (Articles 15 & 17). A more promising systemic approach can however be seen in the rules on systemic risks (Articles 26 & 27) and ad archives (Article 30).

By Paddy Leerssen

Algorithm Centrism in the DSA’s Regulation of Recommender Systems
The regulation of recommender systems is often framed as an issue of algorithmic governance. In this post I want to argue that this focus on recommender algorithms can be restrictive, and to show how one can go about regulating recommender

Blog - Key points on DMA interoperability and encryption

It seems from the final DMA text that gatekeepers might require this kind of metadata from interoperating services in order to keep these critical security features operating. This of course raises privacy issues: the text also specifies “The gatekeeper shall collect and exchange with the provider of number-independent interpersonal communication services that requests interoperability only the personal data of the end users that is strictly necessary to provide effective interoperability and in full compliance with the Regulation (EU) 2016/679 [GDPR] and Directive 2002/58/EC [ePrivacy Directive].”

By Ian Brown

Key points on DMA interoperability and encryption
Key points on how the almost-final interoperability obligation in the EU Digital Markets Act interacts with end-to-end encrypted services.

Article - Data-Powerful

That is why this paper proposes an intersectoral approach to power dynamics: data protection law and consumer law are clearly necessary elements to analyse vulnerability and power, but competition law has a robust jurisprudence on the notion of power. In addition, the competition law perspective is complementary to the data protection and consumer law approaches: the former is company-based, the latter individual-based. But the horizon is the same: protecting the welfare of the “powerless” against unfair abuses of the “powerful”.

By Gianclaudio Malgieri and Antonio Davola

Data-Powerful
Individual vulnerability has triggered a vivid debate in the data protection field. However, the efforts to define and protect vulnerable individuals in data pr

Article - The Flaws of Policies Requiring Human Oversight of Government Algorithms (US)

As algorithms become an influential component of government decision-making around the world, policymakers have debated how governments can attain the benefits of algorithms while preventing the harms of algorithms. One mechanism that has become a centerpiece of global efforts to regulate government algorithms is to require human oversight of algorithmic decisions. Despite the widespread turn to human oversight, these policies rest on an uninterrogated assumption: that people are able to effectively oversee algorithmic decision-making.

By Ben Green

The Flaws of Policies Requiring Human Oversight of Government Algorithms
As algorithms become an influential component of government decision-making around the world, policymakers have debated how governments can attain the benefits

Article - Privacy Harms (US)

The requirement of harm has significantly impeded the enforcement of privacy law. In most tort and contract cases, plaintiffs must establish that they have suffered harm. Even when legislation does not require it, courts have taken it upon themselves to add a harm element. Harm is also a requirement to establish standing in federal court. In Spokeo v. Robins and TransUnion v. Ramirez, the U.S. Supreme Court ruled that courts can override congressional judgment about cognizable harm and dismiss privacy claims.

Caselaw is an inconsistent, incoherent jumble, with no guiding principles. Countless privacy violations are not remedied or addressed on the grounds that there has been no cognizable harm.

By Danielle Keats Citron & Daniel J. Solove

Privacy Harms
The requirement of harm has significantly impeded the enforcement of privacy law. In most tort and contract cases, plaintiffs must establish that they have suff

Tools

Datenschutz Self Assessment Tool

Download - DSAT

Media

NOYB.eu publishes open letter on the new EU-US data deal

The letter outlines several concerns which noyb.eu believes raise questions over the stability of future European Commission adequacy decisions, highlighting the following key areas of concern:

  • Applying a correct proportionality test on US surveillance law under Article 8 Charter of Fundamental Rights of the European Union (CFR)
  • Creating meaningful judicial redress under Article 47 CFR
  • The need to update commercial privacy protections
  • The future of international data transfers
  • Reaction to any new adequacy decision
Open Letter on the Future of EU-US Data Transfers
As more and more details emerge, Max Schrems wrote an Open Letter on the announcement of a new EU-US data transfer framework.

Podcast - Serious Privacy: DPIAs and Negotiations - Dealing with Big Tech (with Sjoera Nas)

Paul Breitbarth and K Royal speak with Sjoera Nas. Sjoera is a long time privacy professional and privacy activist. She became involved with digital rights in the late 1990s and early 2000s, while working for the Dutch internet service provider XS4all, and later for civil rights group Bits of Freedom.
Of DPIAs and Negotiations - Dealing with Big Tech (with Sjoera Nas) - Serious Privacy

PimEyes: Facial recognition search, or 'Extorting Data Subject Rights for Profit'

PimEyes: Extorting Data Subject Rights for Profit – Privacat Insights

NSO spyware used against Catalan politicians

The Citizen Lab, in collaboration with Catalan civil society groups, has identified at least 65 individuals targeted or infected with mercenary spyware. At least 63 were targeted or infected with Pegasus, and four others with Candiru. At least two were targeted or infected with both. Victims included Members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations. Family members were also infected in some cases.

Over 200 Spanish mobile numbers were reported as ‘possible targets of Pegasus spyware’, among them that of the Spanish prime minister. A data leak reveals the scale of potential surveillance by an NSO Group client believed to be Morocco.

CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru - The Citizen Lab
The Citizen Lab, in collaboration with Catalan civil society groups, has identified at least 65 individuals targeted or infected with mercenary spyware, including members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations.
Spanish prime minister’s phone ‘targeted with Pegasus spyware’
Minister for presidency says ‘illicit’ targeting will be investigated by Spain’s highest criminal court

🇳🇱 Dutch developments

Article - Adequacy decisions under the GDPR (AVG)

It is at the very least doubtful whether personal data transferred to a third country on the basis of adequacy decisions granted under the Directive enjoy the same degree of data protection as data transferred to countries on the basis of an adequacy decision adopted under the GDPR. Now that most data transfers involve digital processing in which there are practically no barriers as to where in the world the data are processed, differences in the degree of initial assessment and monitoring, and the absence of fixed evaluation moments, can undermine the actual protection that an adequacy decision should in theory provide, namely an ‘essentially equivalent’ level of protection to that within the EEA.

By Simone Fennell and Remy van den Boom

Adequacy decisions under the GDPR (Adequaatheidsbesluiten onder de AVG) - OpenRecht

SURF addresses risks identified in the DPIA on Zoom

Zoom adjusts its privacy practices after intensive consultation with SURF
After intensive consultation with SURF, Zoom is changing its software and privacy agreements for all education and enterprise users in Europe

Case law

Rechtbank Midden-Nederland: further processing by passing on personal data from the FIOD to the Belastingdienst is lawful

18. The court has ruled above that the purpose of the further processing, after the personal data came to rest with the FIOD, was the levying and collection of taxes. That is a different purpose from the criminal-law purpose for which the data were originally collected. Such further processing of the personal data for a different purpose must comply with Article 6(4) of the GDPR. That provision states that such further processing is lawful, among other cases, when it is based on a Union or Member State law provision which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives of Article 23(1) of the GDPR. One of those objectives is (under e) an important objective of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including taxation matters.
ECLI:NL:RBMNE:2022:1771, Rechtbank Midden-Nederland, UTR 21/3403

Rechtbank Rotterdam: a lawyer's duty of confidentiality limits the right of access

Article 41(1) of the UAVG (the Dutch GDPR Implementation Act) provides, among other things, that the controller may disapply the obligations and rights referred to in Articles 12 to 21 and Article 34 of the Regulation insofar as this is necessary and proportionate to safeguard the rights and freedoms of others. Under Article 10a(e) of the Advocatenwet (Dutch Act on Advocates), the lawyer, in the interest of the proper administration of justice, ensures the legal protection of his client. To that end, the lawyer is a person of trust in the exercise of his profession and observes confidentiality within the limits set by statute and law. Under Article 11a of the Advocatenwet, the lawyer is, unless otherwise provided by law, bound to confidentiality with regard to everything of which he takes cognisance in the exercise of his profession as such. (para. 3.6)

Only now published because this view was recently upheld on appeal by the Hof Den Haag (The Hague Court of Appeal).

ECLI:NL:RBROT:2020:13357, Rechtbank Rotterdam, C/10/591473 / HA RK 20-144

Rechtbank Amsterdam: the AP (Autoriteit Persoonsgegevens) may prioritise when handling complaints

The respondent explained at the hearing that it receives tens of thousands of complaints each year and has limited capacity. The respondent often cannot investigate complaints extensively, or not on all points, and has to make choices in this regard. In doing so, the respondent uses prioritisation criteria. The court considers that the respondent has this latitude on the basis of Article 57(1)(f) of the GDPR, which lays down that the subject matter of the complaint is investigated to the extent appropriate.
ECLI:NL:RBAMS:2022:349, Rechtbank Amsterdam, AWB 21/3724

Rechtbank Gelderland: telemarketer must inform, provide access and erase personal data, subject to a penalty payment. Compensation must be claimed by writ of summons rather than by petition.

In this case the question is, first of all and in short, which personal data Zakelijk Energie Beheer holds about [the applicant], from whom it obtained them and with whom it has shared them. [The applicant] subsequently wants his data to be erased at Zakelijk Energie Beheer and at those third parties. In addition, the question is whether [the applicant] is entitled to compensation under Article 82 GDPR. (para. 4.1)
ECLI:NL:RBGEL:2022:1351, Rechtbank Gelderland, C/05/393140 / HA RK 21-165

Rechtbank Rotterdam: compensation of 250 euros for the unlawful circulation of an Excel list containing sensitive personal data

ECLI:NL:RBROT:2022:1420, Rechtbank Rotterdam, 9436020

Amsterdam interim relief judge: news outlet must make personal data about a missing-person report in an old newspaper article non-identifiable

If, in the archive that is freely accessible to the public via the internet, the name of [the claimant] is replaced by her initials and her face is made unrecognisable, she will after all no longer be findable via search engines on the (public) internet, as is currently still the case. On the other hand, with these limited interventions the article remains essentially intact. Moreover, it is plausible that it is technically possible to keep the full article available to a specific audience (for example only on request) if [the defendant] considers this necessary and desirable for the archive function. (para. 4.7)
ECLI:NL:RBAMS:2022:2342, Rechtbank Amsterdam, C/13/715674 / KG ZA 22-264

Rechtbank Den Haag: after withdrawal of a request concerning personal data that had meanwhile been erased, the respondent must pay the costs of the proceedings

ECLI:NL:RBDHA:2022:3353, Rechtbank Den Haag, C/09/621334 / HA RK 21-463

Gerechtshof 's-Hertogenbosch: justification for processing pupils' personal data relating to social-emotional development in a pupil monitoring system, an educational report and through teacher observations

ECLI:NL:GHSHE:2022:1511, Gerechtshof 's-Hertogenbosch, 200.304.406_01

Government

Letter to Parliament accompanying the PwC reports on the FSV at the Belastingdienst

In manuals for the analysts at 'de Poort' (the intake gate), PwC found decision rules in which fraud risks were based on personal characteristics, such as nationality and age, or on fiscal factors linked to personal characteristics (such as donations to mosques). A document containing an offender profile was also found. These examples were shared with your House on 24 February of this year.
Letter to Parliament accompanying the PwC reports on the FSV: MKB (SME directorate) and queries at de Poort
State Secretary Van Rij (Finance - Taxation and Belastingdienst) sends two reports on the Fraudesignaleringsvoorziening (FSV, the fraud signalling facility) of the Belastingdienst to the Tweede Kamer (House of Representatives). One report concerns the effects of FSV registrations entered by the MKB directorate and the other is the report “Query’s aan …

Decision on a request for information about the presence and use of data on (dual) nationality, origin, place of birth and other personal data in systems at or under the Belastingdienst. The request was made under the Wet openbaarheid van bestuur (Wob, the Dutch Government Information (Public Access) Act).

First partial decision on the Wob request concerning the use of personal data by the Belastingdienst (1e deelbesluit Wob-verzoek gebruik persoonsgegevens door Belastingdienst)

The Fraudesignaleringsvoorziening (FSV) of the Belastingdienst and the use of the FSV made a form of institutional racism possible. These are structural mechanisms that put certain groups of people at a disadvantage on the basis of their origin.

Letter to Parliament on the Fraudesignaleringsvoorziening and the question of institutional racism
State Secretary Van Rij (Taxation and Belastingdienst) responds by letter to questions and requests from the Tweede Kamer about the Fraudesignaleringsvoorziening (FSV) of the Belastingdienst, and whether use of the FSV made a form of institutional racism possible. These are structural m…

Decision on a Wob request concerning the Privacy Impact Assessment of the Landelijke Aanpak Adreskwaliteit

Decision on a request to inspect the Privacy Impact Assessment (PIA) of the Landelijke Aanpak Adreskwaliteit (LAA, the National Approach to Address Quality), which falls under the Rijksdienst voor Identiteitsgegevens (RvIG). The request was made under the Wet openbaarheid van bestuur (Wob).

Decision on a Wob request concerning the Privacy Impact Assessment of the Landelijke Aanpak Adreskwaliteit (Besluit op Wob-verzoek over Privacy Impact Assessment van Landelijke Aanpak Adreskwaliteit)

Media

Article - They did mean it that way: the racism cannot possibly be denied

archive.ph