Social media users may soon be able to easily transfer their personal information to competing platforms. On October 22, 2019, a bipartisan group of U.S. senators (Mark R. Warner (D-VA), Josh Hawley (R-MO), and Richard Blumenthal (D-CT)) introduced the Augmenting Compatibility and Competition by Enabling Service Switching Act (ACCESS Act), a bill aimed at encouraging market-based competition among today’s major social media platforms by requiring the largest of these tech companies to allow users to move their data from one service to another.

The bill, should it become law, would be regulated and enforced by the Federal Trade Commission (FTC), and would require large communications platforms (products or services with over 100 million monthly active users in the U.S.) to:

  • Make users’ personal data portable, by allowing users to retrieve and/or transfer their personal data in a structure and machine-readable format.
  • Maintain interoperability with other platforms, including competing companies.
  • Give users the ability to designate a trusted third-party service to manage their privacy, content, online interactions, and account settings.


Continue Reading Bipartisan social media data portability bill introduced in U.S. Senate

A few days before the entry into force of the GDPR, the CNIL imposed a 250,000 euros penalty to the company Optical Center for failure to secure personal data on its website – where a breach occurred, allowing access to invoices and purchases orders containing personal and sensitive data of customers. Further to Optical Center’s appeal, the French Highest administrative Court (“Council of State”), confirmed the sanction but reassessed the amount of the penalty to 200,000 euros in a recent decision dated 17 April 2019.

Contrary to the U.S in particular, the sanctions pronounced for data breaches remain in France in the hands of the regulator, the CNIL. Given that the sanctions pronounced took place before the entering into force of the GDPR, the CNIL was limited in its sanction powers, which, compared to applicable standards at that time, can be seen as severe. Another factor played a role: Optical Center had already been imposed a 50,000 euros penalty for a similar data breach on 5 November 2015, which was confirmed on 19 June 2017 by the Council of State.

Continue Reading The Highest French administrative Court slightly reduces the amount of a penalty imposed by the CNIL: is this the tip of the iceberg ?

In an interview dated February 2018,[1] Isabelle Falque-Pierrotin, at the Head of the French data protection authority (CNIL), stated that the CNIL would adopt a flexible and pragmatic approach from May 2018 onwards when controlling compliance with data protection requirements. The first decision of sanction rendered by the CNIL on Monday January 21, 2019, which is to date the most severe sanction ever imposed to a web giant (‘GAFA’) under the GDPR, gives a sense of what that flexible approach might be in the eyes of the French regulator.

Background: a wave of awareness among users at the EU level shows a new face of data protection

In a notice dated November 2018,[2] the CNIL reported that the number of claims related to privacy issues had significantly increased (by 34 percent) since the adoption of GDPR in May 2018. The protection of personal data seems therefore to be becoming an ever more important issue, especially since nonprofit associations are able to collectively report breaches and issue claims on behalf of users to EU data protection authorities, pursuant to Article 80 of the GDPR.

The January 21, 2019 decision of the CNIL against Google recalls the admissibility of complaints filed by nonprofit associations, which have a mandate to represent users. The decision thus follows the collective complaints filed a few days after the entry into force of the GDPR, on May 25 and 28, 2018, by the organization None of your business and the French organization La Quadrature du Net.

As reflected by the length and documented character of the decision (31 pages), delivered in an extremely short time frame after an expeditive procedure (barely 10 weeks), the CNIL shows a clear willingness to implement a far-reaching control over GAFAs regarding the information given to users and consent management, highlighting that the GDPR is aimed at fighting any form of “forum shopping.”

Continue Reading First sanction decision rendered by the CNIL under the GDPR: GDPR awareness 2.0 has begun

On 16 November 2018, the European Data Protection Board (EDPB) adopted draft guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines).

Last week we published a blog on these guidelines, focusing on when the GDPR applies to non-European Union (EU) controllers and processors. This week, we focus on when non-EU controllers and processors who come within the scope of the GDPR must appoint an EU representative.

GDPR requires that non-EU controllers or processors of personal data of individuals located in the EU appoint EU-based representatives (EU representative), unless they are exempt. The guidelines divide this requirement into four distinct sections.

Continue Reading Does GDPR require non-EU companies to nominate EU representatives? EDPB issues guidance

The European Data Protection Supervisor (EDPS) published an Opinion on 5 October 2018 regarding the European Commission’s legislative package “A New Deal for Consumers”. In the Opinion, the EDPS calls for closer alignment between consumer and data protection rules in the EU.

Background

The Commission’s package, adopted earlier this year, includes two legislative proposals:

(1) a Directive on better enforcement and modernisation of EU consumer protection rules; and

(2) a Directive on representative actions for the protection of the collective interests of consumers.

The aim of this package is to modernise existing rules and provide better redress opportunities for consumers.

Continue Reading A new deal for consumers: EDPS publishes Opinion

On 6 July 2018, the Information Commissioner’s Office (ICO) issued an enforcement notice against AggregateIQ for failing to comply with the General Data Protection Regulation 2016/679 (GDPR). The enforcement notice was issued as part of the ICO’s investigation into whether personal data was misused by both sides during the Brexit referendum.

AggregateIQ

The terms of the enforcement notice require AggregateIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes”, within 30 days of the date of the notice.

AggregateIQ contracted with UK political organisations to receive personal data of UK individuals during the Brexit campaign. In particular, AggregateIQ contracted with a number of pro-Brexit groups, including Vote Leave, BeLeave, Veterans for Britain and the DUP Vote to Leave campaign. AggregateIQ processed this personal data to target individuals with political advertising messages on social media.

Continue Reading ICO takes enforcement action against Brexit campaigners

The Information Commissioner’s Office (ICO) has published new guidance on international data transfers (the guidance) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).

Ex-EU personal data transfers

The GDPR restricts the transfer of personal data to non-EU countries or international organisations.

The ICO has clarified that a transfer is restricted if:

  • The GDPR applies to the processing of in-scope personal data. GDPR Articles 2 and 3 set out the GDPR’s scope. The ICO states that the GDPR generally applies “if you are processing personal data in the EU”. The GDPR may also apply “in specific circumstances if you are outside the EU and processing personal data about individuals in the EU”.
  • An organisation sends personal data, or makes it accessible, to a receiver to which the GDPR does not apply. This will usually be because the receiver is located outside of the EU.
  • The receiver is a separate organisation or individual. The receiver could be an affiliate or subsidiary company, but not an employee of the transferring organization.

Transfer or transit?

The ICO states that transit of personal data is not the same as a transfer of personal data. If personal data is just electronically routed between EU countries via a non-EU country, no restricted transfer has taken place. The ICO gives the example of personal data transferring between Irish and French controllers through a server in Australia. No restricted transfer occurs where there is no intention that the personal data can be accessed or manipulated during transit.

Continue Reading ICO issues new guidance on international data transfers under GDPR

The Upper Tribunal (Administrative Appeals Chamber) in IC v Miller [2018] UKUT 229 (AAC) has rejected an appeal brought by the Information Commissioner (IC), which was in relation to a First-Tier Tribunal (FTT) decision finding that “small data” (i.e., data concerning five or fewer individuals or households) was not exempt from disclosure under the Freedom of Information Act 2000 (FOIA).

The FTT decision

A request for disclosure under FOIA was made to the Ministry of Housing, Communities and Local Government (MHCLG) (then named Department for Communities and Local Government (DCLG)). The request for information concerned data held by local authorities with regards to homelessness between 2009 and 2012, which had not been published by the MHCLG. The MHCLG refused to disclose the data.

The matter went to the FTT, which found that the small data did not constitute “personal data”, as defined by section 1(1) of the DPA 1998, and it was not exempt from disclosure under section 40(2) of FOIA.

The IC appealed the FTT’s decision on various grounds, including that in relation to small data, the information was exempt from disclosure under section 40(2) of FOIA.

Continue Reading Upper Tribunal says “small data” is not exempt under FOIA

The General Data Protection Regulation ((EU) 2016/9679) (GDPR) came into effect on 25 May 2018. One of the key principles centres on integrity and confidentiality of personal data. Article 5(1)(f) of the GDPR provides that personal data shall be:

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (emphasis added)”

The GDPR goes a little further than the previous data protection framework (that is, under the EU Data Protection Directive 95/46/EC) and provides some description of the technical and organisational measures expected to achieve a level of security appropriate to the risk associated with the processing of personal data (see Article 32 of the GDPR). Inevitably, however, decisions around security will need to be made by the controller and/or processor – and it will therefore be for them to determine what is “appropriate”.

We have seen that the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) have published ‘security outcomes’ aiming to provide some further guidance on the security of processing personal data.

On 18 May 2018, the NCSC and ICO published a set of technical security outcomes considered to represent “appropriate measures” under Article 5(1)(f). This guidance describes an overall set of outcomes that are considered ‘appropriate’ to prevent personal data being accidentally or deliberately compromised.

Continue Reading ICO and NCSC issue guidance on security outcomes under GDPR

On 3 October 2017, the Article 29 Working Party (“WP29”) published draft guidelines on personal data breach notification (“Guidelines”) under the General Data Protection Regulation 2016/279 (“GDPR”). In this blog, we look at some of the key concepts that are considered in the Guidelines regarding the mandatory breach notification and communication requirements of the GDPR.

What is a personal data breach?

Article 4(12) of the GDPR broadly defines this as a breach of security which could lead to loss, destruction, damage or unauthorised disclosure or access to personal data. WP29 explains that security breaches can be categorised according to the following three principles:

  • Confidentiality breach: unauthorised or accidental disclosure or access to personal data
  • Integrity breach: unauthorised or accidental alteration of personal data
  • Availability breach: unauthorised or accidental loss of access or destruction of personal data

WP29 notes that an availability breach may be less obvious. Where, however, there has been a permanent loss or destruction of personal data, this will always qualify as an availability breach.

When do you need to notify the supervisory authority?

Article 33(1) of the GDPR requires controllers to notify a personal data breach to the supervisory authority within 72 hours after having become aware of it.

WP29 considers that a controller becomes “aware” when it has a reasonable degree of certainty that a security incident has occurred that led to personal data being compromised. For example:

  • Loss of unencrypted CD – controller becomes aware when it realises the CD is lost despite not knowing if unauthorised persons gained access to the data
  • Third party informs controller they have accidentally received a customer’s personal data – controller becomes aware as soon as it has been informed
  • Cybercriminal contacts controller with ransom demand after hacking its system – controller becomes aware immediately


Continue Reading Article 29 Working Party publishes guidelines on personal data breach notification