EDPB: New certification guidelines as a tool for data transfers
On June 16, the European Data Protection Board introduced a set of new guidelines on certification as a tool for transfers of personal data to third countries in the absence of an adequacy agreement. Complementing guidelines 1/2018 which provide more general guidance on certification, the new guidelines consist of four parts covering, respectively, 1) purpose, scope and the different actors involved, 2) implementing guidance on accreditation requirements for certification bodies, 3) specific certification criteria for demonstrating the existence of appropriate safeguards, and 4) the binding and enforceable commitments to be implemented.
The full text of the new guidelines will shortly be available on the EDPB website, at which point public consultation will be open until the end of September.
Google Analytics: Italy joins in general ban
Following the examples set by the French and Austrian Data Protection Authorities, the Italian DPA, Garante, has now also imposed a ban on data transfers to the U.S. based on the use of Google Analytics. This is the result of a Garante decision to the effect that Caffeina Media, a company against which a complaint had been filed, does not offer appropriate safeguards for transfers of data to the U.S. The practical scope of this verdict, however, goes beyond application to one specific media company, affecting, instead, all public and private Italian website owners who are currently using Google Analytics. Based on this Garante ruling, they will in the near future no longer be allowed to do so.
NSO Group: use of Pegasus spyware by EU member states
At least five member states of the European Union are using the Pegasus espionage software. According to the Politico news agency, this is what NSO Group legal advisor Chaim Gelfand told representatives of the PEGA commission, a panel of 38 members of the European Parliament investigating the use of spyware in the EU, on June 21. As yet, Gelfand has not mentioned specific countries. Pegasus spyware, which originates from the Israeli surveillance company NSO Group, facilitates access to the complete range of messages, emails, pictures and contacts, plus microphones, cameras and other media on a targeted individual’s smartphone. For some time now, human rights organisations have been urging NSO Group to terminate sales of the Pegasus software, arguing that spyware is particularly popular with repressive regimes seeking to control critical reporters and civil rights activists. Gelfand’s statement now confirms that Pegasus is also being used by countries within the European Union.
Consumer associations file complaints against Google for user deception
Tech giant Google is deceiving consumers who register for a Google account. This is the gist of a claim by several European consumer associations that are accusing the American company of looking for ways to exploit its users’ personal data. Consumer associations falling under the BEUC umbrella organisation are filing a complaint with the privacy watchdogs of their respective countries, arguing that Google, contrary to a general GDPR requirement, is not offering its users privacy by design and privacy by default. In total, ten European consumer associations are now taking action in an effort to force Google to comply with the GDPR.
European Commission issues warning to Dutch DPA
The Dutch data protection authority Autoriteit Persoonsgegevens (AP), in the opinion of the European Commission (EC), has been applying overly strict interpretations to certain aspects of the GDPR and in doing so, may have risked obstruction of the principle of free enterprise within the EU. Now, the EC is requesting the AP to use a modicum of leniency in its application of the GDPR. This is the key message in a letter from the EC to which Dutch newspaper NRC has had access. In both instances referred to by the EC, the issue is an apparent interpretation of the legal basis of ‘legitimate interest’, where the AP holds that commercial interest never qualifies. In its letter, the EC points out the existence of European jurisprudence demonstrating that there is every reason to include commercial motivations in the overall scope of the legitimate interest concept. In short, the EC is asking the Dutch authority to reconsider its position.
Privacy concerns cause Microsoft to cancel face recognition research
Using face recognition technology to study emotional states and analyse uniquely identifying characteristics is taking innovation one step too far, in the opinion of Microsoft. The company’s concerns are related to privacy risks and the danger of inappropriate use of the technology. Therefore, as Microsoft has announced in a blog, the decision has been made to immediately pull the plug on further research into the potential of automated face recognition for the purposes mentioned above.
Dispute on the personal nature of location data
Privacy interest group NOYB is going to court seeking resolution of a dispute on the data access rights held by telecommunication businesses under the GDPR.
Some European data protection authorities are still insisting that location data do not qualify as personal data in the sense of the GDPR. On June 21, NOYB (None of your Business), established by privacy activist Max Schrems, announced its intention to appeal a decision by the Spanish DPA (AEPD) to support Virgin Telco’s refusal to grant customers access to location data the company has stored about them.