News

Europrivacy News

ECCP to present Europrivacy at CPDP conference on May 24


The European Centre for Certification and Privacy (ECCP) will present Europrivacy at the CPDP conference in Brussels on Tuesday, May 24 at 16:00 CEST.
 
We are delighted to announce our participation in the session “Data Protection Certification – International Perspective and Impact”, chaired by Mr Luca Bolognini, member of the International Board of Experts (ECCP) and President of the Italian Institute for Privacy and Data Valorization (IIP).  
 
The session will provide an overview of the latest developments in data protection certification in Europe and internationally and introduce the recent evolution in the domain of data protection certification. On behalf of ECCP, its President and Chair of the International Board of Experts, Dr Sébastien Ziegler, will present an innovative model of data processing compliance certification, originating from European research, designed to address both Art. 42 GDPR requirements and non-EU regulatory compliance requirements.
 
The expert panel, composed of Mr Peter Kimpian, Ms Chiara Romano, Ms Catherine Lennman, Mr Fabrice Naftalski, and Dr Sébastien Ziegler, and chaired by Mr Luca Bolognini, will discuss and shed light on the following points:
 

  • What are the lessons learned and opportunities with data protection certification? 
  • What is the potential for international recognition of data protection certification? 
  • What are the differences between universal, specific, and hybrid certification mechanisms? What are their benefits and disadvantages? 
  • What challenges do organizations face following the adoption of the GDPR? 
  • What are the current state-of-the-art certification solutions for certifying and demonstrating GDPR compliance?  

Find out more about the session and the conference at: https://www.cpdpconferences.org/panels/tuesday-24-may-2022-grid

ECCP becomes an official member of the International Accreditation Forum (IAF)


We have the great pleasure and honour to announce that the European Centre for Certification and Privacy (ECCP) has been officially accepted as a member of the International Accreditation Forum (IAF). A formal welcome ceremony is planned at the next IAF general assembly in Montreal in October 2022. 

Joining IAF is a great opportunity for ECCP to actively support international cooperation. It will also contribute to enhancing the international recognition of the Europrivacy certification scheme on data protection and will facilitate the accreditation process of qualified certification bodies.

ECCP supports the 5th edition of the Digital Law, Technology and Data Protection Congress in São Paulo


ECCP is pleased to support the 5th edition of the Digital Law, Technology and Data Protection Congress taking place on June 9th – 10th in São Paulo, Brazil. ECCP’s President and Chair of the Europrivacy International Board of Experts, Dr Sébastien Ziegler, will take the floor at the Opening of the Data Protection part of the congress on June 10th, together with Renato Opice Blum, Eric Hilgendorf, and Julian Maranhão. 

The Digital Law, Technology and Data Protection Congress is organized by Opice Blum Academy and aims at bringing together top-tier experts in Digital Law and Privacy to allow participants to learn about the market’s latest and most relevant themes, as well as to exchange with other professionals and cultivate business relationships.

The topics at this year’s edition of the congress include:

  • Innovation, diversity and digital inclusion
  • Blockchain 
  • Cybersecurity 
  • PIX and Open Banking 
  • Privacy and Data Protection 
  • Metaverse and Hyperverse
  • and more! 

Do not miss the opportunity to learn from high-level experts, associate your brand with one of Brazil’s most trusted and high-quality companies for corporate digital education, as well as to get connected with potential business partners, and interact with national and international specialists.

Save your spot now at: https://cddtpd.com.br

Europrivacy presented in the session "Data Protection Certification for International Data Transfer" at eCommerce Week 2022


Europrivacy was presented in the session “Data Protection Certification for International Data Transfer”, which took place on April 27th at 16:00 CET during eCommerce Week 2022.

This year’s edition, themed “Data and Digitalization for Development”, put a dedicated focus on data and cross-border data flows and highlighted their crucial role in economic and social development.

The panel “Data Protection Certification for International Data Transfer” recognized that the evolution of data protection regulations is directly impacting cross-border data flows and trade-related activities. Certification mechanisms have been integrated by several regulations to facilitate cross-border data transfer with data controllers and processors located in third countries. While these legal provisions come with specific requirements, new models of data protection certifications are emerging that can contribute to extending the geographic scope of such certifications. 

Chaired by Dr. Sébastien Ziegler, Director of Mandat International and Chairman of the Europrivacy International Board of Experts, expert speakers Luca Bolognini, Prof. Romeo Kadir, Adrian Quesada Rodriguez, and Renato Opice Blum presented the latest developments in this domain, including the APEC Privacy Framework and the Europrivacy certification scheme.

ECCP delighted to support and attend the first edition of the Privacy Symposium


ECCP is delighted to support and attend the first edition of the Privacy Symposium. 

With 78 sessions, the Privacy Symposium conference gave the floor to 245 experts in data protection, including national authorities, European institutions, and international organizations. It brought together about 500 registered participants plus 350 remote participants, in line with its ambition to support international dialogue, cooperation and knowledge sharing. 
 
It was also an opportunity to present Europrivacy’s innovative approach towards assessing and certifying the compliance of data processing activities with the GDPR and complementary data protection regulations.
 
From health data protection to artificial intelligence and quantum computing, the conference demonstrated how important it is to bring together the legal experts, the practitioners and the research community. It highlighted the potential of joining forces to support and enhance data protection across borders and technologies.
 
The conference also made clear that most participants share the same fundamental values and vision across countries and regions, with a strong potential to learn from each other, and to enhance personal data protection by working together. 
 
Hosting the conference in Venice was highly inspiring for this human and intellectual encounter. It brought new perspectives on privacy and data protection and contributed to setting the foundations for new bridges of collaboration.
 
We look forward to attending the next edition in 2023 in Venice again!

EDPB News

EDPB publishes new register containing One-Stop-Shop decisions

The European Data Protection Board (EDPB) has published a new register containing decisions taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (Art. 60 European General Data Protection Regulation (GDPR)) on its website.

Under the GDPR, Supervisory Authorities have a duty to cooperate on cases with a cross-border component to ensure a consistent application of the regulation - the so-called one-stop-shop (OSS) mechanism. Under the OSS, the Lead Supervisory Authority (LSA) is in charge of preparing the draft decisions and works together with the concerned SAs to reach consensus. Up until early June, LSAs have adopted 110 final OSS decisions. The register includes access to the decisions as well as summaries of the decisions in English prepared by the EDPB Secretariat. The register will be valuable to data protection practitioners, who will gain access to information showcasing how SAs work together to enforce the GDPR in practice. The information in the register has been validated by the LSAs in question and in accordance with the conditions provided by its national legislation.

The register is accessible here

Thirty-second plenary session: Statement on the interoperability of contact tracing applications, statement on the opening of borders and data protection rights, response letters to MEP Körner on laptop camera covers and encryption and letter

During its 32nd plenary session, the European Data Protection Board (EDPB) adopted a statement on the interoperability of contact tracing apps, as well as a statement on the opening of borders and data protection rights. The Board also adopted two letters to MEP Körner - on encryption and on Article 25 European General Data Protection Regulation (GDPR) - and a letter to CEAOB on PCAOB arrangements.

The EDPB adopted a statement on the interoperability of contact tracing applications, building on the EDPB Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. The statement offers a more in-depth analysis of key aspects, including transparency, legal basis, controllership, data subject rights, data retention and minimisation, information security and data accuracy in the context of creating an interoperable network of applications, that need to be considered on top of those highlighted in the EDPB Guidelines 04/2020.

The EDPB emphasises that the sharing of data about individuals that have been diagnosed or tested positively with such interoperable applications should only be triggered by a voluntary action of the user. Giving data subjects information and control will increase their trust in the solutions and their potential uptake. The goal of interoperability should not be used as an argument to extend the collection of personal data beyond what is necessary.

Moreover, contact tracing apps need to be part of a comprehensive public health strategy to fight the pandemic, such as testing and subsequent manual contact tracing for the purpose of improving effectiveness of the performed measures.

Ensuring interoperability is not only technically challenging and sometimes impossible without disproportionate trade-offs, but also leads to a potential increased data protection risk. Therefore, controllers need to ensure measures are effective and proportionate and must assess whether a less intrusive alternative can achieve the same purpose.

The EDPB adopted a statement on the processing of personal data in the context of reopening the Schengen borders following the COVID-19 outbreak. The measures allowing a safe reopening of the borders currently envisaged or implemented by Member States include testing for COVID-19, requiring certificates issued by health professionals and the use of a voluntary contact tracing app. Most measures involve processing of personal data.

The EDPB recalls that data protection legislation remains applicable and allows for an efficient response to the pandemic, while at the same time protecting fundamental rights and freedoms. The EDPB stresses that the processing of personal data must be necessary and proportionate, and the level of protection should be consistent throughout the EEA. In the statement, the EDPB urges the Member States to take a common European approach when deciding which processing of personal data is necessary in this context.

The statement also addresses the GDPR principles that Member States need to pay special attention to when processing personal data in the context of reopening the border. These include lawfulness, fairness and transparency, purpose limitation, data minimisation, storage limitation, security of data and data protection by design and by default. Moreover, the decision to allow entrance into a country should not be based solely on automated individual decision-making technologies. In any case, such decisions should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Automated individual decision measures should not apply to children.

Finally, the EDPB highlights the importance of a prior consultation with competent national supervisory authorities when Member States intend to process personal data in this context.

The EDPB adopted a response to a letter from MEP Moritz Körner on the relevance of encryption bans in third countries for assessing the level of data protection when personal data are transferred to countries where these bans exist. According to the EDPB, any ban on encryption or provisions weakening encryption would seriously undermine compliance with GDPR security obligations applicable to controllers and processors, be that in a third country or in the EEA. Security measures are one of the elements the European Commission must take into account when assessing the adequacy of the level of protection in a third country.

A second letter to MEP Körner addresses the topic of laptop camera covers. MEP Körner highlighted that this technology could help comply with the GDPR and suggested new laptops should be equipped with it. In its reply, the Board clarifies that while laptop manufacturers should be encouraged to take into account the right to data protection when developing and designing such products, they are not responsible for the processing carried out with those products and the GDPR does not establish legal obligations for manufacturers, unless they also act as controllers or processors. Controllers must evaluate the risks of each processing and choose the appropriate safeguards to comply with GDPR, including the privacy by design and by default enshrined in Article 25 GDPR.

Finally, the EDPB adopted a letter to the Committee of European Auditor Oversight Bodies (CEAOB). The EDPB received a proposal from the CEAOB, which gathers the national auditor oversight bodies at EU level, to cooperate and receive feedback on negotiations of draft administrative arrangements for the transfer of data to the US Public Company Accounting Oversight Board (PCAOB). The EDPB welcomes this proposal and indicates that it is available to hold an exchange with the CEAOB to clarify any potential questions on data protection requirements related to such arrangements in light of the EDPB Guidelines 2/2020 on Art. 46 (2) (a) and 46 (3) (b) GDPR for transfers of personal data between EEA and non-EEA public authorities. The exchange could also involve the PCAOB if the CEAOB and its members deem it beneficial for their work on these arrangements.

The agenda of the 32nd plenary is available here

Note to editors:
Please note that all documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.

Thirty-first Plenary session: Establishment of a taskforce on TikTok, Response to MEPs on use of Clearview AI by law enforcement authorities, Response to ENISA Advisory Group, Response to Open Letter NOYB

During its 31st plenary session, the European Data Protection Board (EDPB) decided to establish a taskforce to coordinate potential actions and to acquire a more comprehensive overview of TikTok’s processing and practices across the EU, and adopted a letter with regard to the use of Clearview AI by law enforcement authorities. In addition, the EDPB adopted a response to the ENISA advisory group and a letter in response to an Open Letter from NOYB.

The EDPB announced its decision to establish a taskforce to coordinate potential actions and to acquire a more comprehensive overview of TikTok’s processing and practices across the EU.

In response to MEP Körner’s request regarding TikTok, the EDPB indicates that it has already issued guidelines and recommendations that should be taken into account by all data controllers whose processing is subject to the European General Data Protection Regulation (GDPR), in particular when it comes to the transfer of personal data to third countries, substantive and procedural conditions for access to personal data by public authorities or the application of the GDPR territorial scope, in particular when it comes to the processing of minors’ data. The EDPB recalls that the GDPR applies to the processing of personal data by a controller, even if it is not established in the Union, where the processing activities are related to the offering of goods or services to data subjects in the Union.

In its response to MEPs regarding Clearview AI, the EDPB shared its concerns regarding certain developments in facial recognition technologies. The EDPB recalls that under the Law Enforcement Directive (EU) 2016/680, law enforcement authorities may process biometric data for the purpose of uniquely identifying a natural person only in accordance with the strict conditions of Articles 8 and 10 of the Directive.

The EDPB has doubts as to whether any Union or Member State law provides a legal basis for using a service such as the one offered by Clearview AI. Therefore, as it stands and without prejudice to any future or pending investigation, the lawfulness of such use by EU law enforcement authorities cannot be ascertained.

Without prejudice to further analysis on the basis of additional elements provided, the EDPB is therefore of the opinion that the use of a service such as Clearview AI by law enforcement authorities in the European Union would, as it stands, likely not be consistent with the EU data protection regime.

Finally, the EDPB refers to its guidelines on the processing of personal data through video devices and announces upcoming work on the use of facial recognition technology by law enforcement authorities.

In response to a letter from the European Union Agency for Cybersecurity (ENISA) requesting that the EDPB nominate a representative to the ENISA Advisory group, the Board appointed Gwendal Le Grand, Deputy Secretary-General CNIL, as representative. The Advisory Group assists the Executive Director of ENISA with drawing up an annual work programme and ensuring communication with the relevant stakeholders.

The EDPB adopted a response to an Open Letter by NOYB regarding cooperation between the Supervisory Authorities and the consistency procedures. In its letter, the Board indicates it has been working constantly on the improvement of the cooperation between the Supervisory Authorities and the consistency procedures. The Board is aware that there are issues requiring improvement, such as the differences in national administrative procedural laws and practices, together with the time and resources needed to resolve cross-border cases. The Board reiterates it is committed to finding solutions, where these lie within its competence.

The agenda of the 31st plenary is available here


Thirtieth Plenary session: EDPB response to NGOs on Hungarian Decrees and statement on Article 23 GDPR

During its 30th plenary session, the European Data Protection Board (EDPB) adopted a statement on data subject rights in connection to the state of emergency in Member States. The Board also adopted a letter in response to a letter from Civil Liberties Union for Europe, Access Now and the Hungarian Civil Liberties Union (HCLU) regarding the Hungarian Government’s Decree 179/2020 of 4 May.

The EDPB recalls that, even in these exceptional times, the protection of personal data must be upheld in all emergency measures, thus contributing to the respect of the overarching values of democracy, rule of law and fundamental rights on which the Union is founded.

In both the statement and the letter the EDPB reiterates that the European General Data Protection Regulation (GDPR) remains applicable and allows for an efficient response to the pandemic, while at the same time protecting fundamental rights and freedoms. Data protection law already enables data-processing operations necessary to contribute to the fight against the COVID-19 pandemic.

The statement recalls the main principles related to the restrictions on data subject rights in connection to the state of emergency in Member States:

•    Restrictions which are general, extensive or intrusive to the extent that they void a fundamental right of its basic content cannot be justified.
•    Under specific conditions, Article 23 GDPR allows national legislators to restrict via a legislative measure the scope of the obligations of controllers and processors and the rights of data subjects when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard important objectives of general public interest of the Union or of a Member State, such as in particular public health.
•    Data subject rights are at the core of the fundamental right to data protection and Article 23 GDPR should be interpreted and read bearing in mind that their application should be the general rule. As restrictions are exceptions to the general rule, they should only be applied in limited circumstances.
•    Restrictions must be provided for ‘by law’, and the law establishing restrictions should be sufficiently clear as to allow citizens to understand the conditions in which controllers are empowered to resort to them. Additionally, restrictions must be foreseeable for persons subject to them. Restrictions imposed for a duration not precisely limited in time, which apply retroactively or are subject to undefined conditions, do not meet the foreseeability criterion.
•    The mere existence of a pandemic or any other emergency situation alone is not a sufficient reason to provide for any kind of restriction on the rights of data subjects; rather, any restriction must clearly contribute to the safeguard of an important objective of general public interest of the EU or of a Member State.  
•    The emergency state, adopted in a pandemic context, is a legal condition, which may legitimise restrictions of data subject rights, provided these restrictions only apply insofar as it is strictly necessary and proportionate in order to safeguard the public health objective. Thus, restrictions must be strictly limited in scope and in time, since data subject rights can be restricted but not denied. Additionally, the guarantees provided for under Article 23(2) GDPR must fully apply.
•    Restrictions adopted in the context of a state of emergency suspending or postponing the application of data subject rights and the obligations incumbent to data controllers and processors, without any clear limitation in time, would equate to a de facto blanket suspension of those rights and would not be compatible with the essence of the fundamental rights and freedoms.

Furthermore, the EDPB announced it will issue guidelines on the implementation of Article 23 of the GDPR in the coming months.

The agenda of the 30th plenary is available here


Twenty-eighth Plenary session: Art. 64 GDPR Opinion on draft SCCs submitted by the SI SA, Publication register of Art. 60 GDPR (OSS) Decisions

Brussels, 20 May - During its 28th European Data Protection Board (EDPB) plenary session, the EDPB adopted an Art. 64 European General Data Protection Regulation (GDPR) opinion on the draft Standard Contractual Clauses submitted by the Slovenian Supervisory Authority (SA) and decided on the publication of a register containing ‘one-stop-shop’ decisions.

The EDPB adopted its opinion on the draft Standard Contractual Clauses (SCCs) for controller-processor contracts submitted to the Board by the Slovenian Supervisory Authority. The opinion aims to ensure the consistent application of Article 28 GDPR, which imposes an obligation on controllers and processors to enter into a contract or other legal act stipulating the parties’ respective obligations. According to Article 28(6) GDPR, these contracts or other legal acts may be based, in whole or in part, on standard contractual clauses adopted by a Supervisory Authority. In the opinion, the Board makes several recommendations that need to be taken into account in order for these draft SCCs to be considered as Standard Contractual Clauses. If all recommendations are implemented, the Slovenian SA will be able to adopt this draft agreement as Standard Contractual Clauses pursuant to Article 28(8) GDPR.

The EDPB will publish a register containing decisions taken by national supervisory authorities following the One-Stop-Shop cooperation procedure (Art. 60 GDPR) on its website.

Under the GDPR, Supervisory Authorities have a duty to cooperate on cases with a cross-border component to ensure a consistent application of the regulation - the so-called one-stop-shop (OSS) mechanism. Under the OSS, the Lead Supervisory Authority (LSA) is in charge of preparing the draft decisions and works together with the concerned SAs to reach consensus. Up to the end of April 2020, LSAs have adopted 103 final OSS decisions. The EDPB intends to publish summaries in English prepared by the EDPB Secretariat. The information will be made public after the validation of the LSA in question and in accordance with the conditions provided by its national legislation.

The agenda of the 28th plenary is available here


EDPB adopts letter on Polish presidential elections data disclosure & discusses recent Hungarian government decrees in relation to the coronavirus during the state of emergency

During its 26th plenary session, the European Data Protection Board (EDPB) adopted a letter in response to requests from MEPs Metsola and Halicki regarding the Polish presidential elections taking place via postal vote. Additionally, an exchange of information took place on the recent Hungarian government decrees in relation to the coronavirus during the state of emergency.
 
In its response to the MEPs Metsola and Halicki, the EDPB indicates that it is aware that data of Polish citizens was sent from the national PESEL (personal identification) database to the Polish Post by one of the Polish ministries and acknowledges that this issue requires special attention.

The Board underlines that, according to the European General Data Protection Regulation (GDPR), personal data, such as names and addresses, and national identification numbers (such as the Polish PESEL ID), must be processed lawfully, fairly and in a transparent manner, for specified purposes only. Public authorities may disclose information on individuals included in electoral lists, but only when this is specifically authorised by Member State law. The EDPB underlined that the disclosure of personal data – from one entity to another – always requires a legal basis in accordance with EU data protection laws. As previously indicated in the EDPB statement on the use of personal data in political campaigns (2/2019), political parties and candidates - but also public authorities, particularly those responsible for public registers - must stand ready to demonstrate how they have complied with data protection principles. The EDPB also underlined that, where elections are conducted by the collection of postal votes, it is the responsibility of the state to ensure that specific safeguards are in place to maintain the secrecy and integrity of the personal data concerning political opinions.

EDPB Chair, Andrea Jelinek, added: “Elections form the cornerstone of every democratic society. That is why the EDPB has always dedicated special attention to the processing of personal data for election purposes. We encourage data controllers, especially public authorities, to lead by example and process personal data in a manner which is transparent and leaves no doubt regarding the legal basis for the processing operations, including disclosure of data.”

However, the EDPB stresses that enforcement of the GDPR lies with the national supervisory authorities. The EDPB is not a data protection supervisory authority in its own right and, as such, does not have the same competences, tasks and powers as the national supervisory authorities. In the first instance, the assessment of alleged GDPR infringements falls within the competence of the responsible and independent national supervisory authority. Nevertheless, the EDPB will continue to pay special attention to the developments of personal data processing in connection to democratic elections and remains ready to support all members of the Board, including the Polish Supervisory Authority, in such matters.

During the plenary, the Hungarian Supervisory Authority provided the Board with information on the legislative measures the Hungarian government has adopted in relation to the coronavirus during the state of emergency. The Board considers that further explanation is necessary and has thus requested that the Hungarian Supervisory Authority provide further information on the scope and the duration, as well as the Hungarian Supervisory Authority’s opinion on the necessity and proportionality of these measures. The Board will discuss this further during its plenary session next Tuesday.

The agenda of the 26th plenary is available here
