data privacy

Law made Easy

[Disclaimer: This note is for general information only. It is NOT to be substituted for legal advice or taken as legal advice. The publishers of the blog shall not be liable for any act or omission based on this note]

Note: This article aims at discussing the domestic laws in EU countries which implement GDPR and various guidelines released by data protection authorities to align with the respective country’s legal regime with GDPR.

INTRODUCTION


Due to violations of privacy attributable to the misuse of data by large and even some well-known organizations, a Data Protection Law/Data Privacy Law has become imperative. This need has been felt across the globe. Concerns over loss of privacy and misuse of data led to the enactment of the General Data Protection Regulation (“GDPR”) which came into force on May 25, 2018, as plausibly one of the toughest laws governing online privacy.  GDPR is considered to be a milestone and is an essential step to strengthen an individual’s right in the digital age. It is designed to protect the personal information of individuals and to restrict organisations using personal data of their consumers. The Regulations reflects a paradigm shift in the understanding of the personal data and collection of data by controllers.

GDPR provides number of ways to protect the data such as rectification, deletion etc in case the data subject[1] fears misuse of its data. It has a direct effect across all EU member States and covers all EU “established” entities and certain non-EU “established” entities. Under the former, if an entity is operating in the EU through one of its establishments, and is processing the information of EU data subjects, irrespective of whether the processing is occurring in the EU or not, such entity is covered under the ambit of the GDPR. Till now, around 28 countries have passed the national legislation in line with GDPR.

PRINCIPLES

GDPR provides strict data protection principles that are to be complied by the Data Controller and Processor[2], while dealing with personal data. The Controller[3] must make sure that the personal data is:

  • used fairly, lawfully and transparently;
  • used for specified, explicit purposes;
  • used in a way that is adequate, relevant and limited to only what is necessary;
  • accurate and, where necessary, kept up to date;
  • kept for no longer than is necessary; and
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

DATA PROTECTION LEGISLATION IN EU MEMBER STATES

AUSTRIA

CZECH REPUBLIC

LUXEMBOURG
Federal Act concerning the Protection of Personal Data (DSG)

 

Supervisory Authority:

Austrian Data Protection Authority

 Act No. 110/2019 Coll. on the Processing of Personal Data

 

Supervisory Authority:

Office of Personal Data Protection (UOOU)

 Act of 1st August on the Organization of the National Data Protection Commission and General Data Protection Framework

 Supervisory Authority

National Data Protection Commission

 

 BELGIUM

CROATIA

FRANCE
Protection of Natural Persons regarding the Processing of Personal Data

 

Supervisory Authority: Gegevensbeschermingsautoriteit

  

Law on Implementation of the General Data Protection Regulation

 

Supervisory Authority: Croatian Data Protection Personal Agency

 

  

Law n°2018-493 of June 20, 2018

 

Supervisory Authority:

CNIL (Commission nationale de l’informatique et des libertés_

GERMANY

 

IRELAND

DENMARK
 

Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG)

 

Supervisory Authority: The Federal Commissioner for Data Protection and Freedom of Information

 

 Data Protection Act 2018

 

Supervisory Authority: The Data Protection Commission

  

Danish Data Protection Act

 

Supervisory Authority: The Danish Data Protection Agency (Datatilsynet)

 

FINLAND

                  ITALY

NETHERLANDS
 

Data Protection Act – ‘HE 9/2018 vp

 

Supervisory Authority: Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)

 

 Legislative Decree No. 101/2018

 

Supervisory Authority: Italian Data Protection Authority (Garante per la protezione dei dati personali)

  

Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming)

 

Supervisory Authority: Dutch Data Protection Authority (Autoriteit Persoonsgegevens )

 

 

POLAND

              SLOVAKIA

 

SPAIN
 

Personal Data Protection Act

 

Supervisory Authority: President of the Office for Personal Data Protection

 

 Protection of Personal Data (Act No. 18 of 2018)

 

Supervisory Authority: Office of Personal Data Protection

  

Organic Law 3/2018 of December 5

 

Supervisory Authority: Spanish Data Protection Agency (Agencia Española de Protección de Datos)

 

SWEDEN

  

SWITZERLAND

 

  

UNITED KINGDOM

 
Data Protection Act (2018:218)

Supervisory Authority: Swedish Data Protection Authority

 

 Swiss Federal Data Protection Act

Supervisory Authority: Information Commissioners Office

 

  

Data Protection Act 2018

 

Supervisory Authority: Information Commissioners Office

 

ROMANIA

PORTUGAL

 
 

Law no. 190/2018

Supervisory Authority: National Supervisory Authority for Personal Data Processing

 

  

Law no. 58/2019, of 08 of August

Supervisory Authority: National Data Protection Authority (CNPD)
UNITED KINGDOM (“UK”)

The Information Commissioners Office (“ICO”) is the body responsible for implementing the Data Protection Act and providing further guidance’s to create awareness regarding rights, role and responsibilities under the Act. Some of the important guidance’s released by ICO are discussed below:The Data Protection Act 2018 is the implementation of the GDPR which came into effect on May 25, 2018. The Act makes the data protection laws fit for the digital age in which an ever-increasing amount of data is being processed. It also empowers people to take control of their data and supports businesses and organisations in the United Kingdom through the change.

  1. Guidance on Contracts: The guidance discusses contracts and liabilities between controllers and processors. It provides the provisions in a contract which can be included in contract between controllers and processors. It also helps processors to understand their new responsibilities and liabilities under the GDPR.
  2. Guidance on Controllers and processors: The Guide provides a ready reckoner checklist that helps controllers, processors and joint controllers to easily identify their roles. Additionally, it also outlines some of the responsibilities of the controllers when using a processor. In addition to its contractual obligations to the controller, a processor has some direct responsibilities under the GDPR and makes a processor liable in case of failure in meeting any of the obligations mentioned in the contract.
  3. Encryption: The ICO has updated its GDPR guidance in order to provide an advice on compliant use of encryption to protect personal data. This guidance helps in understanding the importance of encryption as an appropriate technical measure for protecting the personal data an organisation holds whether as a controller or a processor. Following things which are required to be taken into consideration while implementing encryption:
  • choosing the right algorithm;
  • the right key size;
  • the right software; and
  • keeping the key secure.
  1. Passwords : The ICO has updated the guidance on the use of passwords in order to protect data. The Guidance talks about the use of Passwords and the level of security which is required while choosing a password. It recommends using a suitable hashing algorithm or other mechanism offering similar protection.
  2. Exemptions: The GDPR and the Data Protection Act, 2018 (‘DPA’) sets out certain exemptions for some of the rights and obligations. Relying on exemptions depends on case-to-case basis but it cannot be routinely followed. The exemptions in the DPA relieve one from some of their obligations under the Act, such as:
  • the right to be informed;
  • the right of access;
  • dealing with other individual rights;
  • reporting personal data breaches; and
  • complying with the principles.
  1. International transfers : The guidance provides clarification regarding
  • where a transfer of personal data is considered a ‘restricted transfer’; and
  • which mechanisms can be deployed in this case to transfer personal data.
  1. Personal Data Breaches : The Guidance outlines breach notification requirements under the GDPR, including what information needs to be included in a notification, and when organizations are required to notify supervisory authorities and those affected.
BELGIUM

On September 5, 2018, the Law of 30 July 2018 on the Protection of Natural Persons regarding the Processing of Personal Data (the “Act”) entered into force and abolished the Law of 8 December 1992 on privacy protection which regulated processing personal data in Belgium. The Act applies to the processing of personal data in connection with the activities of an establishment from a controller or processor on Belgian territory, whether the processing on Belgian territory takes place or not. The Act significantly broadens the scope for data processing related to criminal offences and convictions. It determines that associations and foundations for which the processing of sensitive data is necessary for the purposes of achieving their statutory objectives can make an exception for processing of such data.

The Data Protection Authority (Gegevensbeschermingsautoriteit) is supervisory authority that monitors the protection of privacy and the use of personal data in the country.

CROATIA

The Law on Implementation of the General Data Protection Regulation (the ‘Act’) provides for the implementation of GDPR on the protection of individuals regarding the processing of personal data and on the free movement of such data. The Act is not applicable to the processing of personal data carried out by the competent authorities for preventing, investigating, detecting or prosecuting criminal offenses or carrying out criminal sanctions, including protection against public safety threats and their prevention, as well as in the area of ​​national security and defence.

As per the Act, the processing of employees’ biometric data is permitted for recording working hours and controlling access to premises where the employees have provided their consent. The Act also restricts processing of personal data of employees through a video surveillance system and provides that it may only be carried out if the conditions laid down by the regulations governing occupational safety are met, and if the employees have been adequately informed in advance of such measure.

Croatian Data Protection Personal Agency is responsible for carrying out administrative and professional tasks related to personal data protection.

DENMARK

The Danish Data Protection Act has been passed by the Danish parliament. The Act supplements and implements GDPR on the protection of individuals with respect to the processing of personal data and on the free exchange of such data. The law and GDPR is applicable to all processing of personal data made wholly or partly by automatic data processing and for other non-automated processing of personal data which is or will be contained in a register. According to the Act, the processing of personal data is permitted in the employment context if the data subject consented or the processing is necessary for certain purposes.

The Danish Data Protection Agency (Datatilsynet) exercises surveillance over the processing of data to which the Act applies. The Agency primarily deals in specific cases on the basis of inquiries from public authorities or private individuals or cases taken up by the agency on its own initiative.

FRANCE

Law n°2018-493 of June 20, 2018 on the protection of personal data was promulgated on June 20, 2018 and was published in the Official Journal on June 21, 2018.

The purpose of the Law was to adapt Law n° 78-17 of January 6, 1978 on information technology, data files and liberties (‘French Data Protection Act’) following the GDPR that entered into force on May 25, 2018  and Directive  2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties that ought to be transposed into domestic law.

The CNIL is the responsible authority for informing individuals of their rights accorded to them by the French Data Protection Act. Some of the guidance’s issued by CNIL in furtherance of Data Protection Act are discussed below:

  1. CNIL Guidance on Collection and Transmission of Data to Data Brokers: Many companies collecting data directly from individuals, whether on online or paper forms, transmit this information to “commercial partners” or more generally to other organizations, so that they send out prospection through SMS or email. This transmission must comply with a series of conditions, including those posed by the RGPD, to be valid and allow people to maintain control over their personal data.

 

  1. Standards for DPO certification : In order to identify the skills and know-how of the Data Protection Officer (DPO), the CNIL adopts two standards for DPO certification.
  • a certification reference system that sets the conditions for the admissibility of applications and the list of 17 skills and know-how expected to be certified as a DPO;
  • an accreditation framework that sets out the criteria applicable to organizations wishing to be authorized by the CNIL to certify the DPO’s competencies based on the certification framework developed by the CNIL.
  1. Deliberation n ° 2018-326 of 11 October 2018: CNIL adopted guidelines on data protection impact assessments (DIPs) provided for in the GDPR.
  • The Guidelines describe three examples of processing operations requiring a DPIA provided by Article 35(3) of the GDPR. The Guidelines also list nine criteria of the Article 29 Working Party identified as useful in determining whether a processing operation requires a DPIA, if that processing does not correspond to one of the three examples provided by the GDPR;
  • The Guidelines provide that an AIPD must be conducted before the implementation of a treatment presenting a high risk for the rights and freedoms of the natural persons concerned; it must be reviewed regularly, in any case every three years, to ensure that the level of risk remains acceptable;
  • The Guidelines specify that data controllers may rely on the CNIL’s industry standards, compliance with a standard will allow to consider that there is no high residual risk while the processing is In the case of dismissal, it will be necessary to lead the controller concerned to, at least, question the level of residual risk that may require the mandatory consultation of the board.
FINLAND

On 13 November 2018 the Finnish Parliament approved the Data Protection Act – ‘HE 9/2018 vp (the ‘Act’). The Act supplements GDPR and repealed the old Finnish Personal Data Act (Henkilötietolaki 523/1999).

The Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) remains the national data protection authority under the GDPR, supervising data protection in Finland. However, in e-privacy matters, the Finnish Communications Regulatory Authority continue to act as the supervisory authority. The new legislation also introduces an internal advisory board in the Data Protection Ombudsman’s office. The board is given power to issue advisory statements on data protection legislation upon the Data Protection Ombudsman’s request.

GERMANY

Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) entered into force on May 25, 2018. The Act is applicable to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system unless such processing is conducted by natural persons during a purely personal or domestic activity.

The Federal Commissioner for Data Protection and Freedom of Information is the authority responsible for supervising Data Protection activities. Some of the guidance’s released by the Authority are discussed below:

  • Guidance on the privacy requirements of app developers and app providers: The orientation aid is aimed at developers and providers of mobile applications (apps). It reveals data protection and technical requirements and makes them understandable by means of striking examples.
  • Cryptographic methods: Based on the realization that absolute data security cannot be achieved in practice, the principles of “adequacy” and “necessity” have been enshrined in data protection laws. This means that appropriate security measures must be taken depending on the need for protection of the personal data concerned. The present guidance on the use of cryptographic procedures has been developed by a Working Group on Technical and Organizational Data Protection Issues of the Conference of Federal Data Protection Officers.
IRELAND

Data Protection Act 2018 was signed into law on 24 May 2018, to coincide with the GDPR. The Act implements derogations permitted under the GDPR and represents a major overhaul of the regulatory and enforcement framework.

The Data Protection Commission is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the GDPR, and has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations (2011) and the EU Directive.  The Commission recently released certain responsibilities for the Organisations to carry out under GDPR.

  1. Responsibilities of Organisations under the General Data Protection Regulation : The Authority provided information about organisational obligations under data protection legislation and the General Data Protection Regulation, including transparency with service users and how to respond to an individual who is exercising their data protection rights. More detailed information provided regarding:
  • your obligations under data protection;
  • how to respond to an individual exercising their rights;
  • how to make a notification to the Data Protection Commission in cases where your organisation or business has breached personal data.
ITALY

Italy adopted Legislative Decree No. 101/2018 which came into effect on September 4, 2018, concerning the provisions for the adaptation of the national legislation to the GDPR on the protection of individuals regarding the processing of personal data and rules to the free movement of such data.

The Decree sets the minority threshold in relation to the offer of information society services to 14 years. For children under that age, the processing of their data still requires parental consent. The Decree provides the specific conditions for the lawful processing of genetic data, biometric data or data concerning health. The Italian Supervisory Authority is tasked with such adoption, at least every two years. As per the Decree, existing practices in relation to the subject rights of deceased persons remain primarily unchanged. These rights can be exercised by those who have a proper interest or who act to protect the data subject or relevant family interests.

The Italian Data Protection Authority (Garante per la protezione dei dati personali) is an independent administrative authority established by Privacy Law. It is the supervisory authority responsible for monitoring application of the General Data Protection Regulation and the national legislation.

CODE OF CONDUCT:

Code of Ethics and Conduct in Processing Personal Data for Business Information Purposes : This Code of conduct sets out the adequate safeguards and arrangements to process personal data by protecting data subjects´ rights that must be in place in pursuing business information purposes; this is aimed to ensure, on the one hand, certainty and transparency in business relations along with adequate knowledge and circulation of business and economic information and, on the other hand, quality, relevance, accuracy and topicality of the processed personal data.

NETHERLANDS

The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) applies in the Netherlands from 25 May 2018.

Dutch Data Protection Authority [Autoriteit Persoonsgegevens (‘AP’)] is the independent administrative body that has been appointed by law as the supervisory authority for regulating the processing activities of personal data. Some of the publications of AP are discussed below:

  1. AP’s Recommendations for Register of Processing : On 28th November 2018, the Netherlands Authority for the Protection of Personal Data (AP) provided 5 concrete recommendations that organizations should consider when maintaining their registers of processing.
  • Organizations must state the duration and the purpose of processing personal data. Under European privacy legislation, it is not allowed to store personal data longer than necessary for the purpose with which they were collected. Organizations must also be able to explicitly mention the purpose why they collect this data.
  • Contact details of the controller must be included in the register.
  • Organization should provide a well-organized file of all processing activities carried out in relation to personal data, thereby enabling the users to easily navigate through it.
  • Location or the place where personal data is stored must be stated clearly in the register. This information is relevant when people submit a request for access or deletion.
  • Organizations must specify the goal of each processing activity. Only a mere enumeration of the processing activity, department wise, in combination with a summary of the various purposes of the processing is not sufficient
  1. Policy rules prioritization complaints investigation Authority Personal Data : The Dutch Data Protection Authority published policy rules regarding the prioritization of the investigation of complaints. Pursuant to the GDPR, every data subject has the right to lodge a complaint with the Dutch Data Protection Authority if it is violative of their rights provided in GDPR. It also follows from the GDPR that the Dutch Data Protection Authority must in principle investigate and respond to each complaint. The Dutch Data Protection Authority is free to make an assessment regarding the intensity of the investigation of a complaint.
POLAND

The Personal Data Protection Act entered into force on 25 May 2018 to help the implementation of the GDPR in Poland.

The President of the Office for Personal Data Protection is a competent authority for the protection of personal data on the territory of Poland, created by the Act of 10 May 2018 on the protection of personal data. Some of the guidelines adopted or released by the Authority are discussed below:

  1. Guideline 1/2018 regarding certification and determination of certification criteria in accordance with Article 42 and 43: The EU guidelines on certification have been adopted by Poland. The Guidelines explore the rationale for certification as an accountability tool; It also explains the key concepts of the certification provisions in Articles 42 and 43 and the scope of what can be certified and the purpose thereof.
  2. Protection of personal data at the workplace : The Guide indicates how to process personal data both during recruitment and during the whole period of employment. It is not limited to employment based on an employment relationship. It also treats other, more and more popular forms of employment, such as civil law contracts.
  3. Tips for data controllers – how to apply the GDPR: The Personal Data Protection Office prepared 10 tips for data controllers to help them to apply the GDPR rules on a daily basis such as:
  • Establish the proper basis for collecting and using personal data;
  • Comply with the information obligation in accordance with the new rules;
  • Communicate in a transparent way;
  • Always respect the rights of people;
  • Remember that consent can be withdrawn at any time;
  • Data breaches should be reported to the President of the Personal Data Protection Office and when necessary, to the persons whose data have been violated;
  • Do not create unnecessary documentation;
  • You have the right to profile, but remember about limitations;
  • Invest in a professional DPO;
  • Watch out for cheaters.
SLOVAKIA

The Protection of Personal Data (Act No. 18 of 2018) regulates the protection of the rights of natural persons against wrongful interference with their private data. The Act regulates the rights, duties and liabilities in connection with personal data processing and establishment, scope of powers and organization of the Office for Personal Data Protection of the Slovak Republic.

Office of Personal Data Protection is the supervisory authority responsible for the implementation of the Act. Some of the guidelines released by the authority are discussed below:

  1. Methodological Guideline no. 2/2018: Office for Personal Data Protection of the Slovak Republic issued the guideline on legality of processing. The principle of legality also expresses the requirement for fair and lawful processing and must be in accordance with the law of the Union, the law of the member the State and good morals, so as not to be violative of the fundamental rights and freedoms of the persons concerned.
  2. Methodological Guideline no. 3/2018: Office for Personal Data Protection of the Slovak Republic issued the guideline on the obligations of the e-shop operator from the point of view of personal data protection. The obligations are as follows:
    • to allow the operator to legally process the customer’s personal data, it must have an appropriate legal basis;
    • customers have the right to be informed about the terms of processing, how they are processing their applications for the exercise of the rights of the persons concerned, etc.;
    • data obtained should be processed by the operator only for a specific, expressly stated and legitimate purpose, furthermore they cannot be processed in a manner which is not compatible with such a purpose;
    • operator should process only the personal data that is necessary to achieve a specific purpose of processing;
    • operator must process correct and up-to-date personal data;
    • operator must keep personal data only for the necessary time to achieve the purpose of processing;
    • operator must guarantee the adequate security of the processed personal data; and
    • operator must be able to show compliance with the previous one the principles of processing.
SPAIN

The Organic Law 3/2018 of December 5 guarantees the digital rights of citizens and employees, beyond the GDPR. The law includes some specifications about data subjects’ rights. The new rule recognises a set of “digital rights” (or rights in the context of the Internet) to every individual, starting with the net neutrality right (or the right to be granted with Internet access without being discriminated for technical and/or economic reasons) and ending with the right to a digital testament.

Spanish Data Protection Agency (Agencia Española de Protección de Datos) (AEPD) is the public law authority overseeing compliance with the legal provisions on the protection of personal data and enjoying an absolute independence from the Public Administration. The guides released or adopted by the Agency are discussed below:

  1. Practical Guide of risk analysis for the treatment of personal data: The guide is aimed at data controllers/processors for the processing of personal data and which may affect data security breaches. It provides the interpretation of the RGPD regarding the obligation to notify the competent authority through appropriate channel. It aims to cover the wide range of Spanish business, small, medium or large companies of all kinds, companies with large data treatments and companies with reduced treatments and that, in the same way, can be of help to those in charge and in charge of treatments of the Public Administrations involved in the tasks of management of the gaps of security.
  2. Guide for the Person responsible for the processing of personal data: The guide presents systematically the main issues that organizations should be considered for the application of the RGPD. It is designed to help those responsible and those in charge to adapt the new obligations during the transition period. A ready recknor Checklist is included which organizations can use to determine if they have given the necessary steps to be able to make a correct application of the RGPD.
  3. Guide for the management and notification of security breaches: The guide aims to be useful for anyone who wants or needs to familiarise themselves with the issues regarding the management and notification of security breaches. It is designed for different data controllers processing personal data who could be affected by data security breaches, with the aim of enabling understanding of the GDPR regarding its requirement to notify the competent authority and, when relevant, the data subjects, so that the competent authority is notified through the correct channel, with useful and accurate information for statistical and monitoring purposes, and the new GDPR demands are met.
SWEDEN

The Data Protection Act (2018:218) entered into force on May 25, 2018. It provides for the processing of social security numbers and processing of data pertaining to criminal offences. The Act is applicable to the processing of personal data carried out within the framework of activities carried out at the premises of the personal data controller or personal data assistants in Sweden. The law is also applicable to the processing of personal data carried out by personal data controllers who are not established in Sweden, but in a place where Swedish law applies according to international law.

The Swedish government has designated the Swedish Data Protection Authority to be the supervisory authority under the GDPR.

SWITZERLAND

The Swiss Federal Data Protection Act (‘Act’) and the Data Protection Ordinance (‘Ordinance’) regulate data processing activities across the country. The Act is applicable in any of the following circumstances:

  • The data subject has its habitual residence in Switzerland, provided that the data processor can anticipate that damage may be sustained in Switzerland.
  • The data controller or processor (as the potentially infringing party) is a Swiss resident.
  • Damage resulting from a data breach is sustained in Switzerland, provided that the data processor can anticipate that damage may be sustained in Switzerland.

The Federal Data Protection and Information Commission is the Authority responsible for supervising the data protection activities. The Commission recently released a guide for technical and organisational measures for the introduction of data protection risks and measures which can be taken to ensure protection for personal data.

  1. Guide for technical and organizational measures – This guide is an introduction to the data protection risks that can arise in connection with modern IT systems. It intends to help the reader implementing measures and ensuring optimum and appropriate protection for personal data. The guide is primarily intended for IT systems managers and those who are directly involved in the management of personal data, whether they are technicians or not. The guide is structured around four main topics – data access, data lifecycle, data transmission and right to information.
 AUSTRIA

The Federal Act concerning the Protection of Personal Data (DSG) has considerably amended the Data Protection Act 2000 in order to implement GDPR. The Act regulates processing of personal data, appointment of data protection officers, maintaining confidentiality of data, investigation or prosecution of criminal offenses and rights of data subject in order to modify, rectify or delete.

Based on Art 8 GDPR, the Act provides that children may consent to data processing in the course of information society services starting with 14 years – instead of 16 years as stipulated by the GDPR. Art 10 GDPR generally provides that criminal data may only be processed “under the control of official authority”, unless otherwise authorised by the Member States. The Austrian legislator closed the potential gap by providing that criminal data may also be processed based on legitimate interests pursued by the controller.[4]

CZECH REPUBLIC 

Czech Republic enacted the Act No. 110/2019 Coll. on the Processing of Personal Data incorporating the provisions of GDPR. The law came into effect on April 24, 2019. It replaces the older Personal Data Protection Law (Act No. 101/2000 Coll., as amended) and regulates personal data processing within the scope of GDPR and also processing of the data by competent authorities for preventing, searching for and detecting criminal activity, ensuring safety and public order.

The Office for Personal Data Protection published various Guidance material for the implementation of the Law. Some of them are mentioned below:

  1. Data Breach Notification Guidance[5]: The Office for Personal Data Protection (‘UOOU’), published a guidance on data breach notifications. Key features of the guidance are provided below:
  2. outlines that any breach of personal data security that may result in a risk to the rights and freedoms of individuals must be reported;
  3. provides examples of such incidents, including an attack on a computer in which personal data is processed which results in the leakage of personal data, as well as the loss of paper documents containing personal data that was a part of manually kept records;
  • provides that where an infringement is unlikely to result in a high risk to the rights and freedoms of data subjects, such as if it becomes impossible to trace a paper document that was or should have been part of a manually kept record, no notification must be made;
  1. lists what should be included in the notification, as well as the exceptions to the obligation to report data breaches to affected individuals.
  2. DPIA Methodology[6]: The Office for Personal Data Protection (‘UOOU’) published a methodology for conducting Data Protection Impact Assessments (‘DPIAs’). Key points discussed in Methodology are:
  3. contains questions and answers, information on who needs to carry out a DPIA and when this is required, and outlines the four stages of a DPIA;
  4. provides that the data controller needs to ascertain whether a DPIA needs to be carried out with respect to the personal data obtained, the legal basis for processing, data retention periods, and data transfers;
  • highlights that the data controller should, when carrying out a DPIA, provide a systematic description of the intended processing activities, follow a risk assessment procedure through identifying assets, vulnerabilities, and threats related to the processing of personal data, and determine the level of risk following a DPIA;
  1. includes examples of vulnerabilities such as insufficient maintenance of supporting information and communication technologies, and insufficient physical protection of personal data.
LUXEMBOURG

 On 16 August 2018, the Luxembourg Government adopted and published the Law of 1 August 2018 on the organisation of the National Commission for Data Protection and implementation of GDPR and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The Law repeals the law of 2 August 2002 on the protection of persons regarding the processing of personal data.

ROMANIA

The Parliament of Romania adopted Law No. 190/2018 implementing the General Data Protection Regulation. The Law regulates special rules for the processing of certain categories of personal data, derogations from the GDPR, provisions regarding data protection officers (‘DPO’) and certification bodies, as well as provisions on the applicable sanctions for public and private entities. 

Conclusion: Critique of GDPR

As is evident from the EU countries’ domestic laws, GDPR is a privacy legislation that serves as a guideline for the upcoming laws on data privacy. GDPR strengthens individual privacy rights and increases the obligations of companies towards personal data. Also, it has uncurbed power that is also to say that like most of its counterparts, it is not toothless, since it not only provides for obligations towards the organisations but also has provisions to impose heavy penalties on breach of any of the obligations of organizations.

The largest sanctions have been imposed under privacy laws by CNIL where the restricted committee imposed a heavy financial penalty of around €50 million[7] against the company GOOGLE LLC, for lack of transparency, inadequate information and lack of valid consent regarding the ads’ personalization. The decision by the CNIL came like a warning that tough enforcement actions are not just in the theory and therefore, the organizations must take the privacy laws seriously.

Recently, some of the major fines were imposed in the year 2020, such as:

  • In April 2020, the Dutch Data Protection Authority imposed its largest fine €725,000 (US$ 821,600 million) to date to an unknown company for illegally using employees’ fingerprint scans for its attendance records over the period of 10 months. As per the GDPR, biometric data is classified as sensitive information and subjected to stringent protections.[8]
  • On December 07, 2020, the French Data Protection Authority issued two fines totalling €100 million against Google LLC, Google Ireland Limited and Amazon for cookie violations. In an audit, it was revealed that cookies, many of which were used for marketing purposes, were automatically placed on user equipment without affirmative action.[9]
  • On December 07, 2020, the Norwegian Data Protection Authority (‘Datatilsynet’) sent a notice of an infringement to the Norwegian Sports Confederation (‘NIF’) and imposed fine amounting to NOK 2.5 million (approx. €236,000) following the disclosure of the personal data of 3.2 million Norwegians after an error that took place when testing a cloud solution.[10]

Also, since the digital environment across the world has granted access of private data on a single click, privacy laws have become the talk of the town and its breach could mean heavy penalty for the data controller and processors. The borderless nature of the Internet raises several jurisdictional issues in data protection, therefore, gradually, even non-EU members are bringing in the supplementing laws in line with GDPR to protect the personal data of consumers. India and China have introduced Data Privacy Bills and on the other hand, China has also included data privacy principles in China Civil Code.

The emergent necessity of all the organizations to review their privacy policies and make them in compliance with the national legislation of their respective countries and GDPR, only reflects on the growing acceptance of GDPR, transcending beyond the EU.

† Consultant at Ernst and Young | Data Privacy and Occupational Health and Safety Compliance Professional

[1] Data subjects as “identified or identifiable natural person[s].” In other words, data subjects are just people—human beings from whom or about whom you collect information in connection with your business and its operations.

[2] Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

[3] According to Article 4 of the EU GDPR, a data controller is the entity (person, organization, etc.) that determines the why and the how for processing personal data. A data processor, on the other hand, is the entity that actually performs the data processing on the controller’s behalf.

[4] https://www.dorda.at/en/publications/new-austrian-data-protection-act-implementing-gdpr-passed-austrian-parliament Last accessed on December 11, 2020.

[5] https://www.uoou.cz/vismo/zobraz_dok.asp?id_org=200144&id_ktg=5020&n=poruseni-zabezpeceni

[6] https://www.uoou.cz/vismo/dokumenty2.asp?id_org=200144&id=46497

[7]Deliberation of the restricted formation n ° SAN – 2019-001 of January 21st, 2019 pronouncing a financial penalty against the company GOOGLE LLC

[8] https://cisomag.eccouncil.org/four-biggest-gdpr-fines-of-2020/ Last accessed on December 11, 2020.

[9] https://www.cnil.fr/en/cookies-financial-penalties-60-million-euros-against-company-google-llc-and-40-million-euros-google-ireland Last accessed at December 14, 2020

[10]https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2020/varsel-om-overtredelsesgebyr-til-norges-idrettsforbund/

Op EdsOP. ED.

We are living in a digital age, much more so after the onset of Covid-19. Business, meetings, interaction, banking, even education has shifted to online mode. Every person is accessing and sharing so much of data that it is very scary as one never knows who hands your data lands up in.

With this, concerns about data privacy have become more important than ever before in everyone’s mind.

Data can be classified into two categories as personal and non-personal. With the advancement of digital technology, there is a tremendous upsurge in storage, handling and processing of data by companies and humans in digital format.

It reflects the need to establish distinct regulatory mechanism for handling and processing of personal and non-personal data to preserve the confidentiality and secrecy of such data.

The Central Government is on course to develop a mechanism for regulating the collection, storage and usage of personal data and non-personal data separately.

Work on the non-personal data bill is going in parallel with the Personal Data Protection Bill, 2019. The Central Government had constituted a panel to develop a draft report on non-personal data governance.

The prime job of panel is to perform extensive research and to study all vital aspects associated with governance and regulation of non-personal data.

According to the draft report, non-personal data means data which is not personal. The panel has submitted its report to Central Government for review. The Central Government has invited comments from general public along with all stakeholders concerned by 13-8-2020 in this regard.

The idea of seeking comments from public is to give final shape to draft in progress to address all concerns and issues related to non-personal data in a comprehensive method.

An interesting outcome of the research by panel is that companies with largest data pools are unbeatable and have techno-economic advantages over small-medium companies.

According to available statistics, few startups established during the period (1990-2000) has emerged as larger corporations with economic capacity of USD 1 trillion market due to their stronghold in collection and analysis of users’ data.

Some interesting facts about larger corporations:

(a) 60% of internet advertising market in the United States is being dominated by Google and Facebook.

(b) 37% of online e-commerce market controlled by Amazon in United States.

These statistics reflects the power of right collection and processing of data.

According to the draft report, companies which are gathering and collecting data beyond certain limits will come under the ambit of a “data business” and have to register as “data business” in India. Such companies need to report the method of data collection and mode of data usage to regulatory authority.

Development of a data sharing framework is critical to:

(a) address and resolve privacy concerns in a timely manner;

(b) condense the side effects related to non-personal data processing; and

(c) generate social, public and economic value creation.

Establishment of data sharing platform reflects in transparency in data usage and handling, quantify efficiencies and better quality services.

It is expected that sharing of non-personal data could encourage companies to come up with new and innovative services and products to cater the needs of public at large.

Establishment of regulatory authority is a decisive connection in non-personal data governance – such authority should be empowered with the right set of legal and administrative tools to monitor data sharing acts of companies, collection and reviewing of data from companies and to resolve data privacy-related disputes.

Certain companies are misusing the data for their benefit causing considerable data privacy issues to the users — it is about time to develop distinct laws and mechanism for handling, processing and usage of personal and non-personal data to curb misuse of personal and non-personal data by companies.

Inception of separate laws for regulation of personal and non-personal data along with right implementation would result in:

(a) streamline the process of data handling and collection;

(b) make companies collecting and processing data more accountable and responsible;

(c) improve transparency standards in collection and usage of data; and

(d) provide more control to users on the aspect of collection and usage of their data.

*Bhumesh Verma is Managing Partner at Corp Comm Legal and can be contacted at bhumesh.verma@corpcommlegal.in. **Paruchuri Baswanth Mohan, Research Associate and can be contacted at  paruchuribaswanthmohan@gmail.com

Hot Off The PressNews

Supreme Court: While hearing Facebook Inc’s petition asking Supreme Court to hear all cases related to demands for linking Aadhaar to social media accounts and tracing the source of WhatsApp messages, the Court said that there has to be a balance between privacy and how to govern. The court, hence, issued notice to Facebook, Twitter, Google, YouTube, the centre and Tamil Nadu asking for their response by September 13 on whether the petitions should be transferred from high courts across India to the Supreme Court. Various cases are being heard by the high courts of Madras, Bombay and Madhya Pradesh and Orissa.

The Court said,

“There is a conflict between privacy and how the government should run the country when crimes are committed. There has to be a balance… under what condition information can be given and to whom,”

Facebook and WhatsApp, asking that all petitions be transferred to the top court, said it was a matter of high magnitude and affected the privacy of the entire nation.

On Monday, the Tamil Nadu government had told the Supreme Court that social media profiles of users need to be linked with Aadhaar numbers to check the circulation of fake, defamatory and pornographic content as also anti-national and terror material. However, Facebook Inc resisted the state’s suggestion on grounds that the sharing of the 12-digit Aadhaar number, the biometric unique identity, would violate privacy policy of users.

Facebook Inc said it cannot share the Aadhaar number with a third party as the content on its instant messaging WhatsApp was end-to-end encrypted and no one can access it.

The Tamil Nadu government, which is deep into a case related to the deadly Blue Whale game, argued that the centre was struggling to find out who the creator of the game was and who gives directions. Attorney General KK Venugopal, representing Tamil Nadu, said,

“Someone says he is a young person from Russia. A number of people have died in India playing the Blue Whale. Let the Madras High Court continue with its hearing,”

The Supreme Court said,

“We are aware of Blue Whale. What is happening in dark web is worse than Blue Whale. The idea of the Madras High court expanding the issue was that if need be, shouldn’t the intermediary inform the police about details of person for crime detection? We are not examining the merits of the case, only dealing with the transfer of the cases to the Supreme Court.”

(Source: NDTV)

Case BriefsSupreme Court

Supreme Court: In the light of the data privacy concerns raised before the Court in the matter relating to Whatsapp data sharing with it’s parent company Facebook, the 5-judge bench of Dipak Misra, CJ and Dr. AK Sikri, Amitava Roy, AM Khanwilkar and MM Shantanagoudar, JJ asked Senior Advocates Kapil Sibal and Arvind Datar, appearing for Whatsapp and Facebook, to file affidavits with regard to the assertions made by the petitioners within 4 weeks.

Additional Solicitor General Tushar Mehta brought to the Court’s notice that a committee headed by Former Supreme Court judge, Justice B N Srikrishna, was being formed to deliberate on a data protection framework for India keeping in mind the need to ensure growth of the digital economy while keeping personal data of citizens secure and protected. He further submitted there was a possibility that the law shall be passed regulating the data protection once the committee submits it’s report. Arvind Datar also submitted that the 9-judge bench, in Justice KS Puttaswamy v. Union of India, 2017 SCC OnLine SC 996, had expressed the view that there should be a law with regard to data protection.

Refusing to pass any interim order restraining the respondent from sharing the data with the third party, the Court said that it will consider passing interim order after the affidavits are filed and if the assertions made in the affidavit would not require any kind of intervention by this Court, this Court may not pass any interim order. The matter will next be taken up on 20.11.2017. [Karmanya Singh Sareen v. Union of India, 2017 SCC OnLine SC 1051, order dated 06.09.2017]