EDPS comments on potential data mishandling by Europol in breach of its own Regulation
According to a letter dated 17 September, the European Data Protection Supervisor (EDPS) stated that Europol might have infringed its own data protection rules (as laid down in the currently applicable Europol Regulation) by storing and processing personal data of data subjects beyond its remit.
Under its own Regulation, Europol may process personal data only on ‘suspects, potential future criminals, contacts and associates, victims, witnesses and informants’. In addition, Europol may process only the minimum amount of personal data necessary for those categories of data subjects. According to the EDPS, Europol might have violated both of these rules.
In an inquiry conducted last year, the EDPS found that Europol held a database of more than 2 million gigabytes in 2019. The data in the database had been received from EU countries and could potentially include data on innocent individuals and minors.
Given the volume of data, the EDPS could not establish whether Europol had actually infringed the Regulation. It has therefore ordered Europol to adopt, by 17 November, a plan to improve its data handling practices and to implement that plan within four months.
See more here
UK government provides guidance on data processing activities and transfers after Brexit
The UK government has published guidance for organisations and other entities on their data processing activities, including data transfers, after the transition period. It sets out the steps those entities may need to take in the field of data protection from 1 January 2021.
As regards the applicability of the GDPR after the end of the transition period, the government clarified that the Regulation will continue to apply alongside the Data Protection Act 2018, with technical amendments so that it operates properly under UK legislation.
The guidance covers organisations that receive personal data from, or transfer personal data to, the EEA (including the EU), or that operate in the EEA. Although the assessment of an adequacy decision for the UK is still ongoing, the guidance sets out the steps to follow if no adequacy decision is in place. In that scenario, to continue lawfully receiving personal data from organisations and businesses within the EU/EEA, UK organisations should adopt alternative data transfer mechanisms, in particular Standard Contractual Clauses (SCCs).
On the other hand, data transfers from the UK to the EU, the EEA, Gibraltar and third countries that hold an adequacy decision from the EU Commission can continue without hindrance for the moment. In addition, eleven third countries deemed adequate by the EU Commission will continue to allow unrestricted data transfers to the UK.
See more here
Washington State Attorney General publishes annual Data Breach Report
On 28 October 2020, the Attorney General of Washington issued the annual Data Breach Report, highlighting a significant increase in the number of individuals affected by data breaches and in the number of ransomware incidents.
In particular, according to the report, the overall number of Washington residents impacted by a data breach rose by 67%, with breaches resulting from malicious attacks accounting for 65%. In addition, the number of ransomware incidents tripled compared with 2019, affecting more than 100,000 individuals.
The Report covers data breach notifications submitted to the Attorney General’s Office between July 24, 2019 and July 23, 2020. The most commonly compromised personal information was financial information and social security numbers, and the majority of the reported breaches originated from businesses. The average lifecycle of a breach was 148 days.
The Report follows the legislative amendments to the data breach notification law that took effect in March 2020. Under those amendments, the definition of ‘personal information’ has been expanded to include more categories of consumer data. Finally, companies and organisations are subject to stricter and more detailed notification requirements, and the deadline to notify consumers has been shortened to 30 days (instead of the previously applicable 45).
See more here
EU Council Presidency’s Conclusions on Artificial Intelligence and Digital Change
On October 21st, the EU Council Presidency Conclusions on the Charter of Fundamental Rights in the context of AI and Digital Change were published. The Presidency stressed the need to deploy responsible and human-centric AI to foster the economy, European solidarity, democracy and the rule of law, while safeguarding high European ethical standards.
The Presidency of the EU Council recalled the binding nature of the Charter, which requires Member States to comply with its provisions when implementing EU law, in particular in the light of the challenges to fundamental rights arising from developments such as the COVID-19 pandemic. Digital technologies, including AI, can play a strategic role in combating the pandemic. However, according to the Council, connectivity and inclusion should be ensured. To this end, the Council welcomed the Commission’s plan to establish an AI ecosystem based on trust and European fundamental principles, benefiting all European societies.
However, the underlying and subsequent challenges of AI systems, such as opacity, bias, unpredictability and autonomy, should be mitigated and addressed in order to ensure the compatibility of such systems with fundamental rights and to facilitate the enforcement of the rule of law. According to the Council, effective mitigation measures may include the imposition of requirements on the design, development, deployment and use of AI systems. In addition, the establishment of common technical standards could strengthen trust and confidence in such systems.
Finally, the Council recommends that any legal and regulatory reform undertaken in this field should strike a fair balance between the interests involved, while also facilitating innovation and leaving room for technical and socio-technical developments.
See more here
EDPS’s Strategy for EU Institutions’ compliance with the Schrems II Ruling
The CJEU’s ruling in the Schrems II case, issued earlier this summer, triggered a series of consequences for data transfers to any third country, including transfers between public authorities. To this end, the European Data Protection Supervisor has published a strategy document for monitoring EU institutions’ (EUIs) compliance with the Schrems II ruling.
Aiming to ensure that any international data transfer, in particular to the US, is carried out in compliance with EU data protection law, the EDPS has developed an action plan of steps, actions and enforcement measures, categorised as short-term and medium-term. As regards the former, the Supervisor has identified as its first priority the re-assessment of controller-to-processor and processor-to-sub-processor contracts currently in force, focusing in particular on those involving data transfers to the US.
As part of the medium-term actions, the Supervisor will provide guidance and adopt enforcement measures for data transfers to third countries on a case-by-case basis. In addition, EUIs will be required to perform Transfer Impact Assessments (TIAs) in order to assess their data transfers and identify, on an ad-hoc basis, whether an essentially equivalent level of protection is ensured in the third country in question; findings and/or deviations should be reported to the EDPS.
In the meantime, the EDPS has recommended that EU institutions and agencies avoid data transfers to the US in the context of new processing activities or new outsourcing agreements with service providers in the US.
See more here