Relevant privacy headlines
Please find a compilation of the latest relevant privacy headlines below.
EU and US reach preliminary agreement on international data transfers
On March 25, the US President and European Commission President announced a preliminary agreement on a new framework for transatlantic data flows. As the final legal text is not yet completed, the actual content of the framework has not been disclosed. However, the European Commission President claims it will enable predictable and reliable data flows between the EU and the US, protecting privacy and civil rights. The potential framework is eagerly awaited, as data transfers between the EU and US have been a complex issue since the European Court of Justice invalidated the Privacy Shield agreement.
The Swedish Authority for Privacy Protection (IMY) fines bank
IMY has imposed a fine of SEK 7 500 000 on a bank.
According to the General Data Protection Regulation (GDPR), data controllers are obligated to inform data subjects of the processing of their personal data. After reviewing the information made available by the bank on its website, IMY concluded it was insufficient and non-compliant with the GDPR. For example, with regard to one of the services provided by the bank, no information concerning the purpose and legal basis of the processing was stated. Additionally, the information regarding the recipients of personal data was incomplete and misleading. Furthermore, data subjects were neither informed of the countries outside the EU/EEA to which personal data was transferred, nor of where they could obtain additional information concerning the safeguards undertaken in connection with such transfers. In its decision, IMY also highlighted the lack of sufficient information on data subjects’ rights. The decision is available here.
IMY fines the Swedish Customs
IMY has imposed a fine of SEK 300 000 on the Swedish Customs.
Several employees within the Swedish Customs have used the cloud service Google Photos on their staff mobile phones. As a result, photos related to criminal investigations were uploaded to the US cloud service. According to IMY, appropriate technical and organisational measures should have been undertaken by the Swedish Customs to avoid the incident. For example, clear guidelines regulating employees' use of staff mobile phones should have been adopted, and technical restrictions preventing the download of certain apps should have been in place. In view of the foregoing, IMY concluded the Swedish Customs had violated the Swedish Criminal Data Act (Sw: Brottsdatalag (2018:1177)).
However, IMY also identified some mitigating circumstances. Among other things, only a few employees had used the cloud service after receiving the authority’s approval and all personal data uploaded to the service had been deleted. Due to this, IMY stressed that the amount of the imposed fine is considerably lower than what would have been justified without the mitigating circumstances. The decision is available here.
National data protection authorities will investigate the usage of cloud services in the public sector
The European Data Protection Board (EDPB) recently initiated its first coordinated enforcement action. The action stems from the Coordinated Enforcement Framework (CEF), which provides a structure for coordinating recurring annual actions by the EDPB’s supervisory authorities. As a result, 22 national data protection authorities within the EU (including IMY) will investigate the usage of cloud services in the public sector.
In particular, the investigation aims to highlight public bodies' compliance challenges with the GDPR in connection with the usage of cloud services, including the processes and safeguards involved in procuring cloud services, challenges related to international transfers and the use of accompanying measures, and provisions governing the relationship between controller and processor. As a first step, 80 public bodies across the EU have received a questionnaire addressing their usage of cloud services. The results will be analyzed on a national level, and thereafter national data protection authorities will decide on potential further national supervision and enforcement actions. In Sweden, the questionnaire does not constitute a supervisory measure. Instead, it aims to provide IMY with a better understanding of the use of cloud services so that appropriate national measures can be developed in the future.
A report addressing the final outcomes will be published by the EDPB before the end of 2022. IMY’s press release is available here.
EDPB adopts final version of guidelines on the usage of Codes of Conduct in connection with transfers of personal data to countries outside the EU/EEA
Transfers of personal data to countries outside the EU/EEA for which the European Commission has not issued a decision on an adequate level of protection are permitted only in specific situations or if appropriate safeguards have been undertaken. Standard Contractual Clauses are the most common safeguard, but Codes of Conduct may also be used. A Code of Conduct is a set of rules approved by a national data protection authority and may be developed by associations or other bodies representing categories of data controllers or data processors. It is voluntary to sign up to a Code of Conduct, but once an organization does, it becomes legally binding. The EDPB has now adopted its final Guidelines 04/2021 on Codes of Conduct as tools for transfers.
In its guidelines, the EDPB lists 17 elements which a Code of Conduct developed for third country transfers must address. For example, the code must ensure a right for data subjects to enforce the rules of the code in their role as third parties. This includes a possibility to lodge a complaint before national data protection authorities and competent courts within the EU. Additionally, the code must include a warranty that, at the time of adhering to the code, the importing controller or processor has no reason to believe that the laws applicable to the processing of personal data in the third country will prevent it from fulfilling its obligations under the code.
The final guidelines, listing all 17 required elements, are available here.
The Deloitte Privacy Team has extensive experience in the privacy field and regularly advises on data protection and information security matters. You are very welcome to contact us if you need our help or if you have any questions.