Update | New Trans-Atlantic Data Privacy Framework
The European Data Protection Board (EDPB) welcomed the announcement of a political agreement in principle between the European Commission and the United States on 25 March on a new Trans-Atlantic Data Privacy Framework.
The EDPB emphasizes that this announcement does not establish a legal framework for EEA data exporters to send data to the United States. Data exporters must continue to take the appropriate steps to comply with the Court of Justice of the European Union’s (CJEU) case law, particularly the Schrems II decision of July 16, 2020.
The EDPB plans to carefully analyze the improvements that the new framework may bring in the light of EU law, CJEU case law, and past Board recommendations.
The EDPB will examine whether personal data collected for national security purposes is limited to what is strictly necessary and appropriate.
The EDPB will also investigate how the newly announced independent redress mechanism respects EEA citizens’ right to an effective remedy and a fair trial.
The EDPB will evaluate whether any new organization created as part of this mechanism has access to relevant information, including personal data, and whether it can make binding decisions on intelligence services.
The EDPB will also review whether this authority’s decisions or inaction can be challenged in court.
The French Data Protection Authority (CNIL) has released a series of resources for evaluating artificial intelligence (AI) systems in light of the GDPR, aimed at both the general public and specialists. A relevant checklist for analyzing an AI system’s impact on data subject rights is one of the resources. Reported here → (in French)
New Latvian Cookie Guidelines advise the thorough assessment of a DPIA if a website delivers content that could be connected to a specific category of personal data (such as a dating website or a website providing information on health services) and more. Read the guide →
Consumer protection association sues Google over a cookie banner. North Rhine-Westphalia’s consumer protection association has stated that it has filed a lawsuit against Google in Berlin Regional Court. The criticism is directed at the cookie banner as well as the design. Click here to read more → (in German)
Danske Bank was referred to the police by the Danish Data Protection Agency (Datatilsynet) and fined 10 million Danish kroner ($1.47 million) for violating the European Union’s General Data Protection Regulation (GDPR). Reported here → (in Danish)
The Belgian privacy authority (AP) has penalized Brussels airports Zaventem and Charleroi for checking the temperature of passengers. To identify those infected with coronavirus, airports began checking passengers’ temperatures in 2020. In a statement on Monday, the country’s privacy authority said that the screening violated privacy rules, fining the airports in Zaventem and Charleroi €200,000 and €100,000, respectively. Read about it here →
3) New and Upcoming Legislation
New EU data-sharing rules aim to spur innovation and assist start-ups and enterprises in using big data. The Data Governance Act, passed by Parliament on April 6, 2022, proposes to increase data sharing in the EU so that businesses and start-ups can access more data to build new goods and services. Reported here →
4) Strong Impact Tech
The National Institute of Standards and Technology (NIST) in the United States released a Request for Information (RFI) titled ‘Assessing and Improving NIST’s Cybersecurity Resources: Cybersecurity Framework and Risk Management of the Cybersecurity Chain.’ The RFI emphasized the relevance of international viewpoints in helping NIST modernize its resources. The RFI will seek feedback on aligning or complementing NIST’s cybersecurity framework with existing international frameworks.
After Google’s existing approach was found to violate EU legislation, Hamburg’s top data protection commissioner supported the company’s intention to include a “reject all” button on cookie banners. See here for further reading →
Other key information from the past weeks
European Data Protection Supervisor issues a reprimand to the European Border and Coast Guard Agency (Frontex) for moving to the cloud without a proper data protection assessment.