Privacy corner – an overview of recent developments
The transfer of information to third countries continues to be a significant focus for the data protection authorities and it seems that a new Privacy Shield may become a reality soon. Another interesting recent development is that a CEO in Germany has been found personally responsible for breaches of the GDPR. New Privacy Shield?
By Eva Jarbekk
The United States and the European Union have preliminarily agreed to continue transatlantic data flows that had been jeopardised by the Schrems II case. This has been rumoured for some time but became public knowledge on Friday 25 March 2022. This may be a great comfort to many struggling with their transborder data flows, but it remains to be seen if the new agreement really is good enough to be trusted. The text of the agreement is not yet public.
Max Schrems commented as follows: "The final text will need more time. Once this arrives we will analyze it in depth, together with our U.S. legal experts. If it is not in line with EU law, we or another group will likely challenge it."
He has even said that, if the agreement shows not to be give adequate protection, he will see to that the question is sent to the ECJ within months. Hopefully, the authorities will make an effort to make this new Privacy Shield work. However, even if this agreement is good enough for transfers to the US, this will not solve transborder issues with a variety of other important countries such as India. More information on this issue is available here.
A new decision from US jeopardizes the new Privacy Shield?
A recent decision from the U.S. Supreme Court makes it easier for the US government to invoke "state secrets" in spying cases. It is difficult to determine how this will affect the new transborder flow agreement, but this suggests that it may be more difficult to reach a new Privacy Shield agreement with the US, as the US government will legitimately be able to access more data.
22 data authorities implement co-ordinated investigation on the public sector's use of cloud services
As part of the European Data Protection Board's (EDPB) Coordinated Enforcement Framework, twenty-two data authorities in Europe have launched a co-ordinated investigation on the public sector's use of cloud services. The purpose of this investigation is to map the public's use of cloud services, in order that general guidelines can be formulated on how the public sector can use cloud services.
This is the first co-ordinated investigation conducted under the "umbrella" Coordinated Enforcement Framework, an initiative that was launched by the EDPB in October 2020.
New Danish guide on cloud computing
The Danish Data Protection Authority (DDPA) has published a new guide on cloud computing that is worth reading. Section 3.5 is of particular interest as this deals with third country data transfers.
The DDPA review the challenges with the US FISA 702, EO 12.333 and the Cloud Act in a very good and understandable manner. However, the conclusions they draw are exactly the same as those of the EDPB in its guide on third country transfers. Something else had been sensational.
There are several examples in the new guide that provide good, practical advice. For instance, example 10 clearly states that one needs to place less emphasis on information that is in the public space, but this has been said and written many times before. At the same time, they write, as has also been said before, that back-end systems can register information that is not in the public space, and then the question is whether there is any help in this at all.
The Dutch Data Protection Authority publishes DPIA on Microsoft Teams, OneDrive Sharepoint and Azure AD
The Microsoft double key encryption gets positive reviews in the DPIA. We will return to this matter at a later date, but for those who are particularly interested in evaluating Microsoft products, the DPIA's report is available here.
About the personal liability of CEOs
A CEO of a company in Germany was recently held to be personally liable for breach of privacy due to activities he had initiated in his role as CEO. An important consequence of this case is that one should understand that a company's "risk acceptance" can often entail violations of the law. We have recently written a review about this case in DN.