fbpx

Free tools and resources for Data Protection Officers!

Category Archives for "Legislation"

ICO Blog Post on AI and Solely Automated Decision-Making

The ICO has published a blog post on the role of “meaningful” human reviews in AI systems to prevent them from being categorised as “solely automated decision-making” under Article 22 of the GDPR.

That Article imposes strict conditions on making decisions with legal or similarly significant effects based on personal data where there is no human input, or where there is limited human input (e.g. a decision is merely “rubber-stamped”).

Source: ICO Blog Post on AI and Solely Automated Decision-Making

EDPB Publishes Guidelines on the Contractual Legal Basis for Data Processing of Online Services

On April 12, 2019, the European Data Protection Board (EDPB) published draft guidelines 2/2019 on the processing of personal data in the context of the provision of online services to data subjects.

The Guidelines discuss how the “contract” legal basis applies in the context of online services or “information society services,” defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”

Source: EDPB Publishes Guidelines on the Contractual Legal Basis for Data Processing of Online Services

EDPB seeks comments on its Guidelines on the processing of personal data for online services 

The European Data Protection Board welcomes comments on the Guidelines 2/2019 on on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects. Such comments should be sent to EDPB by 24/05/2019 at the latest.

More infoemation: Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects | European Data Protection Board

Content Groups Warn FTC Over ‘Troubling’ Application of EU Privacy Law

The FTC is reviewing privacy regulations and has been holding a series of hearings, including one scheduled for Tuesday and Wednesday.

Groups representing producers, filmmakers and other content creators are warning the Federal Trade Commission over the unintended consequences of adopting sweeping online privacy laws akin to those in the European Union.

They contend that the sweeping measure restricts the availability of domain name data from a database overseen by the Internet Corporation for Assigned Names and Numbers. They say that such information is critical to enforcement of online infringement.

Source: Content Groups Warn FTC Over ‘Troubling’ Application of EU Privacy Law – Variety

How Privacy Laws Are Changing To Protect Personal Information

There is growing movement to establish and even harmonize privacy laws to reduce the data governance deficit and promote the right to privacy and economic competitiveness.

Changes to privacy laws are being fuelled in part by growing public concerns with the idea of unfettered data accumulation and use. Regulation, often slow to adapt to the pace of innovation, is starting to catch up with the extent of personal information being transmitted every minute.

Full article: How Privacy Laws Are Changing To Protect Personal Information

Finland Approves Act On The Secondary Use Of Social And Health Care Personal Data

The Finnish Parliament has approved the new general Act on the Secondary Use of Social Welfare and Health Care Data in March 2019.

The new Act codifies the relevant legislation and broadens the possibilities to, under certain conditions, utilize and combine for secondary purposes personal data collected in relation to public or private social and health care operations.

Source: Finland: Parliament Approves New Act On The Secondary Use Of Social And Health Care Personal Data

EU Commission Issues Recommendation on Cybersecurity in the Energy Sector

The European Commission has published a Recommendation on cybersecurity in the energy sector.

The Recommendation builds on recent EU legislation in this area, including the NIS Directive and EU Cybersecurity Act (see our posts here and here ). It sets out guidance to achieve a higher level of cybersecurity taking into account specific characteristics of the energy sector, including the use of legacy technology and interdependent systems across borders.

Source: EU Commission Issues Recommendation on Cybersecurity in the Energy Sector

Franch DPA Issues Standard Regulation For Biometric Systems In The Workplace

CNIL has adopted on 10 January 2019, further to a sectorial consultation with public bodies and private organisations, its first standard regulation that lays down legally binding rules applicable to data controllers subject to French Law, who use biometric systems to control access to premises, devices and applications at work.

The Regulation prescribes specific requirements for the processing, by a public or private employer, of biometric data to control accesses to work premises, to information systems or applications used in the context of business tasks entrusted to data subjects (i.e., employees, agents, interns and contractors).

Given the particular sensitivity of biometric data, the Regulation sets out stringent obligations to data controllers regarding the conditions of processing of such biometric data in the workplace.

Full article: France: The First Cnil Standard Regulation For Biometric Systems In The Workplace

Association of German Supervisory Authorities issues paper on broad consent for research

On April 3, 2019, the Association of German Supervisory Authorities (“Datenschutzkonferenz” or “DSK”) issued a paper  on the interpretation of “broad consent” for scientific research in Recital 33 of the GDPR and the interplay with the definition of consent and the principle of purpose limitation.

According to the DSK, broad consent should only be used in exceptional circumstances when it is not possible to establish at the outset the expected scope of the research. Moreover, the DSK suggests that a broad consent can be fixed at a later stage of the research by narrowing down the scope of the research once that scope is clearer – i.e., deliberately not using the obtained flexibility.

Ful article: Association of German Supervisory Authorities issues paper on broad consent for research

European Commission Releases Study on GDPR Data Protection Certification Mechanisms

European Commission has published a final report “Data Protection Certification Mechanisms: Study on Articles 42 and 43 of the Regulation
(EU) 2016/679”.

The overall aim of the study is to support the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Articles 42 and 43 GDPR.

More specific the purpose of the assignment is to: i) accompany the establishment of data protection certification mechanisms and of data protection seals and marks pursuant to Art. 42 and 43 GDPR and ii) collect all relevant information for the Commission in view of the possible implementation of Art. 43(8) GDPR on the requirements for the data protection certification mechanisms and of Article 43(9) GDPR on the technical standards for certification mechanisms and data protection seals and marks, and for mechanisms to promote and recognise those certification mechanisms, seals and marks.

Read report: Data Protection Certification Mechanisms: Study on Articles 42 and 43 of the Regulation (EU) 2016/679

1 2 3 108
>