17th Newsletter -> 29 October - 4 November 2016


UK to Implement GDPR 


The Secretary of State Karen Bradley MP recently stated that in May 2018 the UK will still be a member of the EU and therefore it would be expected and quite normal for it to opt into the General Data Protection Regulation. After the implementation, the Secretary suggests looking at how to help British business with data protection while maintaining high levels of protection for members of the public.

This week the UK Information Commissioner Elizabeth Denham welcomed, in her blog post, the UK government's view on the GDPR. The main reason is that both the ICO and the UK government have pushed for reform of the EU law for several years. To help organisations adapt to the new legislation, the ICO will first publish a revised timeline setting out what areas of guidance it will be prioritising over the next six months.


Read the UK IC Blog Post HERE


Read the Full Secretary’s Statement HERE

_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________



Art. 29 WP Issues an Opinion on EU - U.S. Umbrella Agreement


The Article 29 Working Party (WP) has issued a statement about the so-called EU-U.S. Umbrella Agreement, which sets out to create a high-level data protection framework for the transatlantic cooperation on criminal law enforcement. The WP acknowledges the legitimate ground for exchange of data for cooperation between law enforcement authorities and it generally welcomes the Agreement as it “considerably strengthens the safeguards in existing law enforcement bilateral treaties with the US, some of which were concluded before the development of the EU data protection framework.”

Despite the positive side of the Agreement, the WP requested further assurances and answers from the U.S. government on:

- the scope of redress rights granted by the U.S. Judicial Redress Act, 

- how records from US law enforcement agencies are exempted from the application of the Privacy Act, and 

- the compatibility of these practices with the Umbrella Agreement. 


Furthermore, the WP suggests further defining the concepts of “personal data” and “data processing”, which are defined differently in EU and U.S. law, the data retention period, the restrictions on individuals’ access rights, and the access right mechanism. The WP stated that, once the Umbrella Agreement is approved by the European Parliament, it will continue to monitor its implementation and oversight measures to ensure that the rights afforded are effective.


Read more HERE


Read the Full WP Statement HERE

_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________



Norwegian DPA Exposes the Shortfalls of Mobile Health Devices


The Norwegian Data Protection Authority (DPA) has examined six different mobile health devices on how they communicate privacy-related matters to their customers. The devices allow the users to monitor blood pressure, blood sugar, pulse and the level of oxygen in blood. Importantly, the examined devices are easily available to Norwegian consumers and send data to an app on the users' mobile phones.

The research revealed the following:

- Five of the six devices failed to adequately explain to customers how their personal data was collected, used and disclosed;

- Four of the six devices did not have a privacy policy;

- Whereas some devices did not offer any information on how personal data was processed, we also found that others provided at least some relevant information;

- None of the devices adequately explained to the users how their personal data was stored; and

- None of the devices adequately explained to the users how they could delete their data.


Read more HERE


Read the Full Report HERE (In Norwegian)

_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________



DRI Challenges Whether the Irish DPC is an Independent Authority


Privacy group Digital Rights Ireland (DRI) have initiated court proceedings against the Irish State, challenging whether the office of the Data Protection Commissioner is an independent data protection authority under EU law. DRI claim that Ireland has failed to properly implement EU data protection law, or to follow the requirements of the Charter of Fundamental Rights, by failing to ensure the commissioner is genuinely independent from the Government. The privacy group cited case law from infringement proceedings taken by the European Commission against other countries for failure to fulfil an obligation under the EU treaties: Commission v Hungary, Commission v Germany and Commission v Austria. In those cases the Court of Justice of the European Union explicitly ruled that data protection authorities must act impartially and must remain free from any external influence, including that of the state.


Read more HERE


Read the DRI Statement HERE

_______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________