In early November 2021 the Autoriteit Persoonsgegevens (AP) published a paper warning of privacy risks in education. According to the AP, education is digitising, which brings many opportunities but also risks. Although the General Data Protection Regulation (GDPR) entered into force about 3 years ago, many educational institutions struggle to comply with it. The ongoing digitisation of educational institutions only makes compliance with privacy legislation more complicated. Educational institutions are, for example, creating ever more data flows containing (sensitive) information about pupils and students. The association of secondary schools (VO-raad) underlines these findings and stresses that schools must handle the personal data of pupils, students and their parents with care. Protecting children's personal data is essential given their vulnerable position. At the same time, data breaches lurk wherever so much personal data is processed. Unfortunately, recent years have offered numerous examples in which this became painfully clear.
TikTok is facing a second mass claim in the Netherlands: the Take Back Your Privacy foundation (TBYP) and the Consumentenbond have filed a damages claim of a staggering 1,5 billion euros. They assert that TikTok is illegally collecting and trading the private information of children who use the social media platform. But what is the basis of the case, how is it progressing, and what can you as a parent do to ensure your child's personal information remains private?
Interview with Friederike van der Jagt, Chairwoman of the Take Back Your Privacy foundation, and Damiën Berkhout, lawyer of the foundation and partner at Scott + Scott Attorneys at Law LLP.
Back in April 2021, we wrote that if your website is accessible in France (and hey, aren't they all?), chances are you had to bring your cookie consent practices in line with new French rules or face the wrath of France's data protection supervisor, the Commission nationale de l'informatique et des libertés (CNIL), which had automated audits to periodically analyse cookie deposit practices.
The European Data Protection Board (EDPB) adopted, on 18 June 2021, the final version of its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
The recommendations were first adopted for public consultation in November 2020, following the Court of Justice of the European Union (CJEU) judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (Schrems II), in which it invalidated the EU-US Privacy Shield, making EU-US data transfers relying on the Privacy Shield non-compliant overnight. The Court also prescribed additional supplementary measures for the possible replacement transfer mechanisms, making the burden on organisations even heavier.
The release of new standard contractual clauses (SCC) for safeguarding personal data being transferred out of the EU did not come as a surprise in data protection circles, but it certainly will be a lot of work to read through the documents and renegotiate current contracts with customers and suppliers.
As businesses increase their use of outsourcing, organisations are entrusting more of their business processes to third parties and business partners so they can focus on what they do best. This means they must ensure these third parties manage both privacy and security well, or risk business uncertainty, legal liability and reputational damage. The risk of cyber attacks and data breaches originating at third-party vendors must be identified and mitigated.
A DPA is a written agreement between an organisation (the 'data controller') and a third-party organisation handling personal data on the controller's behalf (the 'data processor') which ensures that all processing tasks are carried out in accordance with the EU's General Data Protection Regulation ('GDPR').
The processing of personal data is almost always an issue in commercial relationships, to a greater or lesser extent, and even more so where IT solutions are concerned. IT is, after all, by its very nature used for the automated processing of data, and much of that data qualifies as personal data. Information is considered 'personal data' if a party has the means to trace the data back to an identifiable individual. This can therefore be data about the organisation's own employees as well as data about customers or prospects.
Users of the Dutch app CoronaMelder who become infected with the coronavirus will temporarily be unable to send alerts in the coming days. This was decided by Dutch Minister Hugo de Jonge (Public Health) on Wednesday after a privacy issue with Android phones came to light. The same vulnerability likely also affects other countries' contact tracing apps, but no other action is known at the time of writing. Millions worldwide have downloaded contact tracing apps built on Apple's and Google's framework, which was thought to be anonymous: the Dutch app was downloaded 4,8 million times, and the U.K.'s National Health Service app has at least 16 million users.
As the dust has settled somewhat, organisations are still very busy implementing alternative data transfer mechanisms after the landmark "Schrems II" decision invalidated the Privacy Shield (which allowed free transfer of personal data between the EU and the US). Meanwhile, one important tool is often overlooked: the data protection impact assessment ('DPIA').
On 14 April 2021 the European Data Protection Board (EDPB) adopted two Opinions on the draft UK adequacy decisions.
It is not a done deal, but the report by the EU-wide umbrella organisation for privacy protection appears to be one more significant hurdle cleared for EU-UK data flows.
There are two opinions since there are two draft adequacy decisions, one dealing with law enforcement and national security and the second dealing with more general data protection and data transfer matters.