130 Matching Annotations
  1. Apr 2023
    1. Given the broad aim of the right of access, the aim of the right of access is not suitable to be analysed as a precondition for the exercise of the right of access by the controller as part of its assessment of access requests. Thus, controllers should not assess “why” the data subject is requesting access, but only “what” the data subject is requesting (see section 3 on the analysis of the request) and whether they hold personal data relating to that individual (see section 4). Therefore, for example, the controller should not deny access on the grounds or the suspicion that the requested data could be used by the data subject to defend themselves in court in the event of a dismissal or a commercial dispute with the controller.

      This is very interesting, and the FT (Copies du dossier médical) case will be one to watch.

      Details: https://www.dpcuria.eu/details?reference=C-307/22

  2. Feb 2023
    1. such processing can still be associated with increased risks because it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in a third country.

      So even if you don't need to consider Chapter V, consider Chapter 5.

      I wish the EDPB would just come out and say they want to splinter the internet already. It would be faster.

    2. if the same controller or processor is processing data outside the EU without disclosing it to another controller or processor (e.g. where an employee of an EU controller travels abroad and has access to the data of that controller while being in a third country or in case of direct collection from individuals in the EU under Article 3(2) GDPR), the processing activity should not be regarded as a transfer under Chapter V of the GDPR
    3. The GDPR does not provide for a legal definition of the notion “transfer of personal data to a third country or to an international organisation

      The understatement of the millennia

    4. Similarly, for a transfer of personal data to a controller or processor in a third country who is already subject to the GDPR for the given processing, it has to be noted that the GDPR already applies in its entirety
    5. Example 12: Controller in the EU uses a processor in the EU subject to third country legislation. The Danish Company X, acting as controller, engages Company Y established in the EU as a processor on its behalf. Company Y is a subsidiary of the third country parent Company Z. Company Y is processing the data of Company X exclusively in the EU and there is no one outside the EU, including the parent Company Z, who has access to the data. Additionally, it follows from the contract between Company X and Company Y that Company Y shall only process the personal data on documented instructions from Company X, unless required to do so by EU or Member State law to which Company Y is subject. Company Y is however subject to third country legislation with extraterritorial effect, which in this case means that Company Y may receive access requests from third country authorities. Since Company Y is not in a third country (but an EU company subject to Article 3(1) GDPR), the disclosure of data from the controller Company X to the processor Company Y does not amount to a transfer and Chapter V of the GDPR does not apply. As mentioned, there is however a possibility that Company Y receives access requests from third country authorities and should Company Y comply with such request, such disclosure of data would be considered a transfer under Chapter V. Where Company Y complies with a request in violation of the controller’s instructions and thus Article 28 GDPR, Company Y shall be considered an independent controller of that processing under Article 28(10) GDPR. In this situation, the controller Company X should, before engaging the processor, assess these circumstances in order to ensure that, as required by Article 28 GDPR, it only uses processors providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing is in line with the GDPR, including Chapter V, as well as to ensure that there is a contract or legal act governing the processing by the processor.

      Not a transfer until the USG triggers a request, in which case Company Y becomes an independent controller ... though who is the data being transferred to? The USG on compelled order?

    6. Some examples of how personal data could be “made available” are by creating an account, granting access rights to an existing account, “confirming”/“accepting” an effective request for remote access, embedding a hard drive or submitting a password to a file. It should be kept in mind that remote access from a third country (even if it takes place only by means of displaying personal data on a screen, for example in support situations, troubleshooting or for administration purposes) and/or storage in a cloud situated outside the EEA offered by a service provider, is also considered to be a transfer, provided that the three criteria outlined in paragraph 9 above are met.

      Everything is a transfer.

    7. Example 9: A subsidiary (controller) in the EU shares data with its parent company (processor) in a third country. The Irish Company X, which is a subsidiary of the parent Company Y in a third country, discloses personal data of its employees to Company Y to be stored in a centralised HR database by the parent company in the third country. In this case the Irish Company X processes (and discloses) the data in its capacity of employer and hence as a controller, while the parent company is a processor. Company X is subject to the GDPR pursuant to Article 3(1) for this processing and Company Y is situated in a third country. The disclosure therefore qualifies as a transfer to a third country within the meaning of Chapter V of the GDPR.

      The EDPB says "Hahaha, get wrecked"

    8. In addition, this second criterion cannot be considered as fulfilled when there is no controller or processor sending or making the data available (i.e. no “exporter”) to another controller or processor, such as when data are disclosed directly by the data subject to the recipient.

      No transfer when an action is done directly by a data subject to/from a recipient.

    9. Example 8: Employee of a controller in the EU travels to a third country on a business trip. George, employee of A, a company based in Poland, travels to a third country for a meeting bringing his laptop. During his stay abroad, George turns on his computer and accesses remotely personal data on his company’s databases to finish a memo. This bringing of the laptop and remote access of personal data from a third country, does not qualify as a transfer of personal data, since George is not another controller, but an employee, and thus an integral part of the controller (A). Therefore, the transmission is carried out within the same controller (A). The processing, including the remote access and the processing activities carried out by George after the access, are performed by the Polish company, i.e. a controller established in the Union subject to Article 3(1) of the GDPR. It can, however, be noted that in case George, in his capacity as an employee of A, would send or make data available to another controller or processor in the third country, the data flow in question would amount to a transfer under Chapter V; from the exporter (A) in the EU to such importer in the third country.

      Ah, the employee example. Which of course goes sideways if you start to look at contractors, things get gross.

      Also, 'make the data available' is broad.

    10. Chapter V does not apply to “internal processing”, i.e. where data is not disclosed by transmission or otherwise made available to another controller or processor, including where such processing takes place outside the EU

      They actually seem to clarify that intra-group processing activities here aren't covered, provided it's truly "internal" - I suspect that if the processing includes contractors, this goes out the window.

    11. Such instruments should, for example, address the measures to be taken in case of conflict of laws between third country legislation and the GDPR and in the event of third country requests for disclosure of data.

      But how? In the DPA? The point of the transfer mechanism (e.g., SCCs / BCRs) is to be standard. You can't modify them.

      This sounds like a thing the EDPB/EC need to do, not controllers/processors directly.

    12. Another situation worth mentioning in this context is when a controller in the EU uses a processor in the EU subject to third country legislation and there is a possibility that the processor will receive government access requests and, thus, a transfer of personal data will take place if the processor acts on such request

      This is the US CLOUD Act / FISA 702 clause

    13. Example 6: Processor in the EU sends data back to its controller in a third country. XYZ Inc., a controller without an EU establishment, sends personal data of its employees/customers, all of them data subjects not located in the EU, to the processor ABC Ltd. for processing in the EU, on behalf of XYZ. ABC re-transmits the data to XYZ. The processing performed by ABC, the processor, is covered by the GDPR for processor specific obligations pursuant to Article 3(1), since ABC is established in the EU. Since XYZ is a controller in a third country, the disclosure of data from ABC to XYZ is regarded as a transfer of personal data and therefore Chapter V applies.

      Ugh. So the fact that the processing is done in the EU, even of non-EU data subjects still triggers a transfer event. This just broadens the scope of TRAs and other contractual obligations. Useful to refer back to people who like to argue that the GDPR doesn't apply.

    14. Example 3: Controller in a third country receives data directly from a data subject in the EU (but not under Article 3(2) GDPR) and uses a processor outside the EU for some processing activities. Maria, living in Italy, decides to book a room in a hotel in New York using a form on the hotel website. Personal data are collected directly by the hotel which does not target/monitor individuals in the EEA. In this case, no transfer takes place since data are passed directly by the data subject and directly collected by the controller. Also, since no targeting or monitoring activities of individuals in the EEA are taking place by the hotel, the GDPR will not apply, including with regard to any processing activities carried out by non-EEA processors on behalf of the hotel

      Key distinguishing point here is that no 'targeting or monitoring activities of individuals in the EEA are occurring'

    1. Expert Opinion on the Current State of U.S. Surveillance Law and Authorities from Prof. Stephen I. Vladeck, University of Texas School of Law

      Vladeck Opinion

    2. section 702 is compulsory in the sense that, when the United States has issued a directive to an electronic communication service provider that is authorized by its annual certification to the FISA Court under section 702, the provider must either (1) comply; or (2) challenge the directive in the FISA Court

      FISA 702 Orders are compulsory - you either comply, or challenge.

    3. If the provider challenges the directive in court and loses, its failure to comply with the ensuing court order is expressly punishable by contempt — which could include significant (accumulating) fines. See 50 U.S.C. § 1881a(i)(4)(G)

      Contempt is how a 702 request is enforced. Question is, has there been a contempt order ever declared?

    1. In expressing disagreement with the proposed literal interpretation of Article 13(1)(c) GDPR set out in the Preliminary Draft Decision, Facebook submitted that “Facebook Ireland’s interpretation directly tracks the actual wording of the relevant GDPR provision which stipulates only that two items of information be provided about the processing (i.e. purposes and legal bases). It says nothing about processing operations.” Facebook submitted that because, in its view, Article 13(1) GDPR applies “at the time data is collected”, and therefore refers only to “prospective processing”. It submits that, on this basis, Article 13(1)(c) GDPR does not relate to ongoing processing operations, but is concerned solely with information on “intended processing”. Facebook’s position is therefore that Article 13(1)(c) GDPR is future-gazing or prospective only in its application and that such an interpretation is supported by a literal reading of the GDPR

      This is both a ballsy, and utterly stupid argument. The kind of argument that well-paid lawyers will make in order to keep getting paid.

    2. In light of this confirmation by the data controller that it does not seek to rely on consent in this context, there can be no dispute that, as a matter of fact, Facebook is not relying on consent as the lawful basis for the processing complained of. It has nonetheless been argued on the Complainant’s behalf that Facebook must rely on consent, and that Facebook led the Complainant to believe that it was relying on consent

      Here Helen bitchslaps Max by noting that despite what they hope and wish for, FB is relying on contract, and not consent.

    3. For these reasons, I conclude that, as a matter of fact, Facebook did not rely, or purport to rely, on the Complainant’s consent as a legal basis for the processing of personal data under the Terms of Service

      First conclusion: No consent. It's 6(1)(b) time.

    4. On this basis, the issues that I will address in this Draft Decision are as follows: Issue 1 – Whether clicking on the “accept” button constitutes or must be considered consent for the purposes of the GDPR; Issue 2 – Reliance on Article 6(1)(b) as a lawful basis for personal data processing; Issue 3 – Whether Facebook provided the requisite information on the legal basis for processing on foot of Article 6(1)(b) GDPR and whether it did so in a transparent manner.

      Key issues identified in the draft opinion. Compare later if this differs in final.

    5. Data Policy and related material sometimes, on the contrary, demonstrate an oversupply of very high level, generalised information at the expense of a more concise and meaningful delivery of the essential information necessary for the data subject to understand the processing being undertaken and to exercise his/her rights in a meaningful way. Furthermore, while Facebook has chosen to provide its transparency information by way of pieces of text, there are other options available, such as the possible incorporation of tables, which might enable Facebook to provide the information required in a clear and concise manner, particularly in the case of an information requirement comprising a number of linked elements. The importance of concision cannot be overstated nonetheless. Facebook is entitled to provide additional information to its user above and beyond that required by Article 13 and can provide whatever additional information it wishes. However, it must first comply with more specific obligations under the GDPR, and then secondly ensure that the additional information does not have the effect of creating information fatigue or otherwise diluting the effective delivery of the statutorily required information. That is simply what the GDPR requires.

      DPC again schools Facebook in reality.

    1. Where several operators are jointly responsible for the same processing, the law does not require each of them to have access to the personal data concerned.
    1. If you are a publisher, you better toss aside those ‘secret’ service provider data protection addendum and get ready to embrace ‘public’ joint-controller agreements with Facebook and other providers of plugins.

      ... How many orgs are actually doing this though?

    2. The CJEU came to the conclusion that non-for-profit consumer associations can sue for potential violations of data protection laws on behalf of a data subject not only under the GDPR but also under the former Data Protection Directive 95/46/EC.

      Kinda wonder how many class actions will be brought. Can class actions go against SAs as well?

    1. Where information that a controller would otherwise be required to provide to a data subject pursuant to subsection (1) includes personal data relating to another individual that would reveal, or would be capable of revealing, the identity of the individual, the controller— (a) shall not, subject to subsection (8), provide the data subject with the information that constitutes such personal data relating to the other individual, and (b) shall provide the data subject with a summary of the personal data concerned that— (i) in so far as is possible, permits the data subject to exercise his or her rights under this Part, and

      There's a right to provide a summary where it would be hard to avoid revealing the identity of another individual.

    2. Subject to subsection (2), a controller, with respect to personal data for which it is responsible, may restrict, wholly or partly, the exercise of a right of a data subject specified in subsection (4)

      Can restrict, but must be necessary and proportionate (and under one of the restriction rights)

    3. Subsection (1) shall not apply— (a) in respect of personal data relating to the data subject that consists of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential, or (b) to information specified in paragraph (b)(i)(III) of that subsection in so far as a recipient referred to therein is a public authority which may receive data in the context of a particular inquiry in accordance with the law of the State.

      Access doesn't need to include opinions made in confidence, or information obtained by a public authority who receives data in the context of a particular inquiry.

    1. Considering the above and in light of the specific circumstances of the processing, the EDPB finds that the IE SA could not have concluded in paragraph 115 of the Draft Decision that the contact information processing may be regarded as necessary for the performance of a contract between Meta IE and child users.

      Holding. Not necessary.

      "As a consequence, the EDPB finds that Meta IE could not have relied on [[Article 6(1)(b)]] GDPR as a legal basis for the contact information processing."

    2. As noted by the IE SA, the HTML publication of contact information was not considered necessary by Facebook’s Security Team and was subsequently discontinued. The EDPB considers that the analysis of the principle of data minimisation (Article 5(1)(c) GDPR) is relevant for the necessity assessment on the basis of Article 6(1)(b) GDPR. Consequently, the EDPB further finds that such analysis should have complemented the LSA’s assessment on the necessity of the processing for the performance of the contract, with specific regard to the publication of the contact information in the HTML source code on the Instagram website. The EDPB considers that the IE SA could not have concluded that the publication of the contact information of child users in the HTML source code may be regarded as

      EDPB rightly smacks the IE SA around a bit for generally cocking this all up.

    3. Assessment of processing on the basis of Article 6(1)(f) GDPR

      Now we're moving on to #legitimate_interests and Article 6(1)(f)

    1. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence

      Where to bring a claim - Either the Member State where the Controller/Processor is based, or the data subject's habitual location.

    1. Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject.

      Ties in with Article 77 of the GDPR

    1. “Request to know” means a consumer request that a business disclose personal information that it has collected about the consumer pursuant to Civil Code sections 1798.100, 1798.110, or 1798.115. It includes a request for any or all of the following: (1) Specific pieces of personal information that a business has collected about the consumer; (2) Categories of personal information it has collected about the consumer; (3) Categories of sources from which the personal information is collected; (4) Categories of personal information that the business sold or disclosed for a business purpose about the consumer; (5) Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and (6) The business or commercial purpose for collecting or selling personal information

      Narrower than the GDPR

    2. shall be reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed

      Reasonable & proportionality. Set to expectations of what a consumer would expect of use.

      Cannot be used for other disclosed purposes if they are compatible with what's reasonably expected. This is Article 5 lite.

    3. A business shall not collect categories of personal information other than those disclosed in its notice at collection in accordance with the CCPA and section 7012. If the business intends to collect additional categories of personal information or intends to use the personal information for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected, the business shall provide a new notice at collection.

      Notice provisions. Not very different from GDPR.

    4. “Disproportionate effort” within the context of a business responding to a consumer request means the time and/or resources expended by the business to respond to the individualized request significantly outweighs the benefit provided to the consumer by responding to the request. For example, responding to a consumer request to know may require disproportionate effort when the personal information which is the subject of the request is not in a searchable or readily-accessible format, is maintained only for legal or compliance purposes, is not sold or used for any commercial purpose, and would not impact the consumer in any material manner. In contrast, the benefit to the consumer of responding to a request to correct inaccurate information that the business uses and/or sells may be high because it could have a material impact on the consumer, such as the denial of services or opportunities. Accordingly, in order for the business to claim “disproportionate effort,” the business would have to demonstrate that the time and/or resources needed to correct the information would be significantly higher than that material impact on the consumer. A business that has failed to put in place adequate processes and procedures to comply with consumer requests in accordance with the CCPA and these regulations cannot claim that responding to a consumer’s request requires disproportionate effort

      This will be absolutely abused to get out of fulfilling any DSARs.

    1. Processing of special categories of personal data 45. Subject to compliance with the Data Protection Regulation and any other relevant enactment or rule of law, the processing of special categories of personal data shall be lawful to the extent the processing is— (a) authorised by section 41 and sections 46 to 54, or (b) otherwise authorised by Article 9.

      scd #specialcategoriesdata

    1. collecting and checking the content of declarations of private interests, of personal data that are liable to disclose indirectly the political opinions, trade union membership or sexual orientation of a natural person constitutes processing of special categories of personal data, for the purpose of those provisions.

      Second question: If you collect it, can you infer from it?

    2. those provisions cannot be interpreted as meaning that the processing of personal data that are liable indirectly to reveal sensitive information concerning a natural person is excluded from the strengthened protection regime prescribed by those provisions, if the effectiveness of that regime and the protection of the fundamental rights and freedoms of natural persons that it is intended to ensure are not to be compromised.

      And here's the key element for indirect/inferred data. In order for Article 9 to matter, it must also include data that infers SCD.

  3. Oct 2022
    1. Disclosures required under Article 2 shall also: (1) Use a format that makes the disclosure readable, including on smaller screens, if applicable. (2) Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California. (3) Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the policy in an alternative format. (c) For websites, a conspicuous link required under the CCPA or these regulations shall appear in a similar manner as other links used by the business on its homepage. For example, the business shall use a font size and color that is at least the approximate size or color as other links used by the business on its homepage. (d) For mobile applications, a conspicuous link shall be accessible within the application, such as through the application’s settings menu. It shall also be included in the business’s privacy policy, which must be accessible through the mobile application’s platform page or download page

      An improvement over the GDPR's Section 12 -- disability, visibility on smaller screens, normal font size/color, conspicuous on mobile.

    2. “Financial incentive” means a program, benefit, or other offering, including payments to consumers, related to for the collection, deletion, retention, or sale, or sharing of personal information. Price or service differences are types of financial incentive

      Wonder why they crossed out 'deletion ' here.

    3. “Categories of sources” means types or groupings of persons or entities from which a business collects personal information about consumers, described with enough particularity to provide consumers with a meaningful understanding of the type of person or entity. They may include the consumer directly, advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers

      The categories of sources are a bit different -- more akin to where the data comes from, rather than who the data is shared with.

  4. Sep 2022
    1. by allowing child users to switch to a business account, FB-I supported child users’ “fundamental rights to conduct a business, express themselves, communicate, and engage with information relevant to their interests and passions, while building community and their own businesses, brands, or initiatives”; and • by allowing child users to switch to business accounts without additional approval mechanisms, FB-I complied with the principle of data minimisation and prevented unnecessary barriers to the use of business accounts

      Fucking LOL

  5. Aug 2022
    1. According to settled case-law, for the purpose of interpreting a provision of EU law it is necessary to consider not only its wording but also its context and the objectives of the legislation of which it forms part

      When looking at provisions, you need to consider not only wording, but context. So, context does matter, at least with regard to legislative interpretation.

    2. must be interpreted as precluding national legislation that provides for the publication online of the declaration of private interests that any head of an establishment receiving public funds is required to lodge, in so far as, in particular, that publication concerns name-specific data relating to his or her spouse, cohabitee or partner, or to persons who are close relatives of the declarant, or are known by him or her, liable to give rise to a conflict of interests, or concerns any transaction concluded during the last 12 calendar months the value of which exceeds EUR 3 000.

      Final ruling on Q 1

    3. the public disclosure, online, of name-specific data relating to the declarant’s spouse, partner or cohabitee, or to persons who are close relatives of the declarant, or are known by him or her, liable to give rise to a conflict of interests, and mention of the subject of transactions the value of which is greater than EUR 3 000 are liable to reveal information on certain sensitive aspects of the data subjects’ private life, including, for example, their sexual orientation. Furthermore, since it envisages such public disclosure of name-specific data relating to persons other than the declarant in his or her capacity as a public sector decision maker, the processing of personal data that is provided for in Article 10 of the Law on the reconciliation of interests also concerns persons who do not have that capacity and in respect of whom the objectives pursued by that law are not imperative in the same way as for the declarant.

      Here, it's not only disclosing potentially sensitive information, but also penalizing individuals who lack any public oversight / authority role whatsoever (the spouses/cohabitees/family)

    4. Nor does it appear that the systematic publication, online, of the list of the declarant’s transactions the value of which is greater than EUR 3 000 is strictly necessary in the light of the objectives pursued.

      and publication of the declarant's transactions over a certain amount is WAY excessive.

    5. and information relating to the activities of the declarant’s spouse, cohabitee or partner to be set out in the declarations of private interests, the public disclosure, online, of name-specific data relating to the spouse, cohabitee or partner of a head of an establishment receiving public funds, and to close relatives, or other persons known by the declarant, liable to give rise to a conflict of interests, seems to go beyond what is strictly necessary

      Similarly, publication of spousal, family, close relatives, or other persons known to the official is WAY overbroad and goes beyond "what is strictly necessary."

      This could easily be referred to as shared interests of the spouse (generically) or relatives (generically) -- not their specific name.

    6. Therefore, only data the publication of which is actually capable of strengthening the safeguards for probity and impartiality of public officials, preventing conflicts of interest and combating corruption in the public sector may be subject to processing of the kind provided for in Article 10(1) of the Law on the reconciliation of interests.

      Restrictions to public officials and others to prevent conflicts of interest and fighting corruption. Heads of establishment probably not so much.

    7. a potentially unlimited number of persons may consult the personal data at issue.

      One counter to this, of course: Transparency and 'blue sky laws' have merit. Not just from a resource perspective, but also from an educated civil populace. Watchdog organisations, the press, etc., may have fundamental rights that don't seem to be considered by the CJEU. Notably Article 11 of the Charter and Art. 85 GDPR.

    8.  In that regard, the Lithuanian Government has stated before the Court that the obligation to provide a declaration of impartiality, to which those heads are subject under national law, is sufficient to achieve the objectives of the Law on the reconciliation of interests and that, therefore, application of Article 10 of that law to them, which was required until the Law on the reconciliation of interests as amended entered into force on 1 January 2020, went beyond what is strictly necessary in the light of those objectives.

      When the government admits that it's not and that a declaration alone would suffice, it's hard to argue that it was 'strictly necessary' / proportionate to collect (much less publish) the extra data online.

    9. such as the existence of other measures designed to prevent conflicts of interest and combat corruption, and the scale of such conflicts and of the phenomenon of corruption within the public service – and of the nature of the information at issue and the importance of the duties carried out by the declarant, in particular his or her hierarchical position, the extent of the powers of public administration with which he or she may be vested and the powers that he or she has in relation to the commitment and management of public funds.

      The question is, is this the most limited / proportionate way to identify and prevent conflicts of interest, or can something else be done that's more limiting? Is it 'strictly necessary', particularly for heads of establishments with no public authority?

    10.  However, it must be pointed out that a lack of resources allocated to the public authorities cannot in any event constitute a legitimate ground justifying interference with the fundamental rights guaranteed by the Charter.

      Important note: A lack of resources alone is not enough to justify interference with fundamental rights.

    11.   Accordingly, the measure at issue in the main proceedings appears appropriate for contributing to the achievement of the objectives of general interest that it pursues.

      So the publishing of private interests of public authorities and heads of establishments receiving private funds on the Commission's website may be appropriate

    12. It should indeed be borne in mind that the fundamental rights to respect for private life and to the protection of personal data, guaranteed in Articles 7 and 8 of the Charter, are not absolute rights, but must be considered in relation to their function in society and be weighed against other fundamental rights

      I think this will be the key question to consider going forward, re: inferred data.

    13. By its first question, the referring court asks, in essence, whether Article 7(c) and (e) of Directive 95/46 and points (c) and (e) of the first subparagraph of Article 6(1) and Article 6(3) of the GDPR, read in the light of Articles 7 and 8 of the Charter, must be interpreted as precluding a national provision that provides for the placing online of personal data contained in the declaration of private interests that any head of an establishment receiving public funds is required to lodge with the national authority responsible for collecting such declarations and checking their content.

      First question

    14. publication on the internet of matters capable of affecting the adoption of such decisions is not necessary in order to achieve that objective. Communication of the personal data to the bodies envisaged in Article 5 of that law and the monitoring task that is assigned to the organs referred to in Article 22 thereof constitute measures sufficient to ensure that that objective is achieved.

      The requirement to publish this on the internet was extreme and disproportionate to what was necessary (e.g., communicating this to the ethics bodies and oversight bodies)

    15. also reveal certain details of their private life.

      Oh interesting -- it also considers 'presents received' as disclosing information about the declarant's right to private life.

    16.  The Chief Ethics Commission asserts that, in so far as OT was vested with administrative powers in an establishment in receipt of financing from EU structural funds and the budget of the Lithuanian State, he was required to lodge a declaration of private interests, despite his not being an official and even if he did not exercise any powers of public administration. In addition, the Chief Ethics Commission observes that, whilst publication of such a declaration is liable to constitute an interference in the private life of OT and his spouse, that interference is provided for by the Law on the reconciliation of interests.

      I think that's where the broadness question really rears up. If it's not a true public official, and the person cannot exercise any powers of public administration, that makes the collection of data even more tangential.

    17. This is quite broad.

  6. Jul 2022
    1. Facebook cites the above passage from the Fining Guidelines to support its position that “intention” refers to a deliberate breach of the GDPR rather than a deliberate act. I note in this regard that the Fining Guidelines refer to two requirements, “knowledge” and “wilfulness”. This suggests a controller must infringe the GDPR both in full knowledge of the infringement’s characteristics and also in a deliberate manner. Having considered the nature of the infringements further in the context of the Fining Guidelines, I accept Facebook’s submissions that any intentional breach must be an intentional and knowing breach of a provision of the GDPR. There is no evidence that this has taken place.

      After the DPC bans FB transfers, especially if there's strong language about transfers to the US in particular, this is going to be a nightmare from an intent/knowledge standpoint for other controllers.

    2. In relation to processing for which Article 6(1)(b) GDPR is relied on, Articles 5(1)(a), 12(1) and 13(1)(c) have been infringed

      Finding 3

    3. Facebook argued that there cannot be an automatic infringement of Article 5(1)(a) GDPR simply because Articles 12(1) and 13(1)(c) GDPR have been infringed, or in the alternative that nothing further has occurred beyond the infringements to merit a finding of an infringement of Article 5(1)(a) GDPR

      Again, LOL. There absolutely can. Art. 5 underpins everything.

    4. These are, in my view, clear examples of the open-ended language that is not conducive to the provision of information in a transparent manner.

      Note to self: "such as" and "things like" won't cut it for the DPC. Should amend going forward in privacy notices for clients.

    5. In my view, insufficient detail has been provided in relation to the processing operations carried out both in general and on the basis of Article 6(1)(b) GDPR specifically


    6. My view is Article 13(1)(c) GDPR therefore does require what has been described as the “third link” in this chain: the relevant information for the purposes of Article 13(1)(c) GDPR must be provided by reference to the processing operations themselves. This is supported both by a literal reading of the provision, having regard to the definition in Article 4(2) GDPR, and the systematic reading I have just set out above

      Yes, Virginia, you need to provide information on the purposes of processing operations. All of them. Even if it's broad categories.

    7. The provision of such information would have no purpose if provided to the data subject after the personal data has been collected, hence its omission from Article 14 GDPR

      Fucking DUH.

    8. However, what Article 13 does clearly require is that the purposes and legal bases must be specified in respect of the intended processing. Purposes and legal bases cannot simply be cited in the abstract and detached from the personal data processing they concern.

      DPC smacks FB back into reality.

    9. That is to say, each “layer” of the documents in question were assessed in isolation for their individual compliance before a final “cumulative” view was expressed.

      Layered investigation approach

    10. While I accept that, as a general rule, the EDPB considers that processing for online behavioural advertising would not be necessary for the performance of a contract for online services, in this particular case, having regard to the specific terms of the contract and the nature of the service provided and agreed upon by the parties, I conclude that Facebook may in principle rely on Article 6(1)(b) as a legal basis of the processing of users’ data necessary for the provision of its service, including through the provision of behavioural advertising insofar as this forms a core part of that service offered to and accepted by users

      FB Can rely on contract.

    11. It is important to highlight, as the Investigator has, that in the same case the CJEU held that processing beyond the most minimal to meet the objective will still meet the necessity test if it renders a lawful objective “more effective”

      Processing doesn't need to be the bare minimum to be necessary.

    12. Put very simply, the Complainant is advancing a narrow and purpose-based interpretation of Article 6(1)(b) GDPR, that argues that the data processing should be the least invasive processing possible in order to fulfil the objective of the contract (here, what the overall contract sets out to do, rather than only what the contract says).

      An absolutely minimalist, absolutist position, similar to the Dutch DPA on LI.

    13. There is no question that “one ground has normative priority over the others”. This position is reflected in the Guidance of the Article 29 Working Party, which, although not legally binding, is nonetheless instructive in considering this

      One lawful basis has normative priority over the others. Though that doesn't mean you can only have one.

  7. Jun 2022
    1. it is or has become subject to laws or practices not in line with the requirements under Clause 14(a). This includes situations where the laws of the third country change after the initial assessment, or where the data importer becomes subject to a measure (such as a disclosure request) in the third country that indicates an application of such laws in practice that is not in line with the initial assessment

      Basically warrant canary.

    2. technical measures to ensure data security,

      Here's yet more confirmation that 'supplementary measures' really do mean technical controls, and really we're talking about encryption / anonymization / pseudonymization if the data can't be easily recreated. That's it.

    3. The parties must clarify to which specific data transfers they intend to apply the SCCs, in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred (Annex I.A and B). Moreover, the parties need to clarify their respective roles (as “data exporter” or “data importer”), including in case of subsequent changes based on the (optional) docking clause (Clause 7), and, for data exporters located outside the EU but covered by the GDPR (Article 3(2)), indicate their representative in the EU designated pursuant to Article 27 of the GDPR. The parties also need to indicate the competent supervisory authority/authorities, in accordance with Clause 13 (Annex I.C, see question 38 for more information on choosing the competent authority

      Need to include specificity in the annexes.

    4. For all modules, this must be a domestic legal regime that allows for “third party-beneficiary rights” within the meaning of Clause 3. This means that the chosen law must allow private parties to create contractually rights that can be invoked by the individuals concerned, i.e. the data subjects whose personal data will be transferred based on the SCCs

      i.e., not the US.

    5. Special rules apply if your data has been transferred by a service provider in the EEA that acts on behalf a non-EEA entity. In this case, you have the possibility to lodge a complaint directly with the data importer (i.e. the controller outside of the EEA) or, if available, an independent dispute resolution body (see Module 4, Clause 11)

      Interesting! I missed this.

  8. May 2022
    1. It is therefore for the parties to determine this period taking into consideration the particular circumstances of the data processing at stake

      Up to the parties to determine timeliness of notification keeping in mind 'without undue delay'

    2. Yes. Under clause 7.7 ‘Use of sub-processors’ the parties have to choose one of two options: OPTION 1: PRIOR SPECIFIC AUTHORISATION or OPTION 2: GENERAL WRITTEN AUTHORISATION. In both cases, the processor has to provide the name(s) of the individual sub-processor(s) to the controller so that the latter is enabled to decide on the authorisation of the selected sub-processor(

      Another key point. I need to remember this when dealing with processors who don't feel like providing this information.

    3. One or several new parties may adhere to the SCCs with the consent of all the pre-existing parties. The formalisation of such consent is not regulated by the SCCs, but should be done in accordance with relevant provisions of the national law governing the SCC

      Of course the process for how to dock in a new party is not defined...

    4. The parties may not include a general exculpation from liability (i.e. covering also the clauses of the contract that incorporate the SCCs) in the commercial contract, as this would contradict this provision of the SCCs. In addition, it would likely prejudice the rights and freedoms of individuals, e.g. by reducing the incentive for the parties to ensure compliance with the SCCs

      This is an important point. Need to make sure that other contracts signed between the parties do not contradict what's in the SCCs

    1. These databases should therefore be ready before the Regulation enters into application.

      Oh god, the database of indicators needs to be ready before the law goes into effect, which is only months after passage.

    2. may acquire, install and operate,

      May, not must.

    3. since it requires automatically scanning through texts in interpersonal communications. It is important to bear in mind in this regard that such scanning is often the only possible way to detect it and that the technology used does not ‘understand’ the content of the communications but rather looks for known, pre-identified patterns that indicate potential grooming. Detection technologies have also already acquired a high degree of accuracy, although human oversight and review remain necessary, and indicators of ‘grooming’ are becoming ever more reliable with time, as the algorithms learn.

      This is such a misstatement of reality.

    4. The EU Centre shall create, maintain and operate databases of the following three types of indicators of online child sexual abuse: (a) indicators to detect the dissemination of child sexual abuse material previously detected and identified as constituting child sexual abuse material in accordance with Article 36(1); (b) indicators to detect the dissemination of child sexual abuse material not previously detected and identified as constituting child sexual abuse material in accordance with Article 36(1); (c) indicators to detect the solicitation of children. 2. The databases of indicators shall solely contain: (a) relevant indicators, consisting of digital identifiers to be used to detect the dissemination of known or new child sexual abuse material or the solicitation of children, as applicable, on hosting services and interpersonal communications services, generated by the EU Centre in accordance with paragraph 3; (b) as regards paragraph 1, point (a), the relevant indicators shall include a list of uniform resource locators compiled by the EU Centre in accordance with paragraph 3; (c) the necessary additional information to facilitate the use of the indicators in accordance with this Regulation, including identifiers allowing for a distinction between images, videos and, where relevant, other types of material for the detection of the dissemination of known and new child sexual abuse material and language identifiers for the detection of solicitation of children. 3. The EU Centre shall generate the indicators referred to in paragraph 2, point (a), solely on the basis of the child sexual abuse material and the solicitation of children identified as such by the Coordinating Authorities or the courts or other independent authorities of the Member States, submitted to it by the Coordinating Authorities pursuant to Article 36(1), point (a). The EU Centre shall compile the list of uniform resource locators referred to in paragraph 2, point (b), solely on the basis of the uniform resource locators submitted to it pursuant to Article 36(1), point (b). 4. The EU Centre shall keep records of the submissions and of the process applied to generate the indicators and compile the list referred to in the first and second subparagraphs. It shall keep those records for as long as the indicators, including the uniform resource locators, to which they correspond are contained in the databases of indicators referred to in paragraph 1.

      Tell me you're an EU legislator who has no idea how ML works.

    5. Member States shall ensure that, where their law enforcement authorities receive a report of the dissemination of new child sexual abuse material or of the solicitation of children forwarded to them by the EU Centre in accordance with Article 48(3), a diligent assessment is conducted in accordance with paragraph 1 and, if the material or conversation is identified as constituting child sexual abuse material or as the solicitation of children, the Coordinating Authority submits the material to the EU Centre, in accordance with that paragraph, within one month from the date of reception of the report or, where the assessment is particularly complex, two months from that date.

      Same problems.

    6. specific items of material and transcripts of conversations that Coordinating Authorities or that the competent judicial authorities or other independent administrative authorities of a Member State have identified, after a diligent assessment, as constituting child sexual abuse material or the solicitation of children, as applicable, for the EU Centre to generate indicators in accordance with Article 44(3);

      Doubtful. How will this even work unless they staff the CAs with thousands and thousands of people?

    7. Member States shall ensure that the maximum amount of penalties imposed for an infringement of this Regulation shall not exceed 6 % of the annual income or global turnover of the preceding business year of the provider.


    8. Users shall have the right to lodge a complaint alleging an infringement of this Regulation affecting them against providers of relevant information society services with the Coordinating Authority designated by the Member State where the user resides or is established.

      But how often will this happen? If it's anything like lodging a complaint with a SA, it will go nowhere in the vast majority of cases.

    9. Centre

      Which is to say, there's going to be a lot of false positives here as well.

    10. videos

      What in the everloving hell...

    11. The provider shall inform the user concerned without undue delay, either after having received a communication from the EU Centre indicating that it considers the report to be manifestly unfounded as referred to in Article 48(2), or after the expiry of a time period of three months from the date of the report without having received a communication from the EU Centre indicating that the information is not to be provided as referred to in Article 48(6), point (a), whichever occurs first. Where within the three months’ time period referred to in the second subparagraph the provider receives such a communication from the EU Centre indicating that the information is not to be provided, it shall inform the user concerned, without undue delay, after the expiry of the time period set out in that communication.

      I literally have no idea what this paragraph is requiring here. What the hell.

    12. The Coordinating Authority of establishment shall have the power to request the competent judicial authority of the Member State that designated it or another independent administrative authority of that Member State to issue a detection order requiring a provider of hosting services or a provider of interpersonal communications services under the jurisdiction of that Member State to take the measures specified in Article 10 to detect online child sexual abuse on a specific service. 

      This looks wildly broad. Is it just an across the board detection order? Does it lapse?

    1. many billions of messages are sent each day

      Scale challenges.

  9. Nov 2021
    1. XYZ Inc., a controller without an EU establishment, sends personal data of its employees/customers, all of them non-EU residents, to the processor ABC Ltd. for processing in the EU, on behalf of XYZ. ABC re-transmits the data to XYZ. The processing performed by ABC, the processor, is covered by the GDPR for processor specific obligations pursuant to Article 3(1), since ABC is established in the EU. Since XYZ is a controller in a third country, the disclosure of data from ABC to XYZ is regarded as a transfer of personal data and therefore Chapter V applies.

      BUT WHY.

    2. Nevertheless, the Singaporean company will need to check whether its processing operations are subject to the GDPR pursuant to Article 3(2).

      But it won't, because they will argue they are not targeting EU individuals. And if they do, and start barring EU individuals, that will be a nightmare.

    3. This second criterion cannot be considered as fulfilled where the data are disclosed directly and on his/her own initiative by the data subject to the recipient.

      Well that's helpful.

    1. Figure 2: Table of Different Privacy Principles

      Good section to consider incorporating. It lists all the relevant things to consider.


    1. there is ordinarily no need for a member of the represented class to take any positive step, or even to be aware of the existence of the action, in order to be bound by the result.

      No positive step requirement (unlike Group actions)

    2. relief claimed on behalf of the represented class was limited to a declaration of legal rights.

      So basically, a pretty limited form of relief.

  10. Jul 2021
    1. The sixth and final step will be for you to re-evaluate at appropriate intervals the level of protection afforded to the data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it.

      Step 6: Periodically re-evaluate all of this at 'appropriate intervals' - Accountability requires 'continuous vigilance'

    2. A fifth step is to take any formal procedural steps the adoption of your supplementary measure may require, depending on the Article 46 GDPR transfer tool you are relying on. These recommendations specify these formalities. You may need to consult your competent supervisory authorities on some of them.

      Step 5: Take formal procedural steps to adopt your supplementary measures -- including executing under Art. 46 transfer tools.

    3. A fourth step is to identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment reveals that the third country legislation impinges on the effectiveness of the Article 46 GDPR transfer tool you are relying on or you intend to rely on in the context of your transfer

      Step 4: If the law's against you, apply supplementary measures. They need to be effective though in the country of transfer. Not just in the abstract.

      If NO supplementary measures will do anything, you probably shouldn't be transferring data.

    4. In the absence of legislation governing the circumstances in which public authorities may access personal data, if you still wish to proceed with the transfer, you should look into other relevant and objective factors, and not rely on subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards.

      And if you're dealing with Russia, or Israel or China or ... probably even the US, TBH, you can't rely on the likelihood that public authorities will access your data, because you honestly don't really know.

    5. For evaluating the elements to be taken into account when assessing the law of a third country dealing with access to data by public authorities for the purpose of surveillance, please refer to the EDPB European Essential Guarantees recommendation

      If you're dealing with heavy gov't surveillance, ya fucked.

    6. A third step is to assess if there is anything in the law or practice of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.

      Step 3: If you're relying on Art. 46 - Know the law or practice of the third country you're transferring to. Will appropriate safeguards in the SCCs work? Will contractual comfort/org measures be appropriate? Is encryption/pseudonymization your only option?

    7. A second step is to verify the transfer tool your transfer relies on, amongst those listed under Chapter V GDPR. If the European Commission has already declared the country, region or sector to which you are transferring the data as adequate, through one of its adequacy decisions under Article 45 GDPR or under the previous Directive 95/46 as long as the decision is still in force, you will not need to take any further steps, other than monitoring that the adequacy decision remains valid. In the absence of an adequacy decision, you need to rely on one of the transfer tools listed under Articles 46 GDPR for transfers that are regular and repetitive. Only in some cases of occasional and non-repetitive transfers you may be able to rely on one of the derogations provided for in Article 49 GDPR, if you meet the conditions.

      Step 2: Verify the transfer mechanism. If it's adequate (Art. 45). If it needs a BCR/SCC/CofC/etc (Art. 46). Can you apply a derogation? Contract? Consent? Limited LI? (Art. 49).

    8. As a first step, the EDPB advises you, exporters, to know your transfers

      Step 1: Know your transfers. Map all transfers to third countries. Be aware of flows, who it's going to and whether essentially equivalent protections are possible.

  11. Jun 2021
    1. This mechanism is different from the certification system aimed at ensuring compliance with data protection rules and principles, outlined in Articles 42 and 43 of the GDPR

      So, like, will it exist when the Regs actually drop? Because that would be different.

    2. In that regard, individuals’ right of restriction of processing (Article 18 GDPR and Article 20 EUDPR) as well as deletion / erasure of data (Article 16 GDPR and Article 19 EUDPR) should always be guaranteed in those cases. Furthermore, the controller should have explicit obligation to inform data subject of the applicable periods for objection, restriction, deletion of data etc. The AI system must be able to meet all data protection requirements through adequate technical and organizational measures. A right to explanation should provide for additional transparency.

      Important question: HOW tho?

    3. Data subjects should always be informed when their data is used for AI training and / or prediction, of the legal basis for such processing, general explanation of the logic (procedure) and scope of the AI-system

      Basically, a big fuck you to Clearview AI

    4. The reasoning behind the Proposal seems to omit that when monitoring open areas, the obligations under EU data protection law need to be met for not just suspects, but for all those that in practice are monitored.

      Excellent point.

    5. that the classification of an AI system as high-risk does not necessarily mean that it is lawful per se and can be deployed by the user as such

      But it absolutely will get interpreted as such.

    6. not always be possible for a provider to assess all uses for the AI system. Thus, the initial risk assessment will be of a more general nature than the one performed by the user of the AI system.

      So does that mean that controllers must perform risk assessments for specific uses?

    7. an exhaustive list of high-risk AI systems. This choice might create a black-and-white effect, with weak attraction capabilities of highly risky situations, undermining the overall risk-based approach underlying the Proposal. Also, this list of high-risk AI systems detailed in annexes II and III of the Proposal lacks some types of use cases which involve significant risks, such as the use of AI for determining the insurance premium, or for assessing medical treatments or for health research purposes. The EDPB and the EDPS also highlight that those annexes will need to be regularly updated to ensure that their scope is appropriate.

      Probably should look this annex up.

    8. However, EDPB and EDPS have serious concerns regarding the exclusion of international law enforcement cooperation from the scope set out in Article 2(4) of the Proposal

      You spy on my guys with your little AI.

    9. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, OJ L 295, 21.11.2018, p. 39–98. Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4.5.2016, p. 89–131.

      Gotta get around to actually reading these.

    10. The Proposal gives an important place to the notion of human oversight (Article 14)

      Article 22 and 25 are gonna get a workout.

    1. as part of an overall assessment, including reliable information on the application of the law in practice (such as case law and reports by independent oversight bodies), the existence or absence of requests in the same sector and, under strict conditions, the documented practical experience of the data exporter and/or data importer.

      This reliable information component is going to make things spicy. I suspect this will be litigated.

  12. May 2021
    1. In contrast to a general export ban, EU law and practice have also allowed cross-border commerce to continue, including the EU/U.S. bilateral trade and investment partnership valued at about 6 trillion euros

      And more importantly, a general lack of enforcement by most DPAs.

    2. On April 27, 2021, Portugal's data protection authority, the National Data Protection Commission, ordered Statistics Portugal, in carrying out the national census, to suspend processing of personal data in any third country that lacks adequate privacy protections, including the United States


  13. Apr 2021
    1. For the above situations, the European Commission should fulfil its monitoring role, and in case the essentially equivalent level of protection of personal data transferred from the EEA is not maintained, the European Commission should consider amending the adequacy decision to introduce specific safeguards for data transferred from the EEA and/or to suspend the adequacy decision.

      Essentially, continuous monitoring.

  14. Mar 2021
    1. The information must be given by the controller immediately, that is to say, when the data are collected. (¶¶100–101 and ¶¶103–106)

      Can't dick around and provide information after the fact. Need to do this immediately when data is collected.

    2. “it is necessary that that operator and that provider each pursue a legitimate interest, […], through those processing operations in order for those operations to be justified in respect of each of them”.

      ... and both controllers should have a legitimate interest or basis in the law to process data.

    3. Concept of joint-controllers:

      Plugin authors who are collecting data can be 'joint controllers'

    4. Representation of data subjects: Articles 22 to 24 of Directive 95/46 must be interpreted as “not precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data.” (¶63)

      Data subjects can be represented by consumer orgs.