Tag Archives: European Data Protection Supervisor

Fresh EU data protection compliance guidance for mobile apps, from the EDPS

The European Data Protection Supervisor adopted this week “Guidelines on the protection of personal data processed by mobile applications provided by European Union institutions”.

While the guidelines are addressed to the EU bodies that provide mobile apps to interact with citizens (considering the mandate of the EDPS is to supervise how EU bodies process data), the guidance is just as valuable to all controllers processing data via mobile apps.

The Guidelines acknowledge that “mobile applications use the specific functions of smart mobile devices like portability, variety of sensors (camera, microphone, location detector…) and increase their functionality to provide great value to their users. However, their use entails specific data protection risks due to the easiness of collecting great quantities of personal data and a potential lack of data protection safeguards.”

Managing consent

One of the most difficult data protection issues that controllers of processing operations through mobile apps face is complying with the consent requirements. The Guidelines provide valuable guidance on how to obtain valid consent (see paragraphs 25 to 29).

  • Adequately inform users and obtain their consent before installing any application on the user’s smart mobile device.
  • Users have to be given the option to change their wishes and revoke their decision at any time.
  • Consent needs to be collected before any reading or storing of information from/onto the smart mobile device is done.
  • An essential element of consent is the information provided to the user. The type and accuracy of the information provided needs to be such as to put users in control of the data on their smart mobile device to protect their own privacy.
  • The consent should be specific (highlighting the type of data collected), expressed through an active choice, and freely given (users should be given the opportunity to make a real choice).
  • The apps must provide users with real choices on personal data processing: the mobile application must ask for granular consent for every category of personal data it processes and every relevant use. If the OS does not allow a granular choice, the mobile application itself must implement this.
  • The mobile application must feature functionalities to revoke users’ consent for each category of personal data processed and each relevant use. The mobile application must also provide functionalities to delete users’ personal data where appropriate.

The Guidelines invite controllers to “analyse the compliance of its intended processing before implementing the mobile application during the feasibility check, business case design or an equivalent early definition stage of the project”. The controller “should take decisions on the design and operation of the planned mobile application based on an information security risk assessment”.

Other recommendations concern:

  • data minimisation – “the mobile application must collect only those data that are strictly necessary to perform the lawful functionalities as identified and planned”.
  • third party components or services – “Assess the data processing features of a third party component or of a third party service before integrating it into a mobile application”.
  • security of processing – “Apply appropriate information security risk management to the development, distribution and operation of mobile applications” (paragraphs 38 to 41).
  • secure development, operation and testing – “The EU institution should have documented secure development policies and processes for mobile applications, including operation and security testing procedures following best practices”.
  • vulnerability management – “Adopt and implement a vulnerability management process appropriate to the development and distribution of mobile applications” (paragraphs 47 to 51).
  • protection of personal data in transit and at rest – “Personal data needs to be protected when stored in the smart mobile device, e.g. through effective encryption of the personal data”.
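The consent requirements above (granular consent per data category and per use, revocation at any time, no reading or storing before consent, deletion where appropriate) and the data minimisation recommendation all describe behaviour an app backend has to enforce, not just a policy to document. The following is an added example, not code from the EDPS Guidelines or from pdpecho: a small consent ledger in which every (category, purpose) pair must be granted before the app may store anything for it, undeclared fields are dropped at collection time, consent can be revoked per pair, and a category can be erased. The `ALLOWED_FIELDS` table, the `ConsentLedger` class and the sample readings are all constructed for the illustration.

```python
# Added example (not the EDPS Guidelines' or pdpecho's code): a granular
# consent ledger that gates collection per (category, purpose), minimises
# what is kept, and supports revocation and erasure.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical app: each declared (category, purpose) pair lists the fields
# it is allowed to retain, so collection stays limited to what that use needs.
ALLOWED_FIELDS: Dict[Tuple[str, str], Set[str]] = {
    ("location", "route_planning"): {"lat", "lon", "timestamp"},
    ("contacts", "invite_friends"): {"display_name", "email"},
}


class ConsentRequired(Exception):
    """Raised when data would be read or stored without an active consent."""


@dataclass
class ConsentRecord:
    category: str
    purpose: str
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.revoked_at is None


class ConsentLedger:
    def __init__(self) -> None:
        # One consent record per (category, purpose): granularity is the point.
        self._consents: Dict[Tuple[str, str], ConsentRecord] = {}
        # Personal data at rest, grouped by category so it can be erased as a unit.
        self._data: Dict[str, List[dict]] = {}

    def grant(self, category: str, purpose: str) -> ConsentRecord:
        # Refuse consent for processing the app never declared: the user cannot
        # be informed about, and so cannot validly consent to, an unknown use.
        if (category, purpose) not in ALLOWED_FIELDS:
            raise ValueError(f"undeclared processing: {category}/{purpose}")
        rec = ConsentRecord(category, purpose, datetime.now(timezone.utc))
        self._consents[(category, purpose)] = rec
        return rec

    def revoke(self, category: str, purpose: str) -> None:
        rec = self._consents.get((category, purpose))
        if rec and rec.active:
            rec.revoked_at = datetime.now(timezone.utc)

    def has_consent(self, category: str, purpose: str) -> bool:
        rec = self._consents.get((category, purpose))
        return bool(rec and rec.active)

    def collect(self, category: str, purpose: str, raw: dict) -> dict:
        """Store a reading only under active consent, keeping only declared fields."""
        if not self.has_consent(category, purpose):
            raise ConsentRequired(f"no active consent for {category}/{purpose}")
        allowed = ALLOWED_FIELDS[(category, purpose)]
        minimised = {k: v for k, v in raw.items() if k in allowed}
        self._data.setdefault(category, []).append(minimised)
        return minimised

    def erase(self, category: str) -> int:
        """Delete all stored personal data of a category; returns the record count removed."""
        return len(self._data.pop(category, []))

    def audit(self) -> List[Tuple[str, str, bool]]:
        """Snapshot of every consent decision, for the user and for supervision."""
        return [(c, p, r.active) for (c, p), r in sorted(self._consents.items())]


def demo() -> dict:
    """Walk through the lifecycle: refuse, grant, minimise, revoke, refuse, erase."""
    ledger = ConsentLedger()
    # Constructed sample readings, as a location sensor might deliver them.
    reading = {"lat": 48.8, "lon": 2.3, "timestamp": 1, "wifi_ssid": "home"}
    try:
        ledger.collect("location", "route_planning", reading)
        refused_before = False
    except ConsentRequired:
        refused_before = True
    ledger.grant("location", "route_planning")
    kept = ledger.collect("location", "route_planning", reading)  # wifi_ssid is dropped
    ledger.revoke("location", "route_planning")
    try:
        ledger.collect("location", "route_planning", reading)
        refused_after = False
    except ConsentRequired:
        refused_after = True
    erased = ledger.erase("location")
    return {"refused_before_consent": refused_before, "kept_fields": sorted(kept),
            "refused_after_revoke": refused_after, "erased": erased,
            "audit": ledger.audit()}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the ledger never grants consent for a pair missing from `ALLOWED_FIELDS`: the declared purposes are the same table that drives minimisation, so the information shown to the user at the consent prompt and the data the app can actually retain cannot drift apart.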


***

Find what you’re reading useful? Consider supporting pdpecho.


Analysis of the AG Opinion in the “PNR Canada” Case: unlocking an “unprecedented and delicate” matter

AG Mengozzi delivered his Opinion in the EU-Canada PNR case (Opinion 1/15) on 8 September 2016. While his conclusions clearly indicate that, in part, the current form of the agreement between Canada and the EU “on the transfer and processing of Passenger Name Record data” is not compliant with EU primary law – and in particular with Articles 7, 8 and 52(1) of the Charter[1] and Article 16(2) TFEU[2] – the AG seems to accept that PNR schemes in general (involving indiscriminate targeting, profiling and preemptive policing) are compatible with fundamental rights in the EU.

In summary, it seems to me that the AG’s message is: “if you do it unambiguously and transparently, under independent supervision, and without sensitive data, you can process PNR data of all travellers, creating profiles and targeting persons matching patterns of suspicious behaviour”.

This is problematic for the effectiveness of the right to the protection of personal data and the right to respect for private life. Even though the AG agrees that the scrutiny of an international agreement such as the EU-Canada PNR Agreement should not be looser than that of an ordinary adequacy decision or that of an EU Directive, and considers that both Schrems and Digital Rights Ireland should apply in this case, he does not apply in all instances the rigorous scrutiny the Court uses in those two landmark judgments. One significant way in which he does this is by enriching the ‘strict necessity test’ so that it comprises a “fair balance” criterion and an “equivalent effectiveness” threshold (see Section 5).

On the other hand, AG Mengozzi is quite strict about the safeguards he sees as essential in order to make PNR agreements such as the one in this case compatible with fundamental rights in the EU.

Data protection authorities have warned time and again that PNR schemes are not strictly necessary to fight terrorism and serious and transnational crime – they are too invasive and their effectiveness has not yet been proven. The European Data Protection Supervisor – the independent advisor of the EU institutions on all legislation concerning processing of personal data – has issued a long series of Opinions on PNR schemes, be it in the form of international agreements on data transfers, adequacy decisions or EU legislation, always questioning their necessity and proportionality[3]. In the latest Opinion from this series, on the EU PNR Directive, the EDPS clearly states that “the non-targeted and bulk collection and processing of data of the PNR scheme amount to a measure of general surveillance” (§63) and that, in the absence of appropriate and unambiguous evidence that such a scheme is necessary, the PNR scheme is not compliant with Articles 7, 8 and 52 of the Charter, Article 16 TFEU and Article 8 ECHR (§64).

The Article 29 Working Party also has a long tradition of questioning the very idea of a PNR system. A good reflection of this is Opinion 7/2010, where the WP states that “the usefulness of large-scale profiling on the basis of passenger data must be questioned thoroughly, based on both scientific elements and recent studies” (p. 4) and declares that it is not satisfied with the evidence for the necessity of such systems.

The European Parliament suspended the procedure to conclude the Agreement, decided to use one of its new powers granted by the Treaty of Lisbon, and asked the CJEU to issue an Opinion on the compliance of the Agreement with EU primary law (TFEU and the Charter).

Having the CJEU finally look at PNR schemes is a matter of great interest for all EU travellers, and not only for them. Especially at a time like this, when it feels like surveillance is served to the people by states all over the world – from liberal democracies to authoritarian states – as an acceptable social norm.

General remarks: first-timers and wide implications

The AG acknowledges in the introductory part of the Opinion that the questions this case brought before the Court are “unprecedented and delicate” (§5). In fact, the AG observes later on in the Opinion that the “methods” applied to PNR data, once transferred, in order to identify individuals on the basis of patterns of behavior of concern are not at all provided for in the agreement and “seem to be entirely at the discretion of the Canadian authorities” (§164). This is why the AG states that one of the greatest difficulties of this case is that it “entails ascertaining … not merely what the agreement envisaged makes provision for, but also, and above all, what it has failed to make provision for” (§164).

The AG also makes it clear at the beginning of the Opinion that the outcome of this case has implications for the other “PNR” international agreements the EU concluded with Australia and the US, and for the EU PNR Directive (§4). A straightforward example of a possible impact on these other international agreements, beyond analyzing their content, is the finding that the legal basis on which they were adopted is incomplete (they must also be based on Article 16 TFEU) and wrong (Article 82(1)(d) TFEU on judicial cooperation is incompatible as a legal basis for PNR agreements).

The implications are even wider than the AG acknowledged. For instance, a legal instrument that could be impacted is the EU-US Umbrella Agreement – another international agreement on transfers of personal data from the EU to the US in the law enforcement area, which has both similarities and differences compared to the PNR agreements. In addition, an immediately affected legal process will be the negotiations that the European Commission is currently undertaking with Mexico for a PNR Agreement.

Even if it is not an international agreement, the adequacy decision based on the EU-US Privacy Shield deal could be impacted as well, especially with regard to the findings on the independence of the supervisory authority in the third country to which data are transferred (see Section 6 for more on this topic).

Finally, the AG also mentions that this case allows the Court to “break the ice” in two matters:

  • it will examine for the first time the scope of Article 16(2) TFEU (§6), and
  • it will rule for the first time on the compatibility of a draft international agreement with the fundamental rights enshrined in the Charter, and more particularly with those in Article 7 and Article 8 (§7).

Therefore, the complexity and novelty of this case are considerable. And they are also a good opportunity for the CJEU to create solid precedents in such delicate matters.

I structured this post around the main ideas I found notable to look at and summarize, after reading the 328-paragraph-long Opinion. In order to make it easier to read, I’ve split it into 6 Sections, which you can find following the links below.

  1. De-mystifying Article 16 TFEU: yes, it is an appropriate legal basis for international agreements on transfers of personal data
  2. A look at the surface: it is not an adequacy decision, but it establishes adequacy
  3. An interference of “a not insignificant gravity”: systematic, transforming all passengers into potential suspects and amounting to preemptive policing
  4. Innovative thinking: Article 8(2) + Article 52(1) = conditions for justification of interference with Article 8(1)
  5. The awkward two level necessity test that convinced the AG the PNR scheme is acceptable
  6. The list of reasons why the Agreement is incompatible with the Charter and the Treaty

……………………………………………………….

[1] Article 7 – the right to respect for private life, Article 8 – the right to the protection of personal data, Article 52(1) – limitations of the exercise of fundamental rights.

[2] With regard to the obligation to have independent supervision of processing of personal data.

[3] See the latest one, Opinion 5/2015 on the EU PNR Directive and see the Opinion on the EU-Canada draft agreement.


Here’s how Internet’s inventor wants to reinvent it and why this is great news for privacy

Last May I had the chance to meet Prof. Tim Berners-Lee and one of the lead researchers in his team at MIT, Andrei Sambra, when I accompanied Giovanni Buttarelli, the European Data Protection Supervisor, in his visit at MIT.

Andrei presented the SOLID project, and we had the opportunity to discuss it with Prof. Berners-Lee, who leads the work on SOLID. The project “aims to radically change the way Web applications work today, resulting in true data ownership as well as improved privacy.” In other words, the researchers want to de-centralise the Internet.

“Solid (derived from “social linked data”) is a proposed set of conventions and tools for building decentralized social applications based on Linked Data principles. Solid is modular and extensible and it relies as much as possible on existing W3C standards and protocols”, as explained on the project’s website.

Andrei explains in a blog post that, in a first step, the project finds solutions “to decouple the applications from the data they produce, and then to decouple the data from the actual storage server.”

“This means that applications and servers are interchangeable, and they can be swapped without impacting the most important part – your data. It’s all about freedom of choice.” (Read the entire explanation in this blog post)

I was so excited to find out about the efforts conducted by Prof. Berners-Lee and his team. At the end of the presentation and the discussion, I asked, just to make sure I understood it correctly: “Are you trying to reinvent the Internet?” And Prof. Berners-Lee replied, simply: “Yes”. A couple of weeks later I saw this article in the New York Times: “The Web’s creator looks to reinvent it”. So I did understand correctly 🙂

But why was I so excited? Because I saw first hand that some of the greatest minds in the world are working to bring back control to the individual on the Internet. Some of the greatest minds in the world are not giving up on privacy, irrespective of how many “Privacy is dead” books and articles are published, irrespective of how public and private policymakers, lobbyists and Courts understand at this moment in history the value of privacy and of what Andrei called “freedom of choice” in the digital world.

I was excited because I found out about a common goal that we, the legal privacy bookworms/occasional policymakers, and the IT masterminds share: empower the ‘data subject’, the ‘user’, well, the human being, in the new Digital Age, put them back in control and curtail unnecessary invasions of privacy for all kinds of purposes (from profit making to security).

In fact, my entire PhD thesis was built on the assumption that the rights of the data subject, as they are provided in EU law (rights to access, to erase, to object, to be informed, to oppose automated decision making) are all prerogatives of the individual that aim to give control to the individual over his or her data. So if technical solutions are developed for this kind of control to be practical and effective, I am indeed excited about it!

I also realised that some of the provisions that survived incredible, multifaceted opposition to make it to the new General Data Protection Regulation are in fact tenable, like the right to data portability (check out Article 20 of the GDPR, here).

This is why, when I saw that today the world celebrates 25 years since the Internet went public, I remembered this moment in May and I wanted to share it with you. Here’s to a decentralised Internet!

Later Edit: The man himself says August 23 is not exactly accurate. Nor 25 years! In any case, it was still a good day for me to think about all of the above and share it with you 🙂


Privacy fears hang over EU-wide patient data system

epSOS is an EU-funded pilot project which is to lay the groundwork for a union-wide system of easily exchangeable patient data, to be in place by 2015.

EUObserver.com writes about the privacy concerns surrounding the epSOS project.

“A man from Italy enters a pharmacy in Athens, Greece, to get some medication. Only, he has no prescription. Oh no!

Fortunately, he has an e-prescription. A what? An e-prescription, an online prescription saved under his name on a server in Italy somewhere.

The pharmacist, with the consent of his client, retrieves the prescription over the Internet via so-called national contact points that convert the Italian drug to its Greek equivalent, and all ends well.

The scene is from a promotional video from epSOS.”

  • The benefits are obvious. Today, there are big differences across Europe in the kind of patient data collected and the way in which it is stored. In reality, the man from Italy would have had to visit a doctor in Athens first to get a Greek prescription.
  • But what about the drawbacks? Does an EU-wide system not pose an increased risk to privacy? “It depends,” says Giovanni Buttarelli, assistant European Data Protection Supervisor. It would if it meant the creation of one big central database of personal health records that reveal people’s entire medical history. That would be “simply a monster,” he says. It would be prone to security breaches. “Security is something you can look for, but not ensure.”
  • Better is to introduce access to data on a need-to-know basis – a general practitioner would not have the same access as, say, a neurosurgeon – and to spread out the data over a network of local repositories.
  • “The portability of health data is a necessity for the current world,” says Buttarelli. “You cannot simply say: Okay, let’s go back to paper.”

Read the whole story HERE.