34 Matching Annotations
  1. Jul 2021
    1. The sixth and final stepwill be for you to re-evaluate at appropriate intervals the level of protection afforded to the data you transfer to third countries andto monitorif there have been or there will be any developments that may affect it.

      Step 6: Periodically re-evaluate all of this. at "appropriate intervals' - Accountability requires 'continuous vigilance'

    2. A fifth stepis to takeany formal procedural stepsthe adoption of your supplementary measure may require, depending on the Article46 GDPR transfer tool you are relying on. These recommendationsspecify these formalities. You may need to consult your competent supervisory authorities onsome of them.

      Step 5: Take formal procedrual steps to adopt your supplementary measures -- including executing under Art. 46 transfer tools.

    3. A fourth stepis to identify and adopt supplementary measuresthat are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment reveals that the third country legislation impinges on the effectiveness of theArticle46 GDPRtransfer tool you are relying on or you intend to rely on in the context of your transfer

      Step 4: If the law's against you, apply supplementary measures. They need to be effective though in the country of transfer. Not just in the abstract.

      If NO supplementary measures will do anything, you probably shouldn't be transferring data.

    4. In the absence of legislation governing the circumstances in which public authorities may access personal data, if you still wish to proceed with the transfer, you should look into other relevant and objective factors, and not rely on subjective factors such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards.

      And if you're dealing with Russia, or Israel or China or ... probably even the US, TBH, you can't rely on the likelihood that public authorities will access your data, because you honestly don't really know.

    5. For evaluating the elements to be taken into account when assessing the law of a third country dealing with access to data by public authorities for the purpose of surveillance, please refer to the EDPB European Essential Guarantees recommendation

      If you're dealing with heavy gov't surveillance, ya fucked.

    6. A third stepis to assessif there is anything in the law or practice of the third countrythat may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.

      Step 3: If you're relying on Art. 46 - Know the law or practice of the third country you're transferring to. Will appropriate safeguards in the SCCs work? Will contractual comfort/org measures be appropriate? Is encryption/pseudonymimzation your only option?

    7. A secondstep is to verify the transfer toolyour transfer relies on, amongst those listed under Chapter V GDPR. If the European Commission has already declared the country, region or sector to which you are transferring the data as adequate, through one of its adequacy decisions underArticle 45GDPRor under the previous Directive 95/46 as long as the decision is still in force, you will not need to take any further steps, other than monitoring that the adequacy decision remains valid. In the absence of an adequacy decision, you need to rely on one of the transfer tools listed under Articles 46 GDPR for transfers that are regular and repetitive. Only in some cases of occasional and non-repetitive transfers you may be able to rely on one of the derogations provided for in Article 49 GDPR,if you meet the conditions.

      Step 2: Verify the transfer mechanism. If it's adequate (Art. 45). IF it needs a BCR/SCC/CofC/etc (Art.46). Can you apply a derogation ? Contract? Consent? Limited LI? (Art. 49).

    8. As a first step, the EDPB advisesyou,exporters,to know yourtransfers

      Step 1: Know your transfers. Map all transfers to third countries. Be aware of flows, who it's going to and whether essentially equivalent protections are possible.

  2. Jun 2021
    1. This mechanism is different from the certification system aimed at ensuring compliance withdata protection rules and principles, outlined in Articles 42 and 43 of the GDPR

      So, like, will it exist when the Regs actually drop? Because that would be different.

    2. In thatregard, individuals’ right of restriction of processing(Article 18 GDPR and Article 20 EUDPR) as well as deletion / erasure of data (Article 16GDPR and Article 19 EUDPR) should always be guaranteed in those cases. Furthermore, thecontroller should haveexplicit obligation to inform data subject of the applicable periods forobjection, restriction, deletion of data etc. The AI system must be able to meet all dataprotection requirements through adequate technical and organizational measures. A right toexplanation should provide for additional transparency.

      Important question: HOW tho?

    3. Data subjects should always be informedwhentheir data is used for AI training and / orprediction,ofthe legal basis for such processing, general explanation of the logic (procedure)and scope of the AI-system

      Basically, a big fuck you to Clearview AI

    4. The reasoningbehind the Proposal seems to omit that when monitoring openareas, the obligations under EUdata protection law need to be met for not just suspects, but for all those that in practice aremonitored.

      Excellent point.

    5. hatthe classificationofan AI systemashigh-riskdoes not necessarily mean that it is lawfulper seand can bedeployed by the user as such

      But it absolutely will get interpreted as such.

    6. not always be possiblefor a provider to assess all usesfor the AI system.Thus, the initial risk assessment will be of a more general nature than the one performed by theuser of the AI system.

      So does that mean that controllers must perform risk assessments for specific uses?

    7. an exhaustive list ofhigh-risk AIsystems.This choice might create a black-and-white effect, with weak attraction capabilitiesof highly risky situations, undermining the overall risk-based approach underlying theProposal. Also,thislist ofhigh-riskAI systemsdetailed in annexes II and III ofthe Proposallackssome types of use cases whichinvolvesignificant risks, such as the use of AI fordetermining the insurance premium, or for assessing medical treatmentsor for health researchpurposes.The EDPB and the EDPS also highlight that thoseannexes will need to be regularlyupdated to ensure that their scope is appropriate.

      Proally should look this annex up.

    8. However, EDPB and EDPS have serious concerns regarding the exclusionof international lawenforcement cooperationfrom the scope set out in Article 2(4) of theProposal

      You spy on my guys with your little AI.

    9. Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protectionof natural persons with regard to the processing of personal data by the Union institutions, bodies, offices andagencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No1247/2002/EC, OJ L 295, 21.11.2018, p. 39–98.9Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection ofnatural persons with regard to the processing of personal data by competent authorities for the purposes of theprevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties,andon the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119,4.5.2016, p. 89–131.

      Gotta get around to actually reading these.

    10. TheProposalgives an important place to the notion of human oversight (Article 14)

      Article 22 and 25 are gonna get a workout.

    1. as part of an overall assessment, including reliable information on the application of the law in practice (such as case law and reports by independent oversight bodies), the existence or absence of requests in the same sector and, under strict conditions, the documented practical experience of the data exporter and/or data importer.

      This reliable information component is going to make things spicy. I suspect this will be litigated.

  3. May 2021
    1. In contrast to a general export ban, EU law and practice have also allowed cross-border commerce to continue, including the EU/U.S. bilateral trade and investment partnership valued at about 6 trillion euros

      And more importantly, a general lack of enforcement by most DPAs.

    2. On April 27, 2021, Portugal's data protection authority, the National Data Protection Commission, ordered Statistics Portugal, in carrying out the national census, to suspend processing of personal data in any third country that lacks adequate privacy protections, including the United States

      Cloudflare

  4. Apr 2021
    1. For the above situations, the European Commission should fulfilits monitoring role,and in case the essentially equivalent level of protection of personal data transferred from the EEAis not maintained, the European Commission should consider amending the adequacy decision to introduce specific safeguards for data transferred from the EEAand/or to suspend the adequacy decision.

      Essentially, continuos monitoring.

  5. Mar 2021
    1. Subsection (1) shall not apply—(a)in respect of personal data relating to the data subject that consists of anexpression of opinion about the data subject by another person given inconfidence or on the understanding that it would be treated as confidential, or(b)to information specified in paragraph (b)(i)(III)of that subsection in so far as arecipient referred to therein is a public authority which may receive data in thecontext of a particular inquiry in accordance with the law of the State.

      Access doesn't need to include opinions made in confidence, or information obtained by a public authority who recieves data in the context of a particular inquiry.

    2. Where information that a controller would otherwise be required to provide to a datasubject pursuant to subsection (1) includes personal data relating to another individualthat would reveal, or would be capable of revealing, the identity of the individual, thecontroller—(a)shall not, subject to subsection (8), provide the data subject with the informationthat constitutes such personal data relating to the other individual, and(b)shall provide the data subject with a summary of the personal data concernedthat—(i)in so far as is possible, permits the data subject to exercise his or her rightsunder this Part, and

      There's a right to provide a summary where it would be hard to avoid revealing the identity of another individual.

    3. Subject to subsection (2), a controller, with respect to personal data for which it isresponsible, may restrict, wholly or partly, the exercise of a right of a data subjectspecified in subsection (4)

      Can restrict, but must be necessary and proportionate (and under one of the restriction rights)

    1. Where several operators are jointly responsible for the same processing, the law does not require each of them to have access to the personal data concerned.
    1. The CJEU came to the conclusion that non-for-profit consumer associations can sue for potential violations of data protection laws on behalf of a data subject not only under the GDPR but also under the former Data Protection Directive 95/46/EC.

      Kinda wonder how many class actions will be brought. Can class actions go against SAs as well?

    2. If you are a publisher, you better toss aside those ‘secret’ service provider data protection addendum and get ready to embrace ‘public’ joint-controller agreements with Facebook and other providers of plugins.

      ... How many orgs are actually doing this though?

    3. The information must be given by the controller immediately, that is to say, when the data are collected. (¶¶100–101 and ¶¶103–106)

      Can't dick around and provide information after the fact. Need to do this immediately when data is collected.

    4. “it is necessary that that operator and that provider each pursue a legitimate interest, […], through those processing operations in order for those operations to be justified in respect of each of them”.

      ... and both controllers should have a legitimate interest or basis in the law to process data.

    5. Concept of joint-controllers:

      Plugin authors who are collecting data can be 'joint controllers'

    6. Representation of data subjects: Articles 22 to 24 of Directive 95/46 must be interpreted as “not precluding national legislation which allows consumer-protection associations to bring or defend legal proceedings against a person allegedly responsible for an infringement of the protection of personal data.” (¶63)

      Data subjects can be represented by consumer orgs.

    1. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. 2Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence

      Where to bring a claim - Either the Member state where the Controller/Processor is base,d or the data subject's habitual location.

    1. Every data subject should have the right to lodge a complaint with a single supervisory authority, in particular in the Member State of his or her habitual residence, and the right to an effective judicial remedy in accordance with Article 47 of the Charter if the data subject considers that his or her rights under this Regulation are infringed or where the supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject.

      Ties in with Article 77 of teh GDPR