The Royal Military Police and the Immigration and Naturalisation Service had previously been found to be in violation of the rules for processing of personal data within the Schengen Information System (SIS II). This press release sets out the Authority’s position that these organisations are no longer in violation, due to measures taken.
We are commenting on a press release summarising the remaining concerns surrounding the privacy shield arrangement relating to international transfers of personal data from the EU to the US, from the perspective of the Dutch DPA.
<<European privacy regulators, gathered in the Article 29 Working Party, discussed the implications of the ‘Schrems ruling’ of the European Court of Justice for transfers of personal data to other countries during a meeting on 2 and 3 February. They welcome the fact that the negotiations held between the EU and the US have resulted in agreement on the introduction of an ‘EU-US privacy shield’ before the deadline set by the regulators in October. Commissioner Jourová (Justice) undertook to send the draft decision with all supporting documents to the European supervisors within three weeks, with the European Commission’s request that they advise on it. On the basis of those documents, the supervisors will review whether the new agreement meets the requirements of the European Court of Justice, and they will come together for an additional meeting.
The content of the documents is needed to know exactly what the legal value of the outcome of the negotiations is and to assess whether it meets the broader concerns that have arisen about the transfer of personal data to the US. In their analysis, the supervisors will also consider to what extent the ‘EU-US privacy shield’ can legally reinforce other legal bases for the transfer of personal data, such as Standard Contractual Clauses and Binding Corporate Rules. The supervisors will primarily evaluate whether their concerns with regard to the legislation in the US can be overcome by the introduction of an EU-US privacy shield.
The supervisors indicated that existing Standard Contractual Clauses and Binding Corporate Rules may continue to be used in the meantime, but that they will include in their assessment whether this also applies in the future.
In recent weeks the regulators have assessed the current relevant legislation and the work of US intelligence agencies, and identified the conditions under which an infringement of the fundamental right to personal data protection is justifiable. The supervisors will analyse the ‘EU-US privacy shield’ announced by the European Commission against these guarantees. These guarantees for intelligence activities derive from the case law of the Court of Justice of the European Union and the European Court of Human Rights. They are:
- The data must be based on clear, precise and accessible rules. This means that it should be clear to those concerned what might happen to their data if they are transferred to other countries.
- The necessity and proportionality must be demonstrated. A balance must be struck between the purpose for which the data are collected and used (national security) and the rights of those involved.
- Some form of independent monitoring should exist in the country where the data are processed. This supervision must be effective and impartial. This could be a judge or another independent body, as long as it has sufficient possibilities to carry out the necessary checks.
- Data subjects must be able to effectively appeal. Everyone should have the right to assert his rights before an independent body.
Supervisors emphasize that these four safeguards should be respected both when personal data are transferred from the EU to the US and other third countries, and by the EU countries themselves.>>
<<Today, on International Privacy Day, the Authority for Personal Data presented the topics on which the regulator focuses in 2016. These are the following five topics: protection of personal data, big data and profiling, medical data, personal data with the (digital) government and personal data in the employment relationship.
To promote compliance with the Data Protection Act (DPA), the Authority for Personal Data uses a mix of instruments in the field of monitoring, enforcement and communication. It conducts investigations where it suspects serious violations of the law that are structural in nature and affect many people. In some cases, the Authority for Personal Data launched an investigation, but it sends a letter or they are on a call. Since January 1, 2016, the Authority for Personal Data may also impose fines in addition to the cease and desist order. Moreover, since that date organizations are required to report serious data breaches to the supervisor immediately.
The annual Privacy Day was established by the Council of Europe with support from the European Commission. The purpose of this day (January 28) is to inform citizens about their rights in the use of their personal data. It is now also Privacy Day in a number of non-European countries, including Canada and the United States.>>
The Dutch data protection authority conducted an investigation into the Immigration and Naturalisation Service (IND) and found that the IND had not always followed the rules of the Schengen Information System II in the processing of alerts on foreigners.
As part of the investigation, the CBP sampled a number of files. In nine of the 14 cases examined, the CBP found that the treatment was not in accordance with the rules in the Schengen Information System (SIS II). These include, for instance, alerts that do not mention the source of a decision or the underlying reason for the alert.
Nineteen renowned privacy experts from the US and the EU have developed ten practical proposals to increase the transatlantic level of protection of personal data. Most proposals can be implemented within the existing, differing legal systems and are applicable worldwide. These are pragmatic bridges that benefit people, companies, governments and supervisory authorities. The experts cooperated in the Privacy Bridges project and will present the bridges during the International Privacy Conference at the end of October in Amsterdam.
The Dutch Data Protection Authority (CBP) has a cooperation agreement (Memorandum of Understanding, or MoU) with seven other privacy regulators for the exchange of information in the GPEN Alert System. Through this system, data protection authorities worldwide monitor and exchange information on cases where there are cross-border issues.
The system allows sharing of information on investigations, but also of signals that may be relevant to other regulators. Each supervisor decides what to share based on the laws in force in their country.
The seven regulators are the CBP, the US Federal Trade Commission (which developed the system for GPEN), as well as the privacy authorities of Australia, Canada, Ireland, New Zealand, Norway and the United Kingdom.
The Dutch Data Protection Authority (CBP) has participated in an international scan focused on apps and websites for children. 29 different privacy regulators from around the world participated in the scan. Each held its own national scan. In total, they put nearly 1500 of the most popular apps and websites under the microscope. 67% of the apps collected personal data on children. Many of the apps and websites also provide links to content that falls outside the safe online environment of the app.
The CBP concludes from its national scan, inter alia, that for most apps it is not possible to assess what the app actually does, what personal data are processed by it, and for what purpose. Parents should be able to easily find comprehensive information in the app store about the app to be downloaded.
The international scan is organized by the Global Privacy Enforcement Network (GPEN), an international alliance of privacy authorities. The scan looks at privacy issues such as the provision of information in the app store, the personal data to be entered when installing, and/or the use of ad networks.