Tag Archives: coordination

Agencia Española de Protección de Datos (AEPD)

Facebook Stops WhatsApp Data Sharing Across Europe

On 16 November 2016, WhatsApp announced it had temporarily blocked user data from being shared with its parent company Facebook along Europe. It means that Facebook would only make use of WhatsApp data to prevent spam.

As a consequence, the Spanish Data Protection Agency (AEPD) initiated in early October an investigation to examine the communications and the treatment of personal data made between WhatsApp and Facebook. More specifically, it will study what information collected from WhatsApp users is sent to Facebook, for what purpose, how long it is kept and what options users are offered if they wish to object.

Background of the case

In 2014, Facebook bought WhatsApp and it pledged not to share user data with its new parent. Last August, the company made changes to its terms and conditions which allowed user data to be shared with its parent company as well as Facebook group of companies including Messenger and Instagram for services including advertising and product development purposes. The messaging app argued that it would allow for a better advertising experience and would help fight spam.

According to the WhatsApp blog´s “By coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp”. “Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them. For example, you might see an ad from a company you already work with, rather than one from someone you’ve never heard of”.

German Data Protection Authorities

German DPAs audit 500 Companies on Data Exports to countries outside the EU

On November 3, 2016, the Berlin data protection authority (DPA) in cooperation with the rest of the German DPAs (to be precise, a total of 10 German DPAs) announced in a press released that they will send formal questionnaires to approximately 500 small, medium-sized and large German companies to evaluate their cross-border data transfers.

The DPAs pointed out in the formal press release that all German companies involved in the processing of personal data must pay adequate attention to data privacy issues raised by cloud computing and software as a service (SaaS).

In this regard, DPAs warn that some German companies are not fully aware of applicable data privacy laws as they are frequently operating with cross-border data exports in cloud and SaaS services and the personal data collected is frequently being transferred to third countries outside the European Union (EU) without complying with data protection laws.

Cooperation among EU DPAs: current status (2015-2016)

1408730997720Andrés Cuella Brenchat, consultant for the Data Protection and Fundamental Rights Group (PRODADEF), University Jaume I (Spain)

The PHAEDRA II project has been devoted to improving practical cooperation and coordination between Data Protection Agencies (DPAs), Privacy Commissioners (PCs) and Privacy Enforcement Authorities (PEAs) in the European Union (EU), especially with regard to the enforcement of privacy and data protection laws. In order to follow up and assess cooperation among EU DPAs, PHAEDRA II created a commented repository of leading decisions in individual cases with cross-border implications among national DPAs in the EU. Since its beginnings, a shortage of “pure” cases of cooperation was noted. Not surprisingly though, as under the current Data Protection Directive 95/46/EC the obligation to cooperate in Article 28 is rather imprecise. From May 2018, the 28 European Union (EU) Member States will have to abide to the recent reform of the basic EU data protection legal framework. The new General Data Protection Regulation (GDPR) 2016/679 introduces major changes in how data protection law is applied and enforced among the EU Member States. It also introduces major changes in the character and scope of cooperation between EU DPAs. Cooperation will not merely be a possibility, but an obligation under EU law. Intensified cooperation among authorities at the European level will be necessary to adequately address cross-border issues.

The repository has shown that cooperation among EU DPAs has actually taken place during the last two years. It has identified cases of cooperation that have taken very different forms and degrees.

The most relevant one, under the current regime, might be the joint investigation teams created by different DPAs. For instance, in 2015 Facebook faced numerous privacy-related investigations in Europe in order to verify if the company was complying with EU and national law. DPAs from France, Spain, the Netherlands, Belgium and Germany (Hamburg’s DPA) joined efforts and created a Working Group to tackle potential breaches or shortcomings in Facebook’s policies. The Article 29 Data Protection Working Party (WP29) also participated in the investigation exercise. We consider this initiative to be one of the most important forms of cooperation and collaboration among EU DPAs.

International platforms have also acquired a major role in the cooperation among DPAs. The PHAEDRA II repository has focused in the activity of two key networks. The first is the International Cybersecurity Enforcement Network (or the so-called LAP-London Action Plan), which seeks to promote international spam enforcement cooperation and address spam related issues (such as online fraud and deception, phishing or dissemination of viruses). Both private sector representatives and government and public agencies are represented. DPAs from Ireland, Spain and the UK are part of this network. Moreover, other EU Member States – Belgium, Finland, Hungary, Latvia, the Netherlands, Portugal and Sweden – are represented through other governmental bodies, mainly consumer agencies. The latest form of cooperation occurred in June 2016, when 11 enforcement authorities across the globe, including those from the UK and the Netherlands, signed a Memorandum of Understanding (MoU) to provide a framework for information and intelligence sharing and to reinforce cross-border cooperation to address unwanted messages and calls. This MoU strengthens the international fight against a global problem.

The second network is more globally represented: the Global Privacy Enforcement Network (GPEN), which aims at facilitating cross border cooperation in the enforcement of privacy laws. The Network enables privacy regulators worldwide to work and cooperate as they address risks to the personal information of their citizens. 17 out of the 28 EU DPAs are members to the GPEN. An example of recent cooperation where the GPEN had the coordinating role is the “Privacy Sweep” or international evaluation dedicated to verify the respect of privacy in the Internet of Things. In this Sweep, which took place on 11-15 April 2016, participated, among others, DPAs from France, Ireland, Italy and Belgium. This exercise is a continuation of the good collaboration between DPAs (in May 2014, 26 DPAs conducted an “Internet Sweep Day” that analysed information related to mobile application; in September 2015, another “Sweep Day” focused on online services for children). Another example is the MoU signed in October 2015 between the Dutch DPA with seven other privacy regulators for exchange of information in the GPEN Alert System or the “Sweeps”. In general terms, DPAs participate, to a greater or lesser extent, to different conferences and seminars organized worldwide where they have the opportunity to share about good practices or new policies, present new projects or to formalize bilateral agreements.

The soon to be replaced WP29 configures itself also as an important actor for cooperation. Indeed, it meets about multiple times a year in Brussels and its latest position in a specific matter was adopted in June through the “Opinion 03/2016 on the evaluation and review of the ePrivacy Directive (2002/58/EC)”. The Working Party will be replaced by the European Data Protection Board (EDPB) and will become a EU body with legal personality. It will be composed of national data protection authorities and the European Data Protection Supervisor (EDPS).

This non-exhaustive description of forms of cooperation allows us to conclude that EU DPAs share common activities and goals and do engage in mutual cooperation. However, there are areas where cooperation could be increased to better achieve their mutual goals. For instance, guidelines are one of the favored instruments of DPAs. Positions papers or guidelines on different aspects of the General Data Protection Regulation (GDPR) have been released by, among others, the UK, Spain, Germany or Belgium. The WP29 has also released an Action plan concerning the implementation of the new Regulation. Other topics have brought the attention of many DPAs and have published their own guidelines, for instance, the implications of the Schrems Judgement, the implications of the right to be forgotten (France, Spain, Denmark, WP29) or the data protection issues relating to the utilization of drones (Sweden, WP29, Ireland). Moreover, the same issue may be tackled through different channels. For instance, video surveillance has raised interrogations in Spain (the Supreme Court has ruled and clarified data protection issues), France (guidelines have been issued) and Italy (the Italian DPA notes in its Annual Report that it handled more than 30.000 queries concerning, among others, video-surveillance). Finally, the European Data Protection Day, held every year on 28 January, is an event seeking to raise awareness and promote privacy and data protection. In 2016, 22 out of the 28 EU DPAs participated in the event. Nevertheless, the activities were not especially coordinated and were addressed to domestic audience. PHAEDRA’s study on best practices of cooperation found that the benefits of coordination in this area are however limited by the need for DPAs to communicate with the media and the public in the relevant Member State languages and to be responsive to local contexts, media usage and channels, and public attitudes.

Apart from the novel joint investigation teams, the rest of the cooperation activities were organized in the framework of existing platforms and bodies. The Investigations Teams therefore constitute the most telling example of spontaneous cooperation among DPAs. Moreover, it can be inferred from the above that DPAs collaborate mainly in three issues: investigation of common threats (Facebook, Sweeps), tackling very specific issues (MoU) and participation in common approaches (WP29).

Even if the new GDPR changes how data protection law is applied and enforced among the EU Member States, uncertainties persist as to how this new legal framework will be applied in practice and how it will impact the day-to-day activities of EU DPAs. The recent GDPR makes cooperation among DPAs mandatory but does not provide comprehensive rules on the modalities and procedures involved. As the recently published PHAEDRA study shows, there is a need for supplementary operational and legal guidance. Be that as it may, many questions arise: are there other circumstances hampering a more enhanced cooperation (different national legislation, political willingness…)? Are DPAs in a position to reinforce their cooperation? Will the entry into force of the GDPR boost cooperation? The extent and purpose of this entry in this blog cannot cover in these many issues but two main remarks may be added. Firstly, with the entering into force of the GDPR in less than two years, cooperation will be granted the importance it deserves. Indeed, Chapter VII of the GDPR boosts many aspects of cooperation (most notably, the consistency or the one-stop-shop mechanisms) that are missing in the Data Protection Directive. Secondly, cooperation is not circumscribed to a single chapter or provision acting independently of the rest of the Regulation. Quite the contrary, cooperation is predicated throughout the rest of the text, present in the tasks and duties carried out by each EU DPA. Consequently, a multiplication of “pure” cooperation cases in a very near foreseeable future should not be surprising. In order to follow-up, just check PHAEDRA’s repository!

Image credit: A New Resource For Educators, Practitioners & Researchers (via CaseRe3: Case Report Research Repository)

Commission Nationale de l’Informatique et des Libertés (CNIL)

CNIL issues Internet Sweep Outcomes on Connected Devices
On September 23, 2016, the French Data Protection Authority (CNIL) issued the outcomes of the Internet sweep on connected devices that was created last May to evaluate the quality of the information that operators provide to end users but also the level of user empowerment and the degree of security of the personal data.
This initiative, announced by the CNIL last April, organised by the Global Privacy Enforcement Network (GPEN), lies within a coordinated online audit to analyse the impact of ordinary IT- devices.
It was made up of data protection authorities throughout the world and more than 300 connected devices were examined and audited. Specifically in France, 12 connected devices were tested by the CNIL in the field of home automation, health and well-being and this administrative regulatory body concluded that:
1. Users of connected devices are not adequately informed of the processing of their personal data as the product did not provide users appropriate information about how their personal data will be processed.
2. Users have an acceptable degree of control over their personal data as the personal data was subject to the user’s consent.
Like the other DPAs, the CNIL announced that it reserves the right to conduct more inspections in order to assess the compliance of connected devices to the French Data Protection Act.

Agencia Española de Protección de Datos (AEPD)

Changes in Whatsapp´s Privacy Policy

In 2014, Facebook bought WhatsApp and it pledged not to share user data with its new parent. However, last August, the company announced a big change to its privacy policy as the new terms and conditions allows to share some user data (such as the phone number and the last time the client used the application) with its Facebook family of companies for undetermined range of services.

According to the WhatsApp blog´s “By coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp”. “Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them. For example, you might see an ad from a company you already work with, rather than one from someone you’ve never heard of”.

Facebook has maintained that its end-to-end encryption system will remain in place for the purpose of respecting the user´s privacy and giving an improved experience without third-party banner ads and spam.


Information Commissioner’s Office (ICO)

Tackling nuisance calls and messages: Update on the ICO and Ofcom Joint action plan

ICO and Ofcom (The Office of Communications – the UK telecommunications regulator) published an update to their joint action to tackle nuisance calls and texts. The latest update highlights recent targeted enforcement action, including the ICO’s issuing of more than £1m in monetary penalties so far this year and their recent ‘week of action’. It also covers work being done to improve call tracing and the authentication of Calling Line Identification (CLI) numbers, and summarises new collaborative efforts to identify other technical measures to help reduce nuisance calls.