Data Protection Day: congratulations on your privacy!

Today is Jan. 28, 2021: Data Protection Day! Today is the 40th anniversary of "Convention 108" and the 15th Data Protection Day. Readers may ask: why? And who thought we needed a "Data Protection Day" as well?

January 28, 2021

This article looks at the Council of Europe and Data Protection Day, and then some of the key issues that will (continue to) come up in 2021 when it comes to the privacy rights and protection of European citizens. It does not claim completeness.

The Council of Europe: the founder of privacy rights

The Council of Europe, founded May 5, 1949 and based in Strasbourg, is an international organization of which 47 European countries are members.(1) Its main treaty is the European Convention on Human Rights (ECHR). The European Court of Human Rights, established in 1959, is the judicial body. The Court handles complaints about violations of the ECHR.

Privacy rights are also guaranteed in the ECHR. For example, Article 8 ECHR provides the right to respect for private and family life, one's own home and letter secrecy.(2)

In addition to the ECHR, the Council of Europe also produced the 1981 Data Protection Convention.(3) This laid the foundation for European privacy protection. The Convention, also known as the Strasbourg Convention or Convention 108, is an elaboration of the right to respect for private life as enshrined in Article 8 of the ECHR. This Convention 108 protects individuals with respect to automated processing of their personal data and is regarded worldwide as the basis for personal data protection.

The treaty has a global scope. States that are not members of the Council of Europe can also sign the Convention. Under Article 18 of the treaty, there is an advisory committee, in which the Personal Data Authority participates on behalf of the Netherlands.

Data Protection Day

On April 26, 2006, the Committee of Ministers of the Council of Europe decided to establish a Data Protection Day on Jan. 28 of each year. This date corresponds to the anniversary of the opening of the signing of Convention 108. Outside Europe, this day is called "Privacy Day."

Why this day?

Data protection affects all individuals and is emphatically present in our daily lives: in our work, in relation to public agencies and government, in the healthcare domain, in education, when shopping in stores or online, when traveling and of course when we surf the Internet. The "Big Tech" companies such as Facebook, Amazon, Apple, Google and Microsoft have become an integral part of our daily lives. Many of us are fused to our smartphones.

The purpose of Data Protection Day is to inform everyone about the processing of personal data and their privacy rights in doing so. It is also important to point out the risks of unlawful processing.

The Council of Europe envisages that, on Data Protection Day, companies and organizations are also urged to improve the protection of personal data.

2021 trends in data subjects' rights: what are key themes this year when it comes to data protection?

The "highlights" below are a non-exhaustive overview of topics that will be (further) on the agenda in 2021 when it comes to the privacy rights and protection of European citizens. It does not claim completeness.

  • Guidelines for Artificial Intelligence and Data Protection.

On the occasion of Data Protection Day on Jan. 28, the Committee of the Council of Europe published "Convention 108" guidelines on artificial intelligence and data protection.(4) The guidelines are intended to help policymakers, artificial intelligence (AI) developers, manufacturers and service providers ensure that AI applications do not undermine data protection rights. Moreover, any AI application must pay close attention to avoiding and mitigating the potential risks of processing personal data, and enable meaningful control by data subjects over data processing and its effects.

Legitimate use of AI is of course essential for citizens. Various government systems are sensitive to this, such as the "signaling" of welfare fraud from municipalities (Intelligence Bureau) and the Tax Administration. There must be transparency about the use of AI. The Committee underlines that the protection of human rights, including the right to protection of personal data, is essential when developing or applying AI applications, especially when used in decision-making processes, and that such AI application is based on the principles of the updated data protection treaty, "Convention 108," open for signature on October 10, 2018.(5)

  • EU legislative program

Legislative initiatives have been taken from the European Commission. For example, proposals for the Digital Services Act and the Digital Markets Act were published on December 15, 2020. If it is up to the European Commission, the 'Big Tech' giants such as Facebook, Apple, Google, Microsoft and Amazon will be dealt with more harshly. They will have less freedom in the use of data and will be constrained by having to disclose takeovers. They must also do more against illegal content appearing on their platforms. There will be high fines for violating the rules and the possibility of splitting up. Fines for violations can range from 6% of global annual sales (Digital Services Act) to 10% (Digital Markets Act).

This means better protection for EU citizens. For example, Amazon will soon not be allowed to use data from sellers on their platform to promote their own products on their own platform. Digital platforms, for example, will also have to do more to combat illegal information. This in turn may pose dangers to freedom of speech. All in all, complicated legislation for the average citizen. If one is banned from a platform, however, a person can file a complaint. These complaints should be judged objectively and carefully.

Also, the ePrivacy Regulation has still not rolled off the "legislative bandwagon." This regulation deals with data protection around electronic communications. It is interesting for website visitors and consumers on the one hand and for website providers on the other, because it deals with cookies, among other things. For important considerations, a DPIA should also be carried out.

  • Big Tech

By extension, in the United States, as well as in Europe - after ex-President of the U.S. Trump was banned from major social media - a discussion about breaking the monopoly and power to curtail freedom of speech has emerged. The question is whether the Big Tech giants are allowed to decide this independently. These players have global power. Of course, very tricky and ethical issues are going to arise over this. Is Twitter, for example, allowed to restrict freedom of speech? And where are the limits? We are already hearing many noises from experts indicating that this should be further regulated by the government.

Another interesting development is that a bill is pending in Australia that has implications for Google and Facebook. Search engines will have to start paying for news referrals. This affects Big Tech's revenue model. Google has threatened that it will then no longer offer its services in Australia. It will be interesting to watch these developments in 2021. Can governments use legislation to force Big Tech to handle our privacy better? Looking at the effect of the GDPR on Facebook's privacy policy, this certainly seems to be the case.

  • Facebook and WhatsApp

WhatsApp previously announced it would start sharing the account data of all its users - except for the EU - with Facebook starting Feb. 8, 2021. As is well known, WhatsApp is a part of Facebook. After much confusion and criticism, WhatsApp postponed this update until May 15, 2021. Italian privacy regulator Garante Privacy has already expressed concerns about unclear terms to the European Data Protection Board (EDPB).

WhatsApp says it is changing the terms and conditions for users with business accounts. It will be easier for these businesses to communicate with customers via WhatsApp and certain data can then be shared with Facebook, such as metadata (WhatsApp usage and how often someone is online). This allows for much better targeted advertising, which is Facebook's revenue model.

By the way, European users need not worry, Facebook said. For Europe, the link between WhatsApp and Facebook does not apply.(6) Other providers of similar services, such as Signal and Telegram, benefit from this action: they may welcome many new users who are tired of Facebook breaking promises.

  • Right of inaccessibility

One of the consequences of the digitization of society and the increasing penetration of "Tech" into our daily lives is that we feel we have to be available 24/7. WhatsApp groups from work are active even in the evening. People who also get their work emails on their phones literally see emails coming in day and night. This leads to work pressure. In France, since Jan. 1, 2017, there is a legal right to be temporarily "unreachable." Calls from work can then be ignored. Following the example of France, there are also initiatives in the Netherlands and Europe to shape this "unreachability." CLAs already sometimes include this right.

From Data Protection Day, it is good to start the conversation about this in companies and institutions. How reasonable is it to create self-managing teams, for example in healthcare, that are mutually responsible for good staffing? What does this do to work pressure and accessibility? The feeling of never being detached from obligations from work is not bearable for everyone.(7)

  • Schrems II and data traffic with the U.S.

As is well known, on July 16, 2020, the European Court of Justice (ECJ) made data traffic between Europe and the United States (US) more difficult by declaring the Privacy Shield invalid. In addition, the ECJ clearly indicated that personal data can still be processed in the U.S. on the basis of Standard Contractual Clauses (SCC), provided additional measures are taken.

As of July 16, 2020, everyone was looking to the European Data Protection Board (EDPB) because it would provide guidelines on how to handle data traffic between Europe and the US. The EDPB published these draft recommendations on Nov. 11, 2020. Although they are draft recommendations, they take effect immediately, with the public still able to submit comments to the EDPB. After this, the recommendations will be made final. Meanwhile, the consultation has been completed.(8)

The EDPB has provided two sets of recommendations. The first set is about the assessment the data exporter should do to see if additional measures are needed to protect personal data. The second set is about the extent to which the third country, in this case the U.S., is infringing on the protection of personal data because the standard of privacy protection is not equal to the level of protection within Europe based on the GDPR.

It boils down to a roadmap to determine whether data exports are still allowed, using the European standards of data protection (GDPR) as a basis: in effect, a data transfer impact assessment. Meanwhile, Europe and the U.S. are working hard to restart consultations to enable data traffic. The new U.S. President has appointed privacy veteran Christopher Hoff to kick-start the talks.(9)

  • Under Biden, will the US get its own federal privacy law?

By extension, it is interesting to note that in the U.S. there are positive sounds about a federal privacy law. This law would strive to meet the adequacy requirements of the GDPR. The invalidation of the Privacy Shield creates uncertainty for companies. This creates an urgent need in the U.S. for a federal privacy law that meets GDPR requirements. The invalidation of the Privacy Shield particularly affects large international companies headquartered in the US. After all, SCCs are not necessarily suitable for data transfers because of the far-reaching capabilities of U.S. security agencies. Federal privacy legislation in the U.S. can help address the concerns of EU lawmakers. This can help solve free data movement between the EU and the US. As a result, data of European citizens will be better protected at the same time.

  • Corona also keeps privacy minds busy

Besides the debate that erupted violently in 2020 over whether an employer may take employees' temperature "at the gate," there are other privacy issues surrounding corona.

RIVM Vaccination Registry

The whole world is waiting for a redeeming vaccination to control the corona virus. The RIVM is going to commission a central vaccination register. This will record who has received which vaccine. The purpose of this, according to the minister, is: 'In addition to monitoring the effectiveness of the vaccine and the vaccination rate, the registry plays an important role in safety monitoring and monitoring side effects, being able to act quickly in the event of any calamities, monitoring the effectiveness of vaccination, and combating this pandemic in general.' Recording in the central database will be by consent: 'That is, the vaccine operator is responsible for the accuracy and completeness of the registration in the decentralized system, for obtaining the client's consent for the purpose of submitting vaccination data to RIVM, and for the timely submission of the data.' Next, the intention is for citizens to be able to view their own data: 'In this context, the RIVM is working on a client portal for displaying vaccination data, access to which will be granted with a DigiD.'

Employers and vaccination

After the question about measuring temperature, more questions will naturally come up about vaccination. As an employer, can you ask and record whether an employee has had a corona vaccination? As an employer, may you require someone to take a vaccination? To start with the latter. No, in principle you may not. Vaccination is voluntary. An employee has the right to bodily integrity. This is included in Article 11 of the Dutch Constitution. The question is whether an employer's duty of care could possibly weigh more heavily. This will lead to a consideration to be made by the courts. Such an issue will possibly arise in health care. Also, an employer may not process medical data. Consequently, the ever diligent human resources department may not create a registry.

Greece and vaccination passport

In 2021, of course, when the second or third wave is over, we want to travel again. The travel and airline industries face all kinds of requirements, such as the well-known PCR and rapid test, but possibly also a mandatory vaccination passport. Greece wants the European Union to hurry up with a "vaccination passport." People who can prove they have been vaccinated against corona should be able to travel freely throughout Europe. The Greeks are getting support from other EU countries, such as Portugal and Malta. It is not the intention of these countries that people without vaccinations should not be able to go anywhere. Meanwhile, the issue has been discussed in the European Commission, but no decisions have been made.

The airline industry (IATA) is also said to be developing an App that records vaccinations, which could potentially make travel easier.

  • Online teaching in education and proctoring

Developments in education will also continue. Online teaching and proctoring (digital monitoring to prevent fraud during exams and examinations) will continue to require attention. All of this must be applied in a safe manner. Recent examples at the Hanzehogeschool, for example, indicate that education still needs to arrange these things better. This also applies to developments at Erasmus University, which uses a second camera (one's own cell phone) during home exams. Students are demanding that the Executive Board reverse the measure. The measures are of course an invasion of privacy, but on the other hand there is an interest to prevent fraud. The courts may have to step in again to provide clarity. The Personal Data Authority has already done so in its October 2020 publications. Importantly, DPIAs must also be carried out here, describing exactly what considerations a data controller has made to deploy proctoring software and possibly a second camera.

  • Data Protection Impact Assessments (DPIA).

Conducting the mandatory DPIA prior to the deployment of this type of technology is a good methodology to properly assess this type of 'high risk' processing. Especially for schools in primary and secondary education and health care, DPIAs are not yet 'commonplace'. A properly conducted DPIA shows where the technical and organizational risks are, and only then can proper measures be taken.

  • Duty to inform

When it comes to privacy rights for all of us, the obligation to inform is still an important issue. Based on Article 13 of the GDPR, a controller is obliged to provide the data subject (client, customer, citizen, patient) with appropriate information prior to processing personal data. This means that companies and institutions must provide a proper privacy notice when processing personal data. It is important that everyone be critical of the processing of their personal data and actually read these documents. By doing so, together we make a more privacy-friendly society. Simply agreeing to all processing via a cookie button is nice and quick, but is not always wise.

  • Cookies

Many cookie pop-ups still show pre-completed "green check marks" for choices to agree/disagree to certain processing. This is not allowed under the GDPR. Based on Article 25 ("privacy by default"), a data controller must ensure that the most privacy-friendly settings are set by default.

It is good to spot these kinds of issues and report them to the responsible party. Often they are not even aware of this, and it has been set that way by the provider of the handy cookie tool. The European Data Protection Supervisor has had a Web tool developed to scan Web sites.(10) The tool collects evidence of the processing of personal data, such as cookies, or requests to third parties. The inspection is performed automatically. The evidence collected allows Web site builders, DPOs and end users to better understand what information is transferred and stored during a visit to a Web site. Such a tool can obviously contribute to better protection of personal data. Incidentally, this Web tool is not very suitable for non-professional users.

In conclusion

Data Protection Day 2021. The above developments show only part of what is going on in the field of data protection. Unlike 15 years ago, not a day goes by without our reading in the newspaper and various other media about several important developments in the field of privacy and information security, not least about what goes wrong in this area.

It is important that the data subject receives good information about both the processing of personal data and what his/her rights are. Companies, institutions and governments have a duty to demonstrate that they comply with all legal obligations. Let Data Protection Day contribute to this every year!

Footnotes

(1) The Council of Europe should not be confused with the European Council (an EU institution composed of the heads of state of the 27 member states) and the Council of the European Union (the Council of Ministers of the EU).

(2) Article 8 - Right to respect for private and family life

  • Everyone has the right to respect for their private, family life, home and correspondence.

  • No interference by any public authority shall be permitted in the exercise of this right except to the extent provided by law and necessary in a democratic society in the interests of the national security, public safety or economic well-being of the country, the prevention of disorder or crime, the protection of health or morals or for the protection of the rights and freedoms of others.

(3) The Convention has a global scope. States that are not members of the Council of Europe may also sign the Convention. Under Article 18 of the treaty, there is an advisory committee, in which the Personal Data Authority participates on behalf of the Netherlands.
