PONT Data&Privacy

Annual privacy review

It was another eventful year on the privacy front. With the arrival of the General Data Protection Regulation (AVG) as of May 25, 2018, data protection and privacy are in the spotlight more than ever: new laws and regulations, developments in case law, big data, Tinder, Uber and NS. So there is an awful lot of news to blog about, which is why we like to look back together at (almost) all the great things that happened this year in the world of privacy.

January 3, 2018

Personal Data Authority

Of course, the Personal Data Authority (AP) has not been idle this year either. As usual, the AP also presented the main themes for 2017 at the beginning of the year. In doing so, it indicated that it is an important year because this is the last year of the Personal Data Protection Act. Besides the new privacy legislation, the main themes for the AP in 2017 are profiling, special personal data and personal data security. And the latter is a particular concern, as even the House of Representatives is not safe from ransomware.

The AP appears to be putting its money where its mouth is, announcing early this year that it would investigate data security at the Tax Department's Data & Analysis Division. And when it comes to privacy, the IRS doesn't get away with it so easily. On Feb. 24, 2017, the Supreme Court ruled in three cases that the tax authorities may not use photos captured by ANPR cameras to check trip records in the context of private use of a company car. This is because there is no sufficient legal basis for the use of these images by the tax authorities, which means that the tax authorities are infringing on privacy.

And Instagram is not spared either: in early September, Instagram released a statement declaring that hackers had gained access to Instagram users' e-mail addresses and phone numbers through a leak. In addition, early this year Interior Minister Plasterk again expressed his concerns regarding the current vulnerable identification system DigiD.

With regard to special personal data, the AP has launched an investigation into the use of the citizen service number (BSN) in VAT numbers of self-employed persons. The reason for the investigation, according to the AP, is the requests it has received from zzp-ers to speak out on this issue. When it comes to special personal data, the AP is also calling on schools to be careful with images of students. The reason is the many questions the AP receives about schools publishing photos of students online and the AP's judgment that assessment agency BrainCompass is processing special personal data in violation of the law.

Furthermore, the AP, together with privacy regulators from Bavaria, France, Hungary, Slovenia, Spain and the United Kingdom, investigated Microsoft's processing of personal data through the Windows 10 operating system. The investigation found that Microsoft, with the latest version of Windows, is processing users' personal data in violation of the law. The AP also ruled that the processing of personal data of prostitutes by the municipality of The Hague violates the Wbp.

Of course, the AP is also paying attention to the AVG. Therefore, at the end of May, the AP announced that every week it will answer the most frequently asked questions about the AVG. In that context, the AP also has a lot to deal with. Not surprisingly, the AP has to grow to three times its size.

New legislation

AVG

The AVG came into force on May 25, 2016. All organizations, in both the public and private sectors, are expected to bring their business operations into compliance with the AVG from that date and are given until May 25, 2018 to do so. From then on, only one privacy law will apply across the EU. The AVG introduces new rules and obligations compared to current privacy laws. For example, under certain circumstances, organizations that want to process personal data are required to conduct a Privacy Impact Assessment or appoint a privacy officer, there are broader information obligations, and organizations must keep a register of processing activities. In addition, the scope of the AVG is broader, there are new rules on the lead regulator, data subjects will have more rights regarding their personal data (including the right to data portability) and higher fines can be imposed. Do you already know what you need to do to get your business AVG ready?

e-Privacy

On January 10, 2017, the European Commission (the Commission) published a proposal for a regulation in the field of privacy and electronic communications to replace the ePrivacy Directive. With the proposal, the Commission aims to increase the security of digital communication services by providing a high level of privacy protection for users of such services. Among other things, there will be new cookie rules and rules regarding spam. In addition, the proposed regulation aims to ensure consistency with the AVG. European privacy watchdogs, gathered in the so-called Article 29 Working Party, have now considered the Commission's proposal and published a 35-page opinion document on it.

Speaking of cookies, a Consumer Association sample of 20 health websites found that those offering information on diseases and addictions are violating cookie laws. The websites in question allow advertising companies to watch consumers' search behavior without the website visitors' consent and do not inform them well enough about cookies.

Wiretap Act

This year, the Senate approved the new Intelligence and Security Services Act (Wiv). This so-called "interception law" gives the intelligence services more possibilities to intercept more types of data on a large scale and will go into effect on January 1, 2018.

Facebook

Whereas Facebook had, as promised, kept the personal data of WhatsApp and Facebook strictly separate since its acquisition in 2014, it began sharing the data between the parties in the summer of 2016. This was done by adjusting the terms of use, and no explicit consent was sought. Consequently, the German Data Protection Authority immediately decided that the processing was not deemed lawful in Germany. Facebook had to pay a fine of 3 million euros for this.

Facebook does still leave its users in the dark when it comes to the origin of (some of the) information. Indeed, in addition to the data Facebook obtains about users when they use its own service, Facebook appears to buy much more information about its users from external data providers, for example about their income, restaurants they visit and even the number of credit cards in their wallets. This makes our offline lives no longer a secret to Facebook, either. With this course of action, Facebook can create even more detailed user profiles that can be used to advertise even more precisely.

More Facebook news: the German court has asked the EU Court of Justice whether a website owner who places the Facebook like button on its website, which transfers personal data of website visitors to Facebook, can be considered the responsible party under privacy law.

Surely the highlight for Facebook this year was the extensive investigation by the AP: after investigation, the AP has concluded that Facebook is in violation of Dutch privacy laws when using personal data for advertising purposes by not informing users, or not adequately informing them about the processing of their personal data when showing targeted ads.

Google: the right to be forgotten and fake news

The right to be forgotten has existed for three years. Meanwhile, Dutch courts have issued several interesting rulings. Several rulings focused on the same question: whether the display of search results by Google constitutes processing of criminal personal data. Criminal personal data qualify as special personal data within the meaning of the Wbp. The processing of special personal data is subject to a stricter regime than ordinary personal data. The basic principle of the Wbp is that special personal data may not be processed unless one of the statutory exceptions applies. As currently formulated, the absolute prohibition therefore falls short and the AVG does not solve this problem either. A contraction therefore.

Furthermore, the Supreme Court ruled for the first time this year on the right to be forgotten: in principle, a search engine must always honor a deletion request unless there are special circumstances that justify denying such a request.

Even the Court of Justice of the EU has ruled that, in principle, company directors cannot invoke the right to be forgotten with respect to data about them in the company register. Furthermore, the European Court may again rule on the right to be forgotten. Indeed, the French Council of State has submitted a number of preliminary questions to the Court. The questions have to do with the scope of the removal of search results. The questions arise from a case between the French privacy watchdog Commission Nationale De l'Informatique et des Libertés (CNIL) and Google that has been going on for some time.

Finally, following Facebook, Google is also going to indicate from now on whether news is fake or not. The fact checks underlying the above will be performed by external parties. The announcement in this regard came back in October 2016, but is now being rolled out for the first time in the Netherlands.

More articles by SOLV Lawyers
