DOCSLIB.ORG

The High Court

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The High Court THE HIGH COURT JUDICIAL REVIEW [2020 No. 617 JR.] [2020 No. 126 COM.] BETWEEN FACEBOOK IRELAND LIMITED APPLICANT AND DATA PROTECTION COMMISSION RESPONDENT AND MAXIMILIAN SCHREMS NOTICE PARTY JUDGMENT of Mr. Justice David Barniville delivered on the 14th day of May, 2021 Index 1. Introduction……………………………………………………………………….… 3 2. Overview of Decision………………………………………………………………... 6 3. Structure of Judgment………………………………………………………..…….. 7 4. Relevant Factual Background………………………………………………….…... 8 5. CJEU Judgment in Schrems II…………………………………………………… 13 6. Developments Post Judgment in Schrems II……………………………………... 17 7. DPC’s 28 August 2020 Letter and PDD………………………………………….. 22 2 8. Correspondence Post the DPC’s 28 August 2020 Letter and PDD……………... 35 9. Procedural Background…………………………………………………………… 46 10. Resolution of Mr. Schrems Proceedings………………………………………….. 49 11. Structure for Consideration of the Issues Raised………………………………... 51 12. Whether PDD/DPC’s Procedure is Amenable to Judicial Review……………... 53 13. Alleged Failure by DPC to Conduct an Investigation/Inquiry Before Reaching a Decision…………………………………………………………………………….. 69 14. Alleged Departure by DPC from Published Procedures/Breach of Legitimate Expectation………………………………………………………………………… 80 15. Alleged Breach of Fair Procedures: 21-Day Period for Submissions…………. 114 16. Alleged Breach of Fair Procedures: Premature Judgment……………………. 132 17. Alleged Breach of Fair Procedures: Involvement of Commissioner at Investigation and Decision-Making Stages……………………………………... 151 18. Single Decision to Cover Infringement and Corrective Measures: Ultra Vires Section 111 of 2018 Act…………………………………………………………... 157 19. Failure to Await Guidance from EDPB and/or Failure to Take Timing of EDPB Guidance into Account…………………………………………………………… 157 20. Alleged Discrimination/Breach of FBI’s Right to Equality: Inquiry into FBI Only……………………………………………………………………………….. 167 21. Alleged Disproportionality of Simultaneous Inquiries………………………… 180 22. Adequacy of DPC’s Reasons……………………………………………………... 181 23. Duty of Candour………………………………………………………………….. 184 24. Abuse of Process/Improper Purpose……………………………………………. 192 25. Summary of Conclusions………………………………………………………… 196 1. Introduction 3 1. On 16th July, 2020, the Court of Justice of the European Union (“CJEU”) delivered its landmark judgment in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems (commonly now referred to as “Schrems II”) on a reference from the High Court (Costello J.). This case is about what happened after that judgment. 2. Following the judgment in Schrems II, the Data Protection Commission (“DPC”) decided to commence an “own volition” inquiry under s. 110 of the Data Protection Act, 2018 (the “2018 Act”) to consider whether the actions of Facebook Ireland Ltd (“FBI”) in making transfers of personal data relating to individuals in the European Union/European Economic Area are lawful and whether any corrective power should be exercised by the DPC in that regard. The DPC decided to commence the inquiry by issuing a “Preliminary Draft Decision” (“PDD”) to FBI on 28th August, 2020. 3. FBI took issue, on several grounds, with the decision by the DPC to commence the inquiry by means of the PDD and with the procedures adopted by the DPC. Mr. Schrems, who had made a complaint and a reformulated complaint to the statutory predecessor of the DPC, the Data Protection Commissioner, under the Data Protection Act, 1988 (the “1988 Act”), which had ultimately led to the reference by the High Court to the CJEU leading to the judgment in Schrems II, also took issue with the DPC’s decision and procedures on a number of grounds, some of which overlapped to an extent with the grounds advanced by FBI. 4. Both FBI and Mr. Schrems brought judicial review proceedings in respect of the PDD and the procedures adopted by the DPC. Each applied successfully to be joined as a notice party to the other’s judicial review proceedings. Both proceedings were entered in the Commercial List. FBI’s proceedings were heard by me over five days between 15th December and 21st December, 2020, following which they were adjourned to allow further affidavit evidence to be provided by the DPC. Mr. Schrems’ proceedings were due to commence on 13th January, 2021. However, they were resolved between Mr. Schrems and the 4 DPC shortly prior to hearing, on terms to which it will be necessary briefly to refer later in this judgment. 5. FBI contends that the DPC’s decision to issue the PDD and to adopt the procedure which it has adopted should be quashed, and declarations should be made by the court, on several grounds. At the outset, FBI asserts that the DPC’s decision and the procedures adopted by it are amenable to judicial review. It then says that the DPC’s decision and the procedures are unlawful on several grounds, including being in breach of the provisions of the 2018 Act and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April, 2016 (the “GDPR”) by virtue of the DPC’s failure to conduct any investigation before issuing the PDD; a breach of FBI’s legitimate expectation that procedures published by the DPC in its 2018 Annual Report and on its website, and followed by the DPC in other inquiries, would be followed in respect of the DPC’s inquiry; breaches of FBI’s right to fair procedures, including premature judgment of the issues by the DPC and a failure to afford sufficient time to FBI to make submissions to the DPC; a failure by the DPC to take into account relevant considerations and, in particular, to await publication by the European Data Protection Board (“EDPB”) of guidance/recommendations to assist controllers and processors as regards the use of what are called “supplementary measures” to ensure adequate protection for data subjects when transferring data to third countries; a breach of FBI’s right to equal treatment and non-discrimination; a breach of the DPC’s obligation to act proportionately by subjecting FBI to simultaneous inquiries (namely, the “own volition” inquiry and the complaint made by Mr. Schrems. FBI also alleges a breach by the DPC of its duty of candour in the manner in which it has defended the proceedings. 6. In response, the DPC contends that the decision to issue the PDD is not amenable to judicial review (although it accepts that the procedures which it decided to follow are so amenable). It initially maintained that the proceedings amounted to an abuse of process by 5 FBI and advanced that claim in its pleadings and in its written submissions but ultimately withdrew the point at the hearing. In response to the grounds advanced by FBI, the DPC contends that FBI is fundamentally mistaken when it asserts that no investigation was carried out by the DPC before issuing the PDD and further maintains that FBI was invited to make submissions on the facts and on the law and to provide such further information as it felt necessary in response to the preliminary views set out in the PDD. The DPC relies on the fact that it was in possession of a vast amount of information in light of the procedural history leading up to the judgment of the CJEU in Schrems II. The DPC disputes the contention that FBI had a legitimate expectation that any particular procedure would be followed by it arising from the description of an “illustrative” process in its 2018 Annual Report and on its website or by virtue of any practice adopted by it. It also disputes the allegations of premature judgment and contends that the views set out in PDD were expressly stated to be preliminary only and subject to such submissions on the facts and on the law which FBI were invited to make. It further disputes the allegations of breaches of fair procedures, and asserts that no extension of time was sought by FBI to make a submission in response to the PDD and that no extension of time was refused by the DPC. The DPC confirmed at the hearing of proceedings that, in the event that FBI failed in its proceedings, the time allowed for FBI to put in its submissions would run from the resumption of the inquiry and that the DPC would consider any reasoned request for an extension of time. The DPC further maintains that it was and is entitled and obliged to proceed as it has done, notwithstanding the absence of guidelines or recommendations from the EDPB (which recommendations were put out for consultation on 10th November, 2020). The DPC disputes the allegations of unequal treatment and discrimination. It also disputes the contention that there is a breach of any obligation of proportionality by reason of the existence of the inquiry and the ongoing complaint by Mr. 6 Schrems. It further disputes that there was any breach of the duty of candour in its defence of the proceedings. 7. For his part, as a notice party in these proceedings, Mr. Schrems supports the quashing of the PDD on the grounds that it infringes his legitimate expectation that his complaint would be determined by the DPC following the CJEU’s judgment in Schrems II. He also supports FBI’s complaints in relation to the disproportionality of the DPC conducting simultaneous inquiries. However, Mr. Schrems opposes the reliefs being sought by FBI on the grounds of an alleged departure by the DPC from its published procedures in issuing the PDD and commencing the own-volition inquiry. He also disagrees with FBI that the DPC was obliged to await publication of EDPB guidance before proceeding with the inquiry. Mr. Schrems stressed the obligation on the DPC under the GPDR and the judgment of the CJEU in Schrems II to act expeditiously. Consistent with that contention, Mr. Schrems disputes FBI’s case that it was afforded insufficient time to make submissions to the DPC in response to the PDD. 8. As can be seen from this brief summary of the respective contentions of the parties, several important issues of national administrative law arise for consideration in these proceedings as well as significant issues of EU law arising from the GDPR and from the judgment of the CJEU in Schrems II.
Load more

Recommended publications
  • Susan Denham
    Susan Denham Chief Justice Denham has been a judge of the superior doesn’t have what it takes’. They will say, courts for over twenty years, having been a practising ‘Women don’t have what it takes’.” barrister for twenty years prior to that. She was appointed Whether consciously or otherwise, Chief Justice to the High Court in 1991 and to the Supreme Court in Denham has, throughout her career been subject to this 1992. In July 2011, she was appointed Chief Justice of pressure to succeed. She has not only succeeded, but also Ireland, by the President, Mary McAleese. excelled. Chief Justice Denham is the longest serving member of When she “took silk” in 1987, rising from Junior to the current Supreme Court and in her career has Senior Counsel, Chief Justice Denham represented the distinguished herself as one of the finest judges in the State in a number of significant extradition cases and she history of the state. Her judgments are thoughtful, erudite became an expert in Judicial Review. She spent ten years and clear. While upholding at all times the Rule of Law at the inner Bar before being appointed to the High Court and delivering clearly principled legal judgments, Chief (1991) and to the Supreme Court the following year. Justice Denham’s judicial pronouncements exude a Chief Justice Denham’s appointment to the Supreme striking humanity. She seems acutely aware of the Court made history. She was the first woman ever to sit on difficulties faced by ordinary people in this country, of the that bench and for eight years, she was the sole female trials and tribulations of family life, of the impact of crime member of the Court.
    [Show full text]
  • Next-Gen Technology Transformation in Financial Services
    April 2020 Next-gen Technology transformation in Financial Services Introduction Financial Services technology is currently in the midst of a profound transformation, as CIOs and their teams prepare to embrace the next major phase of digital transformation. The challenge they face is significant: in a competitive environment of rising cost pressures, where rapid action and response is imperative, financial institutions must modernize their technology function to support expanded digitization of both the front and back ends of their businesses. Furthermore, the current COVID-19 situation is putting immense pressure on technology capabilities (e.g., remote working, new cyber-security threats) and requires CIOs to anticipate and prepare for the “next normal” (e.g., accelerated shift to digital channels). Most major financial institutions are well aware of the imperative for action and have embarked on the necessary transformation. However, it is early days—based on our experience, most are only at the beginning of their journey. And in addition to the pressures mentioned above, many are facing challenges in terms of funding, complexity, and talent availability. This collection of articles—gathered from our recent publishing on the theme of financial services technology—is intended to serve as a roadmap for executives tasked with ramping up technology innovation, increasing tech productivity, and modernizing their platforms. The articles are organized into three major themes: 1. Reimagine the role of technology to be a business and innovation partner 2. Reinvent technology delivery to drive a step change in productivity and speed 3. Future-proof the foundation by building flexible and secure platforms The pace of change in financial services technology—as with technology more broadly—leaves very little time for leaders to respond.
    [Show full text]
  • Remote Court Hearings
    Oireachtas Library & Research Service | Bill Digest L&RS Note Remote Court Hearings Rebecca Halpin, Parliamentary Researcher, Law Abstract<xx> July 2020 28 July 2020 This L&RS Note considers the use of remote hearings in Ireland during the Covid-19 pandemic. The paper describes the way in which remote hearings have been introduced in Ireland and the type of matters in which they are used. The paper then considers the difficulties associated with remote hearings, the need for legislative reform, and circumstances in which remote hearings may be unsuitable. The L&RS gratefully acknowledges the assistance of Dr Rónán Kennedy, School of Law, NUI Galway in reviewing the contents of this Note in advance of publication. Oireachtas Library & Research Service | L&RS Note Contents Summary ........................................................................................................................................ 1 Introduction ..................................................................................................................................... 2 Remote hearings – an overview ...................................................................................................... 3 ICT in Irish courts – capability and capacity .................................................................................... 4 Recent developments that facilitated the introduction of remote hearings .................................. 5 Impact and response to Covid-19 pandemic ..................................................................................
    [Show full text]
  • June 10, 2021 President Joseph R. Biden the White House 1600
    June 10, 2021 President Joseph R. Biden The White House 1600 Pennsylvania Ave. NW Washington, DC 20500 Dear Mr. President: We, the undersigned civil rights, civil liberties, privacy, government accountability, and consumer rights organizations, urge your Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows. Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated. Recent history demonstrates that any transatlantic data transfer agreement will be subject to litigation to determine whether it provides adequate protection for personal data. In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. Without reform of U.S. surveillance and privacy laws, any new transatlantic data transfer deal will likely face a similar fate. The only way to fully address these issues and enter into a lasting transatlantic agreement is to harmonize data protection standards between the European Union and the United States. There have been calls for the United States to strengthen and modernize its privacy laws since long before the European Union’s General Data Protection Regulation came into effect in 2018. The modern concept of the right to privacy was invented in the United States – but now we lag behind many other nations on privacy protections.
    [Show full text]
  • Survey on Privacy Preserving in Social Networks
    International Journal of Science and Research (IJSR) ISSN (Online): 2319-7064 Index Copernicus Value (2015): 78.96 | Impact Factor (2015): 6.391 Survey on Privacy Preserving in Social Networks S. Mayil1, Dr. M. Vanitha2 1Research scholar, PG & Research Department of Computer Science, JJ College of Arts and Science (Autonomous), Pudukkottai, Tamil Nadu, India 2Assistant Professor, Ph.D. and Research Department of Computer Application, Alagappa University, Karaikudi , Tamilnadu. Abstract: The development of online social networks and the release of data network resulting in the risk of leakage of personal confidential information. This requires privacy protection before the data network is published by the service provider. Data privacy online social networks are important in recent years. Therefore, this research is still in its infancy. This article describes the generalization techniques of anonymous social networking data with sufficient privacy for harsh environments while preserving the validity of the data. The loss metric information, iloss, is used to check the information due to the loss of the generalized amount. While these networks make frequent data sharing and intercommunication between users can instantly and privacy problems that may arise are very explicable with their obvious immediate consequences. Although the concept of privacy can take different forms, the ultimate challenge is how to prevent the invasion of privacy when personal information is available. Basic social networks, co-statements, and their associated primary motivations. The following describes how to protect privacy, relying on technical analysis and link social networks to disclose sensitive user information. Keywords: Data Privacy, Data Publishing, Privacy Preserving, Social Network, Service Provider. 1. Introduction data may affect the privacy of individuals.
    [Show full text]
  • CJEU Ruling on Facebook Action on January 25, 2018: Class Action, Model Case Or No Jurisdiction?
    CJEU ruling on Facebook action on January 25, 2018: Class action, model case or no jurisdiction? In August 2014, lawyer and data protection expert Max Schrems filed a lawsuit against Facebook with his competent court in Vienna, as previous complaints in Ireland have not been decided by the Irish Data Protection Commissioner since 2011. Now the CJEU decides on the admissibility of the lawsuit against Facebook. Previously, in 2015 Schrems brought down the EU-US “Safe Harbor” system through a case against Facebook at the CJEU. Dispute solely on jurisdiction and on two questions Facebook has submitted various grounds with the court in Vienna, why the procedure should not be heard at all. The majority of these attempts to prevent the procedure have already been rejected by the Austria courts over the past three years. What remained, were two questions: (1) whether Mr Schrems is a "consumer" or has lost this status through his pro bono work as a privacy advocate; and (2) whether he can bring claims of other users jointly in a "class action". The class action is financed by ROLAND Prozessfinanz AG. Facebook wants each of the 25,000 other users to have to sue in a separate procedure - which would make the legal costs skyrocket and a case against Facebook financially impossible for most users. In Facebook’s view, the same legal and factual issues should therefore be trailed 25,000 times in front of thousands of European courts and judges (“divide and conquer”). These two questions were submitted to the Court of Justice of the European Union (CJEU) for a preliminary ruling by the Austrian Supreme Court.
    [Show full text]
  • Facebook: Where Privacy Concerns and Social Needs Collide
    Edith Cowan University Research Online Theses: Doctorates and Masters Theses 2020 Facebook: Where privacy concerns and social needs collide Sonya Scherini Edith Cowan University Follow this and additional works at: https://ro.ecu.edu.au/theses Part of the Communication Technology and New Media Commons, Mass Communication Commons, and the Social Media Commons Recommended Citation Scherini, S. (2020). Facebook: Where privacy concerns and social needs collide. https://ro.ecu.edu.au/ theses/2331 This Thesis is posted at Research Online. https://ro.ecu.edu.au/theses/2331 Edith Cowan University Copyright Warning You may print or download ONE copy of this document for the purpose of your own research or study. The University does not authorize you to copy, communicate or otherwise make available electronically to any other person any copyright material contained on this site. You are reminded of the following: Copyright owners are entitled to take legal action against persons who infringe their copyright. A reproduction of material that is protected by copyright may be a copyright infringement. Where the reproduction of such material is done without attribution of authorship, with false attribution of authorship or the authorship is treated in a derogatory manner, this may be a breach of the author’s moral rights contained in Part IX of the Copyright Act 1968 (Cth). Courts have the power to impose a wide range of civil and criminal sanctions for infringement of copyright, infringement of moral rights and other offences under the Copyright Act 1968 (Cth). Higher penalties may apply, and higher damages may be awarded, for offences and infringements involving the conversion of material into digital or electronic form.
    [Show full text]
  • A Collaborative Framework: for Privacy Protection in Online Social Networks
    A Collaborative Framework: for Privacy Protection in Online Social Networks 4 4 Yan Zhu1,2, Zexing Hu1, Huaixi Wang3, Hongxin Hu , Gail-Joon Ahn 1 Institute of Computer Science and Technology, Peking University, Beijing 100871, China 2Key Laboratory of Network and Software Security Assurance (Peking University), Ministry of Education, China 3School of Mathematical Sciences, Peking University, Beijing 100871, China, 4Laboratory of Security Engineering for Future Computing (SEFCOM), Arizona State University, Tempe, AZ 85287, USA Email: {yan.zhu.huzx.wanghx}@pku.edu.cn. {hxhu,gahn }@asu.edu Abstract-With the wide use of online social networks (OSNs) , Although some new techniques were introduced in these the problem of data privacy has attracted much attention. solutions, it is still necessary for a centralized server to Several approaches have been proposed to address this issue. enforce access control, which cannot protect the privacy of One of privacy management approaches for OSN leverages a key users against the centralized server. Also, some solutions management technique to enable a user to simply post encrypted contents so that only users who can satisfy the associate security implemented access control at client-side but their approach policy can derive the key to access the data. However, the key should be synchronous, requiring multiple users to be online management policies of existing schemes may grant access to simultaneously. unaurhorized users and cannot efficiently determine authorized One of efficient ways for enforcing access control in OSN users. In this paper, we propose a collaborative framework is to allow users to put the encrypted data on the server and which enforces access control for OSN through an innovative key management focused on communities.
    [Show full text]
  • The High Court
    THE HIGH COURT RECORD NO: 2015/4888P Denis O’Brien Plaintiff AND Clerk of Dail Eireann, Sean Barrett, Joe Carey, John Halligan, Martin Heydon, Paul Kehoe, John Lyons, Dinny McGinley, Sean O Fearghail, Aengus O’Snodaigh and Emmet Stagg (Members of the Committee on Procedure and Privileges of Dáil Éireann), Ireland and the Attorney General Defendants JUDGMENT of Ms Justice Ní Raifeartaigh delivered on Friday 31st March, 2017 1. The principle of comity as between the legislature and the courts in a system embodying the separation of powers has been described as follows: “This principle is that of mutual respect and forbearance between the legislative and judicial branches, and it has been recognised by the courts as one of the foundations for the privileges (including the privilege of free speech) enjoyed by the House. … The relationship between the courts and 1 Parliament is a matter of the highest constitutional significance. It should be, and generally is, marked by mutual respect and restraint. The underlying assumption is that what is under discussion or determination by either the judiciary or the legislature should not be discussed or determined by the other. The judiciary and the legislature should respect their respective roles.”1 This case raises important issues as to the role of the Court when the principle of comity is breached. Is an individual entitled to invoke the jurisdiction of the courts where a member of the Houses of the Oireachtas has engaged in utterances which, if spoken outside the House, would constitute a breach of a court order obtained by the individual? While this arose in the present case in relation to the revelation of private banking information of the plaintiff, the implications are much wider and would arise whatever the private nature of the information published, be it information relating to a person’s banking, taxation or other financial affairs, health or medical matters, relationships or sexual disposition, or any other information of a private and confidential nature.
    [Show full text]
  • Ireland Independent Judiciary 2006
    Brian Curtin v Dail Eireann, Seanad Eireann, et al. Supreme Court [2006] IESC 14, 2 IR 556 9 March 2006 HEADNOTE: Article 35.4.1o of the Constitution provides:- "A judge of the Supreme Court or the High Court shall not be removed from office except for stated misbehaviour or incapacity, and then only upon resolutions passed by Dail Eireann and by Seanad Eireann [lower house and upper house of parliament, respectively] calling for his removal." Pursuant to s. 39 of the Courts of Justice Act 1924, Circuit Court Judges held office by the same tenure as High Court Judges. The applicant, a judge of the Circuit Court, sought to challenge by way of judicial review, a direction of an Oireachtas [Parliament] committee (established following the proposal of a resolution to remove him from office pursuant to Article 35.4.1o of the Constitution) to produce his personal computer to the committee. It was accepted that the computer contained material which constituted child pornography, as defined by the Child Trafficking and Pornography Act 1998, but the applicant contended that the material was not knowingly in his possession. The applicant had been prosecuted on indictment for offences under the Act of 1998 and acquitted by direction of the trial judge, by reason of the fact that the warrant used to enter his property had been invalid on the date of its execution, when the computer was seized by the gardai. The computer was retained in the possession of the Garda Commissioner. As part of the scheme to enable the Oireachtas to deal with the case of the applicant under Article 35.4.1o, the Oireachtas passed the Committees of the Houses of the Oireachtas (Compellability, Privileges and Immunities of Witnesses) (Amendment) Act 2004, which provided for the attendance of a judge as a witness before an Oireachtas committee and the Child Trafficking and Pornography (Amendment) Act 2004 which was designed to permit hearings to be conducted and material to be considered without breach of the Act of 1998.
    [Show full text]
  • The Future of Banking Is Open
    Visa Consulting & Analytics The Future of Banking is Open 1 Visa Consulting & Analytics Open banking What it is, why it matters, and how banks can lead the change If a consumer wants to block out the world around them, a single app gives them access to hundreds of thousands of songs and podcasts; over time, this app learns about their tastes and suggests new tunes for their listening pleasure. As technology evolves and artificial intelligence becomes more pervasive, consumers are beginning to ask why managing money cannot be as intuitive as managing music? Data is a key ingredient in offering personalized financial services, but it has been traditionally hard for consumers to share sensitive information with third parties, in a secure and consistent way. In response, financial innovation globally by both traditional and emerging players has taken place. This has led to an increase in financial innovation globally that is driven partly by the market and partly by regulation. As the world responds to the COVID-19 pandemic, one of the clear outcomes is accelerated digital engagement, something that can only be done quickly and at scale through an open ecosystem and the unbundling of financial services. In this paper, we look at what open banking is, the way some of the world’s most forward-thinking banks are responding, and how Visa Consulting & Analytics can help in transforming your business. 2 Contents What is open banking, and why does it matter? What is driving open banking? What are the consumer considerations? What are the commercial implications for ecosystem players? How are banks responding? Five strategies to consider How can Visa help you take the next step on your open banking journey? 3 What is open banking, and why does it matter? Broadly put, the term open banking refers to the use of APIs (Application Programming Interfaces) to share consumers’ financial data (with their consent) to trusted third-parties that, in turn, create and distribute novel financial products and services.
    [Show full text]
  • Checkliste Datenverkehr Eu - Usa
    CHECKLISTE DATENVERKEHR EU - USA 1. Findet ein Datenverkehr mit den USA statt?1 ☐ Datenübermittlung in die USA an o Konzernunternehmen? o direkte Vertragspartner (laufende Projekte, Kooperationen etc)? ☐ Datenhosting in den USA? o Software-Hosting (z.B. HubSpot, Apple) o Clouds (z.B. Microsoft, Google, Amazon) o Mailings (z.B. Gmail, Mailchimp) ☐ Social Media Nutzung mit USA-Beteiligung? o Social Media Accounts (Facebook, Instagram, Twitter) o Social Media Fanpages o Social PlugIns 2. Ist das datenempfangende US Unternehmen ein „elektronischer Diensteanbieter“ wie in der beanstandeten Regelung des Section 702 Intelligence Surveillance Act (FISA) gefordert? ☐ Ja –> Weiter zu 3. ☐ Nein. 15.1. Werden sonstige Sicherheitsmaßnahmen vom US-Unternehmen getroffen, um etwaigen Datenzugriff Unberechtigter zu verhindern? ☐ Ich weiß es nicht. In diesem Fall können Sie einen Fragebogen (wie z.B. von NOYB) an das US Unternehmen schicken, um abzuklären, ob das Unternehmen unter die strengen Überwachungsgesetze der USA fällt, welche vom Europäischen Gerichtshof problematisch gesehen wurden. Das sind z.B.: - Telekommunikationsanbieter - Clouddiensteanbieter - Anbieter elektronischer Kommunikationsdienste - sonstige gesetzliche oder freiwillige Überwachungsmaßnahme von Seiten der US-Behörden, an denen das Unternehmen beteiligt ist? 3. Auf welcher Grundlage findet der Datentransfer statt? ☐ Privacy Shield –> Weiter zu 4. ☐ Standardvertragsklauseln (SCC) –> Weiter zu 5. ☐ Binding Corporate Rules (BRC) –> Weiter zu 6. ☐ genehmigte Vertragsklauseln –> Derzeit keine Änderung notwendig! ☐ ausdrückliche Einwilligung –> Prüfung von: 1 Falls auch nur ein Punkt bejaht wird –> Weiter zu 2. o Verträgen und Einwilligungserklärungen der Betroffenen, o Informationserteilung an Betroffene über Risiken in Drittland. -> Derzeit keine Änderung notwendig. ☐ Vertragserfüllung: o Verträge und AGB prüfen o Übermittlung ist für Vertragserfüllung zwischen der betroffenen Person und dem Verantwortlichen oder zur Durchführung von vorvertraglichen Maßnahmen auf Antrag der betroffenen Person erforderlich.
    [Show full text]