DOCSLIB.ORG

View Feedback

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
View Feedback noyb – European Center for Digital Rights Goldschlagstraße 172/4/3/2 1140 Vienna AUSTRIA To: European Data Protection Board Vienna, 19.10. 2020 Subject: noyb’s comments on Guidelines 8/2020 on the targeting of social media users adopted on 2 September 2020 for public consultation Dear Members of the EDPB, noyb welcomes the opportunity to submit comments on the Guidelines 8/2020 published for consultation. We want to explicitly welcome the general approach the EDPB has taken in these guidelines and thank the members of the EDPB working groups for their work. We especially welcome: the clear position on the unlawful use of Article 6(1)(b) as a legal basis by some providers; the clear position that in most cases Article 6(1)(a) is the relevant legal basis; the clear position on the application of Article 9 when special categories of personal data are inferred or generated via the use of proxies and the highlight on the large footprint (from targeting of vulnerable groups to the use of micro-targeting for political manipulation) that GDPR violations in the area of social networks have. In order to focus these submissions, we will, however, mainly concentrate on the elements that we feel may benefit from further input. 1. Pending Litigation In the spirit of transparency, we want to highlight that noyb (or persons associated or supported by noyb) are currently engaged in litigation before the Irish DPC and before the Austrian Civil Courts that partly overlaps with issues raised in these Guidelines. At the same time, we invite the EDPB to request the documents in the cases before the Austrian, Belgian, German and Irish DPAs (DPC Case numbers C-18-5-5, C-18-5-6 and C-18-5-7) to get first hand input on the legal arguments put forward by some Social Media Providers. We are equally happy to provide the relevant documents in the case 3 Cg 52/14k - 91 before the Vienna Regional Civil Court (LGfZRS), which partly overlaps with the subject matter of these guidelines. noyb – European Center for Digital Rights | Goldschlagstr. 172/4/3/2, 1140 Vienna, AUSTRIA | ZVR N°: 1354838270 www.noyb.eu | General email: [email protected] | Legal communication: [email protected] | IBAN: AT21 2011 1837 8146 6600 Page 1 of 14 In light of experience derived from these pending cases, we hope to add helpful practical points to the work of the EDPB. Finally, for the avoidance of doubt and in light of arguments made in litigation in Ireland, Germany, Belgium and Austria, we want to mention that an omission to comment on individual parts of the Guidelines may not be interpreted as agreeance to these parts by noyb. 2. General Comments 2.1. Wording throughout the Guidelines As a general matter and being fully aware of the delicate process of drafting EDPB Guidelines, we would encourage the EDPB to take even clearer positions on some issues in order to arrive at guidelines that go beyond the first red lines set by the recent CJEU judgements on Facebook. This is especially in light of our experience that social media providers, in particular, have so far aggressively used even the slightest uncertainty in EDPB guidelines to depart from their obvious meaning. Lack of clear guidelines in practice opens the door to deliberate misinterpretation by controllers, which in turn leads to the abuse of data subject rights, to lengthy procedures before DPAs, or even costly litigation. In this regard , we want to highlight that many factual descriptions in the Guidelines (like “Personal data provided by social media users can be used by the social media provider…” in § 37) will likely be used out of context by controllers to claim that the EDPB takes the view that these practices are actually legal. While some factual descriptions are clearly found to be illegal in other parts of the Guidelines, other practices are not further analysed, but merely described. We therefore strongly encourage the EDPB to limit general factual descriptions of services and to use language that distinguishes between factual descriptions (of partly illegal practices) and the later legal analysis more clearly. 2.2. “Upstream” processing While we are aware that this may be outside of the scope of the Guidelines, it seems striking that processing operations that take place before any “upstream” operations (i.e. processing operations for advertisement) are not mentioned in the Guidelines. This seems to be relevant in at least two aspects: First, we wanted to draw attention to the fact that, under C-101/01 Lindqvist, users of social networks may themselves be controllers for the initial processing operations (such as public micro-blogging or their personal messages or emails). There is often no red line between consumers and active users of social media service and even private parties often run public pages on such platforms. In practice, the click of a button that makes others’ data public or the mere intent to use a page for commercial purposes can make a user a “controller” as in Lindqvist or C-210/16 Wirtschaftsakademie. Should the social media provider use data that it gathered as a processor (e.g. when Google provides Cloud Storage or Gmail) in violation of the instructions by the user, it would violate Articles 28 and 29 and other parts of the GDPR. Page 2 of 14 Second, Article 2(2)(c) GDPR and Recital 18 GDPR makes the, often unlimited, uploading, sharing and storing of personal data of others (“friends”) legal, only if these activities fall under the household exception. Limitless further processing of such “privileged” data for commercial purposes would make the household exception a backdoor that would allow commercial actors to outsource data gathering to private persons. Recital 18 explicitly mentions that social media providers are (in relation to these processing operations) processors that fall under the GDPR, even if the user can make use of the household exception and therefore does not fall under the GDPR. Some controllers may interpret the factual description of this process in the Guidelines as an accepting of this practice as legal. Third, the Guidelines mention, for example in §§ 9 and 18, that data is generated and shared for private (“household”) purposes. As these are clearly not compatible purposes with the purpose of commercial data gathering for advertisements, this begs the question of whether a social media provider may simply engage in “secondary use” of such (often very personal and private data) under Article 6(4) GDPR. It seems to noyb that such a “secondary use” of personal data would for example require the consent of the data subject under Article 6(4) GDPR – in addition to the requirement for consent under Article 6(1) GDPR, which the Guidelines already discuss in detail. While the EDPB may decide against including a legal analysis of these “upstream” processing operations as part of the Guidelines, we would strongly encourage to explicitly limit the Guidelines to processing operations from a certain point onwards and mention that the EDPB does at least not take a position on the legality of the described data gathering process. The current factual descriptions in the Guidelines, according to which data is taken from many sources (be it maps, email services or chat apps) and further used, could be misinterpreted to mean that the EDPB agrees that the massive and global harvesting and aggregation of data on every individual (euphemistically called “social graph”) is generally legal - independent of the purpose or controllership of the original processing operation. 2.3. Differentiation of “targeting mechanism” In general, we consider that all data, whether inferred, observed or actively provided by the users, should be processed under the same conditions by the social media providers, in compliance with all relevant data protection laws. Whereas we see the interest of the distinction made by the EDPB in its guidelines for didactic purposes, such categories may not be that easy to delineate in the context of social media. For example, the Guidelines consider that the “like” button would constitute inferred data, whereas one could easily argue that this data is merely observed because the “like” button clearly indicates a preference actively provided by the user. i) Transparency implications The requirement for transparent and informed consent1 relating to observed data and inferred data should be more clearly detailed. Users are not always aware that their personal data are collected even when they are merely, in their subjective opinion, “interacting” with the social media but not actively providing information to the social media or to a third party. For example, “liking” a post of a friend or “friending” someone provides information to the social media, but, in the subjective view of many users, this might be providing information to the friend but 1 See below on why consent under Article 6(1)(a) GDPR is usually the relevant legal basis. If the EDPB takes a different view, the same transparency considerations apply to Article 6(1)(f) GDPR. Page 3 of 14 not actively to the social media platform, unlike a user uploading their profile photo. Moreover, in such contexts, it can be difficult to prove that a social media provider actually processes observed or inferred data when there is a lack of information given by the social media provider and the targeters. Therefore, it is crucial that the EDPB clarifies that any new categorization of data resulting from observation or inference, such as “users interested in online betting”, “people likely to be impulsive”, “people likely to be betting heavily” and “people with lower income”, are made transparent and clear to the users. Without such transparency clarifications, the recommendations of the EDPB will remain a dead letter – any such categories will not be communicated to the users who will thus remain unaware of the various profiling types used by social media providers and targeters.
Load more

Recommended publications
  • Anonymity and Encryption in Digital Communications, February 2015
    Submission to the UN Special Rapporteur on freedom of expression – anonymity and encryption in digital communications, February 201 1! Introduction Privacy International submits this information for the Special Rapporteur's report on the use of encryption and anonymity in digital communications. Anonymity and the use of encryption in digital communications engage both the right to freedom of expression and right to privacy very closely: anonymity and encryption protects privacy, and ithout effective protection of the right to privacy, the right of individuals to communicate anonymously and ithout fear of their communications being unla fully detected cannot be guaranteed. As noted by the previous mandate holder, !rank #aRue, $the right to privacy is essential for individuals to express themselves freely. Indeed, throughout history, people%s illingness to engage in debate on controversial sub&ects in the public sphere has al ays been linked to possibilities for doing so anonymously.'( Individuals' right to privacy extends to their digital communications.) As much as they offer ne opportunities to freely communicate, the proliferation of digital communications have signi*cantly increased the capacity of states, companies and other non+state actors to interfere ith individual's privacy and free expression. Such interference ranges from mass surveillance of communications by state intelligence agencies, to systematic collection and storage of private information by internet and telecommunication companies, to cybercrime. Anonymity and encryption are essential tools available to individuals to mitigate or avert interferences ith their rights to privacy and free expression. In this ay, they are means of individuals exercising to the fullest degree their rights hen engaging in digital communications.
    [Show full text]
  • June 10, 2021 President Joseph R. Biden the White House 1600
    June 10, 2021 President Joseph R. Biden The White House 1600 Pennsylvania Ave. NW Washington, DC 20500 Dear Mr. President: We, the undersigned civil rights, civil liberties, privacy, government accountability, and consumer rights organizations, urge your Administration to ensure that any new transatlantic data transfer deal is coupled with the enactment of U.S. laws that reform government surveillance practices and provide comprehensive privacy protections. The United States’ failure to ensure meaningful privacy protections for personal data is the reason that a growing number of countries are concerned about trans-border data flows. Until the United States addresses this problem, concerns about data transfers to the United States will remain, and data flow agreements are likely to be invalidated. Recent history demonstrates that any transatlantic data transfer agreement will be subject to litigation to determine whether it provides adequate protection for personal data. In 2015, the Court of Justice of the European Union invalidated the U.S.-EU Safe Harbor agreement. And in July 2020, the successor agreement, Privacy Shield, was also invalidated by the same court. Without reform of U.S. surveillance and privacy laws, any new transatlantic data transfer deal will likely face a similar fate. The only way to fully address these issues and enter into a lasting transatlantic agreement is to harmonize data protection standards between the European Union and the United States. There have been calls for the United States to strengthen and modernize its privacy laws since long before the European Union’s General Data Protection Regulation came into effect in 2018. The modern concept of the right to privacy was invented in the United States – but now we lag behind many other nations on privacy protections.
    [Show full text]
  • Survey on Privacy Preserving in Social Networks
    International Journal of Science and Research (IJSR) ISSN (Online): 2319-7064 Index Copernicus Value (2015): 78.96 | Impact Factor (2015): 6.391 Survey on Privacy Preserving in Social Networks S. Mayil1, Dr. M. Vanitha2 1Research scholar, PG & Research Department of Computer Science, JJ College of Arts and Science (Autonomous), Pudukkottai, Tamil Nadu, India 2Assistant Professor, Ph.D. and Research Department of Computer Application, Alagappa University, Karaikudi , Tamilnadu. Abstract: The development of online social networks and the release of data network resulting in the risk of leakage of personal confidential information. This requires privacy protection before the data network is published by the service provider. Data privacy online social networks are important in recent years. Therefore, this research is still in its infancy. This article describes the generalization techniques of anonymous social networking data with sufficient privacy for harsh environments while preserving the validity of the data. The loss metric information, iloss, is used to check the information due to the loss of the generalized amount. While these networks make frequent data sharing and intercommunication between users can instantly and privacy problems that may arise are very explicable with their obvious immediate consequences. Although the concept of privacy can take different forms, the ultimate challenge is how to prevent the invasion of privacy when personal information is available. Basic social networks, co-statements, and their associated primary motivations. The following describes how to protect privacy, relying on technical analysis and link social networks to disclose sensitive user information. Keywords: Data Privacy, Data Publishing, Privacy Preserving, Social Network, Service Provider. 1. Introduction data may affect the privacy of individuals.
    [Show full text]
  • CJEU Ruling on Facebook Action on January 25, 2018: Class Action, Model Case Or No Jurisdiction?
    CJEU ruling on Facebook action on January 25, 2018: Class action, model case or no jurisdiction? In August 2014, lawyer and data protection expert Max Schrems filed a lawsuit against Facebook with his competent court in Vienna, as previous complaints in Ireland have not been decided by the Irish Data Protection Commissioner since 2011. Now the CJEU decides on the admissibility of the lawsuit against Facebook. Previously, in 2015 Schrems brought down the EU-US “Safe Harbor” system through a case against Facebook at the CJEU. Dispute solely on jurisdiction and on two questions Facebook has submitted various grounds with the court in Vienna, why the procedure should not be heard at all. The majority of these attempts to prevent the procedure have already been rejected by the Austria courts over the past three years. What remained, were two questions: (1) whether Mr Schrems is a "consumer" or has lost this status through his pro bono work as a privacy advocate; and (2) whether he can bring claims of other users jointly in a "class action". The class action is financed by ROLAND Prozessfinanz AG. Facebook wants each of the 25,000 other users to have to sue in a separate procedure - which would make the legal costs skyrocket and a case against Facebook financially impossible for most users. In Facebook’s view, the same legal and factual issues should therefore be trailed 25,000 times in front of thousands of European courts and judges (“divide and conquer”). These two questions were submitted to the Court of Justice of the European Union (CJEU) for a preliminary ruling by the Austrian Supreme Court.
    [Show full text]
  • Facebook: Where Privacy Concerns and Social Needs Collide
    Edith Cowan University Research Online Theses: Doctorates and Masters Theses 2020 Facebook: Where privacy concerns and social needs collide Sonya Scherini Edith Cowan University Follow this and additional works at: https://ro.ecu.edu.au/theses Part of the Communication Technology and New Media Commons, Mass Communication Commons, and the Social Media Commons Recommended Citation Scherini, S. (2020). Facebook: Where privacy concerns and social needs collide. https://ro.ecu.edu.au/ theses/2331 This Thesis is posted at Research Online. https://ro.ecu.edu.au/theses/2331 Edith Cowan University Copyright Warning You may print or download ONE copy of this document for the purpose of your own research or study. The University does not authorize you to copy, communicate or otherwise make available electronically to any other person any copyright material contained on this site. You are reminded of the following: Copyright owners are entitled to take legal action against persons who infringe their copyright. A reproduction of material that is protected by copyright may be a copyright infringement. Where the reproduction of such material is done without attribution of authorship, with false attribution of authorship or the authorship is treated in a derogatory manner, this may be a breach of the author’s moral rights contained in Part IX of the Copyright Act 1968 (Cth). Courts have the power to impose a wide range of civil and criminal sanctions for infringement of copyright, infringement of moral rights and other offences under the Copyright Act 1968 (Cth). Higher penalties may apply, and higher damages may be awarded, for offences and infringements involving the conversion of material into digital or electronic form.
    [Show full text]
  • A Call from the Panopticon to the Judicial Chamber “Expect Privacy!”
    Journal of International Commercial Law and Technology Vol.1, Issue 2 (2006) A Call From the Panopticon to the Judicial Chamber “Expect Privacy!” Julia Alpert Gladstone Bryant University Smithfield, RI,USA Abstract Privacy is necessary in order for one to develop physically, mentally and affectively. Autonomy and self definition have been recognized by the United States Supreme Court as being values of privacy. In our technologically advanced, and fear driven society, however, our right to privacy has been severely eroded. Due to encroachment by government and business we have a diminished expectation of privacy. This article examines the detriments to self and society which result from a reduced sphere of privacy, as well as offering a modest suggestion for a method to reintroduce an improved conception of privacy into citizens’ lives. Keywords: Privacy, Technology, Judiciary, Autonomy, Statute INTRODUCTION Citizens often pay scant attention to their privacy rights until a consciousness raising event, such as the late 2005 exposure of the unauthorized wiretapping performed by the United States Executive Branch, heightens their interest and concern to protect previously dormant privacy rights. The scholarly literature on privacy is plentiful which broadly explains privacy as a liberty or property right, or a condition of inner awareness, and explanations of invasions of privacy are also relevant. This article seeks to explain why privacy remains under prioritized in most people’s lives, and yet, privacy is held as a critical, if not, fundamental right. Privacy is defined according to social constructs that evolve with time, but it is valued, differently. It is valued as a means to control one’s life.
    [Show full text]
  • A Collaborative Framework: for Privacy Protection in Online Social Networks
    A Collaborative Framework: for Privacy Protection in Online Social Networks 4 4 Yan Zhu1,2, Zexing Hu1, Huaixi Wang3, Hongxin Hu , Gail-Joon Ahn 1 Institute of Computer Science and Technology, Peking University, Beijing 100871, China 2Key Laboratory of Network and Software Security Assurance (Peking University), Ministry of Education, China 3School of Mathematical Sciences, Peking University, Beijing 100871, China, 4Laboratory of Security Engineering for Future Computing (SEFCOM), Arizona State University, Tempe, AZ 85287, USA Email: {yan.zhu.huzx.wanghx}@pku.edu.cn. {hxhu,gahn }@asu.edu Abstract-With the wide use of online social networks (OSNs) , Although some new techniques were introduced in these the problem of data privacy has attracted much attention. solutions, it is still necessary for a centralized server to Several approaches have been proposed to address this issue. enforce access control, which cannot protect the privacy of One of privacy management approaches for OSN leverages a key users against the centralized server. Also, some solutions management technique to enable a user to simply post encrypted contents so that only users who can satisfy the associate security implemented access control at client-side but their approach policy can derive the key to access the data. However, the key should be synchronous, requiring multiple users to be online management policies of existing schemes may grant access to simultaneously. unaurhorized users and cannot efficiently determine authorized One of efficient ways for enforcing access control in OSN users. In this paper, we propose a collaborative framework is to allow users to put the encrypted data on the server and which enforces access control for OSN through an innovative key management focused on communities.
    [Show full text]
  • The Right to Privacy in the Digital Age
    The Right to Privacy in the Digital Age April 9, 2018 Dr. Keith Goldstein, Dr. Ohad Shem Tov, and Mr. Dan Prazeres Presented on behalf of Pirate Parties International Headquarters, a UN ECOSOC Consultative Member, for the Report of the High Commissioner for Human Rights Our Dystopian Present Living in modern society, we are profiled. We accept the necessity to hand over intimate details about ourselves to proper authorities and presume they will keep this information secure- only to be used under the most egregious cases with legal justifications. Parents provide governments with information about their children to obtain necessary services, such as health care. We reciprocate the forfeiture of our intimate details by accepting the fine print on every form we sign- or button we press. In doing so, we enable second-hand trading of our personal information, exponentially increasing the likelihood that our data will be utilized for illegitimate purposes. Often without our awareness or consent, detection devices track our movements, our preferences, and any information they are capable of mining from our digital existence. This data is used to manipulate us, rob from us, and engage in prejudice against us- at times legally. We are stalked by algorithms that profile all of us. This is not a dystopian outlook on the future or paranoia. This is present day reality, whereby we live in a data-driven society with ubiquitous corruption that enables a small number of individuals to transgress a destitute mass of phone and internet media users. In this paper we present a few examples from around the world of both violations of privacy and accomplishments to protect privacy in online environments.
    [Show full text]
  • 13 Principles for a Human Rights Respecting State Surveillance Framework
    13 Principles for a Human Rights Respecting State Surveillance Framework Reporters Without Borders (RWB) joins the Association for Progressive Communications and more than 215 other organizations in calling for the adoption of the “International Principles on the Application of Human Rights to Communications Surveillance,” which were developed by Access, Electronic Frontier Foundation and Privacy International in consultation with a group of international experts. Privacy is a fundamental human right, and is central to the maintenance of democratic societies. It is essential to human dignity, reinforces other rights, such as freedom of expression, information and association, and is recognised under national, regional and international human rights instruments. This Council recognized with A/HRC/RES/20/8 “the same rights that people have offline must also be protected online.” However, in recent years, many States have developed national legal frameworks and practices that exploit the capacities of new technologies to engage in mass surveillance. Those frameworks reflect a shift from surveillance of communications based on the rule of law (in particular legally authorised targeted surveillance based on clear criteria) to mass surveillance through untargeted collection of communications data of ordinary citizens where no lawful grounds for surveillance exists. These national legal frameworks often contain outmoded definitions of communications that purport to distinguish between the content of communication, versus data about the communication. Typically, the content of communications is strongly protected whereas non-content transactional data, traffic data, or “meta-data” is typically given much less protection, even though it can be just as revealing and have serious privacy implications. Activities that restrict the right to privacy, including communications surveillance, can only be justified when prescribed by law, are necessary to achieve a legitimate aim, and are proportionate to the aim pursued.
    [Show full text]
  • Checkliste Datenverkehr Eu - Usa
    CHECKLISTE DATENVERKEHR EU - USA 1. Findet ein Datenverkehr mit den USA statt?1 ☐ Datenübermittlung in die USA an o Konzernunternehmen? o direkte Vertragspartner (laufende Projekte, Kooperationen etc)? ☐ Datenhosting in den USA? o Software-Hosting (z.B. HubSpot, Apple) o Clouds (z.B. Microsoft, Google, Amazon) o Mailings (z.B. Gmail, Mailchimp) ☐ Social Media Nutzung mit USA-Beteiligung? o Social Media Accounts (Facebook, Instagram, Twitter) o Social Media Fanpages o Social PlugIns 2. Ist das datenempfangende US Unternehmen ein „elektronischer Diensteanbieter“ wie in der beanstandeten Regelung des Section 702 Intelligence Surveillance Act (FISA) gefordert? ☐ Ja –> Weiter zu 3. ☐ Nein. 15.1. Werden sonstige Sicherheitsmaßnahmen vom US-Unternehmen getroffen, um etwaigen Datenzugriff Unberechtigter zu verhindern? ☐ Ich weiß es nicht. In diesem Fall können Sie einen Fragebogen (wie z.B. von NOYB) an das US Unternehmen schicken, um abzuklären, ob das Unternehmen unter die strengen Überwachungsgesetze der USA fällt, welche vom Europäischen Gerichtshof problematisch gesehen wurden. Das sind z.B.: - Telekommunikationsanbieter - Clouddiensteanbieter - Anbieter elektronischer Kommunikationsdienste - sonstige gesetzliche oder freiwillige Überwachungsmaßnahme von Seiten der US-Behörden, an denen das Unternehmen beteiligt ist? 3. Auf welcher Grundlage findet der Datentransfer statt? ☐ Privacy Shield –> Weiter zu 4. ☐ Standardvertragsklauseln (SCC) –> Weiter zu 5. ☐ Binding Corporate Rules (BRC) –> Weiter zu 6. ☐ genehmigte Vertragsklauseln –> Derzeit keine Änderung notwendig! ☐ ausdrückliche Einwilligung –> Prüfung von: 1 Falls auch nur ein Punkt bejaht wird –> Weiter zu 2. o Verträgen und Einwilligungserklärungen der Betroffenen, o Informationserteilung an Betroffene über Risiken in Drittland. -> Derzeit keine Änderung notwendig. ☐ Vertragserfüllung: o Verträge und AGB prüfen o Übermittlung ist für Vertragserfüllung zwischen der betroffenen Person und dem Verantwortlichen oder zur Durchführung von vorvertraglichen Maßnahmen auf Antrag der betroffenen Person erforderlich.
    [Show full text]
  • Gibson Dunn Paris | Data Protection – December 2020
    December 14, 2020 GIBSON DUNN PARIS | DATA PROTECTION – DECEMBER 2020 To Our Clients and Friends: Personal Data Watch Europe 11/27/2020 – Committee of Convention 108 | Guidelines | Children's data protection in education setting The Council of Europe’s Committee of Convention 108 published guidelines on children's data protection in an education setting. For further information: Council of the Europe Website 11/20/2020 – Presidency of the Council of the European Union | Progress report | ePrivacy Regulation The European Data Protection Board (EDPB) published a statement on the ePrivacy Regulation and the future role of Supervisory Authorities and the EDPB. In particular, the EDPB expressed its concerns about the latest developments regarding the enforcement of the future ePrivacy Regulation, which would create fragmentation of supervision, procedural complexity, as well as lack of consistency and legal certainty. For further information: EDPB Website 11/17/2020 – European Data Protection Supervisor | Opinion | European Health Data Space The European Data Protection Supervisor published a Preliminary Opinion on the European Health Data Space, which aims to highlight the essential elements to be taken into account in its elaboration from a data protection perspective. For further information: EDPB Website 11/10/2020 – European Data Protection Board | Document | Procedure for the development of informal Codes of Conduct sessions The European Data Protection Board (EDPB) published a document on the procedure for the development of informal “Codes of Conduct sessions”. For further information: EDPB Website 11/12/2020 – European Commission | Draft Standard Contractual Clauses The European Commission published two draft Standard Contractual Clauses: (i) the first to carry out an international transfer of data to a third country in the absence of an adequacy decision under Article 46 of the GDPR, and (ii) the second to regulate the relationship between data controller and data processor in accordance with the requirements of Article 28.
    [Show full text]
  • Worldwide Privacy Regulations Restricting Access to Genealogical Records Jan Meisels Allen
    IAJGS 38th International Conference on Jewish Genealogy August 6, 2018 Warsaw, Poland Worldwide Privacy Regulations Restricting Access to Genealogical Records Jan Meisels Allen Genealogists without records can’t do genealogy! We are facing crises worldwide on access to vital records due to misunderstandings by those in power about identity theft and fraud and due to budget cuts Privacy Someone's right to keep their personal matters and relationships secret Why Do We Care About Privacy? There are many people who value their privacy, and wouldn't dream of posting personal information about themselves or their family where everyone can see it. Some of those people are my cousins, and some of them are your cousins - but how could you and I hope to connect with them online given their concerns? Do You Want Your Information Available to Everyone? We want others to provide information to us. Do we want our personal information posted to the Internet? European Union Members 28 Countries Austria Belgium Bulgaria Czech Croatia Cyprus Republic Denmark Estonia Finland France Germany Greece Hungary Ireland Italy Latvia Lithuania Luxembourg Malta Netherlands Poland Portugal Romania Slovakia Slovenia Spain Sweden Until 3-29- United Kingdom 2019 European Union - 2 • 28 Countries until BREXIT takes place - 29 March 2019 • 500 million residents • Right to be forgotten/erased • Google has ~90% of Search Engine Market in Europe-varies by country • Since May 29, 2014 Google received 698,395 requests to delink from 2,615,742 URLs. They did not remove 44 percent of the URLs requested. • Fall 2016 CJEU ruled hyperlinking by third-party website (search engine) without consent of holder constitutes a "communication to the public“ and doing so is a violation of EU copyright directive.
    [Show full text]