Data Protection - Summer 2021

This summer many academic legal 📄 and security 🔒 related articles have been published. A clear trend is visible in the assessment of organisations and their concrete security measures, as seen in the Schrems II follow-up and in the focus of supervisory authorities (SAs) in their enforcement.

🇪🇺 European developments

The EDPB 🇪🇺 adopted its opinion on the European Commission’s draft adequacy decision for the Republic of Korea 🇰🇷.

The EDPB focused on general GDPR aspects and access by public authorities to personal data transferred from the European Economic Area (EEA) to the Republic of Korea for the purposes of law enforcement and national security, including the legal remedies available to individuals in the EEA.
EDPB adopts opinion on draft South Korea Adequacy Decision | European Data Protection Board

EC 🇪🇺 starts an infringement procedure against Belgium 🇧🇪

The European Commission will launch an infringement procedure against Belgium following complaints that the Belgian privacy regulator's ability to act independently is compromised because several of its members are also affiliated with the government.

EU to take legal action targeting Belgian privacy regulator
The Belgian regulator’s ability to act independently is in doubt because several of its officials are also affiliated with the government.

Case law

EDPS 🇪🇺 published a case law digest: Transfers of personal data to third countries

Case Law Digest 2021: Transfers of personal data to third countries
From Lindqvist to Schrems II: case law of the CJEU on transfers of personal data to third countries

The unsurprising decision by Germany’s highest civil court, Bundesgerichtshof, specified the scope of data subject access requests. The court held that Article 15 GDPR also covers information already known about the data subject, previous correspondence and notes of internal processes or internal communications related to the data subject.

Judgment of the Sixth Civil Senate of 15 June 2021 - VI ZR 576/19 -

Belgian Council of State 🇧🇪 Considers Encryption in principle a Sufficient Measure for U.S. Data Transfers

The decision was made in the context of a tender granted by the Flemish Authorities to a company that used AWS cloud services. An unsuccessful tender participant had challenged the outcome of the tender process before the Council of State, deploying several arguments, including that a lack of appropriate safeguards for data transfers to AWS in the U.S. infringed the GDPR’s restrictions on data transfers in light of the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case.
Belgian Council of State Considers Encryption a Sufficient Measure for U.S. Data Transfers
The Belgian Council of State recently confirmed a decision of the regional Flemish Authorities to contract with an EU branch of a U.S. company using Amazon Web Services, stating that the use of U.S. cloud services in itself does not infringe on the GDPR.

Supervisory Authorities

Luxembourg's SA 🇱🇺 fined Amazon Europe Core EUR 746m

The Luxembourg National Commission for Data Protection, CNPD, imposed a fine of EUR 746 million on Amazon Europe Core. This decision is the result of a collective complaint sent to the CNIL by the association La Quadrature du Net (LQDN). In application of the cooperation procedures between authorities established by the GDPR, the CNPD was competent to deal with this case, as Amazon Europe Core is established on its territory. The CNIL cooperated closely with the CNPD throughout the procedure, both during the checks and the analysis of the evidence obtained and later during the examination of the draft decision under the one-stop-shop procedure.
The Luxembourg data protection authority has imposed a fine of EUR 746 million on Amazon Europe Core | CNIL
This decision originates from a collective complaint that had been sent to the CNIL by the association La Quadrature du Net (LQDN). Under the cooperation procedures between authorities established by the GDPR, it was the CNPD that was competent to handle this case, the company Amazon Euro…

DPC fines 🇮🇪 WhatsApp EUR 225 Million for transparency violations

The DPC announced a fine of €225 million against WhatsApp Ireland Ltd for failure to meet the transparency requirements of Articles 12-14 GDPR.

CNIL 🇫🇷 fines Monsanto EUR 400k for processing without informing 200 individuals

The U.S.-based biotechnology firm Monsanto Company was fined by the CNIL for violating an individual's right to know under the GDPR. Monsanto allegedly held a file carrying personal information of 200 individuals without informing them what data was collected. Information gathered included individuals' occupations, company address and phone number, as well as personal mobile number and email address.

Lobbying file: EUR 400,000 fine against MONSANTO | CNIL
In May 2019, several media outlets revealed that MONSANTO held a file containing the personal data of more than 200 political figures or members of civil society (for example journalists, environmental activists, scientists or farmers) …

Garante 🇮🇹 fines Deliveroo EUR 2.5m & Foodinho EUR 2.6m over AI algorithm use

The investigation found that the platform’s use of algorithms to automatically penalise riders by excluding them from job opportunities if their ratings fell below a certain level was discriminatory, and the fact that there was no opportunity for human review nor the ability to challenge the decision contravened GDPR. [...] a controller should be able to show that its algorithm is not discriminatory.

AP 🇳🇱 imposed a fine of EUR 750k on TikTok for violating the privacy of young children and lack of transparency

The Dutch DPA previously investigated TikTok for alleged children’s privacy violations and submitted a report of its findings to the company in October 2020. As a result of its investigation, the Dutch DPA found that the notice provided to Dutch users when installing and using the TikTok app was in English and not easily and readily understandable to users, thereby violating the GDPR's transparency principle.

TikTok fined for violating children’s privacy

DPC 🇮🇪 launches two inquiries into TikTok concerning compliance with GDPR requirements relating to the processing of children's personal data and transfers of data to China

Data Protection Commission
The Data Protection Commission (DPC) has today commenced two own-volition inquiries pursuant to section 110 of the Data Protection Act 2018 in relation to TikTok Technology Limited’s (TikTok) compliance with requirements of the GDPR.

Datatilsynet 🇳🇴 fined Ferde AS, a Norwegian toll company, EUR 496k for data transfer to China

Through a report on the state-owned broadcasting company NRK, the Norwegian DPA became aware that Ferde AS was transferring information on passages in toll rings to a data processor in China. On this basis, the DPA initiated an investigation into whether Ferde has implemented routines and measures to ensure adequate information security for the information transferred to China.
Fine for Ferde AS
Datatilsynet imposes an administrative fine of NOK 5 million on the Norwegian toll company Ferde. Among other things, the company is alleged to have unlawfully transferred personal data about Norwegian motorists to China.

Datatilsynet 🇳🇴 chooses not to use Facebook

What are the privacy risks associated with communicating through a Page on Facebook? And what kind of responsibility for the processing of personal data may we have as the owner of a Page? We have carried out a risk assessment and a DPIA of Facebook, based on the obligations that follow from data protection regulations.
Norwegian Data Protection Authority chooses not to use Facebook

Hamburg SA 🇩🇪 warns its government against using Zoom because of data transfers to the US

The HmbBfDI has formally warned the Senate Chancellery of the Free and Hanseatic City of Hamburg (FHH) against using the video conferencing solution from Zoom Inc. in the so-called on-demand variant. This use violates the GDPR, as it involves the transfer of personal data to the US, and according to the Schrems II judgment there is no adequate protection for such data in that third country.
Senate Chancellery formally warned against using "Zoom"
The official information and service offering of the Hamburg Commissioner for Data Protection and Freedom of Information

Datatilsynet 🇩🇰 seriously criticises Helsingør Kommune in Chromebook case

As the municipality had not assessed this [risk], the municipality also did not have evidence that the configuration had been done in a way that was appropriate to the risks to data subjects.
Serious criticism of Helsingør Kommune in Chromebook case
Datatilsynet has decided the first in a series of cases concerning the use of Google Chromebooks and G Suite for Education (now called Workspace) in primary schools.

Garante 🇮🇹 publishes updated Guidelines on Cookies and Other Tracking Technologies

The guidelines relate not just to cookies but also to other types of identifiers (such as fingerprinting and radio-frequency identification tags). Providing consent through scrolling or cookie walls is not permitted. Re-displaying banners to seek consent when a user has already expressed preferences for the relevant website is prohibited.

CNIL 🇫🇷 has updated its PIA software and templates

Privacy Impact Assessment (PIA) | CNIL
Where a processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out a privacy impact assessment.
The open source PIA software helps to carry out data protection impact assessment | CNIL
Who can use the PIA software? The tool is mainly addressed to data controllers who are slightly familiar with the PIA process. In this regard, a stand-alone version can be downloaded and easily launched on your computer. It is also possible to use the tool on an organisation’s servers in order to in…

ICO 🇬🇧 has published a new resource to help public sector organisations understand when the direct marketing rules will apply to their messages

New guidance on direct marketing and the public sector
The Information Commissioner’s Office (ICO) has published a new resource to help public sector organisations understand when the direct marketing rules will apply to their messages. The guidance is aimed at those responsible for data protection within public sector organisations.

Literature

Article - Digital welfare fraud detection and the Dutch SyRI judgment

In 2020, a Dutch court passed judgment in a case about a digital welfare fraud detection system called Systeem Risico Indicatie (SyRI). The court ruled that the SyRI legislation is unlawful because it does not comply with the right to privacy under the European Convention of Human Rights. In this article we analyse the judgment and its implications. [...] The judgment reminds policymakers that fraud detection must happen in a way that respects data protection principles and the right to privacy. The judgment also confirms the importance of transparency if personal data are used.
“Digital welfare fraud detection and the Dutch SyRI judgment” by Frederik Zuiderveen Borgesius
Berkeley Electronic Press Selected Works

Article: How machine-learning recommendations influence clinician treatment selections: the example of antidepressant selection

Decision support systems embodying machine learning models offer the promise of an improved standard of care for major depressive disorder, but little is known about how clinicians’ treatment decisions will be influenced by machine learning recommendations and explanations. [...] More generally, our findings challenge the common assumption that clinicians interacting with ML tools will perform better than either clinicians or ML algorithms individually.
How machine-learning recommendations influence clinician treatment selections: the example of antidepressant selection - Translational Psychiatry

Paper: Not Directly Stated, Not Explicitly Stored: Conversational Agents and the Privacy Threat of Implicit Information

Our first point is that meaning that is expressed implicitly is an integral part of natural language, implying that agents that have the ability to engage in a fully humanlike dialogue will also have the ability to manipulate implied meaning. As a result, such agents will be capable of acquiring sensitive information about users that is not directly stated. Users have little awareness of or control over information that is implicitly communicated. Our second point is that in today's search and recommender systems user profiles are not explicitly stored. As a result, it is not obvious that a user is being targeted on the basis of implicit person-specific information.
Not Directly Stated, Not Explicitly Stored | Adjunct Proceedings of the 29th ACM Conference on User Modeling, Adaptation and Personalization

Article: An Institutional View Of Algorithmic Impact Assessments

This Article combines insights from governance, organizational theory, and computer science to analyze how future AIA regulations will be implemented on the ground. Institutional logics, such as liability avoidance and the profit motive, will render the first goal—early consideration of social impacts—difficult in the short term.
An Institutional View Of Algorithmic Impact Assessments
Scholars and advocates have proposed algorithmic impact assessments (AIAs) as a regulatory strategy for addressing and correcting algorithmic harms. An AIA-base

Article: Is That Your Final Decision? Multi-Stage Profiling, Selective Effects, and Article 22 of the GDPR

* Provisions in many data protection laws require a legal basis, or at the very least safeguards, for significant, solely automated decisions; Article 22 of the GDPR is the most notable.
* Little attention has been paid to Article 22 in light of decision-making processes with multiple stages, potentially both manual and automated, and which together might impact upon decision subjects in different ways.

Article: Do data breaches damage reputation? Evidence from 45 companies between 2002 and 2018

These results suggest that current regulatory guidance may not provide complete incentives for firms to invest in cybersecurity capabilities, particularly for small- to medium-sized breaches.
Do data breaches damage reputation? Evidence from 45 companies between 2002 and 2018
Abstract. While data breaches have become more common, there is little evidence that companies that incur them experience a persistent decline in financial perf

Handbook: Handbook on non-discriminating algorithms

Algorithms are used increasingly frequently for risk-based operations and automated decision-making. However, this approach carries a great risk, especially with machine-learning systems, namely, that it is no longer clear how the decision-making takes place.
Handbook on non-discriminating algorithms | Tilburg University

Article: Smartphone platforms as privacy regulators

Tool: Assembling Accountability: Algorithmic Impact Assessment for the Public Interest

The Algorithmic Impact Assessment is a new concept for regulating algorithmic systems and protecting the public interest. Assembling Accountability: Algorithmic Impact Assessment for the Public Interest is a report that maps the challenges of constructing algorithmic impact assessments (AIAs) and provides a framework for evaluating the effectiveness of current and proposed AIA regimes.
Assembling Accountability: Algorithmic Impact Assessment for the Public Interest

DPIA follow-up: Google mitigates 8 high privacy risks for Workspace for Education

Google has agreed to act as data processor for the Diagnostic Data about the individual use of the services. In its role as data processor, Google may only process the personal data for the three (fixed) purposes authorised by the schools and universities, instead of the current 17 dynamic purposes.
Google mitigates 8 high privacy risks for Workspace for Education - Blogpost
Google has agreed to major privacy improvements for its Google Workspace for Education services for schools and universities in the Netherlands. After intense negotiations with representatives of the schools and higher education institutions in the Netherlands, Google has agreed to mitigate the high…

NOYB files 422 formal GDPR complaints on cookie banners with ten EU data protection authorities

NOYB has filed 422 complaints with ten EU data protection authorities. The move came after it sent written warnings and draft complaints to more than 500 companies on May 31, 2021.
About 42% of all violations were remedied within 30 days. However, 82% of all companies have not fully stopped violating the GDPR (meaning some fixed some of the violations and some fixed none at all).
noyb files 422 formal GDPR complaints on nerve-wrecking “Cookie Banners”
Today we filed 422 + 36 complaints on “cookie banners” with ten European Data Protection Authorities.

Report: Beyond Debiasing: Regulating AI and its Inequalities

EDRi's latest report "Beyond Debiasing: Regulating AI and its Inequalities", authored by Agathe Balayn and Dr. Seda Gürses, argues that policymakers must tackle the root causes of the power imbalances caused by the pervasive use of AI systems. In promoting technical ‘debiasing’ as the main solution to AI-driven structural inequality, we risk vastly underestimating the scale of the social, economic and political problems AI systems can inflict.

Blog: Embedding the new standard contractual clauses in IT contracts

The new SCCs will affect not only new agreements but also existing agreements after a short transition period. The SCCs require a proper assessment of the data transfer and provide for the possibility of suspending the transfer, which might impact the continued performance of the related agreement.

Considerations on embedding the new standard contractual clauses in IT contracts
Authors: Heidi Waem and Nicolas Becker On 4 June 2021, the European Commission released the final version of the new Standard Contractual Clauses (new SCCs) (see our blogpost here). This new set of clauses was launched in the aftermath of the CJEU’s Schrems II decision and includes specific wo

List: Currently pending CJEU 🇪🇺 data protection cases by Legalbeetle and their details by FPF

What are the questions that the Court is asked to clarify next? This overview includes a preview of the most interesting cases where the CJEU is expected to weigh in.

Compliance: AWS provides some features for adjusting data protection settings in Web Services and new SCCs form part of Data Protection Addendum

How AWS is helping EU customers navigate the new normal for data protection | Amazon Web Services
Achieving compliance with the European Union’s data protection regulations is critical for hundreds of thousands of Amazon Web Services (AWS) customers. Many of them are subject to the EU’s General Data Protection Regulation (GDPR), which ensures individuals’ fundamenta…

Compliance: Microsoft updates its Products and Services Data Protection Addendum

Mapping: GDPR Guide to National Implementation by White & Case

The GDPR does not create total uniformity. Despite the fact that it is a Regulation, the GDPR does not create completely identical privacy and data protection rules across all Member States. Instead, it permits or requires Member States to implement specifications or restrictions on certain rules set out in the GDPR.
GDPR Guide to National Implementation | White & Case LLP

Mapping: Global Comprehensive Privacy Law Mapping by CNIL and IAPP

Data protection around the world | CNIL
Global Comprehensive Privacy Law Mapping Chart
Comprehensive data protection laws exist across the globe. The Westin Research Center has created this chart mapping several comprehensive data protection laws, including the laws in the U.S., to assist our members in understanding how data protection is being approached around the world.

Tool: SCCs Generator

(Probably the World’s First) SCC Generator – European Essential Guarantees Guide
The European Essential Guarantees Guide (EEGG) is a global project focusing on Governmental Surveillance and Data Retention laws for assessing the lawfulness of international data transfers under the GDPR, among others.

Technology

WhatsApp, backdoors and traceability

The ostensible goal of the new legislation is to make it possible for police to track down those who originate or disseminate this content. Put simply, what the authorities say they want is a means to identify a piece of content (for example, a video or a meme) that has gone to a large group of people, and then trace the content back to the WhatsApp account that originally sent it.

Article: Wireless Charging Power Side-Channel Attacks

This paper shows that today’s wireless charging interface is vulnerable to power side-channel attacks; a smartphone charging wirelessly leaks private information about its activity to the wireless charger (charging transmitter).

Article: Light Ears: Information Leakage via Smart Lights

In this paper, we design and evaluate novel attacks that take advantage of light emitted by modern smart bulbs in order to infer users’ private data and preferences. The first two attacks are designed to infer users’ audio and video playback by a systematic observation and analysis of the multimedia-visualization functionality of smart light bulbs.

Cyber attacks by state actors - seven moments to stop an attack

This publication by the AIVD and MIVD provides insight into the threat of cyber attacks and practical tips for recognizing and preventing an attack.
AIVD/MIVD publication: Cyber attacks by state actors - seven moments to stop an attack
The cyber threat against the Netherlands has increased sharply in recent years. This publication by the AIVD and MIVD provides insight into the threat of cyber attacks and gives practical tips for recognising and preventing an attack.

Media

Afghans are racing to erase their online lives

Every photo and every data point is a link to the old way of life in Afghanistan – and a reason for Taliban retribution

Fingerprinting ad blockers, or: How Your Ad Blocker Can Track You Across the Web

How Your Ad Blocker Can Track You Across the Web
A few lines of code hidden away on a webpage can turn your blocked ads into a unique ID.

🇳🇱 Dutch developments

Licence plate cameras also scanned faces and used them for criminal investigation without a legal basis

Licence plate cameras also scanned drivers’ faces
Investigation: The faces of motorists were used for criminal investigation without a legal basis.

Case law

Rechtbank Rotterdam: EUR 2.5k non-material damages for a single long-lasting unlawful processing

[N]ow that the respondent, by retaining and processing the reports containing the applicant’s personal data, acted in breach of the GDPR and thereby infringed the applicant’s right to respect for private life. As to the amount of compensation to be determined, it is relevant that the privacy-sensitive personal data were retained by the respondent for a period of approximately ten years, despite several requests by the applicant to destroy the data. The court considers it sufficiently plausible that in those ten years the applicant’s personal data were processed and that several persons and/or bodies were able to take note of their content without being entitled to do so, and that the applicant suffered non-material damage as a result.

By retaining and processing reports containing the applicant’s sensitive personal data, the municipal executive (college van B&W) acted in breach of the GDPR. The executive infringed her right to respect for private life. This qualifies as an injury to the person (Article 6:106b BW).

The court takes into account that the sensitive personal data were retained for ten years despite repeated requests for deletion. There is therefore a high likelihood that several persons and organisations viewed the data, unlawfully, during those ten years. The court therefore awards damages of EUR 2,500 instead of the EUR 25k claimed.

ECLI:NL:RBROT:2021:6822, Rechtbank Rotterdam, ROT 20/3286

Rechtbank Den Haag: Claims for non-material damages do not fit within data subject requests (Articles 15-22 in conjunction with Article 35 GDPR)

ECLI:NL:RBDHA:2021:9925, Rechtbank Den Haag, C/09/608204 / HA RK 21-96

Rechtbank Amsterdam: Briton sues Microsoft Ireland in the Netherlands

The Dutch court declares that it has no jurisdiction to hear the request.

ECLI:NL:RBAMS:2021:3670, Rechtbank Amsterdam, C/13/696660 / HA RK 21-37

Rechtbank Rotterdam: Right of access extends to audio recordings

5.8 [name of respondent] claims that Magnum Fx be ordered to provide, within two weeks of service of the judgment, a digital copy of all audio recordings it has made of telephone conversations between Magnum Fx and third parties engaged by her
6.4 orders Magnum Fx to provide, within two weeks of service of this judgment, a digital copy of all audio recordings it has made of telephone conversations between Magnum Fx and third parties engaged by her
ECLI:NL:RBROT:2021:8865, Rechtbank Rotterdam, C/10/613404 / HA ZA 21-150

Rechtbank Midden-Nederland: Police officer committed computer trespass by looking up dates in police systems

The defendant made unauthorised use of police systems through non-work-related queries. The court qualifies this as intentionally and unlawfully intruding into an automated work within the meaning of Article 138ab of the Dutch Criminal Code. Using login credentials for purposes outside the limits of her authorisation is regarded by the court as the use of a false key within the meaning of Article 138ab(1)(c) of the Dutch Criminal Code.
ECLI:NL:RBMNE:2021:4656, Rechtbank Midden-Nederland, 16.257082.20 (P)

Government

10 concrete information security and privacy protection requirements for connecting to CoronaCheck

Requirement 1. Application by a legally authorised representative
Requirement 2. Compliance with NEN 7510/7512/7513
Requirement 3. Compliance with NTA 7516
Requirement 4. Secure data transport
Requirement 5. Modern encryption ciphers
Requirement 6. PKIoverheid certificates
Requirement 7. DPIA
Requirement 8. Websites compliant with W3C standards
Requirement 9. Pentest of systems in the CoronaCheck chain
Requirement 10. Internet.nl qualification for websites and email addresses
Information security and privacy protection requirements for CoronaCheck

Compliance with European privacy rules by government bodies

State Secretary Knops (BZK) answers questions about compliance with the European privacy rules of the GDPR at (implementing) bodies. The answers briefly describe what each government body has set up for GDPR compliance and give little insight into where the pain points are.

Answers to parliamentary questions about compliance with European privacy rules by (government) bodies
State Secretary Knops (BZK) answers questions about compliance with the European privacy rules of the General Data Protection Regulation (GDPR) at (implementing) bodies. Member of Parliament Verhoeven (D66) asked these questions.

Police states in its 2020 annual report that it does not comply with the GDPR

The maturity of privacy management is not yet sufficient. The Privacy sub-portfolio gives direction to the required development. In certain cases it is not yet possible to meet all conditions. This is partly a matter of time (mitigate) and partly caused by an overly complex Wpg (accept). The latter is currently being rewritten by the ministry. In addition to the residual risks, this risk is also accepted.
Police annual report 2020
Report on the performance of the police in 2020.

Police hacks with commercial software carrying privacy risks, according to the Inspectorate of Justice and Security (Inspectie JenV)

In addition, in 2020 commercial software was used in almost all cases, with the supplier having access that the police cannot restrict or monitor. The Inspectorate concludes that as a result, risks cannot be ruled out as regards the reliability of evidence obtained with the hacking power and the privacy of the data subjects.
Report: Supervision of the statutory hacking power of the police 2020
The Inspectorate of Justice and Security reports a number of concerns in its report on the supervision of the statutory hacking power of the police in 2020. For the second year in a row, in 2020 the police did not fully record what it did when hacking suspects’ devices. As in…

Privacy scan by BMC of Burgernet

Not in all cases are the formal roles and responsibilities in the cooperation between the participating parties sufficiently described. [...] To prevent possible ambiguities in the future, a number of recommendations are made. These mainly concern formalising the role of the Police as controller, the role of the LPB and the role of the participating municipalities. In addition, some recommendations are made to increase transparency towards data subjects and to specify the security requirements for processors in more detail.
Privacy scan Burgernet
The report contains a privacy scan of the processing of personal data in the performance of tasks by Burgernet.

Police uses controversial Chinese drones for criminal investigation

The police state that they ‘cannot rule out that their data ends up on Chinese servers.’

Police uses controversial Chinese drones for criminal investigation - Investico
The National Police uses drones from the controversial Chinese tech company Da Jiang Innovations (DJI), despite several indications that images and other drone data can leak to the Chinese government. According to various experts, the police does too little to eliminate that risk…

Ethnic profiling: we do not have to accept it

This week the court ruled in the case of, among others, Mpanzu Bamenga and Controle Alt Delete about ethnic profiling by the Koninklijke Marechaussee. The court ruled that ethnicity is part…

The Sociale Verzekeringsbank (SVB) will shortly publish a register of frequently used algorithms

That register lists which algorithms the SVB uses and how they work. A list of contact persons for requesting technical information will also be published.

SVB: algorithms give citizens what they are entitled to - Government, data and algorithms
The Sociale Verzekeringsbank (SVB) uses algorithms. How does it involve citizens in this? And how are citizens protected against risks?

Compliance & supervision

SURF Taskforce Beyond Privacy Shield with use cases

The Court of Justice of the European Union has declared the EU-US Privacy Shield invalid. This has major consequences for the use of services by SURF and its members. Only by working together can we make progress on this complex subject.
What can the SURF Taskforce Beyond Privacy Shield do for you?
The invalidation of the EU-US Privacy Shield has major consequences. The SURF Taskforce Beyond Privacy Shield is working on a solution.

Media

FD: mega fine for WhatsApp – Transparency sounds good, but barely improves privacy

The European watchdogs demand of WhatsApp, and thereby of every organisation, that they write down in the smallest detail which data are used for which purposes and under which conditions: moreover, this must often even be in the difficult terminology of the GDPR. The supervisors also take the view that this paper tiger can no longer be presented to the web surfer in summarised and ‘layered’ form (that is, in a short click-through pop-up) if that would lead to ‘somewhat incoherent’ provision of information.
93rd FD Column: The mega fine for WhatsApp – Transparency sounds good, but barely improves privacy | axelarnbak.nl