GDPR Compliance in Times of Crisis
What are the priorities of the supervisory authorities, what controls are being carried out, and what can businesses expect in the current health and economic context?
Although the CNIL clearly focuses its activities on the processing of health data, it has not abandoned its supervisory prerogatives in the broad sense.
First of all, there are numerous awareness-raising actions aimed at employers (see the September legal monitoring document), teachers and researchers faced with increased use of information technologies and artificial intelligence.
The CNIL also focused its investigations on the epidemic monitoring systems and the StopCovid application.
The head of its inspection department indicates in a recent publication that small businesses, SMEs and start-ups are therefore less subject to inspection.
The investigations have not been abandoned, however, especially since those responsible have had time to take the necessary compliance measures since the GDPR came into force.
These checks are carried out more on the basis of questionnaires and interviews, and unannounced checks are less frequent due to the crisis.
On-site checks are therefore preceded by 48 hours' notice.
Similar adaptations are taking place in many European countries, as evidenced by the recent Council of Europe report on the subject.
While flexibility has been shown, for example, when the legal deadline for responding to individuals' right of access to their data is exceeded, tolerance is significantly lower or non-existent when data processing is the core business of the inspected body.
In addition to the adaptation of control methods in times of crisis, there has been a change in the form of recourse available to individuals in the event of a violation of their rights.
The GDPR now allows complainants to be represented by public interest bodies, and many associations have seen their activities develop since 2018, such as “La Quadrature du Net” in France or “None of Your Business” in Austria.
We have seen them at work recently in legal actions concerning drone surveillance over Paris during the lockdown and in the context of demonstrations, and concerning the issue of data transfers to the United States (see the Schrems II ruling, discussed in our August legal watch).
These structures, which are increasingly better organized and financed, give new visibility to the problem of data protection.
Given the possible damages and sanctions provided for in the Regulation, they highlight the issues, not only from an ethical point of view, but also from a financial and strategic point of view.
These developments are the focus of an upcoming webinar organized on November 18 by the Privacy Platform of MEP Sophie In't Veld.
And also
France:
- The Council of State refuses to suspend the operation of the "health data hub", despite the risks associated with the transfer of this data to the United States.
The CNIL had highlighted the risks linked to Microsoft hosting the health data of people receiving treatment in France, and recalled the legality issues raised by the Schrems II ruling of the European Court of Justice.
Although it does not suspend the operation of the platform, the Council of State nevertheless recognizes the risks of transfer and requests that appropriate guarantees be put in place until a lasting solution has been found.
The CNIL will advise public authorities on this matter and will ensure, for requests for authorization of research projects in the context of the health crisis, that the use of the platform is technically necessary.
- The CNIL is offering an event dedicated to the right to portability on Monday, November 23, 2020 from 2:00 p.m. to 5:30 p.m.
This new right, enshrined in the GDPR, allows everyone to receive the personal data that he or she has communicated to a data controller, in a structured, commonly used and machine-readable format, and to transmit them to another data controller.
The debates will aim in particular to discuss concrete solutions to streamline the flow of data between services, while respecting the rights of individuals.
Europe:
- United Kingdom: Marriott International was fined 20 million euros on October 30 for a security breach, a significantly lower amount, although still substantial, than the 100 million euros initially announced by the UK data protection authority.
- The European Court of Justice delivered two important judgments on 6 October (La Quadrature du Net and Privacy International) in the area of the use of personal data by intelligence services.
It specifies the strict conditions under which communications data can be retained by operators and confirms the illegality of "mass" interception of this data by the intelligence services.
The Court further refutes the existence of a fundamental and collective right to security, which would justify a balancing with the fundamental rights to privacy and data protection.
- At its meeting on 21 October, the European Data Protection Board (EDPB) adopted guidelines on data protection “by design and by default”, which concretely illustrate how to ensure this protection from the design stage of an IT system.
International:
- Brazil has been equipped since October 19 with a College of Data Protection Commissioners for the management of its supervisory authority.
Of the five members appointed by the President of the Republic and confirmed by the Senate, three have primarily military experience, which makes it a rather unusual college.
- The Global Privacy Assembly virtually brought together around a hundred representatives of data protection authorities in mid-October.
The assembly adopted several resolutions concerning artificial intelligence, facial recognition and humanitarian aid. It has also published a collection of best practices related to the COVID-19 pandemic.
- UNICEF prepares guidelines to protect children's rights in the context of the development of artificial intelligence. The project is available online and its final version will be published in 2021.
Anne Christine Lacoste
Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.