By Ivan Blomqvist.
ePrivacy Regulation (ePR)
The “Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)”, also known as the ePrivacy Regulation (ePR), is a proposed legal act of the European Union, enforceable as law in all member states, that intends to focus on a more expansive regulation of electronic communications by outlining data security laws and reinforcing rules regarding the electronic transfer of data.
Noncompliance with the ePrivacy Regulation could mean penalties of up to 20 million euros or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
ePrivacy Regulation objectives
The ePrivacy Regulation plans to account for the new players providing electronic communications services like WhatsApp and Skype, while benefiting from one single set of rules across all of the European Union.
It also looks to simplify the provision of cookies by utilizing rules that are friendlier to users and to prohibit unsolicited electronic communications, commonly referred to as spam, such as emails, text messages and automated calls. Additionally, the ePR seeks to repeal the Privacy and Electronic Communications Directive (Directive 2002/58/EC), also referred to as the ePrivacy Directive (ePD), while also overriding the General Data Protection Regulation (GDPR) on specific matters (lex specialis).
Since its inception in 2017, the ePR has been the subject of many discussions in the Council of the European Union. But, despite its progress, common ground could not be found on some matters, such as the protection of terminal equipment information, the processing of electronic communications data by third parties, and the cooperation among data protection and telecommunications regulatory authorities.
In 2020, the current Presidency of the Council of the European Union released a newly revised draft of the ePrivacy Regulation that focuses on metadata and on what can be considered “legitimate interests” for processing it and for placing cookies on end-users’ devices.
In March 2020, the current presidency invited all delegations to provide their final comments on the proposed draft, so that negotiations with the European Parliament can begin as soon as possible. Should the ePR be finally approved, it will finalize the European Union’s framework regarding the protection of data and the confidentiality of electronic communications.
By Maria Sol Porro, Trademarks Lawyer, and University Professor
Our photos in the “cloud”
The new filter that lets users age their faces has made FaceApp number one in downloads, on the one hand, and put it in the eye of the storm, on the other. The alarm was raised when it was discovered that the app does not notify users at any time that the photos are processed in the “cloud”. When a photo is uploaded so that the faces appear older, younger or of another sex, the application sends it to a server that processes the file and returns it to us with the desired retouching, giving access to that data to all the companies of the Russian group “Wireless Lab”, the owner of FaceApp, as well as to unknown companies that become “affiliates.”
FaceApp, available on iOS and Android, explains that it does not rent or sell its users’ information to third parties outside of FaceApp (or the group of companies that FaceApp is a part of) without their consent, but it also states that it can share user information without explicit consent with third-party organizations that help it provide the service. Again, the famous application would not be fully complying with the requirements in force under the General Data Protection Regulation in the case of the EU.
Are we the customer or are we the product that is sold?
In this context, FaceApp acknowledges in its latest press release that it is working to improve the quality of this service. However, it has not updated its conditions of use since 2017, forcing the user to look for them within the website. This means that almost nobody stops to check what information is going to be shared with the application and what use will be made of it. Faced with this reality, the debate makes us wonder: if a service is free on the internet, are we the customer or are we the product that is sold?
Source: www.abc.es
Fines for Infringement of the Data Protection Law
The National Authority for the Protection of Personal Data (ANPDP), which belongs to the Ministry of Justice, imposed fines totaling USD 232,271 on public and private institutions for infringement of the personal data protection law.
According to the Peruvian law which governs this matter (Law No. 29733 of Protection of Personal Data of Peru), the processing of personal data requires, as a general rule, obtaining the free, prior, informed, express and unambiguous consent of its owner, except as provided in the law. Likewise, security measures must be implemented to protect the collected personal data, such as documenting security protocols for access and privilege management, as well as periodically reviewing the aforementioned privileges, among others.
Case: Fine for infringement of the Data Protection
An example of this new policy followed by the National Data Protection Authority is one of the most recent sanctions, imposed on “Supermercados Peruanos S.A.”, which had collected personal data without the authorization of its clients. Likewise, security measures were not implemented and the Authority was not notified of the transfer of data outside the Peruvian territory.
During 2018, the ANPDP also prepared 105 final reports of instruction, made 283 visits to public and private institutions on personal data, and issued 3,278 resolutions on the National Registry of Personal Data Protection. In this sense, and in order to inform data managers, it trained more than 1,700 people at various events, handled 689 queries on the interpretation of data protection legislation, and produced the first Report on Supervision of Transparency Portals Standard of public entities.
In this way, it is important to highlight that these new measures clearly demonstrate that the ANPDP is fully committed to the actions necessary to guarantee the right to the protection of personal data in Peru, in line with the new measures taken by several Latin American countries and the EU.
Source: https://gestion.pe/economia/