This Week in Privacy: 19 April 2021
April 19, 2021
EU: EDPB releases opinions on draft UK adequacy decisions
The European Data Protection Board released its opinion regarding the European Commission's proposed adequacy decision for the UK.
The EDPB noted that there are key areas of strong alignment between the EU and the UK data protection frameworks on certain core provisions such as: grounds for lawful and fair processing for legitimate purposes; purpose limitation; data quality and proportionality; data retention, security and confidentiality; transparency; special categories of data; and on automated decision making and profiling.
However it also outlined a number of areas that should be further assessed and/or monitored by the Commission, including: possible future divergences creating risks for the maintenance of the level of protection provided to personal data transferred from the EU; the 'immigration exemption,' which the EDPB calls on the Commission to provide further information on, particularly in relation to its necessity and proportionality; the interplay between the UK data protection framework and its international agreements; the scenarios for which a lawful interception without approval by the Investigatory Powers Commissioner or the Judicial Commissioners are possible; bulk interceptions; and the overall safeguards provided under UK law when it comes to overseas disclosures.
International: CoE issues guidance on vaccine passports and human rights
The Council of Europe issued guidance on the safeguarding of human rights in the context of vaccine passports for COVID-19.
In particular, the Council highlighted four themes including:
- basis for the obligation of states to provide access to immunisation;
- vaccination certificates or 'vaccine passports' and their use;
- privacy and data protection; and
- security and public health risks.
The Council also emphasised the importance of harmonising or facilitating the process of certifying that someone is vaccinated, immune, or infection free provided that personal data is protected and measures to prevent counterfeiting are taken.
The Council also invited Member States to take action in line with Convention 108 and the Convention on Cybercrime.
USA: Senator introduces bill on protection of data from foreign surveillance
U.S. Senator Ron Wyden released a discussion draft of the Protecting Americans' Data from Foreign Surveillance Act to regulate the export of Americans' sensitive personal information.
The bill would create new safeguards against exporting sensitive personal information to foreign countries if doing so could harm U.S. national security. The draft legislation provides for several requirements including:
- directing the Secretary of Commerce to lead an interagency process to identify categories of personal data that, if exported by third parties, could harm U.S. national security;
- directing the Secretary of Commerce to compile a list of countries to which exports of Americans' personal data would not harm national security, and to require licenses for exports of the identified categories of personal data to other countries in bulk;
- exempting from the new export controls any data encrypted with NIST-approved algorithms, if the key protecting the data is not exported;
- applying export control penalties to senior executives who knew or should have known that employees below them were directed to illegally export Americans' personal data;
- creating a private right of action for individuals; and
- requiring the Commerce Department to publish quarterly reports on personal data exports.
Read more here and the bill here.