Romanian civil society disputes the legality of implementing facial recognition technology


Several non-governmental organizations sent an OPEN LETTER (https://dpo-net.ro/wp-content/uploads/2019/10/OPEN-LETTER-implementing-the-facial-recognition-system.pdf) to the Romanian authorities expressing concern about respect for the fundamental principles of privacy in the implementation of the facial recognition system that is to be acquired by the General Inspectorate of the Romanian Police, and at the same time publicly formulating several requests.

"We underline the fact that the signatory organizations do not position themselves against the implementation of new technologies meant to bring more security to the inhabitants of Romania, supporting instead a responsible approach that respects the right to privacy, in accordance with the applicable national and European legislation. The acquisition specification documentation disregards the obligation to establish adequate guarantees for the rights and freedoms of individuals, which will result in the acquisition of a facial recognition system that cannot be used under legal conditions.

The General Inspectorate of the Romanian Police, subordinated to the Ministry of Internal Affairs, had to carry out an impact assessment before starting any action related to the processing of personal data, such as the purchase of the software application, and to include fundamental criteria to ensure compliance. The principles of "privacy by design" and "privacy by default" should be included in all specifications. The signatory organizations consider that the decision to implement a mass monitoring system aimed at all the residents of Romania should have been taken, in accordance with the legal requirements, following a real and transparent risk assessment process involving both the National Supervisory Authority for Personal Data Processing and civil society. The absence of this process leads us to view with skepticism both the legality of the implementation of this system and its ability to fulfil its purpose without affecting the rights of all the inhabitants of Romania," the signatories conclude.

In order for the technical solution to be compliant, the NGOs request that the following proposed actions be considered:

  1. cancellation of the procurement procedure in question;
  2. identifying or elaborating a legal framework that expressly regulates such a mass monitoring system;
  3. conducting an evaluation of the impact of data processing for this type of processing;
  4. consulting civil society on the use of a facial recognition system;
  5. consulting the authority on the outcome of the evaluation of the impact of the processing in order to establish with it the appropriate measures that will be put in place to protect the data subject's rights, freedoms, and legitimate interests;
  6. drafting of new documentation containing express requirements regarding the technical and organizational measures that the system must include from the moment of conception;
  7. establishing at least 70% of the weighting of the selection criterion on "The effectiveness of the search/comparison algorithm", this being by far the most important aspect of this system;
  8. imposing selection criteria regarding the demonstration of technical and professional capacity, by requiring proof of similar experience in implementing a comparable system and recommendations issued by its beneficiaries, as well as proof of having a data privacy specialist who will assist throughout the implementation of the system and the training of the contracting authority's personnel.

The organizations that submitted the letter to the authorities are:

dpo-NET.ro warned about the risks and controversies associated with using this type of mass monitoring system in an article published a month ago, in which we analyzed the contradictory trends regarding the use of these technologies worldwide.

We are glad that such a sensitive and important subject has not gone unnoticed by civil society.

We will follow closely the effects of this open letter, hoping that the authorities will take this step seriously and will understand, even at this late hour, that ignoring their legal obligations when implementing such a technology will act like a poisoned apple, feeding the population's distrust in the capacity of the Romanian Police to ensure their safety.


This article is protected by the applicable legal provisions, and its copying, reproduction, recompilation, modification, and any other form of exploitation are prohibited. Articles published on DPO-NET.RO may be reproduced only up to a maximum of 500 characters, not exceeding half of the total character count, and with mandatory citation of the source with an active link. Any deviation from this rule constitutes a violation of Law 8/1996 on copyright. If you are interested in reproducing the news and articles published on DPO-NET.RO, please contact us.

FREE Webinar „New Trends in Cyber Security” – 15th April 2021, 9:30-12:30 (registration required)


The National Association for Information Systems Security (ANSSI), together with its partners, organizes a series of technology seminars where new and innovative solutions are presented.

The presentations are accompanied by relevant practical examples, and the topics are clarified in extended question-and-answer sessions, ensuring a thorough understanding of all relevant concepts.

Topics:

  • NIS Directive,
  • New Cyber Threats,
  • Secure Home and Remote Office,
  • Software-based VPN with the security level of a hardware solution,
  • Secure Internet Browsing,
  • Hard Disk Encryption,
  • Rugged Products - Living examples,
  • Highest security for your data on-premise, hybrid and in cloud-native infrastructures,
  • Software Defined Network Infrastructure.

Speakers:

  • Dan CIMPEAN, General Director of CERT-RO (video message),
  • Dragos PREDA, former State Secretary for Communications,
  • Ioan-Cosmin MIHAI, cybercrime training officer at the European Union Agency for Law Enforcement Training - CEPOL,
  • Mihai SCEMTOVICI, General Manager Solvit Networks,
  • Kurt KIRCHBERGER, ROHDE & SCHWARZ Cybersecurity,
  • Lutz LINZENMEIER, LANCOM Systems GmbH,
  • Jacek WIELGUS, Panasonic System Communications Company Europe.

Moderator: Toma CIMPEANU, CEO ANSSI

In order to attend the webinar, registration is required at https://attendee.gotowebinar.com/register/7419559853837705483

Please select “Show in My Time Zone” to show the correct time. After registration, you will receive the access link. The event will be held in English.


Germany: Using Mailchimp to send newsletters to the EU is illegal. Do we have other solutions?


Following a complaint regarding non-compliance with Art. 44 GDPR, the German supervisory authority (BayLDA) found it unlawful for a German company (FOGS Magazin, Munich) to use the services of Mailchimp (The Rocket Science Group LLC, USA) to send newsletters, as Mailchimp may qualify as an "electronic communications service provider" under US surveillance law, and the EU data controller had not assessed this risk.

The German supervisory authority (BayLDA) presented the following arguments:

  • Mailchimp qualifies as an "electronic communications service provider" under US surveillance law (FISA702 (50 USC § 1881)). Therefore, the transferred email addresses may be at risk of being accessed by US intelligence services.
  • In the light of the CJEU decision "Schrems II" (C-311/18), the respondent failed to assess whether additional measures were in place to ensure that the transferred data was protected against US surveillance.
  • The data transfer was based only on the EU standard data protection clauses (Standard Contractual Clauses, SCC).

As FOGS Magazin stated that it would immediately stop using Mailchimp, the German Supervisory Authority (BayLDA) did not impose a fine or a corrective measure.

"Following our investigation, the controller informed us that it used Mailchimp twice to send newsletters. Due to our intervention, the company has now announced that it will stop using Mailchimp with immediate effect. The company also informed us that it sent only e-mail addresses to Mailchimp and stated that the recommendations of the European Data Protection Board on additional measures for the transfer of personal data to third countries are not yet in their final version, but are subject to consultation (https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_en)," reads the document sent by the authority to the complainant.

"According to our assessment, the use of Mailchimp by FOGS Magazin in the two cases mentioned was inadmissible under data protection law, as FOGS did not verify whether 'additional measures' were required for the transfer to Mailchimp within the meaning of the CJEU decision 'Schrems II' (CJEU, judgment of 16 July 2020, C-311/18), in addition to the EU standard data protection clauses."

Analyzing this transfer from the point of view of compliance with data protection regulations, in the present case there are indications that Mailchimp qualifies as an "electronic communications service provider" under US surveillance law (FISA702 (50 USC § 1881)), and thus US intelligence services can access these databases. This transfer could only have been permitted by taking additional measures.

What do Art. 44 GDPR and the Schrems II decision provide? Are there any solutions?

We remind you that any transfer of personal data which is undergoing processing or is intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of Regulation 679/2016, the conditions laid down in Chapter 5 are complied with by the controller and processor, including for onward transfers of personal data from the third country or international organisation to another third country or international organisation. All provisions of Chapter 5 GDPR shall be applied in order to ensure that the level of protection of natural persons is not undermined.

On 16 July 2020, the CJEU, in Case C-311/18 (Schrems II), invalidated Decision 2016/1250 on the adequacy of the protection afforded by the EU-US Privacy Shield, because it considered that it did not provide the level of protection required by the GDPR (adequate safeguards, enforceable rights and effective remedies) due to the excessive degree of intrusion by the US authorities (NSA, FBI). At the same time, the decision upheld Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries. Moreover, the Court ruled that the decision is immediately applicable, without creating a legislative vacuum, because the GDPR offers alternative ways to transfer personal data lawfully.

"For transfers we may continue to make use of the provisions of Article 46 GDPR, which state that in the absence of a Commission decision, transfers may be made to third countries or international organisations on the basis of appropriate safeguards and subject to enforceable rights. Beyond the appropriate safeguards involving either the supervisory authority or the Commission, or binding corporate rules, we find in paragraph 3(a) 'contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organisation', subject to authorisation by the competent supervisory authority.

Even if, as the Court has pointed out, it is the primary responsibility of data exporters and data importers to ensure, before transferring personal data to a third country, that the legislation of that country allows the data importer to comply with the standard data protection clauses or binding corporate rules, the supervisory authorities will also play a key role in applying the GDPR and in issuing decisions on transfers to third countries.

Article 49 GDPR also offers us another solution: in the absence of an adequacy decision and of appropriate safeguards, a transfer of personal data to a third country or an international organisation may take place only under one of the following conditions:

"(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

(d) the transfer is necessary for important reasons of public interest;

(e) the transfer is necessary for the establishment, exercise or defence of legal claims;

(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case."

Regarding point (a), namely the consent of the data subject, the EDPB recalls the conditions applicable to consent: in particular, it must be explicit, specific and informed.

Are there solutions for companies to continue to operate normally?

There are solutions for the continued transfer of personal data to third countries or international organisations. We appreciate that many of the transfers made up to the Court's judgment have ceased or will cease, but genuinely substantiated transfers can still be made in compliance with the restrictions and conditions imposed, with the aim of defending the rights and interests of European citizens. We look forward to the EDPB recommendations for controllers and processors; until they are published, we offer some recommendations for personal data controllers in order to comply with the decision invalidating the Privacy Shield:

  • In the case of newsletter solutions, you can replace US applications with solutions from the European Union or even from Romania.
  • WordPress sites, for example, provide Google Analytics-like traffic analysis tools, and this type of cookie can be removed.
  • We recommend removing Yahoo and Gmail addresses used for business purposes and replacing them with email domains hosted in the European Union. Domains hosted in third countries should also be moved to servers in the European Union.
  • Website platforms hosted in the US can be replaced with platforms hosted in the European Union.
  • We recommend replacing document transfer applications with EU-hosted solutions.
  • Also, online payment services such as PayPal can be replaced by card payment processors in Romania, and Google remarketing services can be eliminated in favour of EU-based services; the same applies to cloud services.

Whenever transfers are made to the US, users must be informed transparently, in accordance with Article 13 GDPR, and if the processing or transfer is based on consent, data controllers must ensure that they have obtained valid consent.

As a general recommendation, we advise Romanian personal data controllers to re-examine their list of service providers acting as processors and to verify the countries to which the processed data is transferred, and, where transfers to third countries are identified, to assess the situation and decide whether to replace these providers with service providers in the European Union."

What were the implications of invalidating the Privacy Shield at European level? And in Romania?

Daniela Cireașă, Senior Partner NeoPrivacy Romania: "Following the CJEU decision in Schrems II, the European supervisory authorities took a position on the transfer of personal data to the USA. In Switzerland, a country that had its own agreement with the United States, the Swiss-US Privacy Shield, under which the personal data of Swiss citizens was transferred to the US, that agreement has been invalidated, and the Swiss authorities announced on September 8, 2020 that the United States had been removed from the list of countries providing adequate protection under certain conditions.

The Convention 108 Committee and the Council of Europe's Commissioner for Data Protection have also called for the adoption of international legal standards for data protection following the Schrems II judgment. In a joint statement, they stated that "Countries must agree at international level on the extent to which surveillance by intelligence services may be authorised, under what conditions and with what safeguards, including independent and effective oversight."

The supervisory authorities in Berlin and Hamburg, as well as the Dutch authority, recommend the cessation of transfers to the USA. The Berlin authority even recommends withdrawing data from the US. Several supervisory authorities emphasise the need for further analysis and case-by-case assessments.

Note that the Irish supervisory authority has instructed Facebook to stop data transfers to the United States. Following this order, on 11 September 2020, Facebook took legal action against the Irish Data Protection Commission (IDPC), launching an appeal in Ireland in an attempt to stop the IDPC's preliminary order to suspend the use of standard contractual clauses (SCC) in EU-US data transfers.

CNIL has called on the French authorities to stop hosting Microsoft's health data research platform as soon as possible, given the recent invalidation of the Privacy Shield. The Secretary of State for Digital announced on the same day that he was working with the Minister of Health to repatriate this platform to French or European infrastructures.

Facebook considered the proposal premature and urged the Irish regulator to take a pragmatic and proportionate approach until a long-term solution can be reached, as it claims that the preliminary order was decided before Facebook received guidance from the European Data Protection Board.

In Romania, during the school year, under restrictive conditions for all the parties involved, the authorities decided to conduct online meetings and online classes. Most platforms used in Romania transferred data to the United States. The Ministry of Education and Research announced on September 2, 2020 that, in collaboration with Google (Meet) and Microsoft (Teams), it provides free educational platforms, both belonging to American companies. We add to the list of platforms that transfer data to the US the new ANAF (National Agency for Fiscal Administration) facility of visual identification through the Zoom platform.

Further proof that in Romania the data controllers, both from the public and the private sector, have not taken in the invalidation of the Privacy Shield are the online stores or simple presentation sites that still use the suite of analytics cookies from Google, American solutions for newsletters or payments, etc. Even the websites of candidates in the local elections have such cookies installed. We appreciate that most data controllers use these solutions without being fully aware of the implications.

We believe that we are still far from a new agreement between the EU and the US, although the recommendations to the US have become even more urgent: (1) the adoption of comprehensive federal privacy legislation, (2) the establishment of an independent data protection agency and (3) ratification of the Council of Europe Convention on Confidentiality. The current situation of uncertainty affects both European and American companies and the rights and interests of European citizens.

Between July and September 2020, noyb conducted a survey of 33 companies that transfer data to the US, and their reactions ranged from no response at all to vague or substanceless replies. Companies such as Airbnb, Netflix or WhatsApp did not respond at all, while others responded by referring to privacy policies that do not answer the specific questions, or by invoking Standard Contractual Clauses that manifestly do not cover them because those companies are subject to intrusive US law.

We recommend that all personal data controllers in Romania turn to specialists in the field of personal data protection, the only ones who, at present, are up to date with developments in the field and are able to explain to data controllers all the implications and offer solutions in accordance with data protection legislation."

