Tag Archives: data protection authority

GDPR Cross-Border Complaints: a New Regulation Proposal Attempts to Harmonize the Procedural Rules Among the Member States

On July 4, 2023, the European Commission issued a proposal for a new EU regulation laying down additional procedural rules aimed at ensuring a better and uniform enforcement of the GDPR among the Member States, especially with regard to the handling of cross-border complaints (“Proposal”).

The Proposal has been inspired by the findings of the reports issued by the European Commission and the European Data Protection Board concerning the status of the application of the GDPR among the Member States. Such reports stressed the need to make the handling of cross-border complaints more efficient and levelled across the EU, since the proceedings followed by local data protection authorities (“LDPA”) have been found to be differently designed and may thus lead to different application of the GDPR provisions.

The main features of the Proposal may be summarized as follows:

  • Submission and handling of cross-border complaints: The Proposal aims at removing the existing differences among the procedural rules applied by different LDPAs, namely with regard to how complaints on cross-border issues should be filed and which contents they should have. In such respect, a template for the filing of cross-border complaints – including a standard pre-determined set of information to be provided – has been drafted. The Proposal further specifies procedural rules for the rejection of complaints in cross-border cases and clarifies the roles and rights of the lead LDPA and of any other concerned LDPAs. A system of amicable settlement of complaints is also encouraged.
  • Procedural rights of parties under investigation: The Proposal further aims at harmonizing and strengthening the rights of defence in the course of cross-border investigations and proceedings. Specifically, the Proposal recognizes an extended right of the parties to be heard at key stages of the proceedings and imposes the creation of an administrative file and the parties’ rights of access to it.
  • Tools for cooperation between LDPAs: New tools have been designed to ease the building of consensus between the involved LDPAs on the main features of cross-border proceedings since their preliminary phase, in order to limit the recourse to the (time-consuming) dispute resolution mechanism provided by section 65 GDPR to only a few exceptional cases. LDPAs that are called to handle a cross-border complaint are required to provide other involved LDPAs with a “summary of key issues”, where the main findings of facts and legal grounds underlying each complaint are set out. Concerned LDPAs will be able to provide their views on such summary and to raise “relevant and reasoned objections”, in which case a specific fast-track procedure is designed in order to ensure that disagreements among LDPAs are settled at the beginning of the process.
  • Acceleration of cross-border proceedings: Lastly, the Proposal, by imposing strict deadlines, aims to prevent undue delays within the proceedings.

At the moment it is still unclear whether the Proposal will be officially adopted and become a binding regulation. Certainly, it has been welcomed by the European Data Protection Board and by the European Data Protection Supervisor and may be a good opportunity to level the difference among Member States and make the proceedings more efficient.

Google Analytics under Scrutiny by Italian Data Protection Authority

The second issue of our summer series focuses on the recent decision by the Italian Data Protection Authority, which affects all users of the Google Analytics services in Italy, as well as other similar services that entail the transfer of users’ personal data to the United States.

Read our slides to understand what actions are available to you.

The Safe Harbor Decision (And What Is Wrong With It)

As most people and businesses on either side of the Atlantic are now aware, on October 6, 2015 the European Court of Justice invalidated the Commission’s Safe Harbor decision and made the transfer of personal data to the United States slightly more difficult for businesses.

The Court decision is based on two fundamental findings: first, the Commission’s Safe Harbor decision did not find – as it was required to do according to the Court – that the United States ensures a level of protection of fundamental rights essentially equivalent to that guaranteed within the European Union. Second, and equally important, the Court held that the Commission had no authority to restrict the powers of national data protection authorities to examine complaints of their citizens and assess whether the transfer of data to the United States affords an adequate level of protection.

Until the recent Court decision, the Safe Harbor program provided a framework for the transfer of personal data from the European Union to the United States. Safe Harbor, however, is neither the only way to transfer personal data to the United States, nor the most commonly used. United States undertakings have consistently used – and will be able to continue to use even after the Court’s decision – model clauses and binding corporate rules.

As European and US undertakings have a wide variety of tools available to transfer data to the United States, the most troubling finding of the Court’s decision is not the invalidation of the Safe Harbor per se, but rather the recognition of much broader powers to member states’ data protection authorities. While the Safe Harbor scheme provided a single and simplified framework that was easily understood by United States’ businesses, the new decision leaves uncertainty as to the approach that each member state’s data protection authorities will take in connection with the export of their citizens’ data. As a consequence, in spite of the current efforts by European authorities to adopt a single data protection regulation ensuring a more uniform legislation throughout the continent, the Court decision is likely to lead – for at least some time – to a more fragmented and less clear legal framework among different member states.

Last, but not least, it is worth noting that one of the main reasons that led the Court to invalidate the Safe Harbor Commission’s decision has been the discovery of mass surveillance programs by US national security intelligence agencies and their rights to access personal data of European citizens. The concern of the European Court of Justice is well grounded and all of us, as individuals, are likely to share that same concern. However, why is the Court not equally worried about the surveillance programs and data retention policies adopted by several member states over the last few years?

Many have pointed out (see for instance here and here) that the Court decision is the result of different sensitivities between US and European people when it comes to the protection of their privacy, with Europeans being more keen to consider the protection of their personal data as a fundamental human right (or, rather, very keen on teaching data protection lessons to the United States). However, the failure of the European Court of Justice to acknowledge that such fundamental right is as much at risk within the borders of Europe as it is outside leaves us wondering whether the Court is really protecting the substance of our privacy as European citizens.

Electronic Medical Record: Italian Data Protection Authority Issues New Guidelines

On June 4, 2015, the Italian Data Protection Authority issued new guidelines governing the collection and processing of personal and sensitive data through the Electronic Medical Record.

  • What is an Electronic Medical Record?

A record, kept by a hospital or a healthcare center, containing patients’ clinical history at that specific hospital or healthcare center.

  • Patients’ rights

The guidelines set forth several rights to which patients treated at any hospital or healthcare center are entitled:

  1. Patients are entitled to decide whether the hospital or the healthcare center may store their data through an Electronic Medical Record. If a patient denies his/her consent, physicians will be able to rely only on information gathered during examination and treatment, as well as on information previously conveyed by the patient, if any. Denial of consent will not affect the possibility of being treated at the hospital/healthcare center.
  2. Specific consent is needed for the collection of certain categories of sensitive data, such as HIV infections, abortions, data relating to sexual assault. With respect to such data, patients will have the right to limit access to specific individuals/professionals.
  3. In addition to all rights granted by the Data Protection Code (such as the right to receive confirmation on the existence of personal/sensitive data, to know the origin of the data, the purpose and means of processing, as well as the logic applied to the processing) patients will also be entitled to receive information on each access to their Electronic Medical Record.
  • Hospitals and healthcare centers’ obligations

Hospitals and healthcare centers are required to provide patients with a thorough privacy notice concerning the processing of data through the Electronic Medical Record. Upon patients’ request, hospitals and healthcare centers shall also provide information concerning stored data and access logs to the Electronic Medical Record (including the professional accessing the data, date and time of access) within 15 days of the request. Patients will also be entitled to redact data or healthcare documentation that they do not wish to be included in their Electronic Medical Record.

The Data Protection Authority’s guidelines also address important technical aspects and provide that patients’ healthcare information contained in the Electronic Medical Record shall be segregated from other administrative data. Sensitive data will need to be encrypted. Furthermore, access to the record will be granted only to medical staff involved in the patient’s treatment and any access and processing will be recorded on log files to be kept by the hospital or healthcare center for at least 24 months.

Lastly, the guidelines set forth strict data breach requirements for hospitals and healthcare centers, by providing that any data breach or unauthorized access shall be reported to the Data Protection Authority within 48 hours of knowledge of the breach. Failure to report will lead to the application of penalties.

See the Data Protection Authority’s presentation of the new guidelines