Data Protection September-October 2021
This bimonthly LAVOIX newsletter presents a selection of legal news in the field of personal data protection for the period September-October 2021.
EDPB Guidelines on restrictions to the GDPR by the legislator
The European Data Protection Board adopted, on 13 October 2021, the final version of the Guidelines on restrictions under Article 23 of the GDPR, following a public consultation.
Article 23 of the GDPR allows Union or Member State law to restrict the scope of the obligations and rights provided for in Articles 12 to 22 (rights of data subjects) and Article 34 (communication of a personal data breach to data subjects), as well as Article 5 (principles relating to processing) in so far as its provisions correspond to those rights and obligations.
These guidelines address the application of such restrictions by the national and EU legislator, the necessity and proportionality assessments that must be carried out, the obligations of controllers and processors, the conditions for exercising data subjects' rights once a restriction is lifted, and the consequences of infringing Article 23 of the GDPR.
CNIL White paper on payment data and means of payment
In October 2021, the CNIL adopted the White Paper "When trust pays off: today's and tomorrow's means of payment in the challenge of data protection".
This white paper identifies the legal points of vigilance in applying the GDPR to new means of payment, as well as areas of future work and actions to support professionals in this field.
In particular, it defines payment data and sets out its legal implications in terms of personal data protection.
The CNIL highlights several key points, including preserving the anonymity of payments and the free choice of means of payment, protecting the confidentiality of transactions by design, ensuring the security of payment data, and the question of whether payment data should be located in Europe.
Decrees on the categories of data retained by electronic communications operators and their retention periods
Decree No. 2021-1361 of 20 October 2021 specifies the categories of connection data, defined in II bis and III of Article L.34-1 of the French Post and Electronic Communications Code as amended by Act No. 2021-998 of 30 July 2021 on the prevention of terrorist acts and intelligence, that electronic communications operators must retain.
It determines which information relates to the civil identity of the user, to the information provided by the user when subscribing to a contract or creating an account, to payment, to the technical data identifying the source of the connection or the terminal equipment used, and to other traffic data and location data.
It defines traffic and location data as "information made available by electronic communication processes, likely to be recorded by the operator in the course of electronic communications for which it ensures transmission".
Decree No. 2021-1363 of 20 October 2021 orders, in view of the serious and current threat to national security, the retention of certain categories of connection data for a period of one year.
This order applies to electronic communications operators as well as to the persons mentioned in 1 and 2 of I of Article 6 of the Act of 21 June 2004 for confidence in the digital economy (Internet access providers and hosting providers).
These decrees came into force on 21 October 2021.
Formal notice to the company Francetest for insufficient security of health data
By decision MED-2021-093 of 4 October 2021, the President of the CNIL issued a formal notice to the company Francetest for multiple security weaknesses relating to the processing of health data on behalf of pharmacies in connection with COVID-19 antigenic screening tests.
The security weaknesses observed concern in particular the hosting of health data with a service provider that does not hold the HDS (health data hosting) certification required under French law, the use of insufficiently robust authentication mechanisms, the use of a weak hash function for stored credentials, and inadequate logging of server activity.
The decision was made public in view of the sensitivity of the data being processed and the need to inform data subjects.
Chinese Data Protection Law comes into force
China's Personal Information Protection Law (PIPL), adopted in August 2021, came into force on 1 November 2021.
It aims at strengthening the confidentiality and the security of storage of personal data that companies hold about Internet users.
Among other things, this law introduces the principles of purpose limitation and data minimisation, and requires companies to designate a person responsible for personal information protection.
Global Privacy Assembly Resolutions 2021
The Global Privacy Assembly adopted five resolutions at its 43rd annual meeting in October 2021.
The resolutions relate to oversight of government access to privately held data, the protection of children's digital rights, data sharing in the public interest, the adoption of a 2021-2023 strategic plan that includes surveillance technologies, and the establishment of an independent secretariat.