Parliament recently enacted the Third, Fourth and Fifth COVID-19 Acts. Although these laws have significantly changed the Austrian legal framework, none of them include data protection provisions. Thus, the legislature appears to have overlooked a significant data protection issue arising from the new law – namely, the conflict of interests between the amended Social Insurance Act and the EU General Data Protection Regulation.
Due to the COVID-19 pandemic, telecoms providers must now send mass alerts (eg, regional access prohibitions) via text message on order of the government and provide traffic and location data for the purposes of evaluating whether individuals are complying with quarantine orders. In addition, a number of legislative developments have taken place with respect to data protection. This article outlines these recent changes.
With the adoption of the EU General Data Protection Regulation, the EU legislature intended to strengthen the rights of individuals (ie, data subjects or applicants) by giving them greater control over how their personal data is used. Applicants must be informed of the processing of their personal data and be able to verify whether such processing is lawful. Accessing documents is not necessary to achieve that goal. This view is supported by two recent Austrian decisions.
'Influencer marketing' means taking advantage of bloggers and other persons who have their own social media channels to promote goods and services. While the concept of transmitting arguably hidden advertising is problematic, there are many variations of this and the lines between hidden advertising and personal opinion are often blurred. As such, the Advertising Council recently issued guidelines for dealing with influencer marketing as a specific means of marketing communication.
The EU General Data Protection Regulation (GDPR) has created a new understanding and awareness of data protection. Despite being a directly applicable legal act, the GDPR has created significant work for the Austrian federal legislature, which has chosen to impose it by implementing the narrow but general Data Protection Act and introducing amendments to ordinary legal acts individually. However, these amendments are essentially limited to wording adjustments and restrictions on data subjects' rights.
The Litigation Chamber of the Data Protection Authority recently issued a reprimand to a hospital for its violation of an employee's access and information rights regarding an audit, which had led to the employee's dismissal. Specifically, the hospital had refused the employee access to the external expert's audit report which had formed the basis of its decision to dismiss the employee.
The Belgian Protection Authority (DPA) recently fined a social media platform €50,000 for processing personal data during the scope of a referral programme without an appropriate legal basis. This decision is particularly relevant because it was rendered on the basis of the one-stop-shop mechanism and all of the national authorities concerned validated the DPA's reasoning.
The Cayman Islands Monetary Authority (CIMA) has updated its Rule and Statement of Guidance – Cybersecurity for Regulated Entities following feedback received during a private sector consultation. The rule, which sets out CIMA's requirements in relation to the management of cybersecurity risks, is a clear and precise directive that creates binding obligations, the breach of which may lead to a fine or regulatory action being taken by CIMA.
The Supreme People's Court and the National Development and Reform Commission recently issued the Opinions on Providing Judicial Services and Supports to Accelerate the Improvement of the Socialist Market Economy System in the New Era. Among other things, the opinions emphasise that the state should strengthen the protection of data rights and personal information security.
The Ministry of Industry and Information Technology (MIIT) recently instructed third-party testing agencies to examine certain mobile apps and issued the Second and Third Batches of Apps that Infringe Upon Users' Rights and Interests, requiring operators of said apps to make rectifications. Numerous apps did not complete their rectifications before the designated timelines. As a result, the MIIT may impose fines.
China Central Television's 3.15 programme recently exposed that third-party software development kit plug-ins for mobile phones were collecting and using users' personal information. In response, the Ministry of Industry and Information Technology immediately asked the relevant entities to investigate the enterprises involved in accordance with the law.
The Justice Bureau of Shenzhen Municipality recently issued the Data Regulations of Shenzhen Special Economic Zone for public opinion. The draft regulations define the concept of 'data rights' for the first time and set out the ownership of personal and public data. According to the draft regulations, no organisation or individual may infringe on natural persons' data rights in accordance with the law.
The General Office of the State Council recently issued the 2020 Legislative Plan, which includes several laws applicable to the cybersecurity sector, such as the Regulations on Network Protection of Minors and the Regulations on the Security Protection of Critical Information Infrastructure.
At present, the regulation of the AI sector in Croatia is practically non-existent, as is the case in many other EU member states. This might be viewed as troublesome, as the technology is advancing rapidly without a specific legal control system to provide guidance. However, the issues arising from the use of AI are complex and difficult to foresee, which makes the legislative process time consuming and demanding.
Croatia has among the lowest number of infected persons and persons requiring hospital care due to the COVID-19 outbreak. Despite this fact, the government has amended the Electronic Communications Act enabling the legal use of mobile data as an additional tool in its strategy to combat the pandemic. However, the process has been deterred by the opposition finding the amendments potentially unconstitutional and unjustified.
The European Commission's recent communication shows that only two member states have adopted the national legislation required to implement the EU General Data Protection Regulation. Others, Croatia included, are at different stages of the process. To meet the May 25 2018 deadline, Croatia should promptly address its national approach to open issues – in particular, its policies surrounding administrative fines.