Dashcams have become increasingly popular in recent years and a built-in dashcam is now the most sought-after feature among car buyers. Buyers' primary motivation is self-explanatory: recorded footage can be used as evidence in case of an accident. However, whether dashcams are incompatible with privacy and data protection law and thus illegal on Austrian roads is a tricky question.
Parliament recently enacted the Third, Fourth and Fifth COVID-19 Acts. Although these laws have significantly changed the Austrian legal framework, none of them include data protection provisions. Thus, the legislature appears to have overlooked a significant data protection issue arising from the new law – namely, the conflict of interests between the amended Social Insurance Act and the EU General Data Protection Regulation.
Due to the COVID-19 pandemic, telecoms providers must now send mass alerts (eg, regional access prohibitions) via text message on order of the government and provide traffic and location data for the purposes of evaluating whether individuals are complying with quarantine orders. In addition, a number of legislative developments have taken place with respect to data protection. This article outlines these recent changes.
With the adoption of the EU General Data Protection Regulation, the EU legislature intended to strengthen the rights of individuals (ie, data subjects or applicants) by giving them greater control over how their personal data is used. Applicants must be informed of the processing of their personal data and be able to verify whether such processing is lawful. Accessing documents is not necessary to achieve that goal. This view is supported by two recent Austrian decisions.
'Influencer marketing' means taking advantage of bloggers and other persons who have their own social media channels to promote goods and services. While the concept of transmitting arguably hidden advertising is problematic, there are many variations of this and the lines between hidden advertising and personal opinion are often blurred. As such, the Advertising Council recently issued guidelines for dealing with influencer marketing as a specific means of marketing communication.
The Litigation Chamber of the Data Protection Authority (DPA) recently provided welcome clarifications concerning the validity of employee consent. The DPA decided that the free consent of employees was possible and could be valid if all other conditions of Article 4.11 of the EU General Data Protection Regulation were fulfilled and that the data was collected for a specified and legitimate purpose but the purpose of the processing was not explicit.
The Litigation Chamber of the Data Protection Authority recently issued a reprimand to a hospital for its violation of an employee's access and information rights regarding an audit, which had led to the employee's dismissal. Specifically, the hospital had refused the employee access to the external expert's audit report which had formed the basis of its decision to dismiss the employee.
The Belgian Data Protection Authority (DPA) recently fined a social media platform €50,000 for processing personal data within the scope of a referral programme without an appropriate legal basis. This decision is particularly relevant because it was rendered on the basis of the one-stop-shop mechanism and all of the national authorities concerned validated the DPA's reasoning.
The Cayman Islands Monetary Authority (CIMA) has updated its Rule and Statement of Guidance – Cybersecurity for Regulated Entities following feedback received during a private sector consultation. The rule, which sets out CIMA's requirements in relation to the management of cybersecurity risks, is a clear and precise directive that creates binding obligations, the breach of which may lead to a fine or regulatory action being taken by CIMA.
In August 2020 the Ministry of Commerce issued the Master Plan for Comprehensively Deepening the Pilot Programme on the Innovative Development of Trade in Services. The plan covers 28 provinces and municipalities directly under the central government, including Beijing, Tianjin and Shanghai. The pilot programme, which concerns cross-border data transfer security management, will run for three years.
In 2020 the Ministry of Industry and Information Technology issued the Guidelines on the Construction of a Data Security Standards System in the Telecoms and Internet Industries for public comment. According to the draft guidelines, the data security standards system for telecoms and internet industries comprises four categories: basic and general standards, critical technology standards, security management standards and critical field standards.
In August 2020 the National Information Security Standardisation Technical Committee issued the Information Security Technology – Method for Evaluating the Security Protection Capabilities of Critical Information Infrastructure (Draft for Comment) for public comment. According to the draft method, the evaluation of the security protection capabilities of critical information infrastructure will focus on capability domain level, graded protection and cryptography.
In August 2020 the National Information Security Standardisation Technical Committee released the Information Security Technology – Method of Boundary Identification for Critical Information Infrastructure (Draft for Comment) for public opinion. The draft provides six factors that should be considered when identifying the boundaries of critical information infrastructure: critical business, network facilities, information systems, critical business information, critical business information flows and basic operation environments.
The Standardisation Administration and four other government departments recently issued the Guide to the Building of a National Standard Framework for New Generation Artificial Intelligence. The guide requires that the top-level design of AI standardisation should be clarified by 2021 when more than 20 key standards in key general technologies, technologies in key fields and ethics have been preliminarily researched.
The Croatian cybersecurity system is a cross-sectorial complex network of institutions and regulations in constant development but aligned with the requirements acquired through the country's membership of the European Union and the North Atlantic Treaty Organisation. From a legal perspective, various cybersecurity matters are covered by several relevant acts, each addressing different issues within its scope. This article explores this legislation.
At present, the regulation of the AI sector in Croatia is practically non-existent, as is the case in many other EU member states. This might be viewed as troublesome, as the technology is advancing rapidly without a specific legal control system to provide guidance. However, the issues arising from the use of AI are complex and difficult to foresee, which makes the legislative process time consuming and demanding.
Croatia has among the lowest number of infected persons and persons requiring hospital care due to the COVID-19 outbreak. Despite this fact, the government has amended the Electronic Communications Act enabling the legal use of mobile data as an additional tool in its strategy to combat the pandemic. However, the process has been deterred by the opposition finding the amendments potentially unconstitutional and unjustified.
The European Commission's recent communication shows that only two member states have adopted the national legislation required to implement the EU General Data Protection Regulation. Others, Croatia included, are at different stages of the process. To meet the May 25 2018 deadline, Croatia should promptly address its national approach to open issues – in particular, its policies surrounding administrative fines.