In recent years there has been an increased use of technologies that match a person's digital image to a picture database. While the Austrian legal system does not expressly permit the use of such technology, the Ministry of the Interior uses it to identify unknown perpetrators suspected of intentionally committing a criminal offence. Austrian privacy experts worry that without an explicit legal basis, the use of facial recognition software may result in the gradual extension of powers.
Dashcams have become increasingly popular in recent years and a built-in dashcam is now the most sought-after feature among car buyers. Buyers' primary motivation is self-explanatory: recorded footage can be used as evidence in case of an accident. However, whether dashcams are incompatible with privacy and data protection law and thus illegal on Austrian roads is a tricky question.
Parliament recently enacted the Third, Fourth and Fifth COVID-19 Acts. Although these laws have significantly changed the Austrian legal framework, none of them include data protection provisions. Thus, the legislature appears to have overlooked a significant data protection issue arising from the new law – namely, the conflict of interests between the amended Social Insurance Act and the EU General Data Protection Regulation.
Due to the COVID-19 pandemic, telecoms providers must now send mass alerts (eg, regional access prohibitions) via text message on order of the government and provide traffic and location data for the purposes of evaluating whether individuals are complying with quarantine orders. In addition, a number of legislative developments have taken place with respect to data protection. This article outlines these recent changes.
With the adoption of the EU General Data Protection Regulation, the EU legislature intended to strengthen the rights of individuals (ie, data subjects or applicants) by giving them greater control over how their personal data is used. Applicants must be informed of the processing of their personal data and be able to verify whether such processing is lawful. Accessing documents is not necessary to achieve that goal. This view is supported by two recent Austrian decisions.
The Litigation Chamber of the Data Protection Authority (DPA) recently provided welcome clarifications concerning the validity of employee consent. The DPA decided that the free consent of employees was possible and could be valid if all other conditions of Article 4.11 of the EU General Data Protection Regulation were fulfilled and that the data was collected for a specified and legitimate purpose but the purpose of the processing was not explicit.
The Litigation Chamber of the Data Protection Authority recently issued a reprimand to a hospital for its violation of an employee's access and information rights regarding an audit, which had led to the employee's dismissal. Specifically, the hospital had refused the employee access to the external expert's audit report which had formed the basis of its decision to dismiss the employee.
The Belgian Data Protection Authority (DPA) recently fined a social media platform €50,000 for processing personal data within the scope of a referral programme without an appropriate legal basis. This decision is particularly relevant because it was rendered on the basis of the one-stop-shop mechanism and all of the national authorities concerned validated the DPA's reasoning.
In an increasingly hostile market, companies have taken an innovative approach to advertising, seeking to ensure consumer loyalty. This has included comparing their products and services with those of competitors in an attempt to convince consumers that theirs are the best. However, is this type of advertising, which is (in theory) harmful to competitors whose products and services are shown as being inferior, allowed?
The Cayman Islands Monetary Authority (CIMA) has updated its Rule and Statement of Guidance – Cybersecurity for Regulated Entities following feedback received during a private sector consultation. The rule, which sets out CIMA's requirements in relation to the management of cybersecurity risks, is a clear and precise directive that creates binding obligations, the breach of which may lead to a fine or regulatory action being taken by CIMA.
The National Information Security Standardisation Technical Committee recently issued the Information Security Technology – Personal Information Security Measurement and Evaluation Specification in Mobile Internet Applications (Draft for Comment). The draft for comment sets out the implementation processes for carrying out the measurement and evaluation of personal information security in mobile apps in accordance with the Information Security Technology – Personal Information Security Specification.
The National Information Security Standardisation Technical Committee recently issued the Information Security Technology – Gradation and Evaluation for the Effect of Personal Information De-identification (Draft for Comment). The draft for comment clarifies that the identifiability of personal information can be categorised into one of four grades, based on the risk of re-identification, and can be used to evaluate the effectiveness of personal information de-identification activities.
The Cyberspace Administration of China recently issued Several Provisions on the Safety Management of Automobile Data (Draft) to solicit public opinion. The draft provisions provide a series of stringent data protection and cybersecurity rules for the automobile sector which will affect almost all players in the automobile industry chain. This article summarises the noteworthy rules that the draft provisions propose.
The Supreme People's Procuratorate recently issued the Provisions on the Handling of Cybercrime Cases by the People's Procuratorates, which include general provisions, as well as provisions on the guided collection of evidence and case reviews, the review of electronic data and court attendance in support of public prosecutions. Among other things, the provisions require the people's procuratorates to strengthen the penalties handed down in cybercrime cases.
The Ministry of Industry and Information Technology recently issued the Circular on Launching the Pilot Programme on Classified and Graded Management of Cybersecurity of Industrial Internet Enterprises. The pilot programme is initially scheduled to launch in 15 provinces and aims, among other things, to perfect the rationality, effectiveness and operability of the rules, standards, classification procedures and grading for industrial internet cybersecurity.