newtech.law

Posted on Categories privacy/personal data protection

“Dark patterns” targeted by EU institutions

“Dark patterns” used by online platform providers have been controversial for some time, but recently there has been a growing buzz about them, in particular due to actions undertaken by EU and national data protection and consumer protection authorities. (For an overview of cases and decisions by EU and national authorities, see the European Commission’s “Behavioural study on unfair commercial practices in the digital environment: Dark patterns and manipulative personalisation, Final Report,” pp. 61–70.) Primarily, these measures are intended to combat deceptive practices in the digital environment, but also to educate consumers and draw their attention to the most common types of practices.

The harmfulness and prevalence of dark patterns has also been noticed by EU lawmakers, who expressly banned such practices by online platform providers in Art. 25(1) of the Digital Services Act (Regulation (EU) 2022/2065 on a Single Market for Digital Services—DSA). The DSA entered into force on 16 November 2022, but most of the obligations in the regulation will apply from 17 February 2024. Therefore, the application of dark patterns may violate not only data protection laws (especially the General Data Protection Regulation) and consumer protection laws, but also (from February 2024) the Digital Services Act.

Continue reading ““Dark patterns” targeted by EU institutions”
Posted on Categories privacy/personal data protection

“Bossware” under labour and data protection law

The proliferation of remote work, combined with the development of monitoring technologies, has led employers around the world to implement various, sometimes technologically advanced methods to check employees’ performance and commitment to their work. In this area, IT solutions and programs commonly called “bossware” are gaining popularity.

In practice, bossware can include a variety of solutions and technologies, such as:

  • Keyloggers monitoring the employee’s use of the keyboard on a company computer
  • Downloading and analysis of screenshots from the employee’s business device
  • Tracking mouse movements
  • Constant or periodic observation of employees using the camera (e.g. eye movement) or microphone on a business device
  • Tracking the employee’s online activity
  • Monitoring the use of business email, calendar and business messaging
  • Analysis of the performance of applications and programs run by the employee.

A specific feature of bossware solutions is the frequent use of automated analysis to flag employees whose productivity, commitment or manner of work deviates from the employer’s expected norm, without their superiors’ involvement.

Polish employers are also reaching for bossware. In this regard, we describe below what they should take under consideration in light of Polish labour law and data protection law.

Continue reading ““Bossware” under labour and data protection law”
Posted on Categories privacy/personal data protection

Standard contractual clauses need to be updated by 27 December 2022

Entities transferring personal data outside the European Economic Area on the basis of standard contractual clauses that are no longer in force (where the transfer began before 27 September 2021) should conclude agreements based on new clauses by 27 December 2022.

Under the General Data Protection Regulation, the transfer of personal data to “third countries” (outside the European Economic Area) is only permitted if the conditions set forth in the GDPR are met, i.e. generally when:

  • The transfer is made to a country which the European Commission has determined provides an adequate degree of protection (i.e. it has issued an adequacy decision—decisions issued so far are available on the European Commission website)
  • If there is no adequacy decision, then adequate safeguards are provided, including in the form of conclusion of an agreement based on standard contractual clauses between the entities involved in the transfer
  • If there is no adequacy decision or adequate safeguards, then one of the special circumstances specified in the GDPR applies.
Continue reading “Standard contractual clauses need to be updated by 27 December 2022”
Posted on Categories privacy/personal data protection

Cookies: The coming revolution

Last year regulators in the EU devoted a lot of attention to cookie files and other tracking technologies used on websites. This interest was generated among other sources by numerous complaints filed by NOYB—European Center for Digital Rights in the last year with data protection authorities, and has resulted in guidance and several decisions issued by regulators in recent months (e.g. in Austria, Belgium and France). Because they may shape the future approach of regulators to the use of cookies, it is worth discussing some of the main conclusions flowing from these decisions.

Continue reading “Cookies: The coming revolution”
Posted on Categories changes in law, privacy/personal data protection

Data Governance Act: A step closer to easier sharing of data

On 30 November 2021, the Council of the European Union and the European Parliament reached a provisional agreement on the final wording of a draft Data Governance Act (DGA) (COM/2020/767 final).

The aim of the proposal is to promote the availability of data and to build a trustworthy environment facilitating the use of data (both person and non-personal) for research and creation of innovative new products and services. It is also intended to create a legal framework for easier sharing of data and mechanisms facilitating re-use of certain data held by the public sector, including data involving health, agriculture and the environment.

Continue reading “Data Governance Act: A step closer to easier sharing of data”
Posted on Categories data economy, privacy/personal data protection

What is the right to personal data?

When seeking inspiration for the future legal status of data, it is worth taking a closer look at how the right to personal data has been shaped. In particular, we could consider whether it is a property right and whether the current legal framework for the right to personal data corresponds to reality and meets our needs.

The attempt to define an absolute right to personal data is mainly driven by Art. 1(2) of the EU’s General Data Protection Regulation, which states that one of the objectives of the regulation is to protect the “right to the protection of personal data.” The right to protection of personal data is also enshrined in the Charter of Fundamental Rights of the European Union and the Treaty on the Functioning of the European Union.

The source of this right is found in European legislation. For this reason, an attempt to determine the substance of the right to data protection is difficult, as we cannot simply and directly refer to structures known from the different legal systems of the member states.

The essence of the right to data protection seems to be indicated in recital 7 of the GDPR preamble, which states, “Natural persons should have control of their own personal data.” Thus, the right to protection of personal data is primarily intended to give data subjects control over their data. The specific content of this right is defined by the protective instruments provided for in the GDPR. Among other things, these instruments consist of a guaranteed right to information about processed data, the right of control, but also the right to object to data processing. Many of these rights are similar to the bundle of rights also found in classical property law structures. However, important differences also exist.

Continue reading “What is the right to personal data?”