Austria: Literature note - Jahnel, Jahrbuch Datenschutzrecht 2015

Jahnel (ed.), Jahrbuch Datenschutzrecht 2015 (2015), Verlag NWV (table of contents, pdf):
The Jahrbuch Datenschutzrecht 2015 contains contributions on current questions of data protection law, namely on the annulment of the Safe Harbor decision by the CJEU and on the right of access in the context of video surveillance, which was considerably restricted by a ruling of the VwGH (Austrian Supreme Administrative Court). Also examined in depth are the relationship between the protection of personality rights, the protection of one's own image and data protection, the data security measures under § 14 DSG and the question of data protection law in corporate transactions. A further contribution makes clear that political parties, too, are well advised to observe the requirements of data protection law in their election campaigns on social media. The yearbook is rounded off by a practical and up-to-date overview of case law on data protection law in the form of systematically organised headnotes.
Source: NWV

GDPR: Presidency debriefing, Preparation for trilogue

Note dated 20.11.2015 from Presidency to Permanent Representatives Committee: Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) [First reading] [pdf; 14319/15]:
- Presidency debriefing on the outcome of the trilogue
- Preparation for trilogue - Chapters I, VI, VII, VIII, IX, X and XI
[This note contains] a comparative table which compares in 4 columns the Commission proposal, the position of the European Parliament in 1st reading, the Council’s General Approach and compromises tentatively agreed at previous trilogues as well as compromise suggestions by the Presidency. Text marked in brackets will be discussed by the Permanent Representatives Committee separately.
Presidency debriefing [pdf; 14318/15]:
[...] 5. In the context of the European Council's objective to conclude the reform by the end of the year, the Presidency submits for examination with a view to confirmation to the Permanent Representatives Committee compromise suggestions on the main outstanding issues relating to Chapters I, VI, VII, VIII, IX, X and XI of the draft General Data Protection Regulation. On the basis of the outcome of this examination, the Presidency will engage in trilogue with the European Parliament with the aim to find an early second reading agreement.
The Presidency invites the Permanent Representatives Committee to focus the discussion on the following main outstanding issues where further input is needed. [...]

Source: Statewatch


Code of Practice on Secondary Use of Medical Data in Scientific Research Projects

Code of Practice on Secondary Use of Medical Data in Scientific Research Projects [pdf]:
This Code of Practice aims to provide a set of harmonised rules applicable to secondary use of medical data. It is intended to be useful to research projects involving multiple legal entities established in one or more EU member countries. Secondary use of data occurs when data is used for a purpose different from the purpose for which the data was initially collected. Enabling secondary use of medical data by healthcare professionals and researchers is important to improve the quality of health care and research effectiveness. At the same time, it is important to protect patient privacy and to ensure that no harm is done to a patient through the use of the data. [...]


EU Commission: Guidance on the Transfer of Personal Data from the EU to the USA

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL [pdf] on the Transfer of Personal Data from the EU to the United States of America under Directive 95/46/EC following the Judgment by the Court of Justice in Case C-362/14 (Schrems)
Press release; excerpts from the Q&A:
Why is the Commission issuing a Communication?
As long as the negotiations are not finalised, companies need to comply with the ruling and rely on alternative transfer tools where available. The Commission's explanatory communication analyses the consequences of the judgement and sets out the alternative mechanisms for transfers of personal data to the US. The Commission will also continue to work closely with the independent data protection authorities to ensure a uniform application of the ruling.
What can companies use instead of the Safe Harbour?
In the meantime, before the reviewed Safe Harbour is agreed, transatlantic data flows between companies can continue to flow using other mechanisms for international transfers of personal data available under EU data protection law.
These other mechanisms include:
  • Standard contractual clauses with companies across the Atlantic, which specify data protection obligations and are approved by the Commission.
  • Binding Corporate Rules for transfers within a multinational corporate group, and which are approved by national DPAs.
Data protection rules also include derogations under which data can be transferred on the basis of:
  • Conclusion or performance of a contract (including pre-contractual situations, e.g. in order to book a flight or hotel room in the U.S., personal data may be transferred);
  • Establishment, exercise or defence of legal claims;
  • If there is no other ground, the free and informed consent of the individual.
Where do the negotiations towards a safer Safe Harbour stand?
On the Recommendations on transparency, enforcement and redress (1 to 11), there is agreement in principle, but the Commission is still discussing how to ensure that these commitments are binding enough to fully meet the requirements of the Court. [...]


Paper: Quantitative analysis of privacy compromising mechanisms on websites

Timothy Libert, Exposing the Hidden Web: An Analysis of Third-Party HTTP Requests on One Million Websites (pdf)
Abstract: This article provides a quantitative analysis of privacy compromising mechanisms on one million popular websites. Findings indicate that nearly nine in ten websites leak user data to parties of which the user is likely unaware; over six in ten websites spawn third-party cookies; and over eight in ten websites load Javascript code from external parties onto users' computers. Sites which leak user data contact an average of nine external domains, indicating users may be tracked by multiple entities in tandem. By tracing the unintended disclosure of personal browsing histories on the web, it is revealed that a handful of American companies receive the vast bulk of user data. Finally, roughly one in five websites are potentially vulnerable to known NSA spying techniques at the time of analysis.

Update 06.11.2015: Also intriguing: [...] We found that many mobile apps transmitted potentially sensitive user data to third-party domains, especially a user’s current location, email, and name. [...] Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps by Jinyan Zang, Krysta Dummit, James Graves, Paul Lisker, and Latanya Sweeney


Düsseldorfer Kreis: Guidance on data protection requirements for smart TV services

Orientierungshilfe zu den Datenschutzanforderungen an Smart-TV-Dienste (Guidance on data protection requirements for smart TV services; PDF; as of September 2015, version 1.0)
[...] This guidance is addressed to providers of smart TV services, in particular device manufacturers, portal operators, app providers, and providers of recommendation services and of HbbTV offerings. After a description of the relevant terms (chapter 2), it contains a brief overview of the structure of smart TV usage including the providers involved (chapter 3) and of the legal bases for the respective communication (chapters 4 to 6), and, following from this, a presentation of the concrete data protection and technical-organisational requirements for smart TV services (chapter 7). [...]