News aggregator
IMY investigates Svea Inkasso
IMY investigates the alarm company Verisure
Important public announcement for Karlskoga, Örebro County.
Snow warning for Västerbotten and Norrbotten
EDPB comments on the Trans-Atlantic Data Privacy Framework
EDPB adopts statement on the new Trans-Atlantic Data Privacy Framework, letter concerning independence of Belgian SA & discusses membership Spring Conference
Brussels, 7 April - The EDPB adopted a statement on the announcement of a new Trans-Atlantic Data Privacy Framework. The EDPB welcomes the commitments made by the U.S. to take ‘unprecedented’ measures to protect the privacy and personal data of individuals in the European Economic Area (EEA) when their data are transferred to the U.S. as a positive first step in the right direction.
The EDPB notes that this announcement does not constitute a legal framework on the basis of which EEA data exporters can transfer data to the U.S. Data exporters must continue taking the necessary actions to comply with the case law of the Court of Justice of the European Union (CJEU), and in particular its Schrems II decision of 16 July 2020. The EDPB will pay special attention to how this political agreement is translated into concrete legal proposals.
The EDPB looks forward to assessing carefully the improvements that the new framework may bring in light of EU law, CJEU case law and previous recommendations of the Board, once the EDPB receives all supporting documents from the European Commission. In particular, the EDPB will analyse whether the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate. In addition, the EDPB will examine how the announced independent redress mechanism respects EEA individuals’ right to an effective remedy and to a fair trial. More specifically, the EDPB will look into whether any new authority part of this mechanism has access to relevant information, including personal data, when exercising its mission and whether it can adopt decisions binding on the intelligence services. The EDPB will also consider whether there is a judicial remedy against this authority’s decisions or inaction.
The EDPB reiterates that it remains committed to playing a constructive role in securing transatlantic transfers of personal data that benefit EEA individuals and organisations.
Next, the EDPB adopted a letter expressing concerns about the recent legislative developments in Belgium aimed at reforming the law establishing the Belgian Supervisory Authority (BE SA), as it may negatively impact the stability and the independent functioning of the Belgian authority.
The EDPB stresses that independent supervision, which it fears is impacted by the proposed reforms, is essential to the fundamental right to data protection and for this reason is protected by the Charter and the EU Treaty. It is also the cornerstone of effective enforcement under the GDPR and effective cooperation among SAs. Furthermore, the EDPB is concerned about the proposals’ alignment with the GDPR and strict CJEU case law. In particular, the EDPB pointed out as issues the interruption of the current mandate of the BE SA’s external members and the added grounds of dismissal of members. The EDPB also questions how the various proposals leading to increased parliamentary oversight may relate to the requirement for SAs to “remain free from external influence” in accordance with Art. 52(2) GDPR. In addition, the EDPB states that the legislative proposal to make the use of a shared service centre mandatory may conflict with the SA’s freedom to choose and have its own staff (Art. 52(5) GDPR), which may result in indirect external influence on the stability and functioning of the BE SA.
Finally, the EDPB agreed to request observer status within the Spring Conference of European Data Protection Authorities. The Spring Conference provides a platform for dialogue for data protection authorities all over Europe, including non-EEA countries. This request forms part of the EDPB Strategy 2021-2023 to strengthen engagement with the international community and to facilitate cooperation between EDPB members and the data protection authorities of third countries.
EDPB Deputy Chair Aleid Wolfsen said: “International cooperation is vital to upholding data protection rights in the EEA and beyond. This is another important step forward in reinforcing our engagement with the international community to promote EU data protection standards and to ensure effective protection of personal data beyond EU borders.”
EDPB_Press Release_2022_05
Warning for heavy snowfall in central Sweden
Fourth dose of COVID-19 vaccine for everyone aged 65 and over
Increased number of IT attacks against health care
Reported personal data breaches 2021
Spanish SA imposes a fine on Telefónica Móviles España for a loss of confidentiality related to mobile phone SIM card duplicate
Date of final decision: 08/11/2021
National Case
Controller: TELEFÓNICA MÓVILES ESPAÑA, S.A.U.
Legal Reference: Confidentiality (Article 5.1.f)
Decision: Imposition of a fine of 900,000 euros.
Key words: Loss of confidentiality.
Summary of the Decision
Origin of the case
Various claims are filed as a result of the issuance of duplicate SIM cards to third parties other than subscribers. As a result of the above, the holders of the telephone line are not only left without service, but the third parties access their bank accounts.
We find an assumption of using fraudulent practices based on the generation of duplicates of SIM cards without the consent of their legitimate holders in order to access confidential information for criminal purposes (known as "SIM Swapping").
Key Findings
Spanish DPA carries out research actions to analyze the procedures followed to manage SIM change requests by TELEFÓNICA MÓVILES ESPAÑA, S.A.U., identifying the vulnerabilities that may exist in the implemented operating procedures, to detect the causes for which these cases could be occurring, as well as to find points of non-compliance, improvement or adjustment, to determine responsibilities, reduce risks and increase security in the processing of personal data of affected persons.
The data that is processed to issue a duplicate SIM card and the SIM card (Subscriber Identity Module), which unequivocally identifies the subscriber on the network, are personal data, and their treatment must be subject to data protection regulations.
It has been verified that the measures implemented by TELEFÓNICA MÓVILES ESPAÑA, S.A.U. were insufficient, so they generated a loss of confidentiality and the transfer of personal data to a third party.
Decision
The AEPD imposes a total fine of 900,000 euros for the infringement consisting of a lack of confidentiality.
For further information: https://www.aepd.es/es/documento/ps-00021-2021.pdf
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.