Parliament recently enacted the Third, Fourth and Fifth COVID-19 Acts. Although these laws have significantly changed the Austrian legal framework, none of them include data protection provisions. Thus, the legislature appears to have overlooked a significant data protection issue arising from the new law – namely, the conflict of interests between the amended Social Insurance Act and the EU General Data Protection Regulation.
Due to the COVID-19 pandemic, telecoms providers must now send mass alerts (eg, regional access prohibitions) via text message on order of the government and provide traffic and location data for the purposes of evaluating whether individuals are complying with quarantine orders. In addition, a number of legislative developments have taken place with respect to data protection. This article outlines these recent changes.
With the adoption of the EU General Data Protection Regulation, the EU legislature intended to strengthen the rights of individuals (ie, data subjects or applicants) by giving them greater control over how their personal data is used. Applicants must be informed of the processing of their personal data and be able to verify whether such processing is lawful. Accessing documents is not necessary to achieve that goal. This view is supported by two recent Austrian decisions.
'Influencer marketing' means taking advantage of bloggers and other persons who have their own social media channels to promote goods and services. While the concept of transmitting arguably hidden advertising is problematic, there are many variations of this and the lines between hidden advertising and personal opinion are often blurred. As such, the Advertising Council recently issued guidelines for dealing with influencer marketing as a specific means of marketing communication.
The EU General Data Protection Regulation (GDPR) has created a new understanding and awareness of data protection. Despite being a directly applicable legal act, the GDPR has created significant work for the Austrian federal legislature, which has chosen to impose it by implementing the narrow but general Data Protection Act and introducing amendments to ordinary legal acts individually. However, these amendments are essentially limited to wording adjustments and restrictions on data subjects' rights.
The Personal Information Protection Act (PIPA) was introduced to regulate and protect the use of personal information and embodies eight core privacy principles which are internationally recognised and accepted. As with the PIPA, the General Data Protection Regulation (GDPR) was enacted to govern the use of personal information and data. Bermuda companies should seek legal advice to determine whether the GDPR applies to their operations and, if so, how.
The president recently approved, with a partial veto, the Project for a General Law regarding Data Protection. The law will regulate the processing of personal data in Brazil. Even though this adaptation may be costly and time consuming, the enforcement of the law is expected to guarantee greater protection of personal data, increasing confidence in Brazil's economic environment.
The Tianjin Cyberspace Administration recently issued a circular which requires the operators of apps (including mini-programs and website tools) for the prevention and control of COVID-19 to fulfil personal information obligations in accordance with the law, provide relevant information on personal information protection online and carry out security-based self-assessments and rectification processes, where required.
The Network Security Administration of the Ministry of Industry and Information Technology (MIIT) recently interviewed the party responsible for the Sina Weblog App regarding a data breach caused by malicious use of the user query interface. Sina Weblog replied that it has upgraded its interface security strategy and will perform its data protection obligations according to MIIT's instructions.
The National Information Security Standardisation Technical Committee recently released the Network Security Standard Practice Guidelines – Guidelines for Personal Information Security Protection by Apps for public consultation. Based on the statistics released by certain assessment tools and the typical issues which have come to light due to the COVID-19 pandemic, the guidelines summarise 10 activities which app operators should avoid.
In order to protect personal information during the prevention and control phases of the COVID-19 pandemic, the Office of the Central Cyberspace Affairs Commission issued the Circular on Ensuring Effective Personal Information Protection and Utilisation of Big Data to Support Joint Efforts for Epidemic Prevention and Control. This article examines the circular's main requirements.
The National Financial Standardisation Technical Commission recently issued the Personal Financial Information Protection Technical Specification to regulate the secure management of personal financial information. Based on the damaging effects of unauthorised access to or the modification of such information, institutions without the corresponding financial qualification are not authorised to collect certain types of personal financial information.
Croatia has among the lowest number of infected persons and persons requiring hospital care due to the COVID-19 outbreak. Despite this fact, the government has amended the Electronic Communications Act enabling the legal use of mobile data as an additional tool in its strategy to combat the pandemic. However, the process has been deterred by the opposition finding the amendments potentially unconstitutional and unjustified.
The European Commission's recent communication shows that only two member states have adopted the national legislation required to implement the EU General Data Protection Regulation. Others, Croatia included, are at different stages of the process. To meet the May 25 2018 deadline, Croatia should promptly address its national approach to open issues – in particular, its policies surrounding administrative fines.