Opinion of the Greek DPA on the Greek Data Protection Law
Today, January, 27, the Greek Data Protection Authority issued a very judgmental opinion on the provisions of the Greek Data Protection Law.
The Greek Law 4624/2019 implements provisions of the GDPR, while incorporating Directive 2016/680.
In September 2019, one month after the adoption of the law, Homo Digitalis had filed a petition to the Data Protection Authority together with the Consumers’ Union EKPOIZO, requesting the issue of such an Opinion.
The DPA’s Opinion is very thorough and underlines many important issues arising from the Law 4624/2019. We note that many of the articles, in which the Opinion refers to, were at the centre of our second complaint to the European Commission for non-compliance of the Greek Law with the European legislation. (Complaint no. CHAP(2019)03059).
The DPA notes that it shall not implement any of the provisions of Law 4624/2019, which are contrary to the GDPR.
The full Opinion in Greek is available here.
Homo Digitalis particates in CPDP 2020
On January, 24 Homo Digitalis will have the great honour to participate in Computers, Privacy, Data Protection (CPDP) 2020, the most prominent conference in Europe on ethical and legal issues regarding new technologies.
This year, the conference will focus on the use of Artificial Intelligence and its consequences on personal data protection.
Our organization will contribute to a panel held by European Digital Rights (EDRi) on “AI and Migration Control: New Tools In The Service Of Fortress Borders”
Head of the panel will be Ms. Anna Fielder, EDRi President.\
The members of the panel will be:
– Petra Molnar, coordinator of the Human Rights program in the Faculty of Law of Toronto and EDRi – Mozilla Open Web Fellow,
– Christian D’Cunha, Director of the personal office of the European Data Protection Supervisor -EDPS,
– Patrick Breyer, Member of the European Parliament with European Pirates.
Homo Digitalis will be represented by Mr. Eleftherios Chelioudakis, one of the co-founders of our organization and Secretary of the Board.
The panel will take place at 14.15. If you are in CPDP, come to meet us!
The full schedule of the conference is available here.
It is worth noting that more Homo Digitalis members have taken part in CPDP in the past, representing the organizations they work for.
Homo Digitalis signs a letter to the European Commission
On Tuesday 14 January, European Digital Rights (EDRi) and 41 more organizations, including Homo Digitalis, sent an open letter to the European Commission requesting transparency during the implementation the EU Copyright Directive.
With this letter, we ask the Commission to publish any documents and guidelines it will draft on the topic. We also ask for the proposals submitted by the co-signing organizations to be taken into account during the drafting of such guidelines.
You may read the full letter here.
Open Letter to Alphabet Inc. CEO, Mr. Sundar Pichai
On 8 January 2020, Privacy International and more than 50 other organizations, including Homo Digitalis, sent an open letter to the Alphabet Inc. CEO, Mr. Sundar Pichai.
With this letter, the co-signing organizations, ask Google to take immediate measures to prohibit the use of pre-installed applications on Android smartphones, which constitute a threat to privacy of the users.
These applications are currently permitted to operate outside the Android security protocols. It is notable that 91% of the said apps are not available in Google Play.
These pre-installed apps are usually found in cheap Android smartphones and permit the use of the camera or the microphone, or even access to the device location.
However, privacy and personal data protection are not luxuries, but human rights!
You may read the full letter here and also participate in this campaign here.
Open letter to the Minister of Digital Governance
On Friday 3 January 2020, Homo Digitalis sent an open letter to the Minister of Digital Governance, Mr. Kyriakos Pierrakakis, regarding the ePrivacy Regulation
We sent this letter following another letter sent on 11 October 2019 to the Minister. With this second letter, we ask the Minister to support during 2020 the adoption of an ePrivacy Regulation by the Council of Europe; this Regulation shall enhance the level of protection of digital rights and freedoms for all Greek citizens.
Despite the fact that the draft ePrivacy Regulation was not adopted by the Council on 22 November 2019, Member States may start again negotiations to adopt a Regulation, which shall enhance the privacy of European citizens on electronic communications.
If the draft Regulation is fully rejected, the European Commission shall draft a new proposal for the Regulation, thus, leading to a big delay. This delay shall mean less protection for people’s privacy.
You may read the letter in Greek here.
Anastasia Karagianni at TEDx Lesvos
Anastasia Karagianni, member of Homo Digitalis gave a talk at TEDx Lesvos on September 29, 2019, which was held in Municipal Theatre of Mytilene. Anastasia experienced a strange incident with her smartphone which then becomes the trigger to change her view of online theory.
How can her smartphone know her favourite milk and suggest it to her?
Where is the moral line of privacy and what happens when private companies and governments cross that line?
You can watch her talk here.
Greek Police: Non-compliance with Data Protection Legislation
Today, 3 January 2020, Homo Digitalis sent an open letter to the Greek Data Protection Authority, communicating the violation of article 53 of Law 4624/2019 by the Greek Police.
According to this provision, all law enforcement authorities in Greece must publish general, easily accessible and understandable information on their websites regarding their data processing activities. Such information are for instance the way of communication with the data controller and the rights of the data subject.
The website of the Greek Police and the Ministry of Citizen Protection do not contain such information.
With 5 months having already passed from the adoption of Law 4624/2019, we submitted that non-compliance of the Greek Police with the said provision constitutes an important obstacle to the actual protection of people’s rights.
We have contacted the Greek Police on the issue twice: on 19 November 2019 and 3 December 2019. We did not receive any response.
Therefore, we communicated this violation to the President of the Greek Data Protection Authority.
Our letter and all relevant documents are available in Greek here.
Hellenic Police plans to introduce face recognition technology
Civil society organisation AlgorithmWatch has published on its website an article on the use of face recognition technology by law enforcement authorities in European Union countries. Homo Digitalis’s Lefteris Chelioudakis had the honour to participate in this research.
According to the survey data, at least 10 member states of the EU already use relevant application of face recognition, while many countries including Greece have already planned its immediate implementation.
Specifically in Greece, on Saturday 14/12/2019, an official statement was issued on the website of the Ministry of Citizen Protection where is widely publicised that Hellenic Police Directorate has signed a contract with INTRACOM TELECOM company fot the supply of “Smart Policing” System amounting to 4 million Euro.
According to the new technical specifications issue in the context of implementing these measures, as it has been published on Hellenic Police’s website in April 2018 and in particular on pages 5/178 and 147/178 inter alia, one of this measure’s purposes is the delivery to the Greek Police of a software of photography profile recognition, through which the comparison between digital files and pictures of persons will be conducted in order to identify and verify citizens, vehicles and security documents. In fact, as it appears on page 5/178 of the same document,there’s no such availability of facial recognition as of today. In DIAVGEIA has been published the allocation decision of the results in the public tender for this action in INTRACOM TELECOM on March 2019, while the mentioned company has published the said project on its website in July 2019.
Hellenic Police already participates (from August 2018 till July 2021) in a research programme of of the European Union, named SPIRIT (“Scalable privacy preserving intelligence analysis for resolving identities”), please see available information here.
Homo Digitalis today on December 16, 2019 submitted an open letter to the Minister of Citizen Protection, Mr. Michalis Chrisochoidis in order to ask more information regarding the contract with the company Intracom Telecom (registration number: 20977/17.12.2019). We also seek additional information so as whether the Ministry of Citizen Protection complies with the provisions of Law 4624/2019 on impact assessments on the protection of personal data, especially bearing in mind the prior consultation with the Hellenic Data Protection Authority (Articles 65 and 67). You can read our letter here.
Also, the contract referred to Automatic Number Plate Recognition (ANPR), which according to an article published in the newspaper “To Vima” such technology is already in use since the summer of 2019. We would like to remind you that recently the Austrian Constitutional Court ruled out that the use of ANPR technology by the Austrian police authorities is infringing the national Constitution.
Finally, Homo Digitalis has submitted an official request to the European Union asking for access to information related to the SPIRIT program, in which the Hellenic Police Directorate participates, and the pilot implementation of that project in Greece. You can learn more here.
Reparations for immaterial damage under the GDPR: A new context
Written by Giorgos Arsenis*
A court in Austria sentenced a company to 800 Euros of compensation-payment towards a data-subject, for reasons of immaterial (emotional) harm, according to article 82 of the GDPR (General Data Protection Regulation). The verdict is not in force yet, since both parties have appealed the decision, but in case the verdict will remain unchanged in the second instance, then the company might be facing a mass lawsuit, where about 2 million data-subjects are involved.
The case has gained momentum since its outcome will constitute a legal paradigm, upon which future cases will be based. But let’s take a step back and have a broader look at this verdict and the consequences this application of article 82 might have towards the justice systems of other members of the European Union.
Profiling
The fact that a Post Office gathers and saves personal data of its customers is nothing new. But after a data-subject’s request, it was revealed that Austria’s Post, allegedly, evaluated and stored data that concerned the political preferences of approximately 2 million of its clients.
The said company used statistical methods such as profiling, aiming to estimate the level of affinity of a person towards an Austrian political party (e.g. significant possibility of affinity for party A, insignificant possibility of affinity for party B). According to media, it appears that none of the customers had provided their consent for this processing activity and in certain cases that information was acquired by further entities.
Immaterial harm has a price
The local court of Feldkirch in Voralberg, a confederate state of Austria bordering with Lichtenstein, where the hearing took place in the first instance, ruled that the sheer feeling of distress sensed by the claimant due to the profiling he was subjected to without his consent, constitutes immaterial harm. Therefore, the accuser was awarded 800 Euros, from the 2.500 Euros he claimed initially.
The court acknowledged that the political beliefs of a person are a special category of personal data, according to article 9 of GDPR. However, it also acknowledged that every situation perceived as unfavorable treatment, cannot give rise for compensation claims based on moral damages. Nevertheless, the court concluded that in this case, fundamental rights of the data-subject had been violated.
The calculation of the compensation was based on a method that applies in Austria. In line with that method, the court took two main elements into account: (1) that political opinions are an especially sensitive category of personal data and (2) that the processing activity was conducted without the awareness of the data-subject.
And now?
The verdict is no surprise. Article 82 § 1 of the GDPR clearly foresees compensation payment for immaterial harm. However, with 2,2 million data-subjects affected from this processing activity and simply by doing the math, what derives is the amount of 1,7 billion Euros. Certain is, that if the court of appeal confirms the decision, there will be a plethora of similar cases for litigation. This is the reason why already, in neighbouring Germany, many companies specialize in cases like this.
The Independent Authority
After the decision of the local court in Feldkirch in the beginning of October 2019, towards the end of the same month (29.10.2019) the Austrian Data Protection Authority (Österreichische Datenschutzbehörde), announced that an administrative sanction of 18 million Euros was imposed to the Austrian Postal Service. Beyond political beliefs, the independent authority detected more violations. Via further processing, evidence about the frequency of package deliveries or residence change were obtained, which were used as means for direct-marketing advertisement. The Austrian Postal Service, which by half belongs to the state, reported that it will take legal action against this administrative measure and justified the purpose of the processing activities as legitimate market analysis.
What makes the verdict distinctive
The verdict in Feldkirch shows that the courts are able to impose fines for certain “adversities” caused by real or hypothetical violations of personal data.
Unlike the independent authority, that imposed the administrative sanction due to multiple violations of the GDPR-clauses, the local court in Feldkirch focused on the ‘disturbance’ sensed by the complainant.
The complainant simply stated that he ‘felt disturbed’ for what happened, i.e. without pleading a moral damage resulting from the processing activity, such as defamation, copyright abuse or harassment by phone calls or emails. The moral damage was induced by the fact that a company is processing personal data in an unlawful manner.
You can find the decision here.
* Giorgos Arsenis is an IT Consultant και DPO. He has long-standing experience in IT Systems Implementation & Maintenance, in a number of countries in Europe. He has been active for agencies and institutions of the EU and in the private sector. He is qualified in servers, networks, scientific modelling and virtual machine environments. Freelancer, specializes on Information Security Management Systems and Personal Data Protection.
Digital Sources: