Case Proposal: the service claims to be GDPR compliant for European users

I propose the following data to be a new case:

| Fields | Data |
|---|---|
| Name | The service claims to be GDPR compliant for European users |
| Description | The service has a different behavior towards users protected by the GDPR. |
| Classification | good |
| Topic | Topic Jurisdiction and governing laws (ToS;DR Phoenix) |
| Weight | 20 |
2 Likes

Good idea!
This summarizes some important information that other cases could not cover.
I’d modify two things however:

  • The acronym is GDPR in English :wink:

  • Since other good cases include GDPR requirements (such as Case 195 and Case 140), I’d decrease the weight to 20 to avoid favouring a service too much for simply being compliant with laws

2 Likes

I agree with you for this point.

1 Like

I would change the wording to “the service claims to be GDPR compliant for European users”, as we have no way to know whether or not the service is actually compliant just by looking at the terms of service alone.

This would also open up the possibility to add many similar cases for other jurisdictions, e.g. California, Brazil, etc., that have similar laws.

3 Likes

I totally agree with you, and it’s true that we could later add points for each “big” law of geographical area as you said for Brazil, California, etc.

1 Like

I allow myself by this message to re-launch the discussions on this proposal of case.

1 Like

No adverse opinions have been expressed, so the case has been created.
I’ve created a similar case applying to CCPA (California Privacy Laws).

Regarding Brazilian privacy laws, I don’t know much about them, but the LGPD looks very similar to European laws (such as rights over personal data according to this article), so I’d propose to add in the description of Case 481 that it also applies to services compliant with similar data protection laws.

1 Like

I don’t know the Brazilian privacy laws, but I suggest adding the Swiss privacy laws.

1 Like

Are Swiss privacy laws transborder too? If so, I’d agree.

1 Like

I found this in the Swiss DPA (Data Protection Act).

"Art. 6 Cross-border disclosure of data

1 No personal data may be disclosed abroad if the privacy of the data subjects would be seriously endangered as a result, in particular due to the absence of legislation that guarantees an adequate level of protection.

2 Despite the absence of legislation that guarantees an adequate level of protection abroad, personal data may be disclosed abroad only under one of the following conditions:

a. sufficient safeguards, in particular contractual ones, ensure an adequate level of protection abroad;
b. the data subject has, in the specific case, given consent;
c. the processing is directly connected with the conclusion or performance of a contract and the data processed concerns the contracting party;
d. the disclosure is, in the specific case, essential either to safeguard an overriding public interest or to establish, exercise or defend a legal claim before the courts;
e. the disclosure is, in the specific case, necessary to protect the life or physical integrity of the data subject;
f. the data subject has made the data accessible to everyone and has not formally objected to the processing;
g. the disclosure takes place within the same legal person or company, or between legal persons or companies under the same management, provided that the parties are subject to data protection rules that guarantee an adequate level of protection.

3 The Federal Data Protection and Information Commissioner (the Commissioner, Art. 26) must be informed of the safeguards referred to in para. 2 let. a and of the data protection rules referred to in para. 2 let. g. The Federal Council regulates the details of this duty to provide information."

If you want more information, I’ll let you consult the law online: Fedlex

1 Like

It isn’t completely transborder then, but protects its users somehow against data transfers outside Switzerland.
I’ve never seen Privacy Policies claiming to be compliant with Swiss laws, though :thinking:

You have Protonmail, ProtonVPN and all of the Swiss administration at least, and I see them from time to time. In fact I’m Swiss, and for me this law is important.
I believe that the Swiss data protection law is one of the strictest in the world, but I’m not sure.

2 Likes

Indeed, and we have a case for jurisdictions with strong privacy laws: Case 241: The court of law governing the terms is in a jurisdiction that is friendlier to user privacy protection.
What I meant is that no service outside Switzerland claims to be compliant with Swiss laws, while services outside the EU may try to be compliant with European laws so that they can provide services to users in the EU.

1 Like

Does that also happen in regards to CCPA for Californian users? Could you give an example of a service not in California that claims to be compliant with CCPA?

2 Likes

By searching the ToS;DR database, I’ve found for instance Discogs, for which the governing court is in the state of Oregon and not California, and yet it provides a California Privacy Notice.
Same for the New York Times (California Notice - The New York Times)

3 Likes

Thanks for the example @Agnes_de_Lion, that’s very interesting indeed.

In regard to your proposal of conflating GDPR and LGPD in the same case, if the reasoning is just from the similarity between the two laws, I would advise against it. While the GDPR served as inspiration and motivation for the LGPD, there are some important differences. Like, for instance, the blanket exemption given in the LGPD for financial institutions and credit bureaus.

I suggest that, when we can find an example of a service not originating from Brazil that claims compliance with the LGPD, then we create a new case for the LGPD.

2 Likes

The Endurance International Group is governed by the laws of Massachusetts and yet has a Privacy Policy specially for users in Brazil.
I’m creating the case then! Case 483: The service claims to be LGPD compliant for Brazilian users

4 Likes

Coming back to the Swiss data protection law, I found a service based in California that makes a difference for Swiss residents.

If you are a resident in Switzerland, the contact details for the data protection authorities are available here: Startseite.

They don’t give more rights to Swiss residents, they only provide a specific contact form…

2 Likes

oke oke, so much for me Sorry

2 Likes