test data Archives - TechGDPR (https://techgdpr.com/blog/tag/test-data/), feed generated Thu, 30 Jan 2025

Data protection & privacy digest 12 – 24 October 2022: first GDPR certification seal, test databases, password management
Published on TechGDPR, Tue, 25 Oct 2022: https://techgdpr.com/blog/data-protection-digest-25102022-first-gdpr-certification-seal-test-databases-password-management/
TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: first European data protection seal, GDPR harmonisation rules, data breach notification, children’s data protection, artistic and literary works

The EDPB has approved the very first GDPR certification seal (its detailed opinion accompanies the approval). Europrivacy thereby becomes the first certification mechanism that can demonstrate GDPR compliance. It was developed through the EU research programme Horizon 2020 and is continuously updated by the European Centre for Certification and Privacy in Luxembourg and its International Board of Experts. Companies and services can use the scheme to increase the value of their business and the trust in their services, and in particular to:

  • assess the compliance of their data processing activities,
  • select data processors,
  • assess the adequacy of cross-border data transfers,
  • assure citizens and clients of the adequate processing of their data.

The scheme applies to a wide variety of data processing activities while taking into account sector-specific obligations and risks, for example in AI, IoT, blockchain, automated vehicles and smart cities. It is supported by a ledger-based registry of certificates for authenticating issued certificates and preventing forgery. The seal’s criteria are published in a format that is both human- and machine-readable. It is also aligned with ISO standards and can easily be combined with certification of an information security management system under ISO/IEC 27001.

The EDPB is also asking the European Commission to clarify and harmonise procedural rules that still differ between Member States: the rights of complainants, the criteria for handling complaints, the scope and nature of the documents that must be shared in complex investigations, deadlines for handling cases, how cases are closed, investigative powers, and the publication of decisions. Complaints can sometimes be resolved without contention, for example once the supervisory authority’s (SA’s) intervention has enabled the data subject to exercise their rights; however, the current lack of harmonisation on such amicable settlements creates difficulties.

To support children, their parents and educators in the digital world, the French regulator CNIL provides practical sheets, games and videos in clear and straightforward language (in French only). These include a digital vocabulary explaining to children what terms such as IP address, cookies or paywall mean, and teach the right reflexes for subscribing to a social network (“TacoTac”), downloading online games onto parents’ devices, sharing “funny” images or videos of other people online, and more.

Latvia’s data protection authority DVI explains the principles of data processing within artistic and literary expression, since a creator’s finished work may contain other people’s data. Before making a work available to the general public, the artist or writer must satisfy themselves that:

  • the work was created within the framework of the artist’s right to freedom of speech and expression;
  • the right to privacy and data protection of the natural persons whose data is included in the work is not threatened;
  • the work does not threaten interests of the data subject that outweigh the public’s interest in seeing it;
  • works (for example photos) in which natural persons are depicted offensively, or which may cause personal, moral or other harm and thereby infringe that person’s privacy, are not published;
  • where the natural persons involved are informed of the planned purpose, it is stated clearly, without hidden intentions.

The EDPB is seeking public comments on updated guidelines on personal data breach notification under the GDPR. The original guidelines were adopted by the Article 29 Working Party in 2017 and later endorsed by the EDPB; the new text is a slightly updated version of them. In particular, the EDPB saw a need to clarify the notification requirements for personal data breaches at non-EU establishments, and the relevant paragraph has been revised. Any reference to the WP29 guidelines on personal data breach notification should from now on be read as a reference to these EDPB guidelines.

Legal processes: test databases, MiCA draft regulation, bank AML monitoring, debt information collection

The CJEU delivered a judgment (Case C‑77/21) on the storage limitation and purpose limitation principles: the creation and prolonged retention of a database used to carry out tests and correct errors, and whether such processing is compatible with the purposes for which the data was originally collected. The request came from proceedings between Digi, one of Hungary’s main internet and television providers, and the Hungarian data protection authority NAIH, after an ethical hacker gained access to a Digi test database. Digi had not deleted the test database, so a large amount of personal data had been stored without any purpose for almost 18 months, even though the data copied into it had been lawfully collected to conclude and perform subscription contracts. At the request of the Budapest High Court, the CJEU clarified that:

  • Recording and storing, in a database set up for testing and error correction, data previously collected for the subscription contracts is compatible with the purpose of initial collection and does not deviate from subscribers’ legitimate expectations about the further use of their data, since errors in the service are liable to harm the performance of the contract.
  • Nothing in the file indicated that the data concerned was sensitive, that the further processing had harmful consequences for subscribers, or that it lacked appropriate safeguards.
  • At the same time, a database created for testing and correcting errors must not be kept for longer than is necessary to carry out those tests and corrections; retention beyond that point breaches the storage limitation principle.

The final text of the Regulation on Markets in Crypto-assets (MiCA) has been endorsed by the Council of the EU and now awaits formal approval by the European Parliament. MiCA aims to provide a harmonised framework for the protection of holders of crypto-assets, including their data. Currently some crypto-assets fall outside the scope of EU financial services legislation, and apart from AML rules there are no rules for services relating to these unregulated assets, including the operation of crypto-asset trading platforms, the exchange of crypto-assets for funds or other crypto-assets, and the custody of crypto-assets. The absence of such rules leaves holders exposed to risks, in particular in areas not covered by consumer protection rules.

The proposed regulation states that issuing, offering or seeking admission to trading of crypto-assets, and the provision of crypto-asset services, may involve the processing of personal data, and that any such processing must be carried out in accordance with applicable Union law on the protection of personal data. Furthermore, crypto-assets are not to be considered offered for free where purchasers are required to provide, or to undertake to provide, personal data to the offeror. As regards transfers of personal data to a third country, the European Banking Authority is to apply Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions.

The Dutch data protection authority (AP) is concerned that a proposed anti-money laundering law opens the door to unprecedented mass surveillance by banks. The proposal would have all bank transactions of all Dutch account holders monitored algorithmically in one centralised database, and would oblige banks to exchange customer data with each other; in many cases the monitoring could be outsourced to a third party operating the algorithms. Taken together, the AP believes the risks of this system are disproportionate to the purpose of the bill: for instance, people could wrongly lose access to their bank accounts altogether. Banks are already required to carry out individual checks on people or companies that may be laundering money or financing terrorism, and to report unusual transactions to the authorities.

The Norwegian data protection authority Datatilsynet has responded to the government’s proposal to extend the debt information scheme to mortgage-secured debt. The regulator recognises that banks and other creditors need to process information about existing mortgages and car loans when assessing a loan application, but finds that the proposal conflicts with the data minimisation principle: banks and other credit institutions already have access to this information, and the real purpose of the extension appears to be making creditors’ collection of it more efficient. That should be achieved in a more privacy-friendly way, and Datatilsynet also points out that citizens’ debt information is attractive to both public and commercial actors, which increases the risk of purpose creep.

Investigations and enforcement actions: lost erasure request, generic responses to DSARs, whistleblowing reports management, Clearview AI fine, Zoetop data leak

The Italian privacy regulator Garante fined BPER Banca 10,000 euros for infringing Arts. 12 and 17 of the GDPR. The complainant had asked the bank by email to delete his professional account from a job application database. The bank acknowledged the email and asked him to repeat the request together with identity documents, which it duly received at the same email address. That last communication was not followed by any effective action by the responsible unit (HR planning and development), owing to an internal misunderstanding: changes to the company’s email system had disrupted communication between corporate functions. The deletion request was finally fulfilled only after the complainant’s lawyer sent a registered letter claiming pecuniary and non-pecuniary damage for the failure to erase. The bank noted, however, that some of the applicant’s data would still need to be processed for administrative, accounting, operational and organisational reasons, and that statutory retention periods would also apply in case of litigation or administrative or judicial proceedings.

Garante also imposed a 10,000 euro fine on Clio S.r.l. for infringing Arts. 5, 6 and 30 of the GDPR, in connection with similar decisions issued against the Municipality of Ginosa and Acqua Novara.VCO, DataGuidance reports. Clio supplies and manages, on behalf of various public and private entities, an application used to receive and manage whistleblowing reports. Garante found that Clio had failed to formalise its relationships with the customers acting as data controllers, so that it had carried out processing without an appropriate legal basis, and had failed to keep a register of the processing activities carried out on their behalf. Garante did note Clio’s cooperative behaviour during the investigation.

The Croatian data protection authority AZOP recently issued a negative opinion on a telecoms provider’s generic response to a data subject access request (in this case asking where the data was stored). The complainant received a generic notice listing the categories of data collected together with the legal bases, and was told that any information on the processing of data collected with his consent could only be obtained from the point of sale. Not satisfied with the generic answer, he repeated his request in greater detail the same day, asking specifically where his data was stored, but received no answer from the company.

The French regulator CNIL imposed a penalty of 20 million euros (the maximum fixed amount under Art. 83(5) of the GDPR) on Clearview AI and ordered the company to stop collecting and using the data of people in France without a legal basis and to delete the data already collected. Clearview had previously been given two months to comply with a formal notice and to justify its compliance to the CNIL, but did not respond. Clearview scrapes photographs from a wide range of websites, including social media pages that can be viewed without logging in, and extracts images and videos from distribution platforms. From this collection it builds, expands and sells access to a search engine in which an individual can be searched for by image, a service it offers to law enforcement agencies. Clearview CEO Hoan Ton-That told the media that the company had no clients or premises in France and was not subject to EU privacy law, adding that it collected “public data from the open internet” and complied with all standards of privacy.

The New York Attorney General secured 1.9 million dollars from the e-commerce retailer Zoetop (owner of SHEIN and ROMWE) for failing to properly handle a data breach that compromised the personal information of tens of millions of consumers. Zoetop was targeted in a cyberattack in which 39 million SHEIN account credentials were stolen worldwide, including those of more than 375,000 New York residents. The attackers took credit card information and personal information including names, email addresses and hashed account passwords. Zoetop did not detect the intrusion itself and was later notified by its payment processor that its systems appeared to have been compromised; it also falsely represented that it had seen no evidence that credit card information had been taken.

Data security: data breaches, software support practices, password management

The Latvian data protection authority DVI has published a quick reminder of what constitutes a personal data breach and how to report it. Breaches can be classified according to the three classic information security properties:

  • Confidentiality breach: attackers have found a security “hole” in the organisation’s information system and retrieved customers’ personal data.
  • Integrity breach: because of an incorrectly written SQL query, the integrity of a customer database stored in the cloud has been lost, so new records are assigned to the wrong reference fields and one customer’s information is attributed to another.
  • Availability breach: because of an incorrect backup policy, the live database is overwritten with a six-month-old backup, with no possibility of restoring a more current version.

An organisation must therefore have developed and implemented an internal procedure for determining whether a breach has occurred, and a procedure for assessing the resulting risks. Unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, the organisation must notify the supervisory authority within 72 hours of becoming aware of it; if the notification is made later, the reasons for the delay must be given. Finally, the causes of the breach must be thoroughly investigated and measures taken to prevent a recurrence.

Privacy International looked into the software support practices for five of the most popular categories of connected devices (smartphones, personal computers, gaming consoles, tablets and smart TVs) and concluded that they fall short of what the vast majority of consumers expect. Most EU consumers surveyed expect their connected devices to receive security updates for much longer than manufacturers currently offer, and in many cases software updates, including security updates, are provided for a shorter period than the product’s expected life cycle. As for accessibility of information, only a few companies appeared to publish detailed update policies online. PI therefore argues that it is critical for software to be kept up to date for a long time so that devices remain secure and risks to consumers’ privacy and security are reduced.

Against a background of increasing compromises of password databases, the French CNIL has updated its password recommendation to reflect the current state of knowledge and to help organisations guarantee a minimum level of security for this authentication method. According to a 2021 Verizon study cited by the CNIL, 81% of data breach notifications worldwide are related to a password issue. In France, about 60% of the notifications the CNIL has received since the beginning of 2021 relate to hacking, and a large number could have been avoided by following good practice (for example two-factor authentication or electronic certificates).

If password management operations are entrusted, in whole or in part, to a processor, roles and responsibilities must be precisely defined and formalised, and the required security level and the security objectives assigned to the processor must be clearly set out, taking into account the nature of the processing and the risks it is likely to create. Finally, while mere publishers of password management software are not themselves subject to the data protection framework, the organisations using that software are; the software’s documentation must therefore specify in detail how passwords are generated, stored and transmitted.

Big Tech: human behaviour that leads to data breaches, Australia data leaks, Meta’s Pixel tracking tool, AI hiring tools, speech to identify mental health problems

London-based cybersecurity company OutThink has raised 10 million dollars in early-stage investment to help organisations identify the human behaviour that can lead to data breaches. The company, which claims that human behaviour is the source of 91% of data breaches, uses machine learning, natural language processing and applied psychology to identify, understand and manage the attitudes, intentions and sentiments of individuals.

Australia is considering increased penalties for data breaches following a series of major cyberattacks. The country’s telecoms, financial and government sectors have been on high alert since Optus, the second-largest telecoms operator, disclosed a hack in which personal data from up to 10 million accounts was stolen. That was followed by a breach at health insurer Medibank Private, which covers one-sixth of Australians and whose data includes medical diagnoses and procedures. Woolworths Group also said its online retailer MyDeal had identified that a “compromised user credential” was used to access its systems, exposing the data of nearly 2.2 million users, Reuters reports.

At least 47 proposed class actions have been filed since February claiming that Meta Platforms Inc.’s Pixel tracking tool sent the plaintiffs’ video consumption data from online platforms to Facebook without their consent, in violation of the federal Video Privacy Protection Act, a Bloomberg Law analysis of court dockets found; almost half of the new cases were filed in September alone. The complaints allege that the defendant platforms knowingly disclosed protected information by allowing Meta’s embedded Pixel code to share a subscriber’s viewing activity and unique Facebook ID with the social network.

AI hiring tools do not reduce bias or improve diversity, according to Cambridge University researchers, in a study of a technique that the BBC, reporting on it, described as “pseudoscience”. In particular, one of the research team argues, these tools cannot be trained to identify only job-related characteristics and strip gender and race out of the hiring process, because the attributes we consider essential in a good employee are inherently bound up with gender and race. Some companies have also found the tools problematic, the study notes: a German public broadcaster found that wearing glasses or a headscarf in a video changed a candidate’s scores.

Finally, software that analyses snippets of speech to identify mental health problems is rapidly making its way into call centres, medical clinics and telehealth platforms, putting privacy activists on alert, Axios reports. Unlike Siri and Alexa, vocal biomarker systems analyse how you talk (prosody, pauses, intonation, pitch and so on) rather than what you say. The voice sample is run through a machine-learning model that compares it against a large database of anonymised voices, which may amplify systemic biases against people from particular regions or backgrounds or with a particular accent.

The post Data protection & privacy digest 12 – 24 October 2022: first GDPR certification seal, test databases, password management appeared first on TechGDPR.

Weekly digest October 25 – 31, 2021 “Privacy, DP, and Compliance news in focus”
Published on TechGDPR, Tue, 02 Nov 2021: https://techgdpr.com/blog/weekly-digest-october-25-october-31-2021-privacy-dp-and-compliance-news-in-focus/
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The Administrative Court of Düsseldorf clarified that the GDPR does not apply retroactively. In 2016, charges were brought against the plaintiff, a long-serving civil servant with the police and intelligence services, for tax evasion, followed by an alleged disclosure by the court of details of the investigation to the press. The plaintiff complained to the local data protection authority, the DSG NRW, which explained that the existing data protection laws applied to the courts only where they perform administrative tasks, so the allegedly inadmissible disclosure of court files fell within judicial activity outside its remit. In 2019 the plaintiff brought an action to have the GDPR enforced, relying on Art. 78 (right to an effective judicial remedy against a supervisory authority). The court upheld the authority’s decision, adding that even though a data protection breach was manifestly present, redress was time-barred: the plaintiff’s data protection proceedings were no longer pending when the GDPR entered into force, and neither the GDPR nor the old law contains transitional provisions, which would require specific legislation.

Quebec’s Bill 64 and its new requirements for cross-border transfers of personal information are explained in McCarthy Tétrault’s latest blog series. The previous Private Sector Act allowed personal information to be transferred to third parties without prior consent if the transfer was essential for the original business purposes. The new rules require a prior privacy impact assessment (PIA) and a written contract establishing the scope of the mandate, the purposes for which the third party may use the information, the categories of persons who will have access, and data subjects’ right to object. Bill 64’s notion of “adequate protection” in the country of destination remains ambiguous compared with PIPEDA’s “comparable level of protection” and the GDPR’s adequacy decisions. The law also makes no distinction between international and inter-provincial transfers, and does not say how often businesses should conduct PIAs.

The US Court of Appeals for the 2nd Circuit decided when trivial breaches of personally identifiable information (PII) are not actionable. To have standing, the plaintiff must first establish an “injury in fact”, and the court identified three factors to consider: whether the PII was exposed as the result of a targeted attempt to obtain it, whether any portion of the dataset had already been misused, and whether the type of data exposed is so sensitive that there is a high risk of identity theft or fraud. The case, McMorris v. Carlos Lopez & Associates, was brought by former employees after their employer accidentally emailed 65 employees a spreadsheet containing social security numbers, home addresses, dates of birth, telephone numbers, educational degrees and dates of hire for approximately 130 current and former employees. The spreadsheet was not shared outside the company or otherwise taken or misused by third parties. Read more details in the analysis by Thompson Coburn.

A similar dismissal of a trivial, low-level data breach claim in the UK is explained by Blake Morgan. In Rolfe & Ors v Veale Wasbrough Vizards LLP, the court confirmed that it is not sufficient for claimants merely to establish that a data breach occurred; they must go on to show that they suffered a material or non-material loss as a result that is more than trivial. The claim arose from solicitors sending a letter containing some personal information to the wrong recipient, who immediately notified the solicitors and then deleted the email.

In Australia, a draft bill increasing privacy breach penalties was released, with industry submissions invited within the following month. Under the draft, the maximum penalty for companies for serious or repeated privacy breaches rises to the highest of 10 million dollars, three times the value of any benefit obtained through the misuse of the information, or 10% of the corporate group’s annual Australian turnover. The bill also enables an online privacy code covering a wide range of organisations, to regulate social media services, large online platforms and data brokers.

The US Federal Trade Commission announced an updated rule strengthening financial institutions’ data security safeguards, following recent data breaches that caused significant harm to consumers, including monetary loss, identity theft and other financial distress. The updated Safeguards Rule requires non-banking financial institutions such as mortgage brokers, motor vehicle dealers and payday lenders to develop, implement and maintain a comprehensive information security program to keep customer information safe. Institutions must also explain their information-sharing practices, specifically the administrative, technical and physical safeguards they use to access, collect, distribute, process, protect, store, transmit, dispose of or otherwise handle customer information. In addition, they must designate a single qualified individual to oversee the information security program and report periodically to the board of directors or a senior officer in charge of information security.

The Danish Business Authority announced that in future it will not prioritise supervision of the consent rules for simple statistics cookies. It justifies the change by recognising that cookies are a necessity for websites, and that the current negotiations on the proposed ePrivacy Regulation indicate that simple statistics cookies for traffic measurement will be exempt from consent requirements.

The Danish data protection agency concurs that there may be a need for data controllers to collect and use information for statistical purposes in order to improve their website. However, the rules of the GDPR still apply whenever personal data about website visitors is collected and processed – for statistical or any other purposes. This means that the data controller – e.g. the owner of the website – must ensure that there is a legal basis for the processing of personal data. This also applies to any subsequent processing of data that takes place either at a data processor or when transferred to other independent data controllers.

Official guidance

The German federal data protection authority, the BfDI, clarified how employers should handle employees’ COVID-19 vaccination status. Employers generally may not process their employees’ vaccination status without express statutory authorisation, not even in the context of the pandemic, since vaccination status is a special category of data under Art. 9 of the GDPR. Processing is possible only in individual cases on the basis of legal requirements, namely in the health care sector, in daycare facilities for children, in the event of a possible infection and subsequent quarantine under state pandemic control rules, or on the basis of freely given and documented consent. If the vaccination status is to be stored, no copies of vaccination cards or comparable certificates (original or copy) may be placed in the personnel file; it is sufficient to note that they have been presented.

Cyprus’s privacy commissioner clarified the use of CCTV on private property. While the GDPR does not apply to purely personal or household activities, recording should not extend beyond the perimeter of the private property, and complaints should be made to the police, since the data protection office has no power to enter a private property to examine footage. Visible signs should state that CCTV is in use, explain why, and give a contact number for the operator. If CCTV is installed by a building’s management committee, the committee becomes the data controller. Cameras may be installed at building entrances and exits, outside lift doors, and over tills and payment points, provided they are pointed only at those areas, and in building car parks if the management committee deems it necessary. CCTV is not allowed in toilets, corridors, lobbies, inside lifts, or in the indoor or outdoor areas of cafés, bars and restaurants.

Denmark’s data protection agency has published guidance (in Danish) on using personal data to test IT systems. Depending on the circumstances it may be reasonable and necessary to use personal data when developing and testing IT systems: for example in final integration tests with other, external systems, or where producing realistic anonymised test data is very difficult, in particular because it is hard to reproduce all the errors and irregularities that occur in a production environment. It may also be reasonable to use a limited amount of personal data for troubleshooting and error correction, and sometimes it may even be unsafe to put a system into production without first testing it with production data, personal data included. Such testing nevertheless requires a risk assessment for the data subjects (for example employees, customers and citizens) and security measures appropriate to that assessment.
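Both the CJEU’s Digi judgment in the earlier digest and the Danish guidance here point the same way: a test database derived from production is justified only while it serves its testing purpose, and the data in it should be no more identifying than the tests require. The following Python script is an added example written for this digest, not code from either regulator. It assumes a small, constructed two-table production export (customers and invoices), a per-environment secret key, and HMAC-SHA256 tokenisation of the customer identifier, so that customer-to-invoice links and production irregularities such as an orphan invoice survive while names, emails and phone numbers do not; it also stamps the extract with a delete-by date and provides a release check that no production identifier leaked through.

```python
"""Deriving a pseudonymised, time-limited test extract from production data.

Added example for this digest, not code from the Danish DPA or the CJEU.
Assumptions (not from the guidance): a constructed two-table 'production'
export (customers and invoices), a per-environment secret key, and
HMAC-SHA256 tokenisation of customer_id so customer -> invoice links and
production oddities such as orphan invoices survive while direct
identifiers are replaced.
"""
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed sample rows standing in for a production export.
PROD_CUSTOMERS = [
    {"customer_id": 1001, "name": "Anna Berg", "email": "anna.berg@example.com",
     "phone": "+4512345678", "plan": "fibre-300"},
    {"customer_id": 1002, "name": "Ole Hansen", "email": "ole@example.org",
     "phone": "+4587654321", "plan": "tv-basic"},
]
PROD_INVOICES = [
    {"invoice_id": 5001, "customer_id": 1001, "amount_dkk": 299.0, "status": "paid"},
    {"invoice_id": 5002, "customer_id": 1001, "amount_dkk": 299.0, "status": "overdue"},
    {"invoice_id": 5003, "customer_id": 1002, "amount_dkk": 149.0, "status": "paid"},
    # Orphan row with no matching customer: the kind of production
    # irregularity the guidance says synthetic data tends to miss.
    {"invoice_id": 5004, "customer_id": 1003, "amount_dkk": 0.0, "status": "void"},
]


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string; default to today."""
    if value is None:
        return date.today()
    return value if isinstance(value, date) else date.fromisoformat(value)


def pseudonym(key: bytes, field: str, value) -> str:
    """Deterministic keyed token. Equal inputs give equal tokens under one
    key, so foreign keys still join; without the key the token cannot be
    reversed or linked to production, and a different key (another
    environment) yields unlinkable tokens."""
    msg = f"{field}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def build_test_extract(customers, invoices, key, retention_days=30, today=None):
    """Replace direct identifiers, keep structure, and record a delete-by
    date so the extract cannot quietly outlive its testing purpose."""
    today = _as_date(today)
    test_customers = []
    for c in customers:
        tok = pseudonym(key, "customer_id", c["customer_id"])
        test_customers.append({
            "customer_id": tok,
            "name": f"Customer {tok[:6]}",   # synthetic, not reversible
            "email": f"{tok}@test.invalid",  # .invalid never resolves
            "phone": None,                   # not needed for tests: dropped
            "plan": c["plan"],               # non-identifying, kept verbatim
        })
    test_invoices = [
        {**inv, "customer_id": pseudonym(key, "customer_id", inv["customer_id"])}
        for inv in invoices
    ]
    return {
        "meta": {
            "purpose": "integration testing and error correction",
            "created": today.isoformat(),
            "delete_after": (today + timedelta(days=retention_days)).isoformat(),
        },
        "customers": test_customers,
        "invoices": test_invoices,
    }


def leaked_identifiers(extract, prod_customers):
    """Release gate: list any production name/email/phone that still appears
    anywhere in the serialised extract. An empty list means the gate passes."""
    blob = json.dumps(extract)
    return [(c["customer_id"], f) for c in prod_customers
            for f in ("name", "email", "phone") if c[f] in blob]


def orphan_invoices(extract):
    """Invoices whose customer token has no customer row (structure preserved)."""
    known = {c["customer_id"] for c in extract["customers"]}
    return [i["invoice_id"] for i in extract["invoices"] if i["customer_id"] not in known]


def is_expired(extract, today=None) -> bool:
    """True once the extract has passed its delete-by date; a scheduled job
    should then drop the test database rather than let it linger."""
    return _as_date(today) > date.fromisoformat(extract["meta"]["delete_after"])


if __name__ == "__main__":
    key = b"test-env-key-not-the-production-key"  # assumed per-environment secret
    extract = build_test_extract(PROD_CUSTOMERS, PROD_INVOICES, key, today="2022-10-25")
    print(json.dumps(extract, indent=2))
    print("leaks:", leaked_identifiers(extract, PROD_CUSTOMERS))
    print("orphans:", orphan_invoices(extract))
```

Run it directly to print the extract and the two checks. The tokens are keyed rather than plain hashes so that someone who can enumerate customer IDs cannot link a test environment back to production, and a different key per environment keeps test extracts unlinkable to each other; the delete_after date is what a scheduled cleanup job should act on, which is the control Digi lacked.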

Some other important guidance published by regulators in the EU and abroad includes:

  • The most common mistakes made by the communities working on draft codes of conduct, by the Polish data protection authority, UODO. These include a lack of clear justification of the purpose of the code, an applicant for approval of the code that does not represent the majority of the sector, or a draft code whose scope of consultation is too narrow, not including, for example, data subjects.
  • Guidelines on political campaigns were set by Malta’s IDPC, including the legal bases for door-to-door canvassing, postal and telephony communication, as well as online canvassing, and opting out from direct advertising.
  • China’s draft guidance on identifying important data sets out the identification principles as well as a list of important data. One of them divides data into three classes, namely public data, personal information, and legal person data, and five levels according to their importance – public, internal, sensitive, important and core. Entities in the industrial and telecom sectors are also required to first divide the data into different types – research data, production operation data, management data, operation maintenance data, business service data and personal information, and then divide data into levels and classes.
  • The European Data Protection Supervisor offers ever-so-simple guidance on protecting your personal information from phishing attacks. Suitable even for a young audience, it encourages you to STOP if you receive a suspicious message or email, THINK before you click on any links or attachments contained in the message, and LOOK for clues such as how the email or message is phrased, the time at which it was sent, the list of recipients, the sender’s number or email address, or a tone of urgency in the message.
  • California’s Attorney General has provided consumers and businesses with tips on how to defend against cyber threats. The recommendations emphasise complexity – from creating strong passwords, limiting the personal information shared online and checking the privacy settings on your device, to encryption, employee training and Wi-Fi network security.

Enforcement actions

Spain’s data protection authority, the AEPD, has issued its third-largest fine after finding flaws in the consent acquisition language used by CaixaBank. The investigation also uncovered that CaixaBank requested information about an individual from the solvency file, even though the individual had no ongoing contracts with the bank. The individual was also included in the bank’s marketing campaigns for a pre-granted credit, without a proper legal basis or consent and without adequate information about the data processing, including profiling. The aggravating factors for the significant fine were the volume of the business and the duration and severity of the negligence.

The AEPD also fined a data controller, Servicios Logísticos Martorell, 16,000 euros for implementing a biometric identification system without carrying out a DPIA beforehand. A workers’ union complained that the company had implemented a biometric identification system to control its 520 workers’ access using their fingerprints, a system that was used alongside a card reader system. The union argued that the workplace was so big that employees had a 20-minute walk to reach their work station, so the company wanted an additional control system to determine when they really arrived at their post. The company argued that the biometric system is more reliable than using cards, since people could use another worker’s card.

The Dutch data protection authority, the AP, has rejected the licence application of a Dutch association of small and medium enterprises to keep a blacklist of possible fraudsters and share that blacklist with companies from different sectors. The AP may grant such licences only when it is necessary for the data to be shared and sufficient safeguards have been put in place, such as implementing a data collection and sharing protocol. Similarly, the AP rejected a licence application from Fraudehelpdesk, a governmental initiative that helps victims of fraud find their way to the right authorities, for not having an implemented protocol in place. “In the event of a data breach, telephone numbers, e-mail addresses and other personal data of suspected perpetrators, whose crime was not proven, can roam the internet. If you are known as a fraudster, even if this is unjustified, you could be fired, for example. Then it may be difficult to get a loan or to rent a home.”

The Czech data protection authority, the UOOU, has published an overview of data breach inspections for the first half of 2021. In one of the complaints, a former insurance company employee stated that the IT department did not fill out an exit checklist at the end of any employee’s contract. This checklist includes the revocation of data access; skipping it infringed Art. 32(2) of the GDPR by failing to sufficiently consider the risks of unauthorized access to the data, which could have led to unauthorized disclosure of personal information. In another case, a company operating an online store used cookies illegally. When a user decided to obtain more information about the processing of personal data before granting consent, and clicked on the link “Personal data”, this click itself triggered uninformed consent to the processing of personal data through cookies.

Individual rights

A group of 850 professional footballers in the UK challenged the use of their personal data. In the opinion of Herrington Carmichael, “Professional athletes’ performance statistics and attributes have become intrinsic to the sports industry. This information is passed through a multitude of platforms, giving information to clubs on potential player transfers and opponents and it is widely published in the media sphere.” The footballers argue that the unchallenged use of their personal data by these firms contravenes their data protection rights under the UK GDPR. They do not consent to the sharing of their data, which may be used for illegitimate purposes by betting companies, scouting platforms or even video game manufacturers. Moreover, it can be damaging if the data being shared about them is inaccurate: they could miss out on transfers, which matter not only for their personal careers but for the sports industry as a whole. Collectively, the group has claimed compensation for the misuse of their personal data from dozens of firms and demands an annual fee for any firm’s future use of their personal data.

Opinion

Telemedicine and the exploitation of personal health data are analysed by Privacy International. Real-time, video-based health consultations, as well as health monitoring software with machine learning capabilities, wireless sensors, etc., have become widely used by health professionals and patients. As an example, during the pandemic everyday communications technologies, such as FaceTime or Skype, were widely accepted and used by nationwide public health services in the US and the EU. The data collected by these applications varies, ranging from concrete data points (eg heart rate, glucose and blood oxygen levels) to video footage. One of the biggest security concerns stems from the fact that the tools, in terms of design, functionality and security, are controlled by a third party rather than the healthcare actors.

The European legal challenges that connected vehicle (CV) manufacturers face regarding personal data are explained in a nutshell by Bird & Bird:

“It could be that different pieces of information, such as vehicle service information, which on the surface don’t appear to constitute personal data, can be collated and linked to an individual via, for example, a Vehicle Identification Number. The consequence of this is that the CV manufacturer as the data controller might be under an obligation to divulge this data in response to data access requests which can be time consuming. There is a solution known as “tokenisation” which involves anonymising the data irreversibly.”

The EU regulator, the EDPB, has recently published draft Guidelines on the processing of personal data in the context of CVs and mobility-related applications. CV manufacturers must abide by the GDPR obligations in full, including privacy notices to car users and guarantees of data security and data minimisation during repairs and data-driven after-sales services.

Big Tech

Canada’s Office of the Privacy Commissioner published observations following the joint statement by a number of data protection authorities on global privacy expectations of video teleconferencing companies, such as Microsoft, Google, Cisco and Zoom. Expected measures include multilayer visual and audible contextual and timely privacy notices, the ability to opt out of attendance or engagement reports, virtual and blurred backgrounds, user consent prior to a host unmuting audio or activating video, transparency on third-party contractors, and disclosure of data centre location. Whenever possible, users should be able to choose which locations and jurisdictions their personal information is routed through and stored in, and contractual measures should ensure that information is adequately protected when shared with third parties, including in foreign jurisdictions, along with end-to-end encryption and limitation of the secondary use of data.

China’s market regulator proposed a long list of responsibilities it said it wanted the country’s internet platforms to uphold, in the latest effort by Beijing to establish an oversight framework for its technology sector. Super large platforms are defined as those having more than 500 million users, a wide range of business types, and a market value of more than 1 trillion yuan (13 billion euros), a description that would apply to the likes of Alibaba Group, Tencent Holdings and Meituan. Customer data should not be obtained without users’ consent, and platforms should be transparent when using big data to recommend products. China’s top internet regulator also published draft guidelines that will subject companies with more than 1 million users in the country to a security review before they can send user-related data abroad. Companies that have already sent abroad, or intend to send abroad, the personal information of more than 100,000 users, or “sensitive” personal information belonging to 10,000 users, would also be bound by the requirement.

Meanwhile in the US, an executive at TikTok, owned by the Beijing-based internet technology company ByteDance, faced tough questions during the video-sharing app’s first appearance at a congressional hearing, saying the company does not give information to the Chinese government and has sought to safeguard U.S. data. Lawmakers were concerned about TikTok’s data collection, including audio and a user’s location, and the potential for the Chinese government to gain access to the information. The executive testified that TikTok’s U.S. user data is stored in the United States, with backups in Singapore. Senators also voiced concerns that TikTok and its rivals YouTube and Snapchat have algorithms that can be harmful to young people.

The Apple privacy updates, which began rolling out in April and prevent advertisers from tracking iPhone users without their consent, have had investors in digital ad companies on edge for fear that reduced access to data would upend the nearly 100-billion-dollar mobile ad market. Ad businesses such as Snap’s or Facebook’s rely on direct response advertising, an industry term for ad sellers and buyers who use information such as what devices consumers are using and what they are searching for to place ads in front of interested audiences, with the aim of quickly generating sales or website visits. Twitter is likely to be spared because the social networking site is mainly used for brand advertising, and Google is also shielded from the iPhone privacy changes because much of its usage comes from desktops, and the promoted results placed on Google searches are not dependent on iPhone data.

While everyone is buzzing about Facebook’s rebranding and transition to the future Metaverse, last week privacy experts once again reminded us of the increasing regulatory backlash against Meta: “Regulators the world over are seeking to exercise greater restrictions on what the FB platform can do, with a UK watchdog fining it 70 mln dollars for withholding information related to an ongoing antitrust oversight of its acquisition of GIF-sharing platform Giphy. In Ireland, regulators want to fine the company 38 mln dollars for breaching GDPR data collection policies. And in the US, Congress is increasingly discussing the prospect of amending protections given to social media platforms and reforming antitrust laws and data privacy regulations that affect Facebook.”

The post Weekly digest October 25 – 31, 2021 “Privacy, DP, and Compliance news in focus” appeared first on TechGDPR.