transfer risk assessment Archives - TechGDPR
https://techgdpr.com/blog/tag/transfer-risk-assessment/
Wed, 11 Jun 2025 12:02:43 +0000

Data protection & privacy digest 18 Feb – 3 Mar 2023: practical application of the EU-US Data Privacy Framework remains a concern
https://techgdpr.com/blog/data-protection-digest-06032023-practical-application-of-the-eu-us-data-privacy-framework-remains-a-concern/
Mon, 06 Mar 2023 10:24:41 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU-US data privacy framework, China’s outbound data rules, international transfer risk assessment, Australian small business to adopt data protection

The EDPB sees improvements under the EU-US Data Privacy Framework, but many more concerns remain. The improvements include the introduction of requirements embodying the principles of necessity and proportionality for US intelligence data gathering, and the new redress mechanism for EU data subjects. However, further clarifications are needed for:

  • rights of data subjects,
  • rules on automated decision-making and profiling,
  • onward transfers (e.g. to sub-processors in the US),
  • the scope of exemptions,
  • the practical functioning of the redress mechanism,
  • temporary bulk collection, retention and dissemination of data by the government (targeted surveillance of foreign persons located outside the US under Section 702 FISA and Executive Order 12333).

Finally, the EDPB recognises the role of special advocates and the supervision of the redress mechanism by the Privacy and Civil Liberties Oversight Board. In addition, it is troubled by the general application of the Data Protection Review Court’s standard reply informing the complainant that either no covered violations were found or a determination requiring appropriate remediation was made, especially given that this decision cannot be appealed.

The German Data Protection Conference also assesses the risks of third-country authorities’ access to personal data processed in the EU/EEA. The mere possibility that a foreign public authority or parent company of a European subsidiary can demand the transfer of data does not constitute a data transfer in itself. However, if a processor does proceed with a data transfer under third-country laws or corporate law instructions, it needs to provide sufficient guarantees, through transfer impact assessments or suitable technical and organisational measures, to ensure GDPR compliance.

Meanwhile, the Cyberspace Administration of China (CAC) has started approving outbound data transfers. From now on, all international data transfers must follow one of three procedures in order to be legal: a mandatory security assessment for significant data transfers, or state-approved standard contractual clauses or certification for less significant data sets. Typically, companies need to prepare a 180-page document mapping out the data flow and then justify to the local and national authorities why certain data must leave China. For less significant cross-border transfers, the newly released standard contractual clauses do not require approval; however, the CAC has the right to intervene at any moment.

In Australia, small businesses with annual revenue of 3 million dollars or less may soon be required to abide by the Privacy Act, even though they are not currently required to protect users’ personal information or disclose how it is used. The 20-year-old exemption was introduced before businesses took up online platforms; now experts say small businesses are no longer a low risk for cybercriminals. Small business associations claim data security obligations will result in severe damage to the whole sector. The Australian government has not yet announced which changes it will adopt. Basically, companies would need to have a privacy policy, ensure adequate data security measures, and delete or de-identify data when it is no longer required.

Official guidance: international transfers definition, privacy by design and default for developers, deceptive design patterns, ROPAs, video surveillance

The EDPB updated its guidelines on the concept of international transfers. A clarification was added regarding the responsibilities of the controller when the data exporter is a processor. In addition, further examples and illustrations were added to clarify aspects of “direct collection” from individuals in the EU, as well as the meaning of “the data importer in a third country”. Processing of personal data outside the EU often involves increased risks, for example because foreign authorities can gain access to the data. These risks need to be identified and handled in order for the processing to be permitted under the GDPR.

The Catalan data protection authority issued guidance on Privacy by design and by default for developers. The regulations governing data protection by design and default do not specify which particular technical and organisational measures must be put in place, says the document. The controller, as well as the developers of the technological solutions, must conduct a prior analysis before determining the necessary measures. Determining the nature, scope, context, and purposes of the processing is the controller’s responsibility. The risks associated with each available technology must be taken into account when choosing a specific technological solution. Collaboration with developers is crucial at this point. 

Overloading, Skipping, Stirring, Obstructing, Fickle and Left in the Dark are the terms used to describe the main tactics employed in deceptive design patterns. The EDPB has issued an update on how they apply to social media interfaces and on the best practices to recognise and avoid them. The guide offers assistance in design thinking processes for designers, but also alerts users of social media platforms, with numerous examples and illustrations.

The importance of records of processing activities (ROPAs) needs underlining, says the Latvian data protection agency. A ROPA is not a document that can be developed, put on the shelf and forgotten about, explains the regulator. The organisation can assign one or more responsible persons to maintain the register (in electronic, Excel or paper format). The responsible person can also be a data protection officer, whose duties include the creation and maintenance of the document. The organisation can include not only the mandatory information for each processing activity but also supplement the records with supporting documentation, for example impact assessment reports.

Video surveillance is a strong invasion of privacy because it profoundly affects people’s thinking and actions, states the Estonian data protection agency. The smaller the area of surveillance, the better. The shorter you keep data, the better. Recordings may not be used for purposes other than the original objective (with rare exceptions). Finally, visual warning signs should always be complemented with more detailed privacy notices available on demand.

Investigations and enforcement actions: security patches and ransomware, non-existent debts and data deletion, conditions for cookie walls, Tesla security camera improvements

The Irish data protection authority fined Centric Health 460,000 euros for a data breach caused by a ransomware attack in 2019. The attack, which restricted access to patient data, hit 11 Primacare GP practices integrated into Centric Health’s IT system. It affected the data of 70,000 patients; of those, 2,500 had their data deleted with no backup available during attempts to mitigate the attack, the Irish Times reports. The investigation into Centric Health discovered ‘Calum’ ransomware on the system, which encrypts data and asks for payment to decrypt it. Back-ups of the system were also affected by the ransomware.

A forensic expert hired by Centric did not find any evidence of data exfiltration: “No evidence of archive files consistent with the attacker compressing large amounts of data for exfiltration was found on any of the systems, but this does not definitively rule it out”. However, the regulator’s investigation found that Microsoft had released a large number of patches in 2018 that Centric should have applied to its Windows operating systems. This demonstrated a serious lapse on Centric’s part and an inability to identify all software running on its systems at the time of the breach.

The Danish data protection authority examined the use of cookie walls in two different cases. Where the user can access the content of a website or service either by consenting to the processing of their data or by paying, the requirements of data protection rules for valid consent are met, the regulator concluded. The exception is when the service offered in exchange for consent is different from that offered for payment, and when users are not really presented with a free choice.

The Dutch privacy authority decided against a fine after Tesla made its security camera settings more privacy-friendly. Tesla used ‘Sentry Mode’ to help owners protect themselves against theft or vandalism by filming everyone nearby. Now the cameras are activated only if the vehicle is touched; the car does not automatically begin filming, but the owner receives an alert on their phone; the headlights flash to indicate to passers-by that filming has begun; and recordings are saved in the car, not shared with Tesla, and limited to no more than 10 minutes of footage.

Finally, the Croatian data protection agency fined a telecommunications company for failing to maintain up-to-date and accurate data. The complainant stated that the company was still processing her personal data even though she had not been its client for more than ten years. She found this out from a security incident notification she received from the company, and customer service then confirmed it. After her inquiry, the company found that it was still processing her personal data because, for unknown reasons, the data controller had linked a non-existent debt to her, and the computer system did not allow the data to be deleted until that non-existent debt was cancelled manually.

Data security: danger of low-tech hacks, UK’s new certification scheme, genomic data

The UK Information Commissioner’s Office has approved a new set of UK GDPR certification scheme criteria. The scheme is aimed at training and qualification service providers and will enable their candidates to make informed choices when applying for training programmes, with confidence that their personal data will be processed in accordance with the UK GDPR. This scheme follows three others: one covering the secure re-use and disposal of IT assets and the other two looking at areas including age assurance and children’s online privacy.

The US cyber security expert Brian Krebs demonstrates how low-tech hacks cause high-impact breaches. Last month web hosting giant GoDaddy revealed that a multi-year hack had given attackers access to company source code, login information for clients and employees, and customer websites. The incidents could have stemmed from a small number of GoDaddy employees falling for a sophisticated social engineering scam. Attacks using voice phishing, or vishing, frequently target workers who are based off-site. The phishers typically pose as members of the employer’s IT department when calling, aiming to persuade the target to enter their login credentials at an attacker-controlled website that looks like the company’s corporate email or VPN portal.

The US National Cybersecurity Center of Excellence has published a draft internal report on the cybersecurity of genomic data. Genomic data is immutable, associative, and conveys important health, phenotype, and personal information about individuals and their past and future. In some cases, small fragments of genomic data stripped of identifiers can be used to re-identify persons, though the vast majority of the genome is shared among individuals. The report proposes a set of solutions that address real-life use cases occurring at various stages of the genomic data lifecycle along with candidate mitigation strategies and the expected benefits of the solutions. Additionally, areas needing regulatory/policy enactment or further research are highlighted. The public comment period is now open through 3 April.

Big Tech: TikTok scrutiny, YouTube child data complaint

TikTok announced that it is creating a tool that will enable parents to prevent their teenagers from viewing certain content, as well as to limit the amount of time spent on the app. TikTok, owned by China’s ByteDance, is currently facing an international backlash over illicit content and data security concerns. The app has been banned from government-owned and work-related devices in the United States and Canada. The European Commission also banned the app on its corporate devices and on personal devices that might be connected to the official mobile network provided by the institutions within their premises.

Finally, in the UK, a member of the child advocacy group 5Rights filed a complaint with the Information Commissioner’s Office, asking Google/YouTube to stop collecting children’s data and potentially making it liable for the maximum penalty of as much as four percent of annual turnover. It is the first such complaint alleging that a major tech firm has broken the new Age-Appropriate Design Code, The Guardian reports. Although YouTube officially forbids users under the age of 13 from accessing its main website, the complaint claims the company failed to ensure that younger users were abiding by the rules and only accessing the main platform with parental permission.

Data protection & privacy digest 9 – 30 Nov 2022: Microsoft 365 non-compliance, Meta “data scraping” fine, Amazon Prime class action
https://techgdpr.com/blog/data-protection-digest-02122022-microsoft-365-non-compliance-meta-data-scraping-fine-amazon-prime-class-action/
Fri, 02 Dec 2022 10:50:44 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: Microsoft Office 365 cloud services, privacy complaints, lead supervisory authority, NIS2 Directive, Australia data breach penalties

The German Data Protection Conference negatively assessed the data processing agreements for Microsoft 365 cloud services against the requirements of Art. 28 of the GDPR. The regulators came to the conclusion that “no data protection-compliant use of it is possible”. The assessment is based on the “Data Protection Addendum for Microsoft Products and Services”, including the current updated version. The central and recurring question in the series of talks with Microsoft was in which cases it acts as the processor and in which as the controller:

  • Microsoft does not fully disclose in detail which processing takes place, including subcontracting relationships.
  • It does not fully explain which processing takes place on behalf of the customer and which for its own purposes.

During the discussions with Microsoft, the working group was not able to achieve any significant improvements in the drafting of the contracts (e.g. making them client-specific and detailed). The regulators were also not able to identify additional protective measures that could make the export of data to the US lawful. Many of the services included in MS 365 require the company to access unencrypted, non-pseudonymised data. You can read the detailed assessment summary in German here.

The Stockholm Administrative Court held that the data protection authority must investigate complaints. This also applies if the authority has opened a parallel ex officio investigation into a similar matter at the same company. In 2019, a data subject filed a complaint with the Austrian authority about Spotify’s answer to an access request. The complaint was forwarded to Sweden as the lead supervisory authority for Spotify. After three years of inactivity, the data subject requested a formal decision.

The EDPB is finalising updated guidelines on identifying a controller’s or processor’s lead supervisory authority. The rule is to determine the location of the controller’s main establishment or single establishment in the EU (if any), where decisions about the purposes and means of the processing of personal data are taken and where there is the power to have such decisions implemented. However, more than one lead supervisory authority can be identified where a multinational company decides to have separate decision-making centres in different countries for different processing activities. The most complicated might be so-called “borderline cases”, for example where decisions are taken exclusively outside the EU/EEA.

The EU has approved the Directive on measures for a high common level of cybersecurity across the EU (NIS2 Directive). Member states will have 21 months from its entry into force to incorporate the provisions into their national law. The act will repeal the current directive, amending the rules on the security of network and information systems in critical public and private sectors. The new rules will also cover so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in the selected sectors would fall under the legislation.

In parallel, the UK government is introducing a new mandatory reporting obligation on managed service providers to disclose cyber incidents, alongside minimum security requirements which could see fines of up to 17 million pounds. The announcement was made as the government published its response to a public consultation on amending the NIS Regulation after Brexit.

After several major data leaks in Australia, the Parliament has approved a draconian privacy penalty bill. Companies which fail to take adequate care of customer data will face much higher fines, rising from the current penalty of 2.22 million dollars to whichever is the greater of:

  • 50 million dollars;
  • three times the value of any benefit obtained through the misuse of information; or
  • 30 per cent of a company’s adjusted turnover in the relevant period.

The bill also provides the Australian Information Commissioner with greater powers to resolve privacy breaches and quickly share information about data breaches to help protect customers. The higher penalties and new powers will come into effect the day after it receives Royal Assent ahead of an overhaul of the Privacy Act following a comprehensive review by the Attorney-General’s Department, currently being finalised.

Official guidance: EU-US data transfers, BCR-C, transfer risk assessment, trusted processors, Google Fonts, whistleblowing management

The Hamburg Data Protection Commissioner published its observations on the proposed EU-US Data Privacy Framework. The regulator advised that transfer impact assessments must continue to follow the CJEU’s ruling on lawful EU-US transfers until the proposed framework is finalised. At present, nothing decisive has changed in the legal situation in the USA. Joe Biden’s recent Executive Order provides for a transitional period of up to one year; that is how long the eighteen US intelligence agencies have to integrate the guarantees provided for in the legal act into their practical work. This applies in particular to the new requirement to restrict data access to a reasonable level, and equally to the institutional guarantees created through the new complaints body and data protection court. These bodies are still being set up and will not be operational for several months.

The UK Information Commissioner’s Office has updated its guidance on international data transfers. This includes a new transfer risk assessment section and a TRA tool. The tool gives an initial risk level for categories of data and flags transfers that significantly increase the risk of privacy or other human rights breaches. Earlier this year the UK adopted an International Data Transfer Agreement and Addendum that replaced Standard Contractual Clauses for organisations transferring personal data outside of the UK.

The EDPB has updated its recommendations on Binding Corporate Rules for Controllers (BCR-C). Holders are asked to make the changes according to the instructions provided in the document. The GDPR expressly provides for the use of such data transfer policies by a group of undertakings. BCR approval only covers transfers to third countries or to international organisations; however, groups may design BCR to be used as their global data protection policy. The updated recommendations also bring the existing guidance into line with the requirements of the CJEU’s Schrems II ruling, which invalidated EU-US data transfers.

The Baden-Wuerttemberg data protection commissioner has presented a Code of Conduct for data processors, to create more legal certainty. By committing themselves to the code, processors make it clear to the outside world that they follow its guidelines and submit to monitoring by a body accredited by the regulator. Those interested can find the Trusted Data Processor code of conduct here.

Meanwhile, the Hessen data protection authority issued a warning about the use of Google Fonts. If the fonts are embedded from Google’s servers, the user’s browser contacts those servers to load them each time the website is accessed, and user data is transmitted to Google at that point. If personal data is transferred to a third country such as the US, the requirements for third-country transfers must also be met; if they cannot be met, the transfer is inadmissible. The authority therefore advises self-hosting Google Fonts on your own web server, and the same applies to other font providers.
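As an added example (not code from the TechGDPR digest or from the Hessen authority), the Python scanner below finds the remote font references the warning describes in a page’s HTML, so they can be replaced with self-hosted copies before the page goes live; the font host list and the sample page are assumptions constructed for the demonstration.

```python
"""Flag font resources that make a visitor's browser contact a third-party
font host, so the site owner can self-host them instead.

Added example; it is not tooling from the digest or any regulator.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts contacted when Google Fonts are embedded remotely (assumption for the
# demo; extend the set for other font providers, to which the advice applies too).
THIRD_PARTY_FONT_HOSTS = frozenset({"fonts.googleapis.com", "fonts.gstatic.com"})

# CSS forms that fetch a remote resource: url(...) and @import "...".
CSS_URL_RE = re.compile(
    r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""", re.I)

# <link rel=...> values that cause the browser to contact the referenced host.
NETWORK_RELS = ("stylesheet", "preconnect", "dns-prefetch", "preload")


class FontLoadScanner(HTMLParser):
    """Collects (location, url) pairs from <link> tags, <style> blocks and
    inline style="" attributes."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            rel = (a.get("rel") or "").lower()
            if any(r in rel.split() for r in NETWORK_RELS):
                self.refs.append(("<link rel=%s>" % rel, a["href"]))
        elif tag == "style":
            self._in_style = True
        if a.get("style"):
            self._scan_css("style attribute", a["style"])

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._scan_css("<style> block", data)

    def _scan_css(self, where, css):
        for m in CSS_URL_RE.finditer(css):
            self.refs.append((where, m.group(1) or m.group(2)))


def _host_of(url):
    """Hostname of an absolute or protocol-relative URL; '' for local paths."""
    return urlparse(url.strip()).netloc.split("@")[-1].split(":")[0].lower()


def is_third_party_font_host(host, hosts=THIRD_PARTY_FONT_HOSTS):
    """True if host is one of the font hosts or a subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in hosts)


def find_external_font_loads(html, hosts=THIRD_PARTY_FONT_HOSTS):
    """Return one finding per reference that would contact a font host.
    Local paths and other hosts are not reported."""
    scanner = FontLoadScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for where, url in scanner.refs:
        host = _host_of(url)
        if is_third_party_font_host(host, hosts):
            findings.append({"where": where, "host": host, "url": url})
    return findings


# Constructed sample page (not a real site): remote Google Fonts next to a
# locally hosted stylesheet and a locally hosted @font-face.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="//fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto&amp;display=swap">
<link rel="stylesheet" href="/static/site.css">
<style>
  @import url('https://fonts.googleapis.com/css?family=Open+Sans');
  @font-face { font-family: Local; src: url(/fonts/local.woff2) format("woff2"); }
</style>
</head><body style="font-family: Roboto, sans-serif">Hello</body></html>
"""

if __name__ == "__main__":
    for f in find_external_font_loads(SAMPLE_HTML):
        print("%-22s %-22s self-host instead of: %s" % (f["where"], f["host"], f["url"]))
```

Only the four remote references are reported; the local stylesheet and the locally served woff2 file pass, which is the state the authority’s advice aims for.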

Who becomes a data controller when outsourcing an internal whistleblower scheme? In various scenarios an external supplier can handle reports from whistleblowers via a) direct contact, b) an IT platform, or c) a combination of both. In the case of direct contact, the subcontractor gets a level of independence and decision-making, and both parties would act as data controllers (unless the employer provides very strict instructions to the supplier). However, the supplier can become a processor in relation to the operation (hosting) of the IT platform, in which case a data processing agreement may be needed.

Enforcement actions: M&A customer data, retention periods, account ownership, consent forms, data brokers, consent layers, misleading and incomprehensible commercial prospecting

The Italian regulator Garante fined the Douglas perfume chain 1.4 million euros because the data of millions of customers had been kept for many years. The company was formed in 2019 by incorporating three companies in the sector, and decided to keep the data of almost 3.3 million customers of the previous companies without requesting their consent. It will have to destroy data dating back more than 10 years, delete or pseudonymise the more recent files, properly secure them and inform the customers. It will also have to change the settings of the Douglas app, clearly distinguishing the contents of the privacy information. Customers must be allowed to express free and specific consent for the various activities (the company’s own marketing, third-party marketing and profiling).

The French CNIL imposed a fine of 800,000 euros on Discord Inc., also with regard to retention periods and the security of personal data. This US “voice over IP” service offers instant messaging, in which users can create servers and text, voice and video rooms. The company did not have a written data retention policy: there were 2.47 million accounts of French users who had not used their account for more than three years. Discord’s password management policy was not robust (passwords of only six characters including letters and numbers), and when a user logged into a voice room closed the app window by clicking the “X” icon, the app was merely put into the background and the user stayed connected.

The CNIL also sanctioned EDF 600,000 euros for commercial prospecting practices. The standard prospect data collection forms were made available by a data broker. However, EDF was not able to communicate to the CNIL the list of partners receiving the data, whereas such a list must be made available to individuals at the time they give their consent. Finally, the measures put in place by EDF with its data brokers to ensure that consent was validly given were insufficient. At the time of the audits, EDF did not check the consent forms used and did not conduct due diligence on its data brokers.

The Spanish AEPD fined online banking service Bankinter 80,000 euros for violating security obligations. The complainant had access to the data of a third party alongside their own personal data whilst accessing their monthly statement on Bankinter’s website. The incident occurred due to an error in managing the ownership of the accounts. The AEPD also fined BBVA 80,000 euros for violating the integrity and confidentiality principle: the claimant had requested a certificate of ownership for their account from the bank, but received a copy of a third party’s contract instead. Moreover, it took BBVA too long to remove the link to the file so that the claimant could no longer access, download or view the document.

The Danish data protection authority Datatilsynet criticised JP/Politiken’s consent procedure. It gave visitors three options (Necessary only, Customize Settings and Accept all). From the “first layer” it appeared that JP/Politiken processed personal data for statistical and marketing purposes. In the “second layer”, which the visitor could access by clicking on Customize Settings, the visitor could select their preferences for the processing purposes. However, the regulator assessed that visitors who clicked on Accept all did not receive information about all processing purposes.

The Italian competition authority AGCM fined Enel Energia and partner agencies over 5 million euros for unfair commercial practices. Various complainants received misleading messages disseminated by an answering machine and by call centre operators, which were intended to induce consumers to sign a contract with Enel Energia. In most cases, the consumers involved had never provided their consent, and some had been contacted despite their telephone numbers being in the Do Not Call register.

The Italian Garante also issued a fine similar to the one above against Vodafone. In this case, a woman over 80 was offered a contract read out at a speed of 200 words per minute for 6 minutes in a so-called “vocal order” (a contract concluded directly by telephone). The offer was judged to be incomprehensible, even after repeated listening. The fine of 500,000 euros imposed on Vodafone was calculated taking into account the aggravating circumstance of having committed other telemarketing violations in the previous three years.

Data security: public Wi-Fi, World Cup apps, M&A due diligence

Ahead of the festive season, the US NIST reminds consumers about the secure use of public Wi-Fi networks. These are wireless local area networks that are available to the public and do not require a password. Unfortunately, many public Wi-Fi hotspots and access points do not provide encryption, and networks that lack data-in-transit protections expose sensitive information to unauthorised eavesdropping. Employees can use public Wi-Fi to work remotely from numerous public places such as hotels, airports and coffee shops; if information is compromised, it may lead to serious harm, financial loss or reputational damage for an organisation. To mitigate this threat, individuals and enterprises should be mindful of using secure connections to websites and resources:

  • a virtual private network (VPN) solution, which ensures that all communication to and from their applications is encrypted before it leaves the device;
  • websites that use Hypertext Transfer Protocol Secure (HTTPS), which is HTTP transmitted over Transport Layer Security.

Visitors to the World Cup in Qatar are asked to pay close attention to their digital security. Two apps are required to attend the festivities, and visitors are advised to install them on a telephone that they do not use for anything else. No other personal data, such as telephone numbers, image or sound files, should be stored on this device. After using the apps, the operating system and all content on the phone should be completely wiped.

The Starwood/Marriott data security breach in Canada provides an important signal for parties to M&A transactions and for all organisations that handle personal information. After the two hotel chains merged, Marriott delayed measures to improve the security of the Starwood networks because they were due to be decommissioned. Marriott then discovered a breach of the Starwood network involving unauthorised access to approximately 339 million customer records. The regulator concluded that Marriott had failed to perform an ongoing assessment of its security safeguards, in breach of PIPEDA requirements. Class action lawsuits were also commenced against Marriott in Canada and the US.

Big Tech: Meta Ireland “data scraping”, Amazon Prime subscriptions, Voodoo gaming apps, Google location tracking

The Irish data protection commission concluded an inquiry into Meta Platforms Ireland, data controller of the “Facebook” social media network, imposing a 265 million fine and a range of corrective measures. The regulator commenced the inquiry after media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet. The scope of the inquiry concerned an examination and assessment of data security measures of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools. There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU.

A recent class action filed in Washington alleges that Amazon used dark patterns to make cancelling customers’ Prime subscriptions more difficult. Amazon’s deceptive cancellation interface effectively prevents Prime subscribers from ending their memberships, leads to further subscription fees, and allows the company to continue collecting, retaining, and using the personal data of misdirected subscribers.

The UK ICO published the Age Appropriate Design Code audit report for Voodoo mobile gaming apps. Among the high priorities, Voodoo does not have an accurate understanding of the age demographics of its players (users are asked to confirm that they are 16 or over via a self-declared age gate). Younger users are not provided with age-appropriate prompts, information messages or explanations. There has been no documented assessment of serving a high volume of advertising to minors, and no consent options were provided.

Finally, Google agreed to a 391.5 million settlement with most US states over misleading location tracking practices, the biggest of its kind. The confusion arose around the Location History setting and the extent to which users could limit Google’s location tracking by adjusting their account and device settings, CNN reports. Location data collected by Google could be used to target advertising and build profiles on internet users, or to disclose highly sensitive information to law enforcement.
