The French data protection regulator CNIL has studied the economic benefits of the presence of a Data Protection Officer within companies. Statistical analysis shows that it is often profitable, especially for companies taking a positive approach to GDPR compliance. The two most represented sectors were research, IT and consulting, and banking, insurance and mutual insurance companies. There are different types of benefits related to the DPO function – leverage to win calls for tenders, avoidance of sanctions, avoidance of data leaks and rationalisation of data management. Here are some examples:

• The DPO is the point of contact for the supervisory authority and the persons whose data is processed. As such, they can take charge of organising the processing of people’s requests to exercise their rights so that a complete response is provided within the set deadlines.
• The DPO contributes to a better knowledge of the company’s information assets. In doing so, their action helps to facilitate the use of data by centralising information and avoiding duplicates or data silos. This makes it easier for teams to access relevant data, which improves the efficiency of internal processes and decision-making.
• A DPO ensures the main GDPR principles of purpose limitation, data minimisation, and limitation of retention, which leads to operational savings in terms of storage space (as well as fewer entry points for cybercriminals).
• Finally, DPOs advise companies on the security measures to be put in place and participate in privacy impact assessments. They can carry out checks and audits and alert managers when security flaws are found.

Stay up to date! Sign up to receive our fortnightly digest via email.

There is also a return on investment in the sense that DPOs who have more time to dedicate to their function have better conditions to ensure the company’s compliance, which reduces the likelihood of being sanctioned. However, these benefits are not received by all companies with DPOs. They are better realised by large companies and by those that are most invested in GDPR compliance and consider compliance as a lever and less as a constraint. The adoption of certain good practices can make it possible to generate economic gains for the DPO function: 

• Involving DPOs in certain executive committee meetings allows them to articulate compliance with the company’s overall strategy. 
• Integrate GDPR compliance with the CSR strategy and the ISS strategy to promote consistent planning and operations. 
• Try to quantify the economic benefits linked to the role of the DPO in the company, informally or through internal consultations.
• Increase other business lines’ understanding of the importance of compliance concerns in the organisation’s strategy, acknowledge a DPO as a value creator, and coordinate their efforts with those of other departments.

EU-UK data transfers

According to a draft document released by the European Commission on 22 July, the UK maintains an adequate level of protection for EU-UK data transfers under the new Data Use and Access Act 2025 (DUAA), aligning with the EU GDPR and the Law Enforcement Directive. While the scope of the DUAA, which amends the UK GDPR and the DPA 2018, goes well beyond the protection of personal data, it provides for limited changes to several aspects of the data protection regime:

a) the rules on data processing for purposes of scientific research, b) the legal bases for data processing, c) the rules relating to the purpose limitation principle, and d) the conditions for automated decision-making.  In addition, the DUAA makes amendments to the governance structure of the ICO. Once implemented, these measures will replace the ICO with a new entity, the Information Commission. The role and functions of the regulator will remain unchanged in the UK. The Act also introduces new enforcement powers for the regulator. 

More legal updates

UK children’s data: On 25 July, the Protection of Children Code of Practice for regulated search services came into force, as required under the Online Safety Act 2023. The code imposes specific duties on search service providers to implement measures addressing content that is harmful to children, including requirements for governance and accountability arrangements, search moderation systems, content reporting mechanisms, complaints procedures, user support functionalities, and publicly available safety statements, digitalpolicyalert.org reports. 

EU AI Act provisions: Provisions of the EU AI Act on general-purpose AI models entered into force on 2 August. These mean clearer information about how AI models are trained, better enforcement of copyright protections and more responsible AI development. The Commission has also confirmed that the GPAI Code of Practice, developed by independent experts, is an adequate voluntary tool for providers of GPAI models. Providers who sign and adhere to the Code will benefit from a reduced regulatory burden and increased legal certainty. Providers must comply with transparency and copyright obligations when placing GPAI models on the EU market. Models already on the market must ensure compliance by 2 August 2027.

AI Act implementation in Germany: EU member states were required to designate competent market surveillance authorities to oversee the AI Act by 2 August. This deadline has been missed by Germany, according to the Hamburg Data Protection Commissioner HmbBfDI. The regulator is therefore appealing to the federal government to promptly designate the AI market surveillance authorities stipulated by the AI Regulation, which, at least in some areas, also include the data protection supervisory authorities. Due to the delay, companies and authorities now lack a reliable contact person for questions about the AI regulation. This is also a disadvantage for Germany as a centre of AI innovation.

Web filtering

A web filtering gateway, often referred to as a web proxy, is a device or service used to control and monitor internet access by filtering web content according to predefined policies. Its main role is to block access to certain websites or categories of content for security and compliance reasons.

Web filtering gateways can help organisations meet their data security obligations (Art. 32 of the GDPR). However, they are based on data processing that must also be ensured to comply with the GDPR. To that end, the French data protection regulator CNIL opened to public consultation a draft guideline (in French) to promote such cybersecurity solutions that comply with the GDPR, both in their use and in their design.  The draft document targets data controllers, who, as employers, deploy a filtering web gateway (URL filtering and detection and blocking of malicious payloads) to secure internet browsing on their information system. This applies to the browsing of employees, agents, service providers or external visitors. It does not deal with the use of web filtering gateways by data controllers providing internet access via a public Wi-Fi, as is the case with retailers, media libraries or other public or private organisations. 

More from supervisory authorities

Human intervention in automated decisions: The Dutch data protection authority AP has developed guidelines for meaningful human intervention in algorithmic decision-making for organisations (in Dutch only). Art. 22 of the GDPR prohibits a decision based solely on automated processing that produces legal effects for data subjects or significantly affects them in another way.  For example, if an employee is hindered, or a credit application is assessed under time pressure or an unclear automated system, this can impact the outcome of any decision. The recommendations have been written as practically as possible to best address the questions organisations have.  

Profiling online: The UK ICO prepared a draft of guidelines on Profiling Tools for Online Safety. This guidance applies to any organisations that carry out profiling, as defined in the UK GDPR, as part of their trust and safety processes. It is aimed at user-to-user services that are using, or considering using, profiling to meet their obligations under the Online Safety Act 2023. But it also applies to any organisations using, or considering using, these tools for broader trust and safety reasons. 

However, due to the Data Use and Access Act (DUAA) coming into law on 19 June 2025, this guidance is under review and may be subject to change. 

Data to train AI models

The European Commission presents a template for General-Purpose AI model providers to summarise the data used to train their model (under Art. 53 of the EU AI Act). General-purpose AI models are trained with large quantities of data, but there is only limited information available regarding the origin of this data. The public summary will provide a comprehensive overview of the data used to train a model, list the main data collections and explain other sources used. This template will also assist parties with legitimate interests, such as copyright holders, in exercising their rights under Union law, test particularly powerful models with systemic risk for vulnerabilities and risks, report serious security incidents, etc. 

The template is part of a broader initiative linked to the EU-wide rules for general-purpose AI models kicking in on 2 August 2025. It complements the guidelines on the scope of the rules for general-purpose AI models, published on 18 July, and the General-Purpose AI Code of Practice released on 10 July. Also, France’s CNIL offers a guide on how best model makers should ensure their systems comply (in French). It also suggests solutions for companies to avoid using personal data when training their models.

Public disclosure of personal data

The UK ICO released guidelines for public bodies managing Freedom of Information requests and organisations answering Subject Access Requests, which can involve a lot of personal data. It includes simple checklists and how-to videos, covering topics such as:  

• Deciding on an appropriate format for disclosure to the public 
• Finding various types of hidden personal information, including hidden rows, columns and worksheets, metadata and active filters 
• Converting documents to simpler formats to reveal hidden data  
• Avoiding using ineffective techniques to keep information secure 
• Using software tools designed to help identify hidden personal information (such as Microsoft Document Inspector)  
• Reviewing the circumstances of a breach to prevent a recurrence 
• Removing and redacting personal information effectively 

Data protection complaints increase

In the first half of 2025, significantly more people complained to the Lower Saxony State Commissioner for Data Protection about possible data protection violations than in the same period of the previous year. The authority recorded 1,689 data protection complaints from January to June 2025, compared to 1,186 in the same period of the previous year. This represents a sharp increase of approximately 42 per cent. The authority also noted significant increases in complaints from the health, social services, and municipal sectors, as well as from the real estate industry, credit reporting agencies, and the financial sector. One reason for the high number of data breaches and complaints is the increasing digitalisation of business and administration – more personal data flows, and the risk of data protection violations also increases. 

Similarly, the Lithuanian regulator VDAI counted that in the first half of 2025, most data breaches occurred due to human error, as well as due to actions that cannot be protected from by normally applied technical and organisational measures and other reasons (IT system errors, improperly performed programming work, etc.). Also, it was found that a third of data security breaches occurred due to cyber incidents (data encryption and ransomware attacks, unauthorised access to IT systems, social engineering attacks, login data and Brute Force attacks, and SQL injection and system disruption). 

In other news

Temporary password fine: In Croatia, the personal data protection agency imposed an administrative fine of 320,000 euros on HEP-Toplinarstvo (an Electric utility company). The agency received a report from a respondent that when requesting a change of a forgotten password on the HEP District Heating “My Account” portal, the user was sent a temporary password by e-mail, which was actually the last password set by the user. Also, all the passwords of users of the “My Account” portal (almost 16,000 of them) were stored in the controller’s database in readable form. This meant that the controller knowingly chose a solution that did not include basic data security measures, such as generating a temporary password or using data encryption methods, did not take into account the risks to the security of personal data, nor did they conduct an assessment of the risks of processing users’ data. 

McDonald’s fine: The Polish UODO has fined McDonald’s Polska approximately 3,9 mln euros after a personal data breach. The shared file in the public directory contained data on McDonald’s employees and its franchisees: first and last names, passport numbers, McDonald’s restaurant number, work start date and time, work end date and time, number of hours worked, position, days off, type of day, and type of work. 

McDonald’s entrusted the processing of personal data of its restaurant chain’s employees to an external company to manage work schedules. The controller did not have the authority to manage the resources and configuration of the IT system containing the employee schedule module. Only the processor had such authority. At the same time, the provisions of the personal data processing agreement, particularly those related to audits and inspections, were not implemented. The controller failed to exercise proper oversight over the entrusted personal data.

In case you missed it 

Agentic AI: The move to AI assistants and agents risks a sea change in privacy and security, states Privacy International. These services’ usefulness increases with the quantity and quality of the data they have access to, and the temptation will be to lower the friction of data controls to allow the processing of personal data. In one example, ChatGPT’s agent uses ‘connectors’ to interface with third-party applications, such as cloud data stores, calendars, email accounts, etc.

This allows ChatGPT’s agent to search data on those services, conduct deeper analysis, and sync data. This seems analogous to Anthropic’s ‘Model Context Protocol’, which provides context data from applications to LLMs. Consequently, Privacy International is worried that:

• the AI tools would generate new datasets on you that create new risks
• could access and share your data at unprecedented levels, and
• will store this data beyond your reach, across their services and in the cloud.

Bias in AI systems: The Federal Office for Information Security in Germany issued a white paper on Bias in Artificial Intelligence (in German). The term “bias” describes the resulting unequal treatment of individuals or organisations. This can have various causes. The document outlines bias identification and mitigation as a continuous process. It describes 11 different forms of bias, such as historical bias and automation bias. Along with 13 mitigation strategies that include pre-processing to post-processing methods, it highlights bias as a cybersecurity issue that compromises availability, confidentiality, and integrity.

The post Data protection digest 18 Jul – 1 Aug 2025: DPO as a value creator and return on investment for companies appeared first on TechGDPR.

The deadline pertains to the validity of old EU standard contractual clauses (SCCs) issued by the European Commission under the previous Data Protection Directive (the old EU SCCs). Note that the EU has also replaced the old EU SCCs and the last month of their validity was December 2022. If your organisation relies on these clauses for restricted transfers in the UK, they are no longer valid for restricted transfers after March 21, 2024. The ICO has issued 2 sets of standard data protection clauses for restricted transfers under the UK GDPR. Organisations must either enter into a new contract based on the International Data Transfer Agreement (IDTA) or annex the Addendum provided by the Information Commissioner’s Office (ICO).

Standard data protection clauses are pre-approved contracts that organisations can use to ensure personal data transferred outside the UK receives adequate protection.

How to determine if this deadline affects your organisation in the UK

If your organisation transfers personal data outside the UK (restricted transfers), you need to act now if you were previously relying on the old EU SCCs. These old SCCs are no longer valid for restricted transfers under UK GDPR after March 21, 2024.

1. Assess your current restricted data transfers

Review your organisation’s current data transfer practices to ascertain whether they involve restricted transfers under the UK GDPR. Do you transfer personal data from the UK to countries outside the UK? If yes, were you previously relying on old EU SCCs approved under the Data Protection Directive for these transfers? Did you answer yes to both questions, then you need to switch to the International Data Transfer Agreement (IDTA) provided by the ICO. If you answered no to the second question, you may not need to take further action.

Note that in the UK, if you currently rely on the new EU SCCs adopted in June 2021, it is not necessary to sign the IDTA; the ICO allows you to annex the Addendum to your existing EU SCCs. However, if the SCCs are old, you will have to stop relying on them completely.

2. Evaluate existing Agreements

Determine when your organisation entered into the contracts. Contracts entered into under the Data Protection Directive are valid only until March 21, 2024, after which any transfer of personal data out of the UK under such Agreements will most likely constitute an illegal transfer of data.

As an indication, the new EU SCCs were adopted in June 2021, therefore any EU SCC document dated before that would be the old version.

The ICO restricted transfers deadline affects my organisation, what can I do?

The UK Information Commissioner’s Office (ICO) offers two options for compliant data transfers after March 21, 2024.

Organisations in the UK can choose to do either of the following:

1. Use the UK International Data Transfer Agreement (IDTA)

This Agreement is specifically designed for restricted transfers under the UK GDPR.

2. Use the UK Addendum with the new EU SCCs

This option allows you to leverage the new EU SCCs (adopted in June 2021) but requires an additional agreement (the Addendum) to ensure compliance with UK GDPR. If your organisation relies on the new EU SCCs, it will need to annex the Addendum to comply. It will not need to enter into an entirely new agreement. Before annexing the UK Addendum to previously signed SCCs, ensure to check with the other contracting party or parties. This ensures that they are aligned on the additional obligations introduced by the UK Addendum.

3. Conduct a Transfer Risk Assessment:

Regardless of the option you choose, you must conduct a transfer risk assessment. This assessment evaluates the potential risks to personal data in the recipient country. This is a requirement by the ICO.

Conclusion

It is essential for organisations to act proactively. Doing this prevents disruptions in data transfers and potential non-compliance with data protection laws. Not sure about how the required changes impact your organisation or need assistance in navigating the required changes? Get in touch with us. We can carry out a quick assessment and design custom-made solutions to align your organisation with the ICO’s directive.

Generally, we can help your organisation stay ahead of compliance requirements and safeguard the integrity of data transfers in accordance with UK data protection laws.

In summary…

• Review your data transfer practices. Identify all instances where you transfer personal data from the UK to countries outside the UK.
• Determine if you were using old EU SCCs for these transfers.
• If the deadline applies to you, explore the IDTA and Addendum options.

The post UK Restricted Transfers: Standard data protection clauses by the ICO appeared first on TechGDPR.

Regulatory updates

5 years of the GDPR: The EDPB considers that the application of the GDPR in the first 5 and a half years has been successful. It is too early to revise the regulation, although several important challenges lie ahead, such as procedural rules relating to cross-border enforcement. The EDPB will keep on supporting the implementation of the GDPR in particular by SMEs, seeking greater clarity and uniformity of guidance and powers available. The existing tools in the GDPR have the potential to achieve this goal, provided that they are used in a sufficiently harmonised way. In addition, the supervisory authorities need sufficient resources to continue carrying out their tasks. 

“Cookie fatigue”: The EDPB also welcomed the voluntary business pledge initiative by the European Commission to simplify the management of cookies and personalised ads choices by consumers. It would ensure that users receive concrete information on how their data is processed, as well as on the consequences of accepting different types of cookies. Users would therefore have greater control over the processing of their data. However, the EDPB flagged that adherence to the cookie pledge principles by organisations does not equal compliance with the GDPR or ePrivacy Directive.

COPPA: The US Federal Trade Commission plans to strengthen children’s privacy rules to further limit companies’ ability to monetize children’s data. The new rule would require targeted ads to be off by default, limit push notifications, restrict surveillance in schools, limit data retention, and strengthen data security. COPPA rules require US websites and online services that collect information from children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information from these children, (persistent identifiers, geolocation data, photos, videos, and audio). 

UK BCRs

The UK Information Commissioner updated a guide on the binding corporate rules for organisations managing data transfers between the UK and EU. Organisations with an existing EU BCR can add the UK Addendum thus creating a new UK BCR, to include UK-restricted transfers. It contains all relevant provisions of Art. 47 of the UK GDPR, meaning that your EU BCR will work in the UK. Finally, under the terms of the UK BCR Addendum, if your EU BCR is suspended, withdrawn or revoked, this also suspends, withdraws or revokes your UK BCR. This means that you must not transfer personal data under your UK BCR and you must use another international transfer mechanism.

Log data access

An administrative court in Finland has published a decision regarding the right to inspect log data. An employee of the bank, who was also a customer of the bank, demanded to know the persons who had reviewed his customer information during the bank’s internal audit. The bank refused to disclose the identity of the employees because the log data resulting from viewing the data was the personal data of the employees in question. However, the bank did give the reason why customer data had been viewed. 

The person complained about the bank’s procedure to the data protection commissioner’s office. The regulator rejected the request and stated that the bank does not need to provide information about the identity of employees. The case ended in the CJEU. The EU top court ruled that everyone has the right to know the times and reasons for queries made to their data. However, there is no right to receive information about persons who have processed information under the authority of their employer and by the employer’s instructions.

Health data processing

Certain processing of health data is subject to the performance of preliminary formalities with the data protection authority. To facilitate the procedures of the bodies concerned and the compliance of their processing, the French regulator CNIL has published, (in French), reference standards to which they must refer: 

• “soft law” and guide frameworks (eg, data retention periods,  processing of personal data for the management of pharmacies); and
• the repositories for processing subject to authorisation, (eg, creation of a health data warehouse, research requiring the collection of consent).

Other official guidance

Sports archives: The storage of sports archives must comply with the regulations on the protection of personal data. Some personal data collected on athletes, federal officials or club presidents, such as results, awards, photographs and posters, may be of historical interest, invoked by the players in the ecosystem, (in particular institutions, clubs, sports federations, professional leagues), to justify the retention of data without limitation in time. In practice, the purposes associated with the retention of this data are very numerous, and the retention periods will vary. 

Also, depending on the status of the person who produced or received them, these records are either public or private. For example, the results of a sports competition organised by a delegated federation, (eg, the results of the championships of France), constitute public archives. On the other hand, in the context of a gala, if a sports competition is organised by the same delegated federation, the documents produced constitute private archives (the gala does not fall within the scope of the public service missions assigned to the organising delegated federation).

Purchase data: The Finnish data protection authority considers that keeping purchase data for the entire duration of the customer relationship does not adhere to the data minimisation principle. In the related Kesko, (retail company), case, the purchase data of a loyalty system, detailed and product-specific, had been processed for various reasons including for business development, and targeting of marketing. The customers themselves had been able to see their purchase information for five years. Kesko was then ordered to clearly define retention periods, clarify the purposes of the use of personal information, and delete or anonymize data that had been stored longer than necessary. 

Cross-border enforcement

Joint controllership: The EDPB published the final decision of the Hungarian supervisory authority about infringement of Art. 26 of the GDPR. The Slovak supervisory authority objected to processing carried out by a foundation as the presumed controller of two Hungarian–language websites. Certain recordings available on the foundation’s websites presumably feature children performing and singing specifically from a Slovak primary school. The Hungarian regulator established that there was no arrangement between the foundation and the school within the meaning of Art. 26 (1) of the GDPR, concerning joint processing and their respective responsibilities.  

Sanctions

Illegal university telemarketing: In the US, the Federal Trade Commission has sued Grand Canyon University for deceptive advertising and illegal telemarketing. The agency says the university, its marketer, and its CEO deceptively advertised the cost and course requirements of its doctoral programs and made illegal calls to consumers. Prospective students were told that the total cost of “accelerated” doctoral programs was equal to the cost of just 20 courses.

In reality, the school requires that almost all doctoral students take additional “continuation courses” that add thousands of dollars in costs. The defendants also used abusive telemarketing calls to try to boost enrollment. The university advertised on websites and social media urging prospective students to submit their contact information on digital forms. Telemarketers then used the information to illegally contact people. 

AI facial recognition banned: Also in the US, Rite Aid will be prohibited from using facial recognition technology for surveillance purposes to settle charges that the retailer failed to implement reasonable procedures and prevent harm to consumers in hundreds of stores. From 2012 to 2020, Rite Aid deployed AI-based facial recognition technology to identify customers who may have been engaged in shoplifting or other problematic behaviour. The complaint, however, charges that the company failed to take reasonable measures to prevent harm to consumers, who, as a result, were falsely accused of wrongdoing. 

Deleted CCTV footage: The Greek data protection agency fined Alpha Bank for failure to satisfy the right of access of its customer, who exercised the right of access to the recorded material from the store’s video surveillance system. It emerged that the bank failed to deal with the complainant’s request promptly, resulting in the material being scheduled to be deleted when the retention period expired. The authority found a violation of Art. 12 and 5 of the GDPR.

Audit reports

Cyber security framework: The UK Information Commissioner has carried out a voluntary data protection audit of Lewisham and Greenwich NHS Trust. One of the areas of improvement found included a cyber security framework that should be further embedded, by integrating new cyber staff roles into the organisation, and ensuring staff with key cyber security responsibilities complete additional specialised training relevant to their responsibilities. 

This should be supported by continuing security controls in place, such as plans to implement multi-factor authentication to protect higher risk or more sensitive personal data processing activities, and a regular programme of practical social engineering or phishing tests to ensure staff are familiar with such scams and what action to take.

Cyber risks relating to third-party suppliers should be reviewed periodically to ensure the Trust has assurance that cyber security controls are in place and effective. Further to this, Data Protection Impact Assessments should identify cyber risks and mitigating controls. Additionally, Information Asset Owners should be actively involved in assessing the cyber risks and monitoring the effectiveness of the mitigating controls. 

Ongoing work to replace or decommission legacy devices that cannot receive security patches and phase out or update servers with unsupported operating systems should continue. All network devices should be able to receive security patches that address cyber vulnerabilities, and systems approaching the end of life should be removed or updated on time.

Data breaches

Car parking data stolen: Europe’s largest parking app operator has reported itself to information regulators in the EU and UK after hackers stole customer data. EasyPark Group, the owner of brands including RingGo and ParkMobile, said customer names, phone numbers, addresses, email addresses and parts of credit card numbers had been taken but said parking data had not been compromised in the cyber-attack, the Guardian reports. The breach brings to light the centralisation of parking services, as physical meters and parking attendants are gradually replaced by websites and apps. 

Data security

Children’s privacy: The Spanish data protection authority presented its age verification system. It consists of the principles that an age verification system must comply with, a technical note with project details and practical videos that demonstrate how the system works on different devices and using several identity providers. The risks of the age verification systems currently used on the Internet, eg self-declaration or sharing credentials with the content provider, have demonstrated clear risks of the location of minors, lack of certainty on the declared age, exposure of the identity to multiple participants, and mass profiling. 

PETs: Privacy-enhancing and preserving technologies generally refer to innovations that facilitate the processing and use of data in a way that preserves the privacy of individuals. While there is no unified definition denoting a technology as a PET, the Centre for Information Policy Leadership’s year-long study investigates and provides 24 case studies on its three main categories: 

• cryptographic tools that allow certain data elements to remain hidden while in use; 
• distributed analytics tools where data is processed at the source; and 
• tools for pseudonymisation and anonymisation. 

Authentication: Logging in with a password is still one of the most commonly used forms of authentication. Depending on what you have to protect, this may also be enough, states the Dutch data protection authority. Yet logging in with a single factor remains unsafe. It is better to use multiple factors, such as a password combined with a code via SMS. Using biometric data, even if very reliable, demands extra protection and must therefore meet stricter security requirements. Another alternative is a digital token – the unique series of numbers is not generated from your characteristics but is stored on a chip in your access card. However, it would only work if it is and remains strictly personal. 

Big Data

TikTok Australia: The Australian Information Commissioner has launched an inquiry into the platform’s use of marketing pixels to track people’s online habits, The Guardian reports. This can include where they shop, how long they stay on websites and personal information, such as email addresses and mobile phone numbers of non-TikTok users. The probe will determine whether TikTok is harvesting the data of Australians without their consent. Chinese conglomerate, ByteDance, which owns the video-sharing platform has denied it violated Australian privacy laws. New privacy legislation in response to a review of the Privacy Act is expected to land in the Australian parliament this year and will allow more inquiries like this.

Body-related data: Organisations building immersive technologies, from everyday consumer products like mobile devices and smart home systems to advanced hardware like extended reality headsets, often rely on large amounts of data about individuals’ bodies and behaviours, states the Future of Privacy Forum. Thus, it offers detailed and illustrated instructions, on how to document body-related data categories, (raw voice recording, facial geometry, fingerprints), handle complicated data practices, (eg, eye tracking), evaluate privacy and safety risks, and implement best security practices. Download the framework here. 

Cookie depreciation: Google begins the next step toward phasing out third-party cookies in Chrome: testing Tracking Protection, a new feature that limits cross-site tracking by restricting website access to third-party cookies by default. The company will roll this out to 1% of Chrome users globally, (a key milestone in their Privacy Sandbox initiative to phase out third-party cookies for everyone in the second half of 2024).  Participants for Tracking Protection are selected randomly — and if you’re chosen, you’ll get notified when you open Chrome on either desktop or Android.

The post Data protection digest 18 Dec – 2 Jan 2024: EDPB says too early to revise GDPR, cross-border enforcement challenge ahead appeared first on TechGDPR.

Due to their age and general level of maturity and education, children are considered to be vulnerable and granted special rights in the eyes of the majority of jurisdictions. This is internationally recognised through, for example, the United Nations’ Convention on the Rights of the Child. This vulnerability is considered across different areas of legislation, including data protection, leading to specific provisions being included in the GDPR, such as Art. 8, laying the conditions for information society services to process children’s data.

Art. 8 GDPR’s requirements and the age of digital consent

Art. 8 of the GDPR is the only article that regulates the processing of children’s personal data specifically. It provides that the processing of personal data of children is lawful when the child is at least 16 years old (age of digital consent), or, if below that age, only where consent has been given by the holder of parental responsibility for said child. The GDPR also allows for the individual member state to independently legislate on whether the age limit can be lower than 16, so long as it is no lower than 13. Countries such as Germany and the Netherlands have opted to stick to the standard already established by the GDPR, while others, including Belgium and the UK prior to its departure from the EU, have lowered the threshold to the lowest possible age of 13. Notably, the UK’s current data protection provision still maintains that the age of digital consent is 13.

With this provision, the inevitable consequence is to first and foremost ensure that the age of a data subject is appropriately verified, in order to assess whether these rules apply and take the appropriate steps. However, recent cases and studies have shown that it is inherently difficult to gain consent of a parent or guardian, as there are no appropriate mechanisms in place to ensure that children are being truthful about their age.

Growing concerns about the processing of children’s data

One of the main issues that information society services face in regards to the processing of children’s data, is that these services are not aware that many of the users are actually under the age of digital consent. So far, the majority of these platforms have been relying on relatively lax forms of self declaration, meaning that the platforms offer services on the legal assumption that the user is responsible for declaring their age truthfully, which leads to users easily lying about their age to gain access to platforms where no extra assurance is required. 

UK’s Ofcom research has shown that for platforms such as TikTok and Facebook, which only required users to indicate their date of birth, the vast majority simply indicated a date of birth that would indicate that the user is older than they actually are. The main issue with this is that this may set up young users to be exposed to content that is not safe for their age, and also expose them to unlawful collection of their personal data from these platforms. 

It is therefore unsurprising that Meta and TikTok have been the two biggest companies being fined for violations in regards to misuse of children’s data by the Irish and UK’s data protection authorities respectively. In fact, the UK’s ICO noted that TikTok had been aware of the presence of under 13s in the platform but it had not taken the right steps to remove them. 

It becomes clear that the development and implementation of more stringent age assurance techniques is necessary to ensure that personal data of children is only processed in accordance with GDPR standards. Whilst the EU is yet to come up with specific guidelines in regards to this matter, the UK has published the Children’s Code, to be applied to online services likely to be accessed by children as a code of practice.

Age assurance mechanisms

Amongst 15 other standards that the Code implements, there is the need to ensure that the product and its features are age-appropriate based on the ages of the individual users. To be able to do so, the code requires that the age of users is established with the appropriate level of certainty, based on the risk level of the processing and taking into account the best interest of the child. Therefore, it is also crucial under the code, to carry out a Data Protection Impact Assessment (DPIA) prior to the processing of children’s data, to evaluate said risk level.

The code suggests some additional age assurance mechanisms that information society services may put in place, and the UK’s children’s rights foundation 5Rights has identified additional ones and its possible use cases, advantages and risks. Some of these include: 

• Hard Identifiers, such as sharing one’s ID or Passport or other identifying information. Those are considered to provide a high level of assurance, but raise concerns in regards to data minimisation and might otherwise lead to a disproportionate loss of privacy. Organizations are generally advised to implement appropriate storage limitation periods for those, limited to what is needed to verify an individual’s age once, making it tricky to demonstrate having checked that information, for compliance. Youtube and Onlyfans are examples of ISS that makes use of this mechanism to give access to age-restricted content.
• Biometric data relies on the use of artificial intelligence to scan for age-identifiers on a person’s face, natural language processing or behavioral patterns. It is more commonly used through facial recognition. However, it presents a high degree of risk due to the use of special categories of data, risk of discrimination by biased artificial intelligence and the effective profiling that takes place. Whilst it does provide a high level of assurance, it also requires a very stringent mechanism in place in order to ensure data is processed safely. GoBubble is a social network site made for children in schools that has been using this kind of age assurance technology, by requesting users to send a selfie upon sign up. Meta is also currently in the process of testing this method of age assurance, by working with Yoti, one of the leading age assurance technology developers.

• Capacity testing allows services to estimate a user’s age through an assessment of their capacity. For example, through a puzzle, language test or a task that might give an indication of their age or age range. Whilst this is a safe and engaging option for children, and does not require the collection of personal data, it might not be as efficient at determining the specific age of a user. The Chinese app developer BabyBus uses this type of methodology in its app, by providing a test where users are asked to recognise traditional Chinese characters for numbers.

More examples and use cases of age assurance mechanisms are provided in the 5Rights report. 

Therefore, although it may be difficult to strike a balance between appropriately verifying users’ age prior to sign up, and avoiding over-intrusive measures to do so, it is apparent that solely relying on the user being truthful about their age is no longer sufficient for the majority of platforms, especially when processing vast amounts of personal data, sensitive data or use personal data for targeted advertising. With the growing number of very young children accessing the internet, it is important to ensure that they are protected, their fundamental rights respected, and relevant data protection provisions are fulfilled. In recent years, large steps have been made in the development of alternative secure identity and age verification technologies. The tools are therefore available for organizations to ensure that their GDPR requirements are also met in this respect. 

TechGDPR is a consultancy based in Berlin offering GDPR compliance assessments, DPO-as-a-service retainers and hourly consulting. TechGDPR consultants help assess the vendors you wish to purchase your solutions from, navigate the complexity of international data transfers as well as guide you through the most compliant roll-out of the solutions you have purchased. TechGDPR routinely trains product development, HR, marketing, sales and procurement teams in understanding data protection requirements.  It offers an online training course for software developers, system engineers and product owners.

The post Processing children’s data and implementing age assurance mechanisms appeared first on TechGDPR.

Legal redress

Pseudonymised (non-personal) data processing: In the instance of SRB v. EDPS, the European General Court ruled that pseudonymised data communicated by one party with another would not be regarded as personal data in the recipient’s hands if that party lacks a legal way to obtain the extra, identifiable information. The lawsuit resulted from the Single Resolution Board, (SRB), decision to conduct a shareholder poll in the case of Banco Popular Español, as part of which it shared the results with a consulting firm. In order to guarantee that replies could not be traced back to specific respondents, SRB pseudonymised the data. The decoding key that might identify specific responses from the alphanumeric codes was not given to the consulting company.

Additionally, the court did not rule out that personal views or opinions may constitute personal data. However, such a conclusion must be based on a case-by-case examination. View the court’s ruling here.

Right to GDPR compensations: The CJEU has recently published a number of rulings related to data subject rights. In one case, Österreichische Post collected information on the political affinities of the Austrian population, using an algorithm. Following lawsuits for compensation from upset citizens who did not consent to that, the Austrian supreme court asked the CJEU whether mere infringement of the GDPR is sufficient to confer that right and whether compensation is possible only if the non-material damage suffered reaches a certain degree of severity. It also asked what are the EU-law requirements for the determination of the amount of damages. 

The EU top court responds that mere infringement of the GDPR does not give rise to a right to compensation. However, there is no requirement for the non-material damage suffered to reach a certain threshold of severity. The court notes that the GDPR does not contain any rules governing the assessment of damages. It is therefore for the legal system of each Member State to prescribe the detailed rules. 

“Copy” of personal data definition: The CJEU also ruled that the right to obtain a ‘copy’ of personal data means that the data subject must be given a faithful and intelligible reproduction of all those data. The Court notes that the term ‘copy’ does not relate to a document as such, but to the personal data which it contains and which must be complete. That right entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain those data. 

The case relates to the CRIF in Austia, (a business consulting agency that provides, at the request of its clients, information on the creditworthiness of third parties). It sent the applicant in question a summary of his personal data undergoing processing. However, the individual had expected a copy of all of the documents containing his data, such as emails and database extracts. After the Austrian data protection authority rejected his complaint, the applicant went to court. 

CJEU opinions

Data controllers’ strict liability: A non-binding opinion by a CJEU Advocate General limits the strict liability of data controllers for GDPR fines: they may only be imposed on intentional or negligent conduct, (‘mens rea’). The referring court wanted to know whether the state agency could be fined on the simple basis that it breached the obligations imposed on it by virtue of being a controller, (strict liability), or whether an element of fault in committing the relevant breach is required. 

The case concerns the Lithuanian Public Health Centre in the design and deployment of a mobile application for tracking COVID-infected people. After funding for the project failed the state agency asked the app developers, (initially defined as joint controllers), not to use the LPHC details or any association with them in the mobile product. However it continued to be available for download by the public unaltered. To that end, the data protection authority decided to impose a fine on both entities in their capacity as joint controllers. 

The CJEU’s opinion confirmed that an entity which initiates the development of a mobile application can only be regarded as the ‘controller’. Furthermore, the absence of any agreement or even coordination between joint controllers cannot exclude a finding that the controllers are ‘joint controllers’.

Concept of lawful “data processing”: In the above case, the referring court also called for clarification as to whether the fact that the unlawful processing of personal data was not done by the controller itself but by a processor affects the ability of supervisory authorities to impose a fine on the controller.

The CJEU reasoned that a controller may be fined even though the unlawful processing is carried out by a processor. That possibility is open for so long as the processor acts on the controller’s behalf. However, if the processor uses personal data outside of, or contrary to, the lawful instructions of the controller, then the controller cannot be fined. 

The concept of ‘processing’ encompasses a situation in which personal data is used during the testing phase of a mobile application, unless such data has been anonymised in such a way that the data subject is not, or no longer, identifiable. 

Official guidance

Direct marketing: Effective direct marketing relies on you having a positive relationship with individuals you are marketing to and that is usually rooted in them having consented to you contacting them, states the latest guidance by the Guernsey data protection authority. The document answers the questions on how to obtain people’s consent in a lawful way, while being able to pursue commercial communication and inform people about what you are doing; explains lawful processing conditions under consent and legitimate interest; looks at the dangers of soft opt-in and automated calling systems and silent calls; and provides options for stopping direct marketing. See the full guidance (in English) here.

Client databases: The Latvian data protection agency also looks at client databases. Customer personal data permeates almost every aspect of business, from the delivery address of an order to the use of customer data to creating a company’s marketing campaign. Whether you only store a customer’s first name, last name and email address, or a personal identification number and bank details, you need to make sure that customer information is kept as correct and as secure as possible. The main principles to be followed are:

• Determine the purpose for which the database is being created  (eg, administration of fees, sending news, ensuring access).
• Evaluate and decide exactly what personal data is required from the client, and don’t collect or store personal data just because you think it might come in handy someday, (eg, if you plan to send information only to e-mail, you do not need to ask the customer for a phone number).
• The information included in the customer database must also be accurate and must be updated as necessary, (eg, inaccurate data may allow the service to be used by a person who has not paid for it).
• The necessary technical and organisational requirements must be implemented, (eg, limit personnel who can access customer information, maintain employee training, and if you transfer personal data, ensure that it is encrypted).

Enforcement decisions

Concept of warning and expansion of investigation periods: Spain has modified its law on the protection of personal data and clarified that a warning should not be considered a sanction, but rather an appropriate measure, of a non-punitive nature, included within the corrective powers of the supervisory authorities. Additionally, the increase and greater complexity, (including a one-stop-shop mechanism), of the issues addressed by the data protection agency in the sanctioning procedures show the need to extend some of the resolution deadlines. In particular, for this reason, the modification contemplates an increase from nine to twelve months in the maximum duration of disciplinary procedures, and from twelve to eighteen months in previous investigation actions.

TikTok fine: The UK Information Commissioner’s Office has issued a 12,7 million pound fine to TikTok Information Technologies UK Limited and TikTok Inc, for a number of breaches of data protection law, including failing to use children’s personal data lawfully. Whilst TikTok purports to rely on, in part, a contractual necessity as its lawful basis for processing the personal data of children under 13, the Commissioner considers that the legal test for contractual necessity is not met in this case. In addition, TikTok failed to make reasonable efforts to ensure that consent was given or authorised for underage child users of its video-sharing platform or to prevent children under 13 from accessing its services. Read the full list of TikTok’s infringements in the original decision.

Information obligation: The Romanian data protection agency fined Libra Internet Bank for not fulfilling its data subject rights obligation. It was found that a response sent to a plaintiff by e-mail did not contain information about the possibility of filing a complaint before a supervisory authority and introducing a judicial appeal for the bank’s refusal to communicate a copy of a requested video recording, thus violating the provisions of Art. 12 in conjunction with Art. 15 of the GDPR. On the same occasion, the regulator noted that the data controller did not present evidence to show that it had adopted measures to facilitate the exercise of the right of access.

Grocery data: The Norwegian data protection authority has taken a decision to ban Statistics Norway’s planned collection of data from the population’s grocery purchases. Through bank data and bank transaction data, Statistics Norway would have information on what a significant proportion of the population buys for groceries. This in turn could be linked to socio-economic data such as household type, income and level of education. No sufficient legal basis for such intrusive processing of personal data exists. Even if the purpose of the collection is anonymous statistics for societal benefit, the intervention in the individual’s privacy will have already occurred once the personal information was collected, (from private actors). Finally, citizens have no real opportunity to oppose such a collection, other than by using cash as a means of payment.

Debt collection data: Croatia’s privacy regulator issued an administrative fine of over 2 million euros on the debt collection agency. The data controller didn’t inform its data subjects, in an accurate and clear manner, about the processing of their personal data. In addition, it did not conclude a data processing agreement with the service of monitoring consumer bankruptcy. The debt collecting agency also did not apply appropriate technical and organisational measures while processing quite sensitive personal data, so it would probably never have noticed a data breach. 

Data security

Encryption pros and cons: The Spanish data protection agency has published a guide for the supervision of cryptographic systems as a security measure in data protection. Encryption is a procedure by which information is transformed into an apparently unintelligible data set using various techniques. The GDPR mentions it as a measure that is part of the conditions for the compliance of the treatment and as an aid to mitigate the risks in the event of a possible breach of personal data. However, if not well designed it can give a  false sense of security, that relaxes the application of other complementary measures, in particular, privacy by design. The document also proposes a list of controls to facilitate the data protection specialist in selecting those that could be the most appropriate in validating the encryption system. Read the full guide, (in Spanish), here.  

Password hurdle: Reportedly, the average internet user has between 70 and 80 passwords for a wide variety of services, explains the Slovenian data protection agency base on recent research. Considering that a strong password is (at least) 12 characters long, complex and of course unique, it is extremely difficult to remember them all. 

Password managers also offer effective management and safe storage of passwords. In this case, it is important to have a very strong master password, which is also the only one we need to remember. Two-factor authentication solves two of the most common problems: short, weak, and repeated passwords are no longer so problematic since access to the service requires an additional unique code that is obtained over the phone. 

Finally, most information security experts do not recommend saving passwords in browsers. The reason is primarily the rapid spread of Trojan horses that specialize in stealing user data. Nothing helps if we have long and unique passwords, because the virus simply copies them and sends them to attackers.

International data transfers

US data transfers: The European Parliament has rejected the draft US adequacy decision during the plenary vote. However the resolution is not binding, MEPs concluded that the EU-US Data Privacy Framework fails to create essential equivalence on the level of protection, and calls on the Commission to continue negotiations with its US counterparts to provide the adequate level of protection required by Union data protection law as interpreted by the CJEU. MEPs call on the Commission not to adopt the adequacy finding until all the recommendations – on safeguards against American intelligence activities, and practical deployment of the redress mechanism for individuals are fully implemented. 

To that end, a parliamentary group from the Civil Liberties Committee visits the US capital this week to meet with members of the House of Representatives and Senators working on privacy, and cybersecurity issues, including sponsors of different federal privacy acts – the Federal Trade Commission, US Courts administration, Department of State, the Data Protection Review Court, the Office of the Director of National Intelligence, NGOs, and think-tanks. 

UK privacy reform: According to govinfosecurity.com, the Information Commissioner gave assurances to UK lawmakers considering changes to the country’s national privacy legislation that they won’t jeopardize the adequacy decision made with the EU in 2021. The Data Protection and Digital Information Bill was once again proposed this spring by the Conservative government as an alternative to the GDPR that is more pro-innovation and less bureaucratic. External observers, however, are less certain, citing rulings by the ECHR that British mass intelligence collecting infringed private communications. 

Supporting documents assessing the impact of the Data Protection and Digital Information Bill can be seen here.

The post Data protection & privacy digest 3 – 16 May 2023: data processing roles and obligations elaborated by EU top court appeared first on TechGDPR.