US law enforcement Archives - TechGDPR
https://techgdpr.com/blog/tag/us-law-enforcement/
Feed last built Fri, 31 Oct 2025 17:10:51 +0000 (en-US, hourly; generator https://wordpress.org/?v=6.9.4)

Weekly digest 20 – 26 June 2022: future US data privacy law, new ban on GA, ‘watched from home’ employees
https://techgdpr.com/blog/weekly-digest-27062022-future-us-data-privacy-law-new-ban-on-ga-watched-from-home-employees/
Mon, 27 Jun 2022 10:46:32 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: future US data privacy law, Canada’s Bill C-27

Last week the “American Data Privacy and Protection Act” was officially introduced in the US House of Representatives. The bill, if enacted by Congress, promises to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement. The future US data privacy law rests on two key provisions: federal preemption over many state privacy laws and a private right of action. According to dataprotectionreport.com, it is the only bill currently under Congressional consideration that contains both of these components. The bill’s four titles draw upon many of the EU GDPR’s key principles.

  • Duty of loyalty (data minimization, privacy by design, loyalty to individuals with respect to pricing).
  • Consumer data rights (consumer awareness, transparency, individual data ownership and control, right to consent and object, data protections for children and minors, third-party collecting entities, civil rights and algorithms, data security and protection of covered data, small business protections, and unified opt-out mechanisms).
  • Corporate accountability (executive responsibility, service providers and third parties, technical compliance programs, approved compliance guidelines, digital content forgeries).
  • Enforcement, applicability, and miscellaneous (Enforcement by the Federal Trade Commission, by State Attorneys General, by individuals, relationship to Federal and State laws, COPPA, etc.).

Meanwhile in Canada, a new draft Digital Charter Implementation Act (Bill C-27) was introduced by the ministers of Industry and Justice. It would strengthen Canada’s existing legal framework for personal information protection in the private sector and introduce new rules related to artificial intelligence: 

  • the Consumer Privacy Protection Act, (CPPA), would repeal and replace the Personal Information Protection and Electronic Documents Act with a more robust framework in line with the General Data Protection Regulation;
  • the Personal Information and Data Protection Tribunal Act would establish an administrative tribunal for organizations and individuals to seek a review of Privacy Commissioner decisions, as well as impose administrative monetary penalties for certain violations of the CPPA; and
  • the Artificial Intelligence and Data Act would regulate the development and deployment of high-impact AI systems, establish an AI and Data Commissioner and outline criminal prohibitions and penalties for certain uses of AI.

Official guidance: proxy servers for US data transfers, advertising and address trading, health sector professionals

The French regulator CNIL has recently published a guide, (in French), on how to bring your audience measurement tool into compliance with the GDPR, with reference to the case of Google Analytics. In February 2022 the CNIL, after a process of cooperation with its European counterparts, issued formal notice to several organizations using Google Analytics because of their illegal data transfers to the US. Merely changing the settings that govern how the IP address is processed is not enough, in particular because the address itself continues to be transferred to the US, says the CNIL. Another defence often put forward is the “encryption” of the identifier generated by Google Analytics, or its replacement with an identifier generated by the site operator. However, in practice this provides little or no additional safeguard against possible re-identification of data subjects, mainly because Google continues to process the IP address.

However, the use of a correctly configured proxy can constitute an operational solution to limit the risks for people’s privacy, as it breaks the contact between the user’s terminal equipment and the server. Beyond the case of Google Analytics, this type of solution can also make it possible to reconcile the use of other measurement tools with the GDPR’s rules on data transfers. The proxy server must also be hosted under conditions guaranteeing that the data it will have to process will not be transferred outside the EU/EEA to a country that does not have an adequacy decision. It will be up to the data controllers to carry out an analysis on how to put in place the necessary measures in the event that they wish to use this type of solution, as well as to verify that these measures are maintained over time, as products evolve.
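The proxy approach described above, as an added example (not code from the CNIL guide or from TechGDPR): the function below shows the sanitisation a first-party proxy would apply to a measurement hit before forwarding it, dropping the visitor’s IP wherever it can appear and replacing the Google-generated identifier with one derived server-side. The parameter names (cid, uip, dr, ua) and the upstream host are assumptions taken from the Universal Analytics measurement protocol; the header lists, the key and the sample hit are constructed.

```python
"""Sanitise a Google Analytics hit before a first-party proxy forwards it.

Added example, not from the CNIL guide or TechGDPR. Parameter names (cid, uip,
dr, ua) and the upstream host are assumptions taken from the Universal Analytics
measurement protocol; the header lists, the pseudonymisation key and the sample
hit are constructed for illustration.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlunsplit

UPSTREAM_HOST = "www.google-analytics.com"  # assumption: UA collect endpoint

# Headers that carry the visitor's network identity. The proxy opens its own
# connection to Google, so the visitor's IP must not be copied into any of these.
IP_BEARING_HEADERS = {"x-forwarded-for", "x-real-ip", "forwarded", "via",
                      "true-client-ip", "cf-connecting-ip"}
# Headers that identify the browser or its context closely enough to aid
# re-identification; dropped (or replaced) before forwarding.
FINGERPRINT_HEADERS = {"user-agent", "cookie", "referer", "accept-language"}
# Query parameters that would re-introduce the data the proxy is meant to stop:
# IP override, document referrer and user-agent override.
DROP_PARAMS = {"uip", "dr", "ua"}


def pseudonymise_client_id(cid, key):
    """Replace the Google-generated client id with one derived server-side under
    a secret key only the site operator holds (truncated keyed hash). On its own
    this gives little protection, as the CNIL notes, because the IP address would
    still be processed; it is combined with the IP stripping in sanitise_hit()."""
    return hmac.new(key, cid.encode(), hashlib.sha256).hexdigest()[:32]


def sanitise_hit(request, key):
    """request: {'path', 'query', 'headers', 'client_ip'} as received by the proxy.
    Returns the request the proxy sends upstream: same endpoint, but with the
    IP-bearing and fingerprinting headers removed, the IP/referrer/UA overrides
    dropped from the query and the client id pseudonymised."""
    params = []
    for name, value in parse_qsl(request["query"], keep_blank_values=True):
        if name in DROP_PARAMS:
            continue
        if name == "cid":
            value = pseudonymise_client_id(value, key)
        params.append((name, value))
    headers = {k: v for k, v in request["headers"].items()
               if k.lower() not in IP_BEARING_HEADERS | FINGERPRINT_HEADERS}
    # A fixed, generic user agent replaces the visitor's (assumption: the
    # upstream accepts hits without a browser user agent string).
    headers["User-Agent"] = "audience-proxy/1.0"
    url = urlunsplit(("https", UPSTREAM_HOST, request["path"], urlencode(params), ""))
    return {"url": url, "headers": headers}


def leaks_client_data(outgoing, request):
    """Self-check for the controller's test suite: True if the visitor's IP or the
    original client id survives anywhere in the outgoing URL or headers."""
    blob = outgoing["url"] + " " + " ".join(f"{k}:{v}" for k, v in outgoing["headers"].items())
    if request["client_ip"] in blob:
        return True
    original_cids = [v for n, v in parse_qsl(request["query"]) if n == "cid"]
    return any(cid in blob for cid in original_cids)


# Constructed sample hit (not captured traffic); 203.0.113.7 is a documentation address.
SAMPLE_REQUEST = {
    "path": "/collect",
    "query": ("v=1&tid=UA-XXXXX-Y&cid=1234567890.1650000000&t=pageview&dp=%2Fblog"
              "&uip=203.0.113.7&dr=https%3A%2F%2Fsearch.example%2F%3Fq%3Dterm"),
    "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/101.0",
                "X-Forwarded-For": "203.0.113.7",
                "Referer": "https://shop.example/blog",
                "Accept": "*/*"},
    "client_ip": "203.0.113.7",
}

if __name__ == "__main__":
    forwarded = sanitise_hit(SAMPLE_REQUEST, b"operator-secret-key")
    print(forwarded["url"])
    print("leaks client data:", leaks_client_data(forwarded, SAMPLE_REQUEST))
```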

The Berlin data protection authority published guidance on advertising and address trading, (in German). Advertising is relevant to data protection law whenever your personal data is used for advertising purposes. Examples are personally addressed advertising mail or e-mail advertising that is directed to e-mail addresses with personal references or addresses those affected by name. On the other hand, for example, direct mail in the mailbox that is not addressed personally or advertising inserts are not covered by data protection law. 

Address traders may collect personal data from business directories, commercial registers, telephone directories and other publications. As a precautionary measure, the regulator therefore generally recommends that consumers use their own data sparingly. When ordering online, consumers should also consider whether they are interested in advertising from the company and, if not, object to advertising when placing the order. The authority also offers sample letters for exercising data subject rights: information about the data stored about the person, deletion of stored personal data, objection to the use of stored personal data for advertising purposes, and objection to the use of personal data stored by Deutsche Post.

And for those who can read Spanish, the AEPD has published a guide aimed at professionals in the health sector. The document addresses frequent issues such as the legitimacy of processing health data, (beyond informed consent of the patient – ed.), who can access the clinical history and in what cases, the responsibilities and obligations derived from this processing, as well as the management of patients’ rights and situations that may involve communication of data to third parties. To that end, the guide attempts to respond to the various situations that arise when health professionals deliver their services in hospitals or clinics, indicating the criteria that allow one to identify, in each case, who is responsible for the processing of patients’ data and of the corresponding clinical histories.

Investigations and enforcement actions: sound recording, cookies, ban on GA in Italy, unauthorised disclosure and data storage

The Polish data protection regulator UODO fined the Warsaw Center for Intoxicated Persons some 2000 euros, related to the monitoring system it used. The center was accused of recording sound in the facility without legal basis. The administrator has confirmed that the system records both video and sound, and the purpose of the processing is, inter alia, exercising constant supervision over persons brought in to sober up to ensure their safety. The monitoring record covering all rooms, including audio and video signals, is kept for 30 to 60 days, except when the recording is secured as evidence in any pending proceedings. As the legal basis, the center indicated that the data processing is necessary to fulfill the legal obligation incumbent on the controller. In addition, the administrator referred to the regulations contained in the Act on Upbringing in Sobriety and Counteracting Alcoholism. 

In the opinion of the supervisory body, the legal provisions did not authorize the controller to process sound data as well as video. In this case, sound recording is a redundant activity, which is not justified by the provisions of both the GDPR and the Act on Upbringing in Sobriety and Counteracting Alcoholism. Finally, the fact that audio was recorded for such a long time means that the infringement may potentially affect a very large number of people. In the opinion of the UODO, recording the voices of people who are often intoxicated, making it impossible for them to consciously formulate their statements or control the sounds produced, is an excessive, pointless activity.

The Belgian data protection authority GBA imposed a fine of 50,000 euros on the Rossel press group for its management of cookies on the websites lesoir.be, sudinfo.be and sudpressedigital.be. The fine mainly relates to violations related to the required consent for the placement of non-essential cookies. This is the second decision taken by the GBA as part of its thematic research into the management of cookies on the most popular Belgian press sites. During its investigation in this area, the GBA identified several violations on the above sites:

  • several cookies were placed on the visitor’s device by these websites before the visitor’s consent,
  • analytical and social network cookies were placed on the basis of legitimate interest, and not the user’s consent,
  • the cookie policy was incomplete and difficult to access,
  • further browsing was considered as a sign of the user’s consent, while consent can only be considered valid if it is the result of a clear and sufficiently specific, active action to confirm the acceptance of cookies,
  • the consent boxes for the placement of cookies by third parties were already pre-ticked. 

Moreover, when a user withdrew their consent, the procedure was ineffective.   

The Italian data protection supervisor Garante ruled that a website using Google Analytics without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the US, which does not have adequate levels of data protection. The regulator came to this conclusion after a complex fact-finding exercise it started in close coordination with other EU data protection authorities, after receiving complaints.

In the case at hand, the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the US. Based on the above findings, the regulator adopted a decision, to be followed by additional ones, reprimanding Caffeina Media – a website operator – and ordering it to bring the processing into compliance with the GDPR within 90 days. If this is found not to be the case, suspension of the GA-related data flows to the US will be ordered. The Italian authority calls upon all controllers to verify the use of cookies and other tracking tools on their websites.

The Garante also recently imposed a fine of 2,500 euros on Isabella Gonzaga High School, for violations of Articles 5, 6, and 9 of the GDPR for unauthorised disclosure of a special category of data, Data Guidance reports. According to the complaint, the high school had published, in a special section dedicated to teachers in the electronic register, a document relating to the final timetable for the school year 2020-2021, containing a reference, next to the plaintiff’s name, to the benefits received by the same due to their disability. The regulator found that:

  • the document in question contained detailed information about personal and family events or information linked to the specific employment relationship of other teachers, (eg, maternity leave due to serious pregnancy complications), 
  • the restricted document had been published due to a human error to a very wide range of unauthorised persons, namely all of the plaintiff’s colleagues among the teaching staff.

The Danish data protection agency hit Gyldendal A/S with a fine of approx. 135,000 euros for storing information about 685,000 book club members for longer than necessary. Gyldendal kept the information in a so-called “passive database”. Information on some 395,000 of the former members had been intentionally retained for more than 10 years after they had left the book clubs. Gyldendal had no procedures or guidelines for deleting information in the passive database. After the inspection visit, Gyldendal deleted all the information in the passive database and informed the regulator that, according to the company’s assessment, it would be necessary to store information about members who have left for up to six years. Also, according to Gyldendal, only two employees had access to the passive database.

Big Tech: pregnancy-related data, coffee-shop location data, new ways to verify age, ‘watched from home’ employee monitoring

The US tech sector is bracing for the possibility of having to hand over pregnancy-related data to law enforcement, after the Supreme Court overturned women’s constitutional right to an abortion, Reuters reports. As state laws could limit abortion after the ruling, technology trade representatives reportedly fear police will obtain warrants for customers’ search history, geolocation and other information indicating plans to terminate a pregnancy. Prosecutors could access the same via a subpoena, too. In one example, Mississippi prosecutors charged a mother with second-degree murder of her new-born baby after her smartphone showed she had searched for abortion medication in her third trimester.

Canada’s provincial and federal regulators recently investigated the privacy and data management practices of a well-known coffee shop and restaurant chain, DLA Piper reports. The complaint received alleged that the mobile app unlawfully collected a significant amount of personal information and location data at a very high frequency, even when it was not being used. This data was then processed by a third-party supplier based in the US. The data collected by the app, (either on its own or combined with other data), could be used to deduce a wealth of information about the individual, including some highly sensitive information such as home address, workplace, and travel habits. The business did not:

  • conduct a privacy impact assessment before launching its application,
  • adequately inform users of how the data would be collected before obtaining their consent,
  • obtain clear and detailed consent for such uses of data, 
  • clarify contractual obligations with the third party on the use of the data collected for its own purposes.

Privacy International investigated Office 365 and found features that can enable employers to access all communications and activities on Microsoft services. One of these features, the “Microsoft Office 365 Admin Center” can inform administrators about productivity and efficiency of employees within their company. Another source of far more granular employee information is the “Microsoft Teams Admin Center”, followed by “Audit” and “Content Search” features.  From there an administrator can select specific users and read individual metrics from each, including how long they spent on calls, how many messages they exchanged, how many group and 1-1 meetings they attended and more. These features can be operated without the employees’ knowledge and there seems to be a lack of transparency for users in terms of what data is collected and for what purpose, PI says: “This includes not only a list of pretty much most of the actions they take, but also the possibility to plainly access all the content being exchanged within the organisation and external communications through e-mail”. 

Finally, Instagram is to introduce new ways to verify age. In addition to providing an ID, people will now be able to ask others to vouch for their age or use technology that can confirm their age based on a video selfie. For that Meta is partnering with Yoti, a company that specializes in privacy-preserving ways to verify age. “If someone attempts to edit their date of birth on Instagram from under the age of 18 to 18 or over, we’ll require them to verify their age using one of three options: upload their ID, record a video selfie or ask mutual friends to verify their age (social vouching)”, says a company statement. In addition to testing the new menu of options to verify people’s ages, Meta also claims to be using AI to understand if someone is a teen or an adult. Read more in the original statement by the company.

Weekly digest May 16 – 22, 2022: cookie-walls, US governmental inquiries, cross-border transfers, AI for hackers
https://techgdpr.com/blog/weekly-digest-23052022-cookie-walls-us-governmental-inquiries-cross-border-transfers-ai-for-hackers/
Mon, 23 May 2022 07:35:27 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: ‘cookie-walls’, US governmental inquiries, cross-border data transfers

The French regulator CNIL published its first evaluation criteria on ‘cookie walls’ or ‘pay walls’. All the principles of the GDPR remain applicable to the processing of data related to the use of cookie walls. Particular attention must be paid to informing individuals about the data transfers outside the European Union that the use of certain solutions would entail. Most of the services offered on the Internet are presented as free. However, this free access is not without a counterpart: the personal data collected from Internet users are very often used by web players to finance the services they offer by resorting, in particular, to targeted advertising.

So, when an Internet user refuses the use of tracers on a website, (for example by clicking on a “refuse all” button), the CNIL recommends that publishers offer a real and fair alternative allowing access to the site which does not imply having to consent to the use of their data. The fact, for a publisher, of conditioning access to its content either on the acceptance of trackers contributing to monetising its service, or on the payment of a sum of money, is not prohibited in principle, since this constitutes an alternative to consent to trackers. However, this monetary compensation must not be so expensive as to deprive Internet users of a real choice: we can thus speak of a reasonable price.

In the US, a government inquiry in the context of data security typically arises in one of two ways, says a K&L Gates article, either a data security incident involving a threat actor occurs, or a government agency is alerted to the possibility that a company is engaging in unlawful practices involving sensitive data. In both cases, it is not uncommon for a government agency to open an inquiry that could last months or even years. Thus, the most important factor is preparedness. Organizations should have a written policy for responding to government inquiries involving the storage, use, and management of sensitive data. 

Also a careful analysis of the inquiry is crucial to formulating the best response. For example, if the company receives an inquiry letter or a subpoena, there may be ways to negotiate the scope, breadth, and timing of a response. On the other hand, if the inquiry is through the form of an investigation notice, such a notice may be followed by requests for information, documents, interviews, or inspections that warrant a careful, forward-looking plan of response, including planning for a potential dispute. 

Meanwhile, the Berlin data protection authority published new cross-border data transfers guidance, (in German). If personal data is to be transferred to third countries outside the EU or EEA, additional requirements apply. A two-stage check is then required: a) would the data processing be permitted if it took place in the EU/EEA? b) is the data export to the third country also permitted, (eg, existence of an adequacy decision, transfer tools like SCCs, approval of the supervisory authority)? Exceptions, (Art. 49 DS-GVO, ie, GDPR), also allow data exports in exceptional cases if certain special circumstances exist. These include in particular consent from the data subject and the necessity of the transfer to fulfil a contract with or in the interest of the data subject, (eg, hotel booking).

In view of the market power of US IT companies, data exports to the US are particularly relevant in practice. The ECJ analyzed the legal situation in the USA and came to the conclusion that the level of protection for personal data from the EU that prevails there does not meet the requirements for permissible data export in the light of the GDPR and the Charter of Fundamental Rights of the EU, (Schrems II decision). In order for the standard contractual clauses to be able to continue to be used after the “Schrems II” judgment, the data exporters must take additional measures, (eg, secure encryption or pseudonymization, although these are not possible with many US cloud services), and a detailed examination of the legal system and practice of the third country with regard to any access by the authorities there to the transmitted personal data. 

The Berlin regulator also clarifies some ambiguity on which companies fall under the US secret service legislation, the data categories recorded and the legal protection options that are open to the addressees in the event of official orders. In addition, the question arises as to whether the US authorities have access rights even if data is processed exclusively in Europe.

Legal processes: administrative fines calculation, AML/CFT data protection obligations

The EDPB has adopted guidelines to harmonise the methodology supervisory authorities use when calculating the amount of fines. Throughout every stage, the fact that the calculation of a fine is no mere mathematical exercise must be taken into account. Rather, the circumstances of the specific case are the determining factors leading to the final amount, which can – in all cases – vary between any minimum amount and the legal maximum. The guidance set out applies to all types of controllers and processors except natural persons when they do not act as undertakings. This is notwithstanding the powers of national authorities to fine natural persons. Taking into account these parameters, the EDPB has devised the following methodology:

  • Identifying the processing operations in the case and evaluating the application of Art. 83(3) of the GDPR. 
  • Finding the starting point for further calculation based on a) classification; b) the seriousness of the infringement; c) the turnover of the undertaking.
  • Evaluating aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly. 
  • Identifying the relevant legal maximums for the different processing operations. Increases applied in previous or next steps cannot exceed this amount. 
  • Analysing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by Art. 83(1) of the GDPR, and increasing or decreasing the fine accordingly. 

The EDPB also draws the attention of the European Institutions to the important data protection issues raised by the implementation of the AML/CFT obligations, as provided by the AML legislative proposals. Obliged entities are required to process personal data which allows intimate inferences to be drawn about individuals and which can notably lead to the exclusion of legal and natural persons from a right and/or a service, (for instance, a banking service). It is therefore crucial that the AML legislative proposals are in line with the GDPR. Among the safeguards the EDPB offers:

  • Consultation of the EDPB in the context of the drafting and adoption of regulatory technical standards, (RTS), guidelines and recommendations, (eg, the RTS shall specify, notably, the information to be collected for the purpose of performing standard, simplified and enhanced customer due diligence, on an ongoing monitoring of a business relationship and on the monitoring of the transactions carried out in the context of such relationship).
  • The need to better specify the conditions and limits of the processing of special categories of data and of personal data relating to criminal convictions, (eg, in order to avoid that decisions are made on a basis of discriminatory factors, it should be also specified that the assessment made by obliged entities shall not be solely based on the processing of special categories of personal data).
  • The need to provide additional provisions in relation to the sources of information, (eg, the obligation to use reliable, accurate and up-to-date sources should be extended to all information processed by obliged entities for the purpose of AML/CFT).
  • The need to provide specific provisions for the processing of personal data by providers of so-called “watchlists”. The providers of these “watchlists” are acting as data controllers, as defined in Art. 4 of the GDPR. Moreover, the legal basis, (Art. 6), for the processing of personal data by such providers is not clear, says the EDPB.

Investigations and enforcement actions: Google’s Lumen no opt-out, website without privacy policy, restaurant’s 14 unmarked cameras, unprotected whistleblower data

The Spanish privacy regulator AEPD fined Google 10 million euros for GDPR infringements, IAPP News reports. The AEPD found that third-party data sharing by Google with the legal database Lumen Project lacked an opt-out mechanism for data subjects and therefore took place without valid consent for that communication. The shared data, (processed in the US), included personally identifiable data, email addresses and individuals’ legal claims. In addition, Google’s privacy policy makes no mention of this processing of users’ personal data, and communication to the Lumen Project does not appear among the purposes. The sanction also calls for Google to delete all the personal data shared with Lumen and halt further use of that data. Read the summary of the decision in Spanish here.


The AEPD also fined Movalia Traslados 1,200 euros for GDPR failures regarding the privacy policy on its website. The AEPD received a complaint related to Movalia Traslados’ website, where, in connection with an advertisement for a taxi service, visitors could enter their personal data in a form to request a taxi. The data subjects had not been provided with information about the processing of their personal data via the form, and they were able to submit the form to request a taxi without having read and accepted the company’s privacy policy. Furthermore, the AEPD noted the lack of a privacy policy and of information on the nature of the data processing.

Meanwhile, the Italian privacy regulator ‘Garante’ fined restaurant operator Rebirth for privacy and data protection violations. The Garante noted that it had sent a request for information, and that it had launched an investigation in the absence of a response from the operating company Rebirth. In the end, the Garante found that 14 cameras were installed in the restaurant (‘Caffè Antica Roma’), in the absence of any notice providing information on their presence. Additionally, the regulator noted that the video surveillance system had been installed without prior authorisation from the Labour Inspectorate and from the relevant trade union, Data Guidance reports.

The Danish data protection agency expressed serious criticism of the Danish Financial Supervisory Authority for not having complied with the requirement for adequate security, as it handed over information about whistleblowers to a journalist in connection with a request for access to documents. The unintentional disclosure took place because the financial authority had not removed the personal data from the disclosed material in a sufficiently secure manner: it had blacked out personal data in the PDF documents it handed over, but the text could still be read by holding the mouse cursor over the blacked-out passages. It appears that the financial authority was not aware that the hidden information behind the displayed document, (metadata, etc.), must be deleted in order to ensure that it is no longer available.
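The failure mode in this case, as an added example (not from the Danish decision or from TechGDPR): a check that a controller can run on a PDF before release, listing the strings the text layer still contains regardless of what is painted over them, so that “blacked out” is verified against actual removal. The minimal PDFs are constructed here; only plain and FlateDecode content streams with literal Tj strings are handled.

```python
"""Check whether redacted text in a PDF was actually removed or only drawn over.

Added example, not from the Danish DPA decision or TechGDPR. It reads the page
content streams (plain or /FlateDecode) and lists the literal strings still
shown with the Tj operator, which is what a text extractor or a mouse selection
recovers regardless of the black rectangles painted on top. Other stream
filters, hex strings and TJ arrays are out of scope; the PDFs are constructed.
"""
import re
import zlib

# A stream object: its dictionary (one level of nesting allowed) and raw data.
STREAM_RE = re.compile(
    rb"<<([^<>]*(?:<<[^<>]*>>[^<>]*)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# A literal string shown as text: (....) Tj
TEXT_RE = re.compile(rb"\((.*?)\)\s*Tj")


def content_streams(pdf_bytes):
    """Yield the data of every stream, inflating FlateDecode-compressed ones."""
    for dictionary, data in STREAM_RE.findall(pdf_bytes):
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # corrupt or unsupported; nothing recoverable here
        yield data


def text_strings(pdf_bytes):
    """All strings the text layer still contains, in document order."""
    found = []
    for stream in content_streams(pdf_bytes):
        found.extend(s.decode("latin-1") for s in TEXT_RE.findall(stream))
    return found


def redaction_leaks(pdf_bytes, redacted_terms):
    """Return the terms that were meant to be redacted but survive in the text
    layer; an empty list means the visible blackout is backed by real removal."""
    text = " ".join(text_strings(pdf_bytes))
    return [term for term in redacted_terms if term in text]


def make_pdf(content, compress=False):
    """Constructed one-page PDF around a content stream (no xref table: enough for
    the parser above, not a fully valid file)."""
    data = zlib.compress(content) if compress else content
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            b"/Contents 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(data)).encode() + filt + b" >>\n"
            b"stream\n" + data + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


# Content streams for the two ways of "redacting" the same line (constructed).
BLACK_BOX = b"0 g 70 695 150 15 re f"  # black rectangle over the text position
# Overlay only: the text is still drawn, then covered. This is the failure mode.
OVERLAY_ONLY = b"BT /F1 12 Tf 72 700 Td (Whistleblower: J. Doe) Tj ET\n" + BLACK_BOX
# Real redaction: the sensitive string is gone from the content stream.
TRUE_REDACTION = b"BT /F1 12 Tf 72 700 Td ([REDACTED]) Tj ET\n" + BLACK_BOX

if __name__ == "__main__":
    for label, content in (("overlay only", OVERLAY_ONLY), ("true redaction", TRUE_REDACTION)):
        print(label, "->", redaction_leaks(make_pdf(content, compress=True), ["J. Doe"]))
```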

Data security: ransomware gangs using AI

The strongest alarm yet has been sounded about ransomware gangs using AI and machine learning to expand their criminal activity. In itself this is nothing new, but what has changed is the criminals’ rapidly increasing cash, or crypto, pile, which may allow them to trump the tech giants’ salaries for specialists and lure them into illegal activity. Just one outfit, Conti, extorted over 180 million dollars in 2021, a bumper year for the cybercriminals who raked in over 600 million dollars, a doubling of attacks year-on-year, with many of the groups Russian-based. One expert predicted the gangs will start using the technology in 12 to 24 months’ time, as the currently tiny pool of experts grows with new graduates entering the jobs market.

Big Tech: Google’s Incognito mode, Tesla’s Bluetooth Low Energy, Snapchat’s Lenses app

Texas Attorney General Ken Paxton has amended an ongoing lawsuit against Google, adding a new complaint, that the search giant’s Incognito mode is anything but. In the suit Paxton calls the privacy claims made for Incognito mode “false, deceptive, and misleading” when it “represents that Incognito Mode allows Texans to control what information Google sends and collects.” Google denies the accusation, but industry experts agree that Google’s efforts fall short of safeguards in place at Firefox and Safari, for example. Along with four other Paxton suits Google is facing a 2020 class action lawsuit over continuing to track users while in Incognito mode, for which damages of a minimum of five billion dollars is being sought. Reportedly CEO Sundar Pichai was warned in 2019 to stop calling Incognito “private”, but he continued to do so anyway.

A major security vulnerability has been exposed in Teslas, but essentially the same vulnerability applies to any of the millions of vehicles worldwide that have Bluetooth Low Energy installed, Reuters reports. Researchers were able to break into a Tesla and drive it away using a simple relay and laptop to fool the car into thinking it was communicating with an authorised key. Only the Model 3 and Model Y appear to be at risk, but with BLE also embedded in smart locks in homes and businesses, and the technique able to be used by hackers from anywhere in the world, and not just in close proximity, the risks are exponentially multiplied.

Snapchat’s Lenses app is facing a class action lawsuit from two Illinois residents who allege the app violates the US state’s Biometric Information Privacy Act. The app adds effects to photos, but to do so it scans the user’s face. However, BIPA states that written consent must be obtained by any company before collecting certain biometric data, including facial scans, and no such feature is incorporated into Lenses.

Weekly digest April 4 – 10, 2022: EU data governance, digital products security, US law enforcement outreach & privacy
https://techgdpr.com/blog/weekly-digest-11042022-eu-data-governance-digital-products-security-us-law-enforcement-outreach/
Mon, 11 Apr 2022 09:09:19 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: EU data governance, traffic and location data, consumer rights, hospitals

The EU Data Governance Act, approved by the Parliament on April 6, promises to boost data sharing in the EU so that companies and start-ups will have access to more data they can use to develop new products and services. The new draft rules also aim to build trust in data sharing, making it safer and easier as well as ensuring it is in line with data protection legislation. This will be achieved through a range of tools, from technical solutions such as anonymisation and pooling of data to legally binding agreements by the re-users. The rules will enable:

  • data collected in some public sector areas to be better used;
  • the creation of common European data spaces for important areas: health, environment, energy, agriculture, mobility, finance, manufacturing, public administration, and skills;
  • new rules for data marketplaces – usually online platforms where users can buy or sell data – will help new intermediaries be recognized as trustworthy data organizers;
  • new rules for companies, individuals, and public organizations that wish to share data for the benefit of society (data altruism).

The Data Governance Act must be formally adopted by the EU countries in the Council before it becomes law. Also, to further encourage data sharing, the Commission proposed a Data Act in February, which the Parliament is working on.

The European Court of Justice confirms that EU law precludes the general and indiscriminate retention of traffic and location data relating to electronic communications for the purposes of combating serious crime. In the related long-standing case in Ireland, a man was sentenced to life imprisonment for murder and appealed, saying the court of first instance had wrongly admitted traffic and location data of telephone calls as evidence. “The privacy and electronic communications directive does not merely create a framework for access to such data through safeguards to prevent abuse, but enshrines, in particular, the principle of the prohibition of the storage of traffic and location data”, the highest EU court stated. However, it held that EU law does not preclude legislative measures for the purposes of combating serious crime and preventing serious threats to public security for:

  • targeted retention of traffic and location data which is limited, according to the categories of persons concerned or using a geographical criterion;
  • general and indiscriminate retention of IP addresses assigned to the source of an internet connection;
  • general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; and
  • the expedited retention (quick freeze) of traffic and location data in the possession of those service providers. Read the full decision by the ECJ here.

The Irish government has approved a draft bill – the General Scheme of Representative Actions for the Protection of the Collective Interests of Consumers. The aim is to permit qualified and designated entities to represent consumers in a representative action (civil claim) where a trader has infringed consumer rights under one or more of the legislative provisions listed, including the major data protection legislation at EU and national levels – the GDPR, ePrivacy Directive, and the Irish Data Protection Act 2018. You can examine the full draft bill here.

Utah followed California, Virginia, and Colorado in adopting a comprehensive consumer data privacy law, JD Supra News reports. Utah’s Governor signed the Consumer Privacy Act, which will take effect on December 31, 2023. Consumers include individuals who are Utah residents and are acting in an individual or household context, not an employment or commercial context. Under the Act, data controllers (certain entities that conduct business or target consumers in Utah on a large scale) have obligations to, among other things:

  • disclose in a privacy notice various processing activities;
  • provide consumers with clear notice and an opportunity to opt out of the processing of sensitive data, including biometric and geolocation data;
  • provide consumers with a right to opt out of targeted advertising or the sale of personal data;
  • comply with requests from consumers to exercise their other rights to access, obtain a copy of, or delete personal data, and confirm whether a controller processes personal data; and
  • maintain reasonable administrative, technical, and physical data security practices.

However, the law does not create a private right of action and grants exclusive enforcement authority to the Attorney General.

The Czech Supreme Administrative Court upheld a fine by the national data protection authority imposed on a hospital for insufficient security in the processing of personal data (Art. 32 of the GDPR). In the landmark decision, the court stated that the hospital in question is a joint-stock company, not a public entity, although it is financed mainly from public health insurance funds and provides its healthcare services in the public interest.

Thus, it cannot enjoy the exemption which derives from Art. 83 (7) of the GDPR: “each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State”. In particular, the court rejected the application of the national data protection legislation, which does not allow the imposition of a sanction on a public entity. The full text of the judgment (in Czech) can be found here.

Official guidance: data processing agreements, digital products security, AI knowledge base

The Danish data protection authority Datatilsynet responded to some questions regarding data transfer provisions in processing agreements, Data Guidance reports. In the given case, a company (KOMBIT) supplies IT systems to Danish municipalities and uses a subcontractor/processor (Netcompany), which in turn uses Amazon Web Services (AWS). According to KOMBIT, the information is generally processed within the EU/EEA, but it also appears from the data processing agreement between Netcompany and AWS that this can be deviated from if it is necessary to comply with legislation or a binding decision from a public authority in a third country. The questions were:

  • whether there is an intentional or unintentional transfer to third countries,
  • whether the municipalities must comply with the requirements for transfers to third countries, and
  • whether this gives rise to a question of adequate security of processing.

In the eyes of the Danish regulator, this will be an intentional third-country transfer. Therefore, municipalities must ensure that the rules on transfers to third countries are complied with when or if AWS makes such transfers in accordance with the instructions set out in the data processing agreement.

The EU Commission is holding an open public consultation on the establishment of new horizontal rules for digital products and associated services placed on the internal market, in view of a new European Cyber Resilience Act (CRA), Bird&Bird Insights reports. The consultation and call for evidence will be open for stakeholders’ feedback until May 25. The future CRA aims to create:

  • baseline cybersecurity requirements for manufacturers and vendors of a wide range of digital products and ancillary services, the absence of which would prevent the tangible product from performing its functions (wireless and wired, embedded and non-embedded software), covering their whole life cycle;
  • obligations on economic operators; and
  • provisions on conformity assessment, the notification of conformity assessment bodies, and market surveillance.

The CRA would add to the existing cybersecurity framework (the NIS Directive, the EU Cybersecurity Act, etc.). The consultation questionnaire and its outcome can be found here.

The French regulator CNIL presented a knowledge base (in French) on the concept of Artificial Intelligence. The CNIL explains, through various tools and publications, the challenges in terms of data protection and the way in which it acts to support the deployment of solutions that respect the rights of individuals. The project includes:

  • a short glossary of AI;
  • accessible resources for everyone (books, films, factsheets, articles);
  • guidance for data protection specialists on the application of the GDPR in AI systems (impact assessment questionnaires, rules on assigning responsibilities, documentation requirements, etc.).

Investigations and enforcement actions: unsecured visa applications, failed data deletion, unauthorised disclosure, accidental alterations of customer data

The Dutch data protection authority (AP) has fined the Foreign Affairs Ministry 565,000 euros for potentially breaching the privacy of people making visa applications over a number of years, DutchNews.nl reports. The AP identified the ministry as a data controller and stated that its visa information system is not secure enough, with a risk of unauthorised access to and changes of files. Sensitive information, such as fingerprints, name, address, purpose of the trip, nationality, and photo, could have been accessed because of inadequate physical and digital security. Also, people applying for visas were not given proper information about the way their data is shared with third parties. In addition, the AP imposed extra fines, subject to periodic penalty payments, for fixing the security provision (50,000 euros every two weeks) and the information obligation (10,000 euros per week).

The Irish supervisory authority fined Bank of Ireland Group 463,000 euros for violating Art. 32-34 of the GDPR. This inquiry was opened after 22 personal data breach notifications in 2018-2019. The notifications related to the corruption of information in the Group’s data feed to the Central Credit Register, a centralised system that collects and securely stores information about loans. The incidents included unauthorised disclosures and accidental alterations of customer personal data. The decision considered as a preliminary issue whether the incidents met the definition of a “personal data breach” under the GDPR, and found that 19 of the incidents reported did meet the definition. Additionally:

  • the group failed to issue communications to data subjects without undue delay in circumstances where the personal data breaches were likely to result in a high risk to data subjects’ rights and freedoms; and
  • the group failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by its processing of customer data in the centralised register.

Meanwhile, the Danish data protection agency Datatilsynet assessed that Danske Bank has not been able to document that it deleted personal information in accordance with the data protection rules, and therefore imposed a fine on the bank of approximately 1.3 million euros. In 2020 the regulator initiated a case after the bank itself had stated that it had identified a problem with the deletion of unneeded personal data. It emerged that in more than 400 systems there were no rules laid down for the deletion and storage of personal data, and that no manual deletion of personal data had been carried out. These systems process the personal data of millions of people. At the same time, the regulator emphasized Danske Bank’s active participation in the disclosure of the case and its continuous attempts to align its practices with legal requirements and minimize the risks for data subjects.

Data security: UK cybersecurity survey, US law enforcement outreach

The UK Department for Digital, Culture, Media & Sport published the latest cyber security breaches survey. It is an annual survey detailing the cost and impact of cyber breaches and attacks on businesses, charities, and educational institutions. Here are some key findings:

  • Cyberattacks are becoming more frequent, with organizations (businesses and charities) reporting more breaches over the last 12 months.
  • Almost one in three businesses and a quarter of charities suffering attacks said they now experience breaches or attacks at least once a week.
  • Data shows two in five businesses use a managed IT provider but only 13 percent review the security risks posed by their immediate suppliers.

Four out of five senior managers in UK businesses now see cyber security as a ‘very high’ or ‘fairly high’ priority, a significant rise since 2021. Read the full survey here.

A Guardian article reveals that very little data is secret from US law enforcement, which has multiple ways to obtain personal data, either openly or covertly. It was reported last week that hackers obtained the information of some Apple and Meta users by forging an emergency legal request (explained in the previous digest), one of several mechanisms by which law enforcement agencies can demand that tech companies hand over data such as location and subscriber information. US law enforcement requests may include gag orders, meaning the company cannot notify users that their information has been requested for six months or more. There are a few types of legal requests and other legal avenues that have recently sparked concern among activists and experts:

  • geofence warrants,
  • keyword search warrants,
  • administrative subpoenas,
  • cell-tower dumps,
  • inter-agency data sharing at the local, state, and federal levels, or from companies like Palantir,
  • location and purchase history data from data brokers,
  • surveillance tech companies like Clearview AI and Voyager, etc.

Big Tech: Google complaint in Germany, China surveillance, Clearview expansion, Mailchimp data breach, banned apps on Google Play

Google in Germany is facing a legal complaint in which the North Rhine-Westphalia consumer office says Google’s cookie banners violate data protection rules, Reuters reports. The office maintains that refusing cookies requires more steps than consenting to them on Google’s search engine websites. The company says it is soon changing its consent banner and cookie policy Europe-wide to comply with regulations.

Using publicly available documents, Reuters has identified an explosion in software using AI in China to crunch big surveillance data and rising demand from police and civil authorities around the country for the equipment. Vast quantities of data used to require human input to organize. The new software is built around the “one person, one file” concept, facilitating the tracking of individuals. Since the first patent application in 2016, at least 28 firms have entered the market for file archiving and image clustering algorithms for facial recognition, extracting data from social media, and details on relatives, social circles, vehicle records, marital status, and shopping habits.

Google has banned dozens of apps from its Google Play store after finding embedded software that secretly harvested users’ data, including location and personal identifiers, IAPP News reports. The code, built for Android and used in millions of devices worldwide, was developed by Measurement Systems, which reportedly has links to a Virginia defense contractor.

Major email marketer Mailchimp has reported a data breach after hackers exploited a weakness in an internal customer support and account administration tool, TechCrunch says. A social engineering attack led to 300 client accounts being compromised, 102 of which lost audience data; customers from the cryptocurrency and finance sectors were targeted. Mailchimp says it detected the breach quickly and has taken steps to ensure it won’t happen again.

Controversial facial recognition startup Clearview AI is looking to expand beyond providing services to police forces, AP News reports. In March it reportedly offered its services for free to the Ukrainian military to help identify casualties and prisoners with images scraped from the Russian social media website VKontakte, and it is now going to offer a new “consent-based” product using its algorithms, but not its 20 billion-image library, to banks and other private businesses for identity verification purposes.
