voiceprints Archives - TechGDPR
https://techgdpr.com/blog/tag/voiceprints/

Data protection digest 2-17 Aug 2025: “Data protection says what should be done, information security says how we do it” – Estonian regulator
https://techgdpr.com/blog/data-protection-digest-18082025-data-protection-says-what-should-be-done-information-security-says-how-we-do-it/
Mon, 18 Aug 2025 14:35:54 +0000

How is data protection related to information security? 

The goal of information security is to protect an organisation’s business processes. This means responsibility for the security of the entire operating system and the ability to resist any activities that threaten the availability, authenticity, integrity, and confidentiality of data processed in the system or the services provided and accessed through the system, according to the Estonian data protection regulator.

The information assets include all IT resources – hardware, software, various data communication devices, etc. However, people working in an organisation and customers can also be considered information assets. Therefore, it can be said that data protection and information security are like two sides of the same coin: data protection determines the basic principles of personal data processing, while information security helps to implement these principles.

Beyond the simple fact that it makes good business sense to ensure information security and protect assets, the obligation to implement information security comes among other things from data protection laws, which state that personal data security must be ensured by appropriate and secure measures. This means that each situation must be assessed individually. To start with: 

  • Map out what your organisation does and what business processes it involves. 
  • Identify the assets you have in place—whether they’re customer data, documents, employees, information systems, or security equipment. 
  • Don’t forget your “global defense zone”: your physical office, home office, coworking spaces, and other locations where your organisation’s assets and information might be located.
  • If something major happens in any of these components, you need to know immediately if and how it will impact your organisation.

As a general approach, try to process as little personal data as necessary and only when needed, stresses the Estonian regulator.

List of AI companies signed up to the EU Code of Practice

The Commission has published the full list of signatories to the EU’s generative AI Code of Practice initiative so far, known also as the Code of Practice for General Purpose AIs (GPAIs), published on July 10, 2025. Signing the code will reduce signatories’ administrative burden and give them more legal certainty than if they proved compliance through other methods.

The signatories include Amazon, Anthropic, Google, IBM, OpenAI, Microsoft, Mistral AI and a dozen other companies (some signatories may not appear immediately on the list). In addition, xAI signed up to the Safety and Security Chapter; this means that it will have to demonstrate compliance with the AI Act’s obligations concerning transparency and copyright via alternative adequate means.

The code has also been complemented by Commission guidelines and the Q&A on key concepts related to general-purpose AI models. 

More legal updates

European Biotech Act: The Commission opened a consultation, until 10 November, as part of the development of the European Biotech Act. It will propose a series of measures to create an enabling environment to accelerate the transition of biotech products from laboratory to factory and to the market, while maintaining the highest safety standards for the protection of the population and the environment. The act will address growing dependencies in biotech on data, storage, computing power, and AI.

In the EU, biotechnology reached a gross value added in 2022 of 38.1 billion euros: the highest contribution came from medical and pharmaceutical biotechnologies, and the fastest-growing area was industrial biotechnology. At the same time, European biotech companies face an opportunity gap, with the US having twice as many early-stage venture capital deals and three times as many late-stage deals. Over the last six years, 66 of the 67 biotech companies going public have targeted the US NASDAQ rather than European stock markets. 

California privacy updates: The California Privacy Protection Agency (CPPA) has filed a judicial action seeking to enforce an investigative subpoena against Tractor Supply Company, a Fortune 500 company that bills itself as the nation’s largest rural lifestyle retailer. The CPPA’s petition alleges that Tractor Supply failed to comply with a subpoena seeking information about the company’s compliance with the California Consumer Privacy Act of 2018. The petition marks the CPPA’s first public disclosure of an ongoing investigation into a company and its first judicial action to enforce an investigative request. The agency has been investigating whether Tractor Supply failed to honour Californians’ right to opt out of the sale and sharing of their personal information online. 

More from supervisory authorities

GDPR from A to Z:  The German Federal Data Protection Commissioner (BfDI) has updated a catalogue that provides a compact compilation of the most important legal texts: the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). In addition to the legal texts and the references to the GDPR, it contains explanations of specific topics and vague legal terms.

Data memorisation in LLMs: Additionally, the BfDI has finished its consultation on processing personal data in large language models in a way that complies with data protection laws. Civil society, industry, and scientific groups were all included in the consultation. It looked for information about the limits of anonymisation, the memorisation of personal information, the dangers of data extraction, and the protection of the rights of data subjects under the GDPR in AI systems.

AI in healthcare: The EU Publication Office offers a study on the deployment of AI in healthcare. Present-day healthcare systems face several complex challenges, including rising demand due to an ageing population, increasing prevalence of chronic and complex conditions, rising costs, and shortages in the healthcare workforce. AI has the potential to address some of these by improving operational efficiency, reducing administrative burdens, and enhancing diagnosis and treatment pathways.

E-store data minimisation

The Latvian DVI explains the minimum amount of data needed to place an order in an e-store. In order to ensure the fulfillment of an order, certain personal data must be collected and processed. This process can be conditionally called a mutual agreement. The following data is required to place an order:

  • customer’s name and surname (for indication in a supporting document, for example, an invoice);
  • email address (for sending invoices and order status messages);
  • phone number (to ensure delivery, the courier also receives this information);
  • delivery address or parcel machine address (depending on the selected delivery method).

The merchant must be able to clearly indicate why each type of data is necessary. For example, first and last name is necessary to fulfill a legal obligation. Other data, on the other hand, is necessary to fulfill the requirements of the contract. For example, if the service is “intangible” (online courses), first name, last name and email address are sufficient, which are necessary for sending the invoice and access data. A merchant may also need additional information if the product or service is individually tailored to the customer (eg, tailored clothing, selection of skin care products, manufacturing of spectacles).

Customer data may only be used for the purposes originally specified. It may not be transferred to other parties unless there is a legal basis for this, such as the customer’s consent, a legal obligation or a legitimate interest. It may also be justified to use the data for related purposes such as archiving, if this does not conflict with the original purpose of obtaining the data.

Data deletion request

The DVI has also tried to answer the question: Should the deletion request itself be erased if someone has asked for data processed with their consent to be deleted? If a person withdraws consent to the processing of their data and requests the deletion of all data related to this consent, the organisation is obliged to stop processing this data as soon as possible and delete it, unless there is another legal basis for continuing to store or use it. This means that all data that was collected on the basis of consent must be deleted (eg, the person being removed from the list of recipients of commercial communications).

However, the request document itself, by which the person withdraws consent, as well as the organisation’s response to it, cannot be deleted at the same time as the aforementioned data, since the basis for processing such information is not the person’s consent within the meaning of the GDPR. They may be stored to fulfill the institution’s interests in managing its documentation and ensuring the protection of its rights (so that, if necessary, it can be confirmed that the request has been received, fulfilled and when it occurred).

More official guidance

Biometrics: Canada’s Privacy Commissioner has published guidance on biometrics for the public and private sectors. While biometrics can enhance security and help in service delivery, they can also raise privacy issues. Biometric information is intimately linked to an individual’s body and is often unique, and unlikely to vary significantly over time. It can reveal sensitive information such as health information or information about race and gender characteristics. The guidance among other things addresses key considerations for organisations when planning and implementing initiatives involving biometric technology – transparency, safeguarding data, and accuracy, including testing for biometric systems.

IoT data security: America’s NIST finalized its ‘Lightweight Cryptography’ Standard to Protect Small Devices. Four relevant algorithms are now ready for use to protect data created and transmitted by the Internet of Things and other electronics. The standard is built around a group of cryptographic algorithms in the Ascon family, which NIST selected in 2023 as the planned basis for its lightweight cryptography standard. They require less computing power and time than more conventional cryptographic methods do, making them useful for securing data from resource-constrained devices. For more technical information on the standard, visit the NIST Lightweight Cryptography Project page.

Optus data breach in Australia

The Australian Information Commissioner has filed civil penalty proceedings against Optus (telecommunications), following an investigation in relation to the data breach made public by Optus on 22 September 2022. The data breach involved unauthorised access to the personal information of millions of current, former and prospective customers of Optus, and the subsequent release of some of this information on the dark web. This included names, dates of birth, home addresses, phone numbers and email addresses, passport numbers, driver’s licence numbers, Medicare card numbers, birth certificate information, marriage certificate information, and armed forces, defence force and police identification information.

Based on this case the Australian regulator asks all organisations to: 

  • implement procedures that ensure clear ownership and responsibility over internet-facing domains
  • ensure that requests for customers’ personal information are authorised to access that information
  • layer security controls to avoid a single point of failure
  • implement robust security monitoring procedures to ensure any vulnerabilities are detected and that any incidents are responded to in a timely manner
  • appropriately resource privacy and cyber security, including when outsourced to third party providers
  • regularly review practices and systems, including actively assessing critical and sensitive infrastructure, and act on areas for improvement in a timely manner.

Voiceprint for authentication purposes

The Swiss Federal Data Protection Commissioner has examined whether PostFinance (a retail banking and business client) is violating data protection regulations when using voice recognition as a means of authentication. It concluded the investigation on 16 May with a ruling instructing PostFinance to obtain the express consent of the person concerned when creating voiceprints for voice recognition and to delete voiceprints for which no consent has been explicitly given.

Voiceprints are a type of biometric data. Under data protection law, they are considered sensitive personal data if they enable the identification of an individual. Unlike a password, a voiceprint cannot be recreated in case of misuse.

In other news

Meta AI: According to the privacy advocacy group Noyb, just 7% of consumers want Meta to utilise their personal information for AI, despite the fact that over 75% of users were aware of Meta’s ambitions. Noyb has commissioned the Gallup Institute to survey 1,000 Meta users in Germany in order to learn more.

In May this year, Meta decided to begin using EU personal data to train its AI systems by just asserting that it had a “legitimate interest” under Article 6 of the GDPR. Although nearly two-thirds of the participants claim to have heard about Meta’s announcement, just 40% of Instagram or Facebook users can recall seeing the in-app message that was concealed under a notification menu (or can recall the email notice that was sent with a subject line designed to make people ignore it).

But as people age, knowledge about this issue increases significantly, while women are less inclined to give AI their data.

IBAN: The IBAN can in some cases allow a hacker to issue illegitimate direct debit orders. The hacker can also, more directly, usurp another person’s IBAN by communicating it when creating a direct debit mandate as part of a subscription to a service. In order to reduce the risk of fraudulent use of your IBAN and minimise its consequences, the French regulator CNIL recommends:

  • Monitor your bank account transactions regularly and block your bank account if necessary.
  • Contact your usual bank advisor if you have any doubts.
  • Check the list of authorised creditors (eg, the beneficiaries of direct debits) in your online banking space.
  • When receiving a pre-filled direct debit mandate, or an alleged update of it, be vigilant about the information describing the creditor.

One click was nothing. But you gave away a lot

As digital technology allows for limitless information sharing with just a single click, the Latvian DVI is launching an educational public awareness campaign to encourage every digital user, but especially young people, to realise that personal data is a value, not an accidental footprint left on the internet. The campaign emphasizes that seemingly harmless digital actions, such as posting your photos on social networks, participating in a free game, or clicking the “I agree” button without reading the contents of a document, can mean widespread and irreversible data transfer consequences that are not always easy to predict or reverse.

Similarly, Privacy International publishes a series of educational case studies to answer the question of “Why privacy matters” for schoolchildren, workers, people with disabilities, protestors and even sports fans and many others. Here are some outstanding points of the analyses:

  • When surveillance creeps into classrooms and digital learning platforms, it threatens the freedom of pupils to feel safe to explore ideas, make mistakes and develop into their own unique selves.
  • Employers are using surveillance to monitor, control, and exploit workers in ways that many may not even be aware of.
  • The growing threat of intrusive surveillance such as AI-powered facial recognition in stadiums risks turning a vibrant cultural space into one of control and suspicion.
  • Privacy is a universal right, but for people with disabilities, it’s often compromised in the very systems designed to support them.
  • In society, dissent – especially through protest – is vital for progress, change, and holding power accountable. Without privacy, protestors risk losing their voices, and their own safety.
  • Migrants have the same right to a private life and to be free from intrusive surveillance as anyone else. Yet, for people on the move, this right to privacy is under constant threat.

In case you missed it

Meta’s “story” photos: The Icelandic data protection regulator explains that Meta launched a feature that goes through photos on your phone and suggests what to post on Facebook. The social media app automatically selects photos or videos from your phone and sends them to Meta’s servers. The photos are then processed using artificial intelligence to display post suggestions in “Story”.

This is done without the user having specifically uploaded the photos or videos to the social media platform for publication there. Since this may be a significant intrusion into people’s privacy, and since the regulator has received reports that people have not realised that this feature has been enabled, the regulator provided the instructions on how to disable the feature:

  • Open the app on your phone.
  • Press + at the top of the screen.
  • Tap “Story”.
  • In the top right corner: Press the “Settings” gear.
  • At the bottom is “Camera roll settings”.
  • Turn off “Get camera roll suggestions when you’re browsing Facebook”.

Political advertising in the EU: Google and Meta announced that they will suspend all political advertising services in the EU due to the application of the Political Advertising Transparency and Targeting Regulation in October 2025, the Estonian regulator reports. The implementation of the new regulation will bring a number of operational and legal requirements that are difficult to implement. As a result, Google has decided to suspend all political advertising services, including on YouTube, until there is greater clarity on the implementation of the regulation. However, Meta believes that the implementation of the new regulation will make the current transparency and targeting systems too complex and ineffective, significantly reducing the ability of advertisers to reach the electorate.

The post Data protection digest 2-17 Aug 2025: “Data protection says what should be done, information security says how we do it” – Estonian regulator appeared first on TechGDPR.

Weekly digest 30 May – 6 June 2022: secure multiparty computation, public procurement, voiceprints & privacy
https://techgdpr.com/blog/weekly-digest-07062022-secure-multiparty-computation-public-procurement-risk-analysis/
Tue, 07 Jun 2022 09:02:15 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: secure multiparty computation, public procurement, risk analysis, DPIAs

The Spanish privacy regulator AEPD has published a tech-savvy blog post on Privacy by Design: Secure Multiparty Computation. It is possible to create federated data spaces, which avoid the communication and exposure of data to third parties and at the same time provide access to the necessary information to multiple stakeholders, optimizing networks and processes and, in addition, allowing controlled data reuse policies to be implemented. All this is independent of the additional data protection measures by design and by default that can be added, together with a governance model, for the guarantee of rights in the source data.

One such enabling technology is Secure Multiparty Computation (SMPC). This is a cryptographic protocol that, through additive secret sharing, allows you to segment secret data into different parts, so that, when the data is shared, the original data cannot be revealed by any of the sources. For example, three companies may wish to collaborate to carry out a study of the sector to which they belong and thus jointly benefit from the results obtained. However, legal, strategic, and technical constraints might make this collaboration impossible.
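The additive secret sharing described above, worked through for the three-company case as an added example (it is not code from the AEPD post or from TechGDPR). The modulus, company names and figures are constructed assumptions, and the parties are assumed to follow the protocol honestly and exchange shares over confidential channels.

```python
"""Additive secret sharing: three companies learn a joint total without
revealing their individual figures to one another (illustrative sketch)."""
from __future__ import annotations

import secrets

# Assumption: a public modulus all parties agree on in advance. It must be
# larger than any total they could jointly produce, otherwise the sum wraps.
MODULUS = 2**61 - 1

# Constructed sample inputs: hypothetical companies, annual revenue in euros.
CONSTRUCTED_INPUTS = {
    "company_a": 4_200_000,
    "company_b": 13_750_000,
    "company_c": 890_000,
}


def split(secret: int, n_parties: int, modulus: int = MODULUS) -> list[int]:
    """Split `secret` into n shares that add up to it modulo `modulus`."""
    if not 0 <= secret < modulus:
        raise ValueError("secret must lie in [0, modulus)")
    if n_parties < 2:
        raise ValueError("secret sharing needs at least two parties")
    # n-1 shares are uniformly random, so any n-1 of the n shares carry no
    # information about the secret; the last share is the correction term.
    shares = [secrets.randbelow(modulus) for _ in range(n_parties - 1)]
    shares.append((secret - sum(shares)) % modulus)
    return shares


def reconstruct(shares, modulus: int = MODULUS) -> int:
    """Recombine shares (or published partial sums) into the shared value."""
    return sum(shares) % modulus


def joint_sum(private_inputs: dict[str, int], modulus: int = MODULUS):
    """Simulate the protocol and return (total, published partial sums).

    Step 1: every party splits its own input and sends one share to each
            participant, keeping one for itself.
    Step 2: every party adds up the shares it holds and publishes only
            that partial sum, which looks uniformly random on its own.
    Step 3: anyone adds the published partial sums to obtain the total.
    """
    parties = list(private_inputs)
    inbox: dict[str, list[int]] = {name: [] for name in parties}
    for owner in parties:
        shares = split(private_inputs[owner], len(parties), modulus)
        for receiver, share in zip(parties, shares):
            inbox[receiver].append(share)

    partials = {name: sum(inbox[name]) % modulus for name in parties}
    return reconstruct(partials.values(), modulus), partials


if __name__ == "__main__":
    total, partials = joint_sum(CONSTRUCTED_INPUTS)
    for name, value in partials.items():
        print(f"{name} publishes partial sum {value}")
    print(f"joint total: {total}")
    # Limit worth knowing: the total itself leaks information. With three
    # parties, two that pool their own inputs can subtract them from the
    # total and recover the third party's figure.
```

Each published partial sum mixes one random-looking share from every company, so no single message exposes an input; what the design cannot hide is whatever the agreed output itself implies.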

In order to help the professionals concerned identify their responsibilities in different contexts of public procurement, the French regulator CNIL clarifies (in French) the elements to be taken into account and the legal consequences to be drawn from the qualification of “(joint) controller” and “subcontractor”. Administrations often entrust another body (economic operator) with the mission of meeting needs in terms of works, supplies, or services, for example, the management of extracurricular services, water, transport, or parking. To perform these public contracts they are required to collect and use personal data which may concern staff or users of the public service: this data processing must comply with the GDPR. The designation of actors as “controller”, “subcontractor” or “joint controller” must occur as early as possible and be carried out with regard to factual elements and each contractual context. This establishes who will have to guarantee compliance with the main principles of the GDPR, in particular:

  • the existence of an explicit and legitimate objective, (purpose), for each use of data;
  • collection of relevant and non-excessive data;
  • data security;
  • a limited data retention period;
  • proper consideration of people’s rights.

Dealing with risks. The Bavarian data protection commissioner explains how this works in data protection law. A new guide (in German) helps to detect and manage risks in the processing of personal data even more easily. The paper attaches particular importance to the idea of scaling: risk analyses do not always have to be complex. Depending on the occasion, different “expansion stages” are possible. This is illustrated using several case studies. The new orientation guide and an information package (with a set of forms that guide the implementation of risk analyses and are intended to support proper documentation) can be downloaded free of charge from here and here.

The Latvian data protection authority DVI also explains how to conduct a Data Protection Impact Assessment. A DPIA is the process by which a data controller can carry out an inventory, analysis, and assessment of the possible consequences (in terms of severity and likelihood) of different risks to individuals’ rights and freedoms. Carrying out a DPIA is not a one-off exercise, but a set of data processing assessments that need to be carried out on a regular basis. Additionally, organisations should not expect data processing to be constant (even if no changes are made), as externalities also pose risks to continuous data processing. They should consider, for example, the following aspects:

  • internal processes and planned activities with personal data;
  • how the internal exchange of data takes place and whether the current exchange mechanisms are considered secure;
  • the location of the data and access to how the data is transferred – on a computer, in folders, physically, etc.;
  • employees’ knowledge of how to handle personal data in compliance with data protection requirements;
  • internal documentation;
  • whether data protection system rules have been developed, taking into account possible risks, (eg, unauthorized access, deletion, etc.).

The following questions will also help to assess the above aspects of processing:

  • Does the protection of the organisation’s data system correspond to the risk posed by the data processed in it?
  • Are the personal data processed and grouped more carefully, taking into account potential risks and high-risk?
  • What devices are connected to the local network, (do the devices themselves and their connections pose a security risk)?
  • What software is used in the organization’s information systems?
  • Are computers equipped with security systems, passwords?
  • Is employees’ access to processed personal data recorded?
  • What more could be done to achieve higher security standards? 

Legal processes: no united position on the AI Act, UK data protection reform

Members of the European Parliament have submitted hundreds of amendments to the upcoming AI Act, setting the tone for future discussions, according to the Euractiv news website. Reportedly, one of the most controversial topics is the definition of artificial intelligence itself. Another hot issue is the burden of obligations, not excluding data protection issues, for AI creators, introducing different requirements for new, former, and original providers of AI technology. At the same time Green MEPs made major proposals on prohibited practices, extending this category to biometric categorisation, emotion recognition, and any automated monitoring of human behaviour. Finally, conservative lawmakers want to exclude systems designed to assess creditworthiness from the high-risk list. Read more about the opposing proposals for the AI act from the EP’s left and right political groups in the original publication.

In a pre-emptive strike ahead of the publication of the Data Protection Reform Bill in the UK, Privacy International publishes its response here.  It states that the right to privacy and data protection is linked to some of the most important political and existential questions of our time. At the core of the proposal is the suggestion that data protection is a burden on companies. It appears to be driven by the commercial interests of a few companies who may benefit from weaker rights protection, the result being the proposed loss of many important protections for people. The PI report looks at such privacy issues as:

  • How can exploitation of the vulnerable be prevented? 
  • How does the UK treat immigrants who bring key skills and prosperity to the country? 
  • What safeguards are there against potential corruption of the democratic process by new technologies and their use by political parties and third parties?

In PI’s opinion, the UK proposal is a backward step. For example, innovation, (eg. in AI), relies on people sharing data; in order for people to share their personal information, they need to feel confident about doing so. 

Investigations and enforcement actions: public bodies and IT incidents, unauthorized access, absence of legal purpose, DPOs, insufficient testing of software updates

The French regulator CNIL  issued notice to twenty-two municipalities to appoint a data protection officer. The GDPR makes the appointment of a data protection officer mandatory in certain cases, in particular when the processing of personal data is carried out by a public authority or a public body, (Art. 37 of the GDPR). This obligation, therefore, concerns all local authorities, regardless of their size. In the case of local authorities, the delegate can be an internal agent or subcontractor shared between several municipalities. The 22 municipalities, in metropolitan France and overseas, have a period of 4 months to comply by appointing a data protection officer, under the conditions set by the GDPR, (expertise, independence, sufficient resources, etc.). If they do not comply with the formal notice, the CNIL may use its powers to pronounce sanctions – which can include fines and public reprimand.

The data protection officer, explains CNIL, plays an essential role in the compliance of data processing implemented by public authorities. They are the main point of contact for agents and citizens on all subjects relating to data protection: a) internally, they answer all questions regarding data protection and ensure that you are familiar with the GDPR “first steps”, (in the event of a computer attack, design of a new digital project, etc.), b) with regard to stakeholders, they oversee the organization of the processing of requests to exercise rights and any requests for clarification from the CNIL in the event of an audit.

Meanwhile the Italian privacy regulator ‘Garante’ fined Inail (a financially independent public body which manages compulsory insurance against accidents at work and occupational diseases on behalf of the state) 50,000 euros. An investigation revealed that at least three IT incidents resulted in unauthorized access to the data of some workers, in particular details on health and injuries suffered. The application “Workers Virtual Desk” managed by the authority allowed some users to accidentally consult the accident and occupational disease files of other workers. In one case, however, the incident occurred following the execution of an outdated version of the “Workers Virtual Desk”, due to human error.

‘Garante’ emphasized that a body with such significant institutional skills, which processes  particularly delicate data, including vulnerable data subjects, is required to adopt, in line with the principle of accountability required by the GDPR, technical and organizational standards that ensure the confidentiality of the data processed on a permanent basis, as well as the integrity of the related systems and services. The regulator’s judgement took into account the full cooperation offered by the public administration during the investigation and the small number of people involved in the identified data breaches.

In Norway the regulator Datatilsynet notified NAV (Norwegian Labour and Welfare Administration) of a fine of approx. 495,000 euros for making CVs available on the service arbeidplassen.no without legal purpose. In order to receive services and benefits, job seekers have had to provide a quantity of information, including a CV. NAV has also set as a condition that the CV must be made available to employers on arbeidplassen.no, a condition NAV itself discovered that they have no authority to impose. NAV took immediate action, closing employers’ access to jobseekers’ CVs and notifying those affected.

Denmark’s data protection authority expressed serious criticism of the University of Southern Denmark’s insufficient testing of software updates. The university uses an HR system where employees can be assigned a grade to access applications. In connection with a software update, however, the system’s rights management was reset, which meant that all employees had access to the applications. This gave 7011 employees potential access to applications from a total of 417 applicants. Out of these, only some 400 employees had a conditional need to be able to access personal information in the HR system. Furthermore, the university did not keep a log of access to the applicants’ material and therefore could not identify what had been accessed.

Big Tech: voice recognition systems, UK’s Labour party lost database, the end of Google Assistant

According to Wired, voice recognition systems such as Siri and Alexa are becoming better at understanding people through their voices. Machines can learn a lot more: inferring your age, gender, ethnicity, socio-economic status, health conditions. Researchers have even been able to generate images of faces based on the information contained in individuals’ voice data, says the publication. And as the market grows, privacy-focused researchers are increasingly searching for ways to protect people from having their voice data used against them:

  • Simple voice-changing hardware allows anyone to quickly change the sound of their voice. 
  • More advanced speech-to-text-to-speech systems can transcribe what you’re saying and then reverse the process and say it in a new voice.
  • Distributed and federated learning—where your data doesn’t leave your device but machine learning models still learn to recognize speech by sharing their training with a bigger system.
  • Encrypted infrastructure to protect people’s voices from snooping, and
  • Voice anonymisation, (eg, altering the pitch, replacing segments of speech with information from other voices, and synthesizing the final output).

Britain’s Labour party is facing several class-action suits for failing to inform members after its database, hosted by a third party, was hacked with ransomware in 2021. The third party in question, the digital agency Tangent, was responsible for handling party membership data, and was reportedly targeted by an unknown ransomware gang that held the information hostage. Tangent refused to pay the ransom, leading the hackers to corrupt the database, rendering it inaccessible: “Labour claims that its own systems have not been affected by the breach, although its membership webpage has been down since it happened and, as a result, the party doesn’t have a complete or up-to-date membership list beyond December 2021”, according to the Bylinetimes newspaper.

Google wants to end location reminder capabilities on mobile and smart devices that use Google Assistant, Gizmodo and IAPP News report. The feature reminds users to do tasks when they arrive at specific locations. In just one example an investigation by Canada’s privacy regulator showed that people who downloaded the app for a popular coffee chain had their movements tracked every few minutes, even when the app wasn’t in use. Investigators said the app collected info to infer where users lived, worked, and traveled. The tech giant points to its privacy policy to claim it only collects data based on users’ settings, and that the app will only collect data when the app is active. However, third party apps can also share private information with Google when going through Google Assistant, based on user settings, says Gizmodo.

The post Weekly digest 30 May – 6 June 2022:  secure multiparty computation, public procurement, voiceprints & privacy appeared first on TechGDPR.
