The European Commission has announced that a new age verification app designed to protect children online is ‘technically ready’ and will soon be available for citizens to use. The app will allow users to prove their age when accessing online platforms, helping protect children from harmful or inappropriate content. It can be set up with a passport or ID card, enabling users to prove their age when accessing online services. 

Stay up to date! Sign up to receive our fortnightly digest via email.

Reportedly, the app is ‘completely anonymous’, works on any device, and is fully open source. Cyber and privacy experts, however, immediately examined the source code on the GitHub software platform and reported several issues with the app’s design, including low cybersecurity standards and the possibility of bypassing the app’s biometric authentication features.

Unjustified parking fines through automated means

The deployment of scanning vehicles to check parked cars has resulted in an estimated 500,000 unjustified fines. This is evident from a new thematic study by the Dutch Data Protection Authority AP. Municipalities carry out an estimated 250 to 375 million scans yearly. This results in 3 to 5 million parking fines per year.  According to calculations, more than 10 per cent of these are unjustified. People who object to the fine are successful in 40 to 62 per cent of cases. 

A scanning vehicle only takes a snapshot, and the algorithms in the monitoring system do not see the circumstances. As a result, a scanning vehicle cannot, for example, determine that someone is loading or unloading. In such a situation, an exception may apply. The disabled parking permit, which is not registered to the license plate by default and is placed behind the windshield, is also not ‘seen’ by the scanning vehicle. If payment has not been made, the systems are unforgiving, and a fine follows automatically. 

Other legal updates

Alabama comprehensive privacy law: The Alabama Personal Data Protection Act (APDPA) was enacted on April 16. It includes one of the lowest applicability thresholds for businesses in the US that: 

• handle personal data of more than 25,000 consumers (excluding data processed solely for completing a payment transaction), or 
• derive more than 25% of gross revenue from selling personal data. 

From 1 May 2027, it will empower a consumer to confirm whether a controller is processing any of the consumer’s personal data, correct inaccuracies, delete, obtain a copy, and opt out of the processing of their data. Controllers will be required to respond to consumer requests within 45 days, with a possible 45-day extension, and provide a secure and reliable method for consumers to exercise their rights; the analysis from vitallaw.com sums up. 

Scientific research in the EU:  The EDPB has, in the meantime, adopted Guidelines on processing of personal data for scientific research purposes.  Many areas of scientific research rely on the processing of individuals’ personal data. In the guidelines, the EU data protection regulator provides clarifications on the:

• concept of ‘scientific research’  
• further processing for scientific research purposes  
• reliance on “broad consent” where the purposes of research are not fully known 
• rights of individuals to erasure and objection when their personal data are processed for scientific purposes 
• qualifications of data controller, joint controllers or processors.

The guidelines will be subject to public consultation until 25 June. 

DPIA template

The EDPB has also adopted a template for Data Protection Impact Assessments (DPIA). The template will help organisations structure, harmonise and substantiate their DPIA reporting processes. The template is complemented by an explainer document providing concise explanations for completing this template effectively, by breaking down key concepts in a simple language and addressing possible questions and knowledge gaps controllers might have.

Controllers can conduct their risk analysis and management processes as they prefer, using the DPIA methodology of their choice. A DPIA is a process required in situations where the processing is likely to result in a high risk, to describe how personal data will be processed, assess whether the processing is necessary and appropriate, and identify and reduce risks to individuals’ rights and freedoms. 

Frontier AI systems

According to the Guardian, British banks will be given access in the next week to Antropic’s latest AI tool, highly skilled at cyber-security and hacking tasks, that was deemed too dangerous to be released to the public. Advances in the Claude Mythos model capabilities have come with concerns about hackers using such tools to figure out passwords or crack encryption meant to keep data safe.

Anthropic, which has so far limited the release of the new model to a small clutch of primarily US businesses, including Amazon, Apple and Microsoft, said it would expand that to UK financial institutions. UK regulators are due to raise the issue of Mythos’s risks with bank bosses and government officials in the coming weeks. 

According to the presented results, Mythos can detect vulnerabilities faster and link them into complete exploits and attack chains. This can strengthen defences, but can also accelerate digital attacks.  Defenders can deploy AI to detect vulnerabilities earlier and remedy them faster. But attackers with access to similar models will scale up investigation, identification, and exploitation as well. To that end, the Dutch National Cyber ​​Security Centre suggests practical steps to adopt: 

• Explicitly incorporate AI developments into your security measures, particularly patch management; delaying action by days or weeks no longer fits the current threat landscape.
• Anticipate attacks that occur faster, more automatically, and in larger numbers, for example, in the detection of anomalous behaviour in networks.
• Maintain solid basic security and supplement it with appropriate additional measures, as attackers already use AI to improve and automate existing techniques.  

More official guidance

Secure database configurations: The German Federal Office for Information Security (BSI) has published a collection of secure configurations for database systems. It provides recommendations for optimally configuring encryption, authentication, authorisation, and other security-relevant aspects. It serves as a template for securely operating the database management systems MariaDB, MongoDB, and Weaviate. The repository is continuously being developed and will be expanded to include support for other database management systems.

Healthcare institutions’ data security audit: The Lithuanian State Data Protection Inspectorate VDAI carried out 10 scheduled audits of the security measures of healthcare institutions. Security checks related to access control, backup management, and event log management were assessed. As a result, several areas for improvement were identified:

• Only 11% of institutions use multi-factor authentication (MFA).
• Only 56 % of institutions centrally store and encrypt log entries.
• 67% of institutions have implemented automated alerts for suspicious events.
• 78 % of institutions have a log entry management policy and review it regularly.
• 78% of institutions document backup and recovery procedures.

Pixel tracking: The French data protection authority CNIL publishes the final version of its recommendations on tracking pixels in emails (in French). The tracking pixel is an alternative tracking method to cookies, usually implemented in the form of a reduced image (1 pixel by 1 pixel). Loading this image, which contains a user ID, tracks a user when they visit a page or read an email. This technique is used for personalising communication according to the interests of users, measuring the audience, improving the proper reception of emails, etc. 

The recommendation specifies the cases in which consent will be required for the use of tracking pixels in emails and those which are exempt. It also specifies the procedures for withdrawing consent.  

In other news

Data breaches on the rise: The Estonian data protection agency provides an analysis of the received data breach notifications in Q1 2026. One of the most insidious threats in today’s cyber landscape is data-stealing malware. (eg, RedLine, Vidar). It is often downloaded onto personal devices unintentionally – through illegal software, malicious ads, or fraudulent links generated using artificial intelligence. Data thieves don’t just limit themselves to passwords: they also steal session cookies, which allow attackers to bypass even multi-factor authentication by “hijacking” the active logged-in session.

If employees use personal devices to check work emails or access SaaS platforms like Slack or Salesforce, a single infected home computer can compromise the entire corporate network.

Illegal GPS tracking: The Slovenian Information Commissioner found that one of the providers of public utilities was continuously and indiscriminately collecting location data of employees, obtained through GPS transmitters installed in company vehicles, without clearly defining the purpose of the data processing. Employees were not properly informed about the scope and purpose of such tracking. Besides, the objectives could be achieved with less stringent measures (eg, manual entries, use of vehicle odometer data).

Employee computer monitoring: In a similar inspection procedure, a Slovenian regulator found another employer’s covert surveillance (via Spyrix Employee Monitoring software), was carried out without a legal basis, without informing employees and to an extent that exceeded the permissible limits of interference with privacy in the workplace, as it targeted the content of employees’ communication via private e-mail and completely private conversations. The regulator imposed a fine of 71,474 euros due to the violations found. 

Amazon multimillion fine annulled

The Administrative Court of Luxembourg has annulled a 746 million euro GDPR fine imposed on Amazon, citing procedural failings by the national regulator. Judges ruled that authorities did not properly assess the company’s level of fault before setting the penalty, DigWatch News platform reports. The sanction was issued in 2021 by the national data protection commission over Amazon’s targeted ad system and appealed in March 2025. While the violations were upheld, the court found the regulator failed to determine whether the conduct was intentional or negligent.  

Other enforcement decisions

Access to an employee’s email after the end of employment: An employee can access messages on their company email account and documents stored on their computer after the end of their employment. Any restrictions must be justified by specific and proven reasons, such as protecting company secrets. This is what Italy’s ‘Garante’ established in accepting the complaint of a former employee of an insurance company who had requested a copy of his company email messages and documents saved on his computer. 

The company had accessed the former employee’s email and, after examining the contents, provided only the messages deemed “strictly personal,” excluding those related to work. According to the regulator, the right of access applies to all personal data, including communications exchanged through an individualised company account. Therefore, it is unlawful to pre-select the content to be provided, nor to limit or obscure it based on the distinction between personal and professional contexts. For the violations identified, a fine of 50,000 euros was imposed.  

Face recognition in the airport: Garante also declared the processing of biometric data of passengers at Milan Linate Airport using the facial recognition system “FaceBoarding” to be unlawful. The system was used to allow passengers to access the security-restricted area and board at the gate after registering at special kiosks or via an app and subsequently associating their face with their identification document and boarding pass. The system requires that the acquired biometric data be stored entirely centrally on the servers, preventing passengers from exercising exclusive control over their data. 

And Finally

AI awareness: While almost half of internet users in Germany feel capable of recognizing AI-generated content, in reality, hardly anyone looks closely: only a minority have ever searched for inconsistencies in the image or checked the source (28 % and 19%, respectively). Knowledge about potential fraud scenarios is also limited. Only 38 per cent believe it’s possible that cybercriminals could, for example, manipulate an AI program to transmit sensitive data. Similarly, only 40 percent consider it conceivable that criminals could insert invisible instructions for AI systems into documents. 

In fact, both scenarios are technically possible.

Police data reach: US police have access to a wide range of databases that they can use to look up and misuse information about people. This can result in humiliating and bad decisions, sometimes causing long-term damage to people’s lives. In-depth research by Rights & Security International and Privacy International reveals the impact of this and argues for more effective limits on what kinds of personal information police can view, when, and why. The US is not alone in this trend. The UK and the EU are also expanding law enforcement’s data-access powers, introducing facial-recognition surveillance and proposing scanning of private messages, PI resumes. 

The post Data protection digest 4-18 April 2026: questions rising over new EU age verification app & unjust automated parking fines appeared first on TechGDPR.

Blockchain is transforming industries by enabling transparency, trust, and decentralization. However, when it comes to handling personal data, blockchain presents significant challenges. The GDPR places strict requirements on data processing, many of which are difficult to reconcile with blockchain’s core characteristics. The European Data Protection Board (EDPB) recently issued draft guidance (Guidelines 02/2025 on processing of personal data through blockchain technologies, for public consultation) where they suggested that when personal data is processed on a blockchain a Data Protection Impact Assessment (DPIA) has to be carried out, and with a low threshold for data being ‘personal’, even transactions would be personal data in many cases.

We created a comprehensive Blockchain DPIA Template that helps organisations meet these requirements by providing a structure and toolkit to assess, document, and manage privacy risks in blockchain systems.

Why Blockchain Needs a Data Protection Impact Assessment 

A Data Protection Impact Assessment, or DPIA, is a crucial process mandated by the GDPR for processing activities that pose a high risk to the rights and freedoms of individuals, or are on specific blacklist. It helps organizations identify and minimize the data protection risks of a project. For emerging technologies like blockchain, which often involve novel data processing methods, conducting a thorough DPIA is not just a legal requirement but a fundamental step towards responsible innovation. This article introduces our new blockchain specific DPIA template, designed to help navigate the complexities of GDPR compliance in decentralized environments.

The challenge of the GDPR in decentralized systems

Blockchain technology introduces features that directly affect privacy and data protection. The GDPR requires organisations to uphold data subject rights, such as the right to erasure, the right to rectification, and the right to access. These rights can be difficult to enforce on an immutable and distributed ledger.

In a typical blockchain network, data is stored across many nodes, sometimes in different legal jurisdictions. This raises questions about international data transfers and how organisations can maintain control over the information they process.

Blockchain’s inherent characteristics present unique challenges for GDPR compliance. Its immutability, for instance, clashes with the fundamental right to erasure. The global distribution of blockchain nodes also complicates data transfers and jurisdictional oversight.

Risks of non-compliance

If an organisation fails to adequately assess and mitigate data protection risks, it may face regulatory action, reputational harm, or loss of user trust. A blockchain DPIA is a critical step to show accountability and demonstrate compliance with the GDPR.

Failing to comply with the GDPR can result in significant fines and severe reputational damage. For blockchain projects, where trust and transparency are paramount, avoiding such risks is critical for long term success.

About the Blockchain DPIA Template

Who is it for?

The blockchain DPIA template is designed for privacy professionals, compliance officers, legal teams, blockchain developers, and project leads. It provides a structured way to assess the data protection implications of blockchain-based processing.

This template is an invaluable resource for privacy professionals, blockchain developers, and data protection officers, or DPOs, who are grappling with GDPR compliance in the blockchain space.

What does it include?

The template guides users through all required areas of a DPIA under the GDPR:

• Description of the processing operations
• Legal basis and necessity assessment
• Identification of risks
• Safeguards and technical measures
• Data subject rights and governance structures

It focuses on blockchain-specific concerns such as data immutability, public ledger transparency, pseudonymisation, and decentralised accountability.

The template provides a comprehensive framework covering various aspects of a blockchain project. It systematically addresses processing operations, establishes the appropriate legal basis, facilitates thorough risk assessment, and outlines necessary safeguards to uphold data subject rights.

Alignment with GDPR Article 35 and privacy by design principles

Our template is meticulously aligned with Article 35 of the GDPR, which mandates DPIAs for high risk processing. It also strongly promotes privacy by design principles, encouraging privacy considerations from the very initial stages of development.

Key Features and Structure of the Template

Comprehensive processing description

The template helps users map how personal data flows through blockchain systems. This includes both on-chain and off-chain components, data categories, infrastructure models, and participating entities. The template offers a structured approach to mapping how personal data flows and is processed within blockchain environments, a critical first step in any DPIA.

Risk identification tailored to blockchain

The template includes a detailed risk taxonomy specifically designed for blockchain environments. It highlights risks such as:

• Immutability preventing data deletion
• Broad visibility of data on public chains
• International data transfers to unknown jurisdictions
• Difficulties in exercising data subject rights

It specifically addresses the unique risks posed by blockchain technology, including issues related to immutability, transparency, and decentralized governance.

Measures to reduce risk and demonstrate compliance

The template includes practical tools and suggestions for implementing effective risk mitigation strategies and technical safeguards, such as encryption, pseudonymization, and the appropriate use of off chain storage solutions. These are aligned with the GDPR principles of data protection by design and by default.

Benefits of Using This Template

Saves time and ensures completeness

The blockchain DPIA template includes ready-to-use sections, prompts, and examples. It reduces the risk of overlooking key aspects of the GDPR and ensures all critical issues are addressed. Using a pre designed template significantly saves time and helps ensure that no critical aspect of your DPIA is overlooked.

Builds trust with regulators and stakeholders

A well-documented DPIA shows that your organisation takes data protection seriously. It provides a clear record of decisions, risk mitigation strategies, and safeguards, which can be shared with regulators or partners. Demonstrating a commitment to data protection through a thorough DPIA builds trust with regulators and enhances user confidence in your blockchain project.

Supports privacy-respecting innovation

The template helps teams think about data protection from the start. It supports innovation that respects individual rights and meets the expectations of users and regulators alike. Ultimately, this template supports and promotes responsible innovation, allowing blockchain projects to thrive while respecting individual privacy rights.

How to Use the Template Effectively

• Integrating it early in the blockchain development lifecycle.
• A collaborative approach involving legal, technical, and compliance teams is essential for a holistic and accurate DPIA.
• Periodic reviews and updates as the project evolves.

The TechGDPR Blockchain DPIA Template

Our blockchain DPIA template provides a practical solution for navigating these complexities. It helps ensure that blockchain projects are built with privacy and accountability in mind. DPIAs are not merely a bureaucratic hurdle; they are an indispensable tool for ensuring that blockchain technology develops in a privacy respecting manner. By proactively identifying and mitigating data protection risks, we can foster a future where decentralized systems empower individuals while upholding their fundamental rights.

Our Blockchain DPIA Template is available for free and can below.

The post Introducing the Blockchain DPIA Template for GDPR Compliance appeared first on TechGDPR.

What does this mean around the world?

Countries such as the United States and United Kingdom are increasingly moving towards reliance on these technologies. Countries in the EU are also recording findings of some trial projects related to the use of Facial Recognition Technology. However, as the technology continues evolving and becomes increasingly more widespread, concerns arise in relation to potential consequences of using said technologies. A majority of concerns focus on biases and consequences in relation to law enforcement. In addition, concerns with regard to all individuals’ privacy rights are also at the forefront of the discussion, including: 

• Whether an indiscriminate recording of all individuals captured by cameras is aligned with the principle of data minimization;
• Concerns on the lawfulness and transparency of the use of said technology, as further discussed below; and
• Appropriate processing of special categories of personal data in accordance with legal requirements. 

Both the GDPR and its UK equivalent (the ‘UK-GDPR’) provide for some legal framework setting standards for the use of this technology. However, the departure of the UK from the EU in 2020 means that the two jurisdictions are now implementing entirely different approaches when it comes to the use of Artificial Intelligence. This blog post analyses said differences, and the implications thereof, with a focus on FRTs.

The history of public surveillance systems in the EU and the UK

Looking at the history of implementation of public surveillance systems in the EU and in the UK, sets the stage to highlight the difference in framework that applies to this day. 

Public authorities and private actors have implemented video surveillance as one of the measures to ensure security since the middle of the 20th century. Camera systems such as CCTV have been increasingly appearing in UK cities since the 1950s, and have progressively evolved technologically. As a result, we are now at the point where South London will be installing its first permanent facial recognition cameras.

Similarly, Germany saw its first shift in the usage of cameras for public security reasons in the 1960s.  By the 2000s, the majority of large European cities were deploying CCTV systems.

However, based on this history and according to researchers, the evolution in technical capabilities of CCTV and its respective use in the EU has always lagged behind that of the UK. One of the reasons for this was a lack of constitutional protections for the right of privacy. Meanwhile, EU countries have demonstrably had a stricter approach to privacy even prior to the Data Protection Directive passed in 1995. The EU has implemented further protective measures since, such as the AI Act. 

How does the use of facial recognition change between the EU and the UK?

While both jurisdictions use Facial Recognition Technology with the goal of enhancing public and national security, they differ vastly in how extensively they have applied it in practice.

The main difference is in its application, which is in turn related to the current regulatory differences. In the EU, current deployments of RBI systems are primarily experimental and localised. Examples of case studies include Facial Recognition Cameras at Brussels Airport, Facial Recognition at Hamburg G20, and the DragonFly Project in Hungary. There is currently no example of fully implemented and permanent FRT or RBI systems in the EU.

Additionally, the UK’s implementation of such systems is a current point of discourse across the country. As an example, part of MET police deployment policy for overt implementation of live facial recognition to locate people on a Watchlist is to be able to implement Live Facial Recognition onto “hotspots” for a number of crimes, ranging from theft and drugs to terrorism and human trafficking. 

Additionally, the use has extended to private companies, such as the retail and hospitality sector, to take advantage of the technology to enhance security and prevent theft and revenue loss.

Regulatory similarities

In both the EU and the UK, the GDPR regulates the usage of all data processing technologies, including Facial Recognition Technology. The UK also implemented the regulation at national level with the Data Protection Act 2018. Therefore, a number of legal requirements, and issues of public concern are common for both jurisdictions:

• Data needs to be processed lawfully, fairly and in a transparent manner. Where public interest can be an applicable legal base for public authorities and law enforcement (albeit not without justification). However, private companies are required to jump through more hurdles to justify the necessity and proportionality, and outright lawfulness, of the use of FRTs, typically under legitimate interest;
• Processing of biometric data means that Art. 9 special categories of personal data are being processed, adding an extra layer to the lawfulness argument. Such categories of data can only be processed pursuant to one of the exceptions listed in the Article 9. Again, reliance on substantial public interest could be an option, but not without having to make a balancing exercise, which leads to: the requirement to carry out a Data Protection Impact Assessment in accordance with Art. 35.3, where the usage of said technology arguably meets all 3 criteria;
• Further considerations and concerns include breaches to the principles of purpose and storage limitation, and data minimisation. 

What is the regulatory approach to facial recognition in the EU?

However, in the EU, the newly implemented AI Act regulates the specific usage of real-time remote biometric identification systems in its Article 5. The article outright bans the use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage and the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement, although the latter comes with exceptions. These include:

• Search for abducted individuals, and victims of human trafficking and sexual exploitation;
• Prevention of a specific, substantial and imminent threat to life or threat of terrorism; and
• Localisation of a person suspected to have committed a criminal offence listed in Annex 2 of the Act (which does not include property damage, theft and/or burglary). 

Said exceptions, however, must still take into account rights and freedoms of the individuals involved. Additionally, Article 27 of the AI Act require a fundamental rights impact assessment and law enforcement authorities registering the system in the EU database according to Article 49.

How does the regulation framework differ in the UK?

Since its departure from the EU due to Brexit, the regulation of such technologies in the UK is entirely different. There is currently no AI-specific regulation in place. UK Parliament is currently discussing the only related legislation for the usage of such technologies, namely the Data Protection and Digital Information Bill.

Importantly, the draft of this bill demonstrates how the UK’s approach is opposite to that of the EU, possibly leading to less regulation. For example, through the abolishment of the Biometrics and Surveillance Camera Commissioner (BSCC). The underlying argument is that the removal of this office, in a period of fast technological change, will result in the loosening of safeguards designed to raise standards and protect citizens, and may ultimately result in the deployment of technologies that are not in the public interest. 

That is not to say that the use of said technologies will go entirely unchecked. The Information Commissioner Office made a statement about the usage of said technologies and calls for the responsible and lawful use of Facial Recognition Technology, and published guidance on appropriate use of Biometric recognition systems. However, the guidance still relies on mostly GDPR-based principles and rules. It does not add anything new to the conversation on the increased use of FRTs by law enforcement agencies or private companies, which might have legal implications for individuals. Therefore, the status quo remains that in comparison with the EU, the UK remains a regulatory sandbox for the use of such technologies. As a result, concerns arise about the ways this compliance vacuum could be exploited and relevant risk for individuals. 

Looking forward

Despite the technology being substantially more regulated in the EU, there is still criticism on the general use of FRTs, even with the existence of the GDPR and AIA rules in relation to the technologies. The vagueness of the definitions in the AI act, the changes made to the AI Act draft from an outright ban for the technologies to an approach with “exceptions” and the lack of clarity on the implementation of these technologies by private companies outside of law enforcement agencies.

The post Comparing the UK and EU’s framework on facial recognition technology appeared first on TechGDPR.

• a description of the implementing entity’s processes in which the high-risk AI system will be used for its intended purpose;
• a description of the period and frequency of intended use;
• the categories of natural persons and groups likely to be affected in the specific context;
• the specific risks of harm likely to affect the categories of natural persons or groups of persons identified;
• a description of the implementation of human control measures;
• measures to be taken in the event of the materialisation of those risks, including internal governance arrangements and complaints mechanisms.

If both a FRIA and a DPIA need to be conducted, the regulator recommends combining these two analyses to complement each other. At the same time, FRIA is mandatory for introducing a high-risk AI system, while a DPIA must be carried out at the very beginning, before the development of an AI system. A DPIA should also be carried out if it is not a high-risk AI system, but the processing of personal data within the AI ​​system is considered to be high-risk.

The regulator provides an example: A chatbot will in most cases be considered a medium-risk AI system. However, if the chatbot is used in a sensitive context, it may result in processing activities that would be classified as high-risk, even if the system itself would not be high-risk. Therefore, an FRIA may not be required, but a DPIA is required.

Stay up to date! Sign on to receive our fortnightly digest via email.

EHDS

On 5 March, the European Health Data Space Regulation was officially published in the EU Official Journal. It enters into force on 26 March, marking the beginning of the transition phase towards its application in the next decade. The law is designed to benefit all EU residents, including patients, healthcare professionals, researchers, policymakers, and industry players.

EHDS aims to establish fast and free access to electronic health data across systems and countries, security and privacy protections by default, opt-out rights from secondary use, more cost-efficient access to high-quality health data for research, innovation and public health monitoring. 

Parental control in app stores

According to CNN, Utah approved a first-of-its-kind law in the US mandating that app stores confirm users’ ages and get parental approval before allowing children to download programs to their devices. The legislation, which is pending the Utah Governor’s signature, is a victory for Meta and other platforms that have been under pressure to do more to protect minors online. It may significantly change how all users—not just the young—use app stores. Similar legislation has been presented in at least eight other states. However, Apple and Google provide other ideas including app shops and app developers sharing accountability for age verification. 

AI Code of Practice

The third draft of the General-Purpose AI Code of Practice was published by the European Commission. It is only relevant for a small number of providers of the most advanced general-purpose AI models that could pose systemic risks, by the classification criteria in Art. 51 of the AI Act. The first two sections of the draft Code detail transparency and copyright obligations for all providers of general-purpose AI models, with notable exemptions from the transparency obligations for providers of certain open-source models. The final Code should be ready in May, as a tool for general-purpose AI model providers to demonstrate compliance with the AI Act.

More legal updates

Whistleblowing rules in the EU:  Five EU Member States, Germany, Luxembourg, the Czech Republic, Estonia and Hungary, have been ordered to pay financial penalties for failing to transpose the Whistleblowers directive. Persons who work for a public or private organisation or are in contact with such an organisation in the context of their work-related activities are often the first to know about threats or harm to the public interest.

By reporting breaches of Union law that are harmful to the public interest, such persons act as ‘whistleblowers’ and thereby play a key role in exposing and preventing such breaches and safeguarding society’s welfare. However, potential whistleblowers are often discouraged from reporting their concerns or suspicions for fear of retaliation. Among many things, respect for privacy and protection of personal data, are areas in which whistleblowers can help to disclose violations of law. 

The Data Act implementation: In Germany, with few exceptions, supervision of the processing of personal data by controllers in the non-public sector is the responsibility of the respective state data protection authorities. In contrast, responsibility for monitoring the application of the GDPR within the framework of the Data Act is to be transferred to the Federal Commissioner for Data Protection (BfDI). This results in the opposite of the intended simplification of responsibilities for companies, authorities, and data subjects. There is also a risk of dual supervision by a federal and a state authority for the same matter. 

Union digital access rights

The Ius Laboris law blog examines the limits of unions’ freedom of association in Germany via the digital communication tools of the employer. Since the groundbreaking 2009 decision, the Federal Labour Court granted unions a digital right of access to the employer for the first time. Unions may use company email addresses as a means of communication for information and advertising purposes, and the employer must tolerate this as long as it does not lead to an impairment of the operational process or a disruption of industrial peace.

Later on, for data privacy and security purposes following GDPR implementation, important prohibitions were set, including: 

• receiving all company email addresses of employees;  
• accessing the group-wide communication platform; and 
• receiving a link on the homepage of the company’s intranet. 

Video surveillance in Sweden

Since 2018, certain businesses have had to apply for a permit from data protection regulator IMY for camera surveillance. The Riksdag has now decided that the permit requirement will cease. This can make it easier for those who want to use camera surveillance to prevent, deter or investigate crimes. At the same time, a great responsibility is placed on those who want to monitor to ensure that the surveillance is permitted under the GDPR – identify the legal basis and properly document the activity, and investigate whether other measures may be sufficient to create safety and security. 

More from supervisory authorities

What are the data processing operations that do not require a DPIA? The Latvian data protection authority offers some suggestions: 

• Processing of employees’ data only within the country, if no processing, profiling or systematic monitoring of biometric or genetic data is carried out.
• Processing of personal data of customers by companies for the provision of services and advertising within the country, if the company’s core business is not related to large-scale processing or special categories of data.
• Processing of member and donor data by associations and foundations.
• Processing carried out by apartment owners’ associations and cooperatives related to the management of residential buildings, if it is not carried out on a large scale.
• Processing of collective applications by local governments, for example, when residents submit a collective application to the local government, etc.

Differential privacy guide: America’s NIST meanwhile finalized guidelines for evaluating differential privacy guarantees to de-identify data. Differential privacy works by adding random “noise” to the data in a way that obscures the identity of the individuals but keeps the database useful overall as a source of statistical information. However, noise applied in the wrong way can jeopardize privacy or render the data less useful. To help users avoid these pitfalls, the document includes interactive tools, flow charts, and even sample computer code that can aid in decision-making and show how varying noise levels can affect privacy and data usability. 

AI human oversight: The Dutch AP initiated a public consultation on tools for meaningful human intervention in algorithmic decision-making, which will be open until 6 April. The document focuses on meaningful human intervention in automated decision-making, distinguishing between substantive and symbolic human oversight under the GDPR and the Law Enforcement Directive. The consultation process is open to contributions from data protection officers, data controllers, and other relevant stakeholders.

Weather camera

The Austrian data protection authority in a recent case observed that the operation of a weather camera violated a homeowner’s fundamental right to data protection. The recordings could be viewed by anyone online. The camera was mounted on a roof and offered an overview of the town. The owner of a house, which is visible in the images, complained.

The operator of the weather camera argued that the recordings were for tourism purposes so that people could find out about the weather. This was countered by the homeowner’s interest in not having their presence and absence visible to everyone online. The decisive factor for the regulator was that this purpose could also be achieved without the (worldwide accessible) recording of the house.

Online retailers and guest access

In a complaint-independent review, the Hamburg data protection regulator HmbBfDI examined relevant online shops in Hamburg and found that a large online clothes retailer did not offer the option to order as a guest. Purchases were therefore only possible after creating a permanent customer account. The HmbBfDI requested that the company allow guest orders in the future to comply with data protection requirements.  

In principle, it is incompatible with data protection law to create permanent customer profiles if customers may only wish to place a one-time order. The principle of data minimisation stipulates that only as little data as necessary should be processed – customer accounts, on the other hand, often contain more extensive information. Creating password-protected access via the internet also exposes the entered data to the risk of hacker attacks – a risk that not all customers are willing to take.

Right to be forgotten

The EDPB has launched another coordinated action for 2025. Following the action on the right to information in 2024, this year’s focus is on implementing another key data protection right, namely the right to erasure, (the “right to be forgotten”), under Art. 17 of the GDPR. 32 data protection authorities from across Europe will participate in this initiative. The authorities will soon contact several companies and organisations from various sectors – either by initiating formal inspections or to collect information. In the latter cases, further follow-up measures could also be taken if necessary. 

Swiss cyberattacks

Reporting cyberattacks on critical infrastructure in Switzerland will be mandatory from 1 April. Operators of critical infrastructures will be required to report cyberattacks to the National Cyber Security Centre within 24 hours of discovery. This reporting obligation is under certain circumstances also relevant for non-Swiss entities. The Federal Council has decided to implement the relevant legislation for fines on 1 October to give those concerned sufficient time to prepare for the new reporting obligation. 

The regulator recommends entities check if they fall under the rather broad term of “critical infrastructures” before the deadline.

More enforcement decisions

Wrong recipient fine: Vitallaw.com legal blog reports the case by the Spanish data protection authority AEPD that has fined Ibermutua Mutua Colaboradora 600,000 euros. Over 3,395 people’s data was impacted by the breach, and 354 recipients—including businesses and consultants working with Ibermutua—received the data.

The fine came after people complained that they had received a notification from Ibermutua’s data protection officer stating that their data, including health data, had been transferred to other organisations because of a computer fault. Ibermutua contacted the companies to request that the personal data be deleted and took technical, organisational measures, including: 

• correcting the error in programming and undertaking a series of exhaustive tests to ensure correct functioning; 
• restriction of attachments to prohibit the sending of multiple attachments in a single e-mail; 
• verification of the identity of the attachment with the corresponding recipient;
• testing before sending e-mail remittances;
• implementing training for staff, and 
• launching an external audit.

Finally, Telenor ASA, (telecommunication company), in Norway has been sanctioned approx. 342,000 euros for deficiencies in its data protection officer scheme and internal controls. In particular, the company had not carried out all necessary assessments and documentation of the role of the DPO, including their independence and possible conflicts of interest. There was also no established and documented direct reporting line for the DPO to the highest management level. 

In case you missed it

Device code phishing: A recent Microsoft cyber security blog explains the malicious technology behind device code phishing attacks, targeting governments, NGOs, and a wide range of industries in multiple regions. In device code phishing, threat actors exploit the device code authentication flow to capture authentication tokens, which they then use to access target accounts, and further gain access to data and other services that the compromised account has access to. 

In one example, the phishing attack masquerades as Microsoft Teams meeting invitations delivered through email. When targets click the meeting invitation, they are prompted to authenticate using a threat actor-generated device code. The actor then receives the valid access token from the user interaction, stealing the authenticated session. Read more about queries to detect phishing attempts and email exfiltration attempts in the original article. 

‘Verify you are a human’ malware deployment: Krebs on Security law blog describes another ‘clever’ malware deployment scheme first spotted in targeted attacks last year that has now gone mainstream. In this scam, dubbed “ClickFix,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. ClickFix attacks mimic the “Verify You are a Human” pop-up tests that many websites use to separate real visitors from content-scraping bots. 

The post Data protection digest 3-17 Mar 2025: Combining FRIA with DPIA is possible, but not once the development of an AI system has begun appeared first on TechGDPR.

In February, the European Commission published a set of updated technical FAQs on the implementation of the legal provisions of the Data Act, applicable as soon as of 12 September 2025.  It enhances data sharing and enables a fair distribution of data value by establishing clear rules related to the access and use of data within the EU – B2B, B2C, and B2G. The guide elaborates among other things on:

• the definitions of data users, data holders and third parties, as well as 
• cloud and service interoperability requirements, 
• fairness of data-sharing contracts, and 
• enforcement and dispute resolution frameworks. 

The GDPR is fully applicable to all personal data processing activities under the Data Act.  In some cases, the Data Act specifies and complements the GDPR, (eg, real-time portability of data from loT devices). The Data Act also restricts the re-use of data by third parties. In the event of a conflict between the GDPR and the Data Act, the GDPR rules on the protection of personal data will prevail.

Stay up to date! Sign on to receive our fortnightly digest via email.

US data transfers

The Norwegian regulator Datatilsynet answered FAQs about the rules for US data transfers, due to a political situation in Washington. Although we currently have rules that make it easy to transfer personal data to the US, the Data Privacy Framework, the regulator expects that these rules will sooner or later be challenged in the CJEU. An adequacy decision will remain in force until it is revoked by the Commission.

This means that any changes in the US will not automatically result in the lapse of the adequacy decision. At the same time, if it is revoked, there will most likely not be a transition period. It is important to be aware of this when purchasing US services. Also, the use of US cloud services on European soil could be negatively affected if the adequacy decision is lifted. The most important advice for your business is to have an exit strategy for what you will do if you can no longer transfer personal data to the US in the same way as today. 

DORA implementation updates

On 18 February, the European Supervisors, (ESAs) —EBA, EIOPA, and ESMA – published a roadmap to designate critical ICT third-party service providers (CTPPs), such as cloud services and data hosting companies, that are critical to the functioning of financial entities under the Digital Operational Resilience Act. By 30 April, the competent authorities must submit the Registers of Information to the ESAs. These registers will list information regarding all ICT third-party arrangements that the financial entities have submitted to the authorities.

By July, the ESAs will notify the affected ICT third-party service providers if they have been classified as critical, and by the end of 2025 will start overseeing them for non-compliance (risk management, testing, contractual agreements, location requirements, etc).  

Legal updates worldwide

China data audits: With effect from May 1, 2025, Chinese regulators will focus more on the data protection compliance audit requirements under the Personal Information Protection Law, according to DLA Piper’s legal analysis. The measures provide the conditions and rules for both self-initiated and regulator-requested compliance audits regularly, covering the whole data lifetime, (for large and high-risk data processing, they will be conducted every two years), with the possible rectification steps and further enforcement.  

US privacy enforcement: In the past two months, New York state has amended several rules on data breach notification. The amended law requires New York residents to be notified of a data breach, fixing a 30-day deadline for businesses; plus, responsible persons must inform the state’s Attorney General, Department of State, the Police and Financial Services, (only for covered entities), about the timing, content, distribution of the notices, and the approximate number of affected individuals. A copy of the template of the notice sent to affected persons must also be provided. 

Meanwhile, Virginia state passed a bill requiring social media platforms to use commercially reasonable methods, such as a neutral age screen mechanism, to determine whether a user is a minor, (under 16 years of age), and to limit a minor’s use of the platform to one hour per day, per service or application, while allowing a parent to give verifiable parental consent to increase or decrease the daily limit. The amendment goes into effect on January 1, 2026.

Automated decision CJEU ruling

The Top European Court ruled that a data subject is entitled to an explanation as to how any decision was taken in respect of him or her. According to a judgement delivered on 27 February, a data subject is entitled to an explanation as to how a decision was taken in respect of him or her, and the explanation provided must enable the data subject to understand and challenge the automated decision. 

The case refers to a mobile telephone operator in Austria who refused to allow a customer to conclude a contract because of her credit standing. The operator relied in that regard on an automated assessment of the customer’s credit standing carried out by Dun & Bradstreet Austria. The contract would have involved a monthly payment of 10 euros.

Algorithmic discrimination and the GDPR

The European Parliament’s recent research meanwhile states, that one of the AI Act’s main objectives is to mitigate discrimination and bias in the development, deployment and use of high-risk AI systems. To achieve this, the act allows ‘special categories of personal data’ to be processed, based on a set of privacy-preserving conditions, to identify and avoid discrimination. The GDPR, however, is more restrictive in that respect. The legal uncertainty this creates might need to be addressed through legislative reform or further guidance, states the report. 

More from supervisory authorities

DPIA guidance: The Swedish Data Protection Authority IMY has published guidance on impact assessments for activities that process personal data, (in Swedish). The practical guide is intended to facilitate the work of impact assessments and reduce uncertainty about how the various steps are carried out and how the regulations should be understood. It also contains some legal interpretation support, as well as detailed templates for an assessment.

Urban data platforms: As municipalities move towards becoming smart cities or smart regions, more and more systems are being equipped with communication interfaces, states the German Federal Office for Information Security. These include sensors for recording parking spaces, measuring river water levels or smart garbage cans. Urban data platforms, (UDPs), can be used to bundle various information streams and enable efficient decision-making, such as on optimized traffic control, and early warning systems in the event of disasters or urban planning. 

To that end, the regulator has prepared technical guidance, for developers, solution providers and operators of such platforms, (in German). It analyses various existing IT security standards and examines existing UDPs for their vulnerabilities.

Employment records: The UK ICO updated its guidance aimed at employers who keep employment records. The data protection law does not stop you from collecting, holding and using records about workers. It helps to strike a balance between employer needs and every worker’s right to a private life.

The terms ‘worker’ or ‘former worker’ mean all employment relationships, including employees, contractors, volunteers, and gig or platform workers. It can be combined with the other ICO guidance on data protection and employment – in particular, our detailed guidance on workers’ health information and monitoring of workers.

Insurance companies data swaps

The North Rhine-Westphalia Data Protection Commissioner has initiated investigations against ten insurance companies in North Rhine-Westphalia for an illegal exchange of personal data. Specifically, the companies, together with almost 30 other insurers, shared data from customers in international travel health insurance to uncover cases of fraud and identify fraud patterns. Since the insurance companies are based in ten federal states and other European countries, a joint coordinated investigation was launched. To exchange data, the insurers used a closed email distribution list, on which several employees of the companies involved were usually registered. 

Privacy policy

The Latvian DVI looks at the most common shortcomings in privacy policies of the organisations it’s investigated, and asks data controllers to take them into account: 

• Privacy policy is hard to find
• Complex and unclear text
• Not all legal bases and purposes of data processing are listed
• The purpose of data processing is not linked to the legal basis
• Failure to specify the organization’s legitimate interests 
• Unclear information about the storage period
• Failure to specify recipients of personal data 

Finally, there is also a lack of guidance on data subjects’ rights and their implementation, and complicated mechanisms are provided for the implementation of rights. 

Emotion recognition

The Dutch Autoriteit Persoonsgegevens requested feedback on the AI Act’s ban on AI systems that recognize emotions in work or education, (unless for medical or safety reasons). The conditions outlined in data protection legislation must also be fulfilled if emotion recognition is done using personal information. Clarity is required on the definitions of emotions, biometric information, and the boundaries of “workplace” and “educational institutions.” 

In particular, in the GDPR, the definition of ‘biometric data’ is linked to the unique identification of a natural person that is allowed or confirmed by the processing of personal data. AP notes that the definition of the term ‘biometric data’ in the AI Act must be interpreted in the light of the GDPR. The distinction between emotions and physical states and between emotions and easily visible expressions also remains unclear.

In other news

Web browsing data fine: America’s FTC requires Avast to pay 16.5 million dollars, (which will be used to compensate consumers), and prohibit the company from selling or licensing any web browsing data for advertising purposes to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking. The FTC alleged Avast sold that data to more than 100 third parties through its Czech subsidiary, unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and consumer consent. 

Refused bank loan: It is not possible to further process the data of a loan applicant if no customer agreement has been concluded with the bank, confirmed the Polish Supreme Administrative Court in its recent judgment. The court agreed with the data protection regulator UODO,  that the processing of data in the scope of creditworthiness assessment and credit risk analysis, related to inquiries that did not end with the granting of a loan, cannot be used, (neither by the bank nor the credit information bureau), in connection with the legitimate interest of the data controller. 

Data security

Location data: The Data Protection Commissioner in North Rhine-Westphalia warns citizens against being too careless with their location data. If people are careless when selecting an app and sharing personal data, they make it easier for third parties to collect location data and resell it to data traders. The data traders could then use the location information in conjunction with the device-specific ID to create individual movement profiles.

Consumers should ideally pick up their smartphone and check the system settings to see which app has been granted access rights. If in doubt, you should revoke permission.

Self-declared GDPR compliance: The Liechtenstein data protection authority asks organisations to be careful with self-declared GDPR compliance of software solutions or cloud services. Instead, it is necessary to check whether the respective service can achieve the determined level of protection with appropriate settings or measures. Security measures in the cloud include encryption mechanisms or regulations on access rights. Under certain conditions, the aforementioned check must be carried out in the form of a data protection impact assessment (DPIA).

Suppose the data stored in the cloud is transferred to a third country outside the EU/EEA area. It must also be checked whether this offers a level of protection equivalent to that in the EU/EEA area or can be ensured through suitable measures and guarantees under the GDPR. In addition, providers of cloud services are usually contracted as data processors, which is why the existence of a legally compliant data processing contract must be observed.

In case you missed it

AI from non-EU countries: A number of European regulators draw attention to the risks associated with the use of AI ​​tools like DeepSeek. Although this model of generative AI is freely accessible on the Internet, the manufacturer did not design it for the European market. Based on current knowledge, it can be assumed that the requirements of the AI Act and the GDPR in particular are not met. Some practical steps can be assumed: 

• Pay attention to the transparency of the provider and appropriate documentation.
• Use a separate, secure IT environment to avoid data leaks.
• If no privacy-preserving measures are known, it is reasonable to assume that none exist (and inform your employees of the risks associated).
• Take into account the AI ​​competence and ban on prohibited AI practices that must be ensured from February following the AI Act. 
• Make sure that the manufacturer of the AI ​​application, if it is also responsible for data protection and is not based in the EU, has appointed a GDPR representative, (otherwise, the effective enforcement of the rights of those affected can become very difficult).

AI in education: The Future of Privacy Forum meanwhile highlights the Spectrum of AI in education in its latest infographics. While generative AI tools that can write essays, generate and alter images, and engage with students have brought increased attention on the students, schools have been using AI-enabled applications for years for predictive or content-generating purposes too, including reasoning, pattern recognition, and learning from experience.

In practice, they often help with: automated grading and feedback, student monitoring, curriculum development, intelligent tutoring systems, school security and much more. 

The post Data protection digest 16 Feb – 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers appeared first on TechGDPR.

Crucial to AI Act is that organisations using high-risk AI systems must conduct a comprehensive Fundamental Rights Impact Assessment (FRIA). This assessment proactively identifies and mitigates potential harms to individuals. Notably, the FRIA shares similarities with the Data Protection Impact Assessment (DPIA) mandated under the GDPR. This underscores the intersection of data protection and fundamental rights in the context of AI systems.

What is a Fundamental Rights Impact Assessment (FRIA)?

While the EU AI Act does not expressly define the FRIA, it explains what the objective of the assessment is. The Act also states what the assessment must contain. Recital 96 of the AI Act states that “The aim of the fundamental rights impact assessment is for the deployer to identify the specific risks to the rights of individuals or groups of individuals…”. Moreso, the FRIA helps to “identify measures [to take] in the case of a materialisation of those risks”. Orgnaisations must conduct the FRIA “prior to deploying the high-risk AI system”. They are also required to update it “when ... any of the relevant factors have changed”.

In other words, a FRIA is an evaluation of the risks high risk AI systems present in relation to individuals’ rights. It is also the determination of remediation strategies to manage and mitigate the risks in case they occur.

What should a Fundamental Rights Impact Assessment contain?

According to Article 27(1) of the EU AI Act, the Fundamental Rights Impact Assessment should contain the following information:

Interestingly, Article 27(4) of the EU AI Act states that if organisations meet “any of the obligations laid down in this Article […] through the data protection impact assessment conducted pursuant to Article 35 of [the GDPR]…, the fundamental rights impact assessment referred to in paragraph 1 of this Article shall complement that data protection impact assessment”. Essentially, the fundamental rights impact assessment should complement the data protection impact assessment.

Intersection between Fundamental Rights Impact Assessment and Data Protection Impact Assessment

Article 35 of the GDPR states that a DPIA evaluates the impact of processing operations on the protection of personal data. This is especially where the processing operations make use of new technologies and is likely to result in a high risk to the rights and freedoms of natural persons. Based on this, it appears that the FRIA and DPIA relate to the impact, rights and protection of personal data for high risk AI systems and high risk processing operations respectively.

The table below offers a quick overview of the minimum information requirement for the FRIA and DPIA:

FRIA and DPIA in practice

The minimum requirements for FRIA and DPIA differ. Although in practice, both assessments often include additional information, making them quite similar. For example, Article 35 of the GDPR does not mandate the inclusion of data subject categories in the DPIA. However, organisations logically include such details to identify risks to individuals’ rights and freedoms. Similarly, the EU AI Act does not explicitly require the purpose and proportionality of processes in the FRIA. Yet organisations naturally include them when describing the processes and the necessity of the AI system.

What are the differences?

The major difference between the Fundamental Rights Impact Assessment and the Data Protection Impact Assessment is their focus point. The FRIA focuses on how the AI system directly impacts the rights of individuals. The DPIA focuses on how the processing operation impacts the protection of personal data and the rights of individuals.

The table below provides an overview of the major differences between the FRIA and the DPIA:

Summary

The major takeaway is that the Fundamental Rights and Data Protection Impact Assessment play a complementary role. At least, this is the intent of the EU AI Act according to Article 27(4). Therefore, organisations deploying high risk AI systems processing personal data, will have to conduct both assessments. If your organisation is a provider of high risk AI systems, there is no requirement to conduct the FRIA. However, providers must make information available to deployers of the AI system to make the conduct of the FRIA possible. This is because a substantial part of the assessment relies on the information presented by AI providers.

Given that the EU AI Act is new, organisations may struggle with identifying their role in the AI value chain. Orgnaisations may also struggle to comply with requirements based on that role. At TechGDPR, we assess your processing operations, the information provided by AI providers as well as the envisaged implementation of the AI system to help determine what requirements apply under the EU AI Act. We can help you correctly classify the AI system(s) your organization plans to manufacture or deploy, ensuring early detection of any outright prohibitions. This will prevent your organisation from wasting valuable resources on systems not allowed within the EU.

The post Difference between Fundamental Rights Impact Assessment & Data Protection Impact Assessment appeared first on TechGDPR.

Official guidance: secure multiparty computation, public procurement, risk analysis, DPIAs

The Spanish privacy regulator AEPD has published a tech-savvy blog post on Privacy by Design: Secure Multiparty Computation. It is possible to create federated data spaces, which avoid the communication and exposure of data to third parties, and at the same time provide access to the necessary information to multiple stakeholders, optimizing networks and processes, allowing, in addition, implement controlled data reuse policies. All this is independent of the additional data protection measures by design and by default that can be added, together with a governance model, for the guarantee of rights in the source data. 

One such enabling technology is Secure Multiparty Computation, (SMPC). This is a cryptographic protocol that, through additive secret sharing, allows you to segment secret data into different parts, so that, when the data is shared, the original data cannot be revealed by any of the sources. For example, if three companies wish to collaborate to carry out a study of the sector to which they belong and thus jointly benefit from the results obtained. However, legal, strategic, and technical constraints might make this collaboration impossible.

In order to help the professionals concerned identify their responsibilities in different contexts of public procurement, the French regulator CNIL clarifies, (in French), the elements to be taken into account and the legal consequences to be drawn from the qualification of “(joint) controller”, and  “subcontractor“. Administrations often entrust another body, (economic operator), with the mission of meeting needs in terms of works, supplies, or services, for example, the management of extracurricular services, water, transport, or parking. To perform these public contracts they are required to collect and use personal data which may concern staff or users of the public service: this data processing must comply with the GDPR. The designation of actors as “controller”, “subcontractor” or “joint controller” must occur as early as possible and be carried out with regard to factual elements and each contractual context. This establishes who will have to guarantee compliance with the main principles of the GDPR, in particular:

• the existence of an explicit and legitimate objective, (purpose), for each use of data;
• collection of relevant and non-excessive data;
• data security;
• a limited data retention period;
• proper consideration of people’s rights.

Dealing with risks. The Bavarian data protection commissioner explains how this works in data protection law. A new guide, (in German), helps to detect and manage risks in the processing of personal data even more easily. The paper attaches particular importance to the idea of ​​scaling: risk analyses do not always have to be complex. Depending on the occasion, different “expansion stages” are possible. This is illustrated using several case  studies. The new orientation guide and an information package, (with a set of forms that guide the implementation of risk analyses and are intended to support proper documentation), can be downloaded free of charge from here and here.

The Latvian data protection authority DVI also explains how to conduct a Data Protection Impact Assessment. A DPIA is the process by which a data controller can carry out an inventory, analysis, and assessment of the possible consequences, (in terms of severity and likelihood), of different risks, individuals’ rights, and freedoms. Carrying out a DPIA is not a one-off exercise, but a set of data processing assessments that need to be carried out on a regular basis. Additionally, organisations should not expect data processing to be constant, (even if no changes are made), as externalities also pose risks to continuous data processing. They should consider, for example, the following aspects:

• internal processes and planned activities with personal data;
• how the internal exchange of data takes place and whether the current exchange mechanisms are considered secure;
• the location of the data and access to how the data is transferred – on a computer, in folders, physically, etc.;
• employees’ knowledge of how to handle personal data in compliance with data protection requirements;
• internal documentation;
• whether data protection system rules have been developed, taking into account possible risks, (eg, unauthorized access, deletion, etc.).

The following questions will also help to assess the above aspects of processing:

• Does the protection of the organisation’s data system correspond to the risk posed by the data processed in it?
• Are the personal data processed and grouped more carefully, taking into account potential risks and high-risk?
• What devices are connected to the local network, (do the devices themselves and their connections pose a security risk)?
• What software is used in the organization’s information systems?
• Are computers equipped with security systems, passwords?
• Are employees’ access to processed personal data recorded?
• What more could be done to achieve higher security standards? 

Legal processes: no united position on the AI Act, UK data protection reform

Members of the European Parliament have submitted hundreds of amendments to the upcoming AI Act, setting the tone for future discussions, according to the Euractiv news website. Reportedly, one of the most controversial topics is the definition of artificial intelligence itself. Another hot issue is the burden of obligations, not excluding data protection issues, for AI creators, introducing different requirements for new, former, and original providers of AI technology. At the same time Green MEPs made major proposals on prohibited practices, extending this category to biometric categorisation, emotion recognition, and any automated monitoring of human behaviour. Finally, conservative lawmakers want to exclude systems designed to assess creditworthiness from the high-risk list. Read more about the opposing proposals for the AI act from the EP’s left and right political groups in the original publication.

In a pre-emptive strike ahead of the publication of the Data Protection Reform Bill in the UK, Privacy International publishes its response here.  It states that the right to privacy and data protection is linked to some of the most important political and existential questions of our time. At the core of the proposal is the suggestion that data protection is a burden on companies. It appears to be driven by the commercial interests of a few companies who may benefit from weaker rights protection, the result being the proposed loss of many important protections for people. The PI report looks at such privacy issues as:

• How can exploitation of the vulnerable be prevented? 
• How does the UK treat immigrants who bring key skills and prosperity to the country? 
• What safeguards are there against potential corruption of the democratic process by new technologies and their use by political parties and third parties?

In PI’s opinion, the UK proposal is a backward step. For example, innovation, (eg. in AI), relies on people sharing data; in order for people to share their personal information, they need to feel confident about doing so. 

Investigations and enforcement actions: public bodies and IT incidents, unauthorized access, absence of legal purpose, DPOs, insufficient testing of software updates

The French regulator CNIL  issued notice to twenty-two municipalities to appoint a data protection officer. The GDPR makes the appointment of a data protection officer mandatory in certain cases, in particular when the processing of personal data is carried out by a public authority or a public body, (Art. 37 of the GDPR). This obligation, therefore, concerns all local authorities, regardless of their size. In the case of local authorities, the delegate can be an internal agent or subcontractor shared between several municipalities. The 22 municipalities, in metropolitan France and overseas, have a period of 4 months to comply by appointing a data protection officer, under the conditions set by the GDPR, (expertise, independence, sufficient resources, etc.). If they do not comply with the formal notice, the CNIL may use its powers to pronounce sanctions – which can include fines and public reprimand.

The data protection officer, explains CNIL, plays an essential role in the compliance of data processing implemented by public authorities. They are the main point of contact for agents and citizens on all subjects relating to data protection: a) internally, they answer all questions regarding data protection and ensure that you are familiar with the GDPR “first steps”, (in the event of a computer attack, design of a new digital project, etc.), b) with regard to stakeholders, they oversee the organization of the processing of requests to exercise rights and any requests for clarification from the CNIL in the event of an audit.

Meanwhile the Italian privacy regulator ‘Garante’ fined Inail, (a financially independent public body which manages compulsory insurance against accidents at work and occupational diseases on behalf of the state), 50,000 euros. An investigation revealed that at least three IT incidents resulted in unauthorized access to the data of some workers, in particular details on health and injuries suffered. The application “Workers Virtual Desk” managed by the authority allowed some users to accidentally consult the accident and occupational disease files of other workers. In one case, however, the accident occurred following the execution of an outdated version of the “Workers Virtual Desk”, due to human error.

‘Garante’ emphasized that a body with such significant institutional skills, which processes  particularly delicate data, including vulnerable data subjects, is required to adopt, in line with the principle of accountability required by the GDPR, technical and organizational standards that ensure the confidentiality of the data processed on a permanent basis, as well as the integrity of the related systems and services. The regulator’s judgement took into account the full cooperation offered by the public administration during the investigation and the small number of people involved in the identified data breaches.

In Norway the regulator Datatilsynet notified NAV, (Norwegian Labour and Welfare Administration), of a fine of approx. 495,000 euros for making CVs available on the service arbeidplassen.no without legal purpose. In order to receive services and benefits, job seekers have had to provide a quantity of information, including a CV. NAV has also set as a condition that the CV must be made available to employers on arbeidplassen.no, a condition NAV itself discovered that they have no authority to impose.  NAV took immediate action, closing employers access to jobseekers CVs and notifying those affected. 

Denmark’s data protection authority expressed serious criticism of the University of Southern Denmark’s insufficient testing of software updates. The university uses an HR system where employees can be assigned a grade to access applications. In connection with a software update, however, the system’s rights management was reset, which meant that all employees had access to the applications. This gave 7011 employees potential access to applications from a total of 417 applicants. Out of these, only some 400 employees had a conditional need to be able to access personal information in the HR system. Furthermore, the university did not keep a log of access to the applicants material and therefore could not identify what had been accessed.

Big Tech: voice recognition systems, UK’s Labour party lost database, the end of Google Assistant

According to Wired, voice recognition systems—such as Siri and Alexa become better at understanding people through their voices. Machines can learn a lot more: inferring your age, gender, ethnicity, socio-economic status, health conditions. Researchers have even been able to generate images of faces based on the information contained in individuals’ voice data, says the publication. And as the market grows, privacy-focused researchers are increasingly searching for ways to protect people from having their voice data used against them:

• Simple voice-changing hardware allows anyone to quickly change the sound of their voice. 
• More advanced speech-to-text-to-speech systems can transcribe what you’re saying and then reverse the process and say it in a new voice.
• Distributed and federated learning—where your data doesn’t leave your device but machine learning models still learn to recognize speech by sharing their training with a bigger system.
• Encrypted infrastructure to protect people’s voices from snooping, and
• Voice anonymisation, (eg, altering the pitch, replacing segments of speech with information from other voices, and synthesizing the final output).

Britain’s Labour party is facing several class-action suits for failing to inform members after its database, hosted by a third party, was hacked with ransomware in 2021. The third party in question, the digital agency Tangent, was responsible for handling party membership data, and was reportedly targeted by an unknown ransomware gang that held the information hostage. Tangent refused to pay the ransom, leading the hackers to corrupt the database, rendering it inaccessible: “Labour claims that its own systems have not been affected by the breach, although its membership webpage has been down since it happened and, as a result, the party doesn’t have a complete or up-to-date membership list beyond December 2021”, according to the Bylinetimes newspaper.

Google wants to end location reminder capabilities on mobile and smart devices that use Google Assistant, Gizmodo and IAPP News report. The feature reminds users to do tasks when they arrive at specific locations. In just one example an investigation by Canada’s privacy regulator showed that people who downloaded the app for a popular coffee chain had their movements tracked every few minutes, even when the app wasn’t in use. Investigators said the app collected info to infer where users lived, worked, and traveled. The tech giant points to its privacy policy to claim it only collects data based on users’ settings, and that the app will only collect data when the app is active. However, third party apps can also share private information with Google when going through Google Assistant, based on user settings, says Gizmodo.

The post Weekly digest 30 May – 6 June 2022:  secure multiparty computation, public procurement, voiceprints & privacy appeared first on TechGDPR.

Legal processes and redress: consumer data class actions, digital content and services, CCPA & CPRA

The ECJ ruled that consumer protection associations may bring representative actions against infringements of personal data protection. Such class actions may be brought independently of the specific infringement of a data subject’s right to the protection of his or her personal data and in the absence of a mandate to that effect, the judgement in Meta Platforms Ireland states. Germany’s Federal Union of Consumer Organisations and Associations brought an action for an injunction against Meta Platforms Ireland, alleging that it had infringed, in the context of making available to users free games provided by third parties, rules on the protection of personal data and rules on unfair commercial practices and consumer protection. Here are some of the main court findings:

• the GDPR does not preclude national legislation which allows a consumer protection association to bring legal proceedings, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation;
• a consumer protection association, such as the Federal Union, falls within the scope of the concept of a “body that has the standing to bring proceedings” for the purposes of the GDPR in that it pursues a public interest objective;
• the infringement of the rules on consumer protection and unfair commercial practices may be related to the infringement of a rule on the protection of personal data.

Meanwhile, new Belgian rules on consumer guarantees and digital content and services, entering into effect in June, were analysed by the CMS Law-Now blog. Belgium has reinforced the position of consumers buying physical and digital goods by placing a higher liability on resellers and producers. The guarantee provisions for digital content and digital services apply to a traditional sale in consideration of price, and now also extend to transactions where the consumer “pays” by providing access to their personal data.

Digital content is defined as “data which are produced and supplied in digital form”, while a digital service is either “a service that allows the consumer to create, process, store or access data in digital form”, or “a service that allows the sharing of or any other interaction with data in digital form uploaded or created by the consumer or other users of that service.” The seller must also provide security updates necessary to keep the goods in conformity for the period of time that the consumer can reasonably expect. This piece of EU-wide legislation has a number of data protection implications including core principles such as the requirements for data minimisation, data protection by design, and data protection by default. Read the legal text here.

JD Supra News&Insights has published an analysis on California consumer-focused privacy regulations – the existing California Consumer Privacy Act, (CCPA), and the new California Privacy Rights Act, (CPRA), which will go into effect in 2023. They are similar, but there are some key additions to the latest piece of legislation:

• Data inventories must now include B2B and employee data, (eg, the ability to opt-out of profiling, opt-out of targeted/cross-context advertising, opt-out of automated decision making, and to limit the use and disclosure of sensitive information). 
• Consumers have the right to correct their personal information. 
• Organisations must conduct regular Privacy Impact Assessments and annual cyber risk assessments. 
• Record retention requirements are more stringent and must be disclosed, (specific information on the 11 categories of personal data and the retention periods). 
• Front-end privacy notices will need to be updated to reflect new consumer rights, etc.

Official guidance: cross-border cooperation, oral contracts’ recordings, DPIAs

The EDPB has published its statement on enforcement cooperation. The document emphasises that data protection authorities reiterate their commitment to close cross-border cooperation and agree to further enhance it in the following manner:

• identifying cross border cases of strategic importance in different Member States, (cases affecting a large number of data subjects in the EEA, cases dealing with a structural or recurring problem in several member states, cases related to the intersection of data protection with other legal fields);
• exchanging information on national enforcement strategies with a view to agreeing on annual enforcement priorities at EDPB level;
• the EDPB will propose a template for data subjects’ complaints, to be used by regulators on a voluntary basis;
• the EDPB will continue to improve its IT cooperation tools, with the support of the European Commission.

Finally, the EDPB states that in the coming years, it will be crucial to solidly embed the GDPR in the overall regulatory architecture that is being developed for the digital market (Data Act, DMA, DSA, AI Act, DGA). A clear distribution of competencies among the regulators will need to be ensured, as well as efficient cooperation. 

The French regulator CNIL issued guidance on ‘The recording of telephone conversations in order to establish proof of the formation of a contract’, (in French). An organisation wishing to record telephone conversations for evidentiary purposes must, as a data controller, demonstrate that it has no other means to prove that a contract has been concluded with the data subject. Thus, it is necessary to distinguish the contracts which can be concluded orally from those for which the agreement must necessarily be materialised by a written act. In short:

• For written contracts, registration is not necessary.
• For contracts that can be concluded orally, if conversations are recorded, the principle of data minimization must, in any event, be respected.
• Recordings cannot be permanent or systematic.
• Only conversations relating to the conclusion of a contract may be recorded.
• When people agree to enter into a contract by telephone, the recordings of the telephone conversations can be processed on the basis of the legal basis of the contract (Art. 6 of the GDPR). 
• The collection of banking data needs the implementation of a device to quickly interrupt or delete the recording of the telephone conversation when the consumer pronounces this data, except for statutory requirements.
• On registration, the professional must inform the persons concerned the whereabouts of all the recordings and their data subject rights. 
• This information should be provided in two stages: by means of an oral mention, at the beginning of the conversation,  and by a reference to a website, (and a “legal notices” tab for example), or a “legal notices” button on the telephone to obtain exhaustive information.

Moldova’s data protection authority the NCPDP published its approved list of processing operations that are subject to data protection impact assessment, Data Guidance reports. The data controller must conduct a DPIA of the highest quality, such as: 

• systematic and extensive evaluation of personal aspects or scoring, including the creation of profiles and forecasts; 
• automatic decision-making, including processing that produces legal effects or which affects in a similar way to a significant extent; 
• systematic monitoring, including processing, is used to observe, monitor, or control the data subject, (data collected through networks or large-scale systematic monitoring of an area accessible to the public);
• processing of the personal data of vulnerable persons, including children;
• large-scale processing of personal data, including special categories of data of at least 5,000 individuals; data presenting high risks for at least 10,000 individuals; and any other data of at least 50,000 individuals; and 
• video surveillance in public areas, stadiums, and markets.

Investigations and enforcement actions: lawful rejection of access rights, AI-based speech signal processing, contract change without consent

The Danish regulator Datatilsynet found a municipality’s rejection of a subject access request lawful, according to Data Guidance. Specifically, it found that a municipality’s assessment to reject a former employee’s request for access to personal data was lawful and in accordance with Art. 12 (5-b) and 15 of the GDPR. Here are some facts of the case:

• the request was made after the termination of the employment contract;
• it was to access all communications in which the employee was mentioned;
• a municipality had asked the complainant to specify their request as the desired material was extensive, which the complainant refused to do;
• the information requested, which included letters and emails that had been signed or sent by the complainant, could be considered personal data; 
• the information was mainly a description of the function the complainant performed during employment and thus is not, to a great extent, information ‘about’ the complainant. 

The Hungarian data protection authority NAIH published its annual report which presented its highest-ever privacy fine for unlawful use of AI, of 670,000 euros, Technology Legal Edge reports. A bank, citing as a data controller, automatically analysed the recorded audio of customer service calls. Here are the main findings of the case:

• It used the results of the analysis to determine which customers should be called back by analysing the emotional state of the caller.
• An AI-based speech signal processing software automatically analyzes the call based on a list of keywords and the caller’s emotional state. 
• The software then established a ranking of the calls serving as a recommendation as to which caller should be called back as a priority.
• The data controller based the processing on its legitimate interests to retain its clients and to enhance the efficiency of its internal operations.
• For years it had failed to provide to the data subjects proper notice and the right to object because it had determined that it was not able to do so. 
• The only lawful legal basis for the processing activity of emotions-based voice analysis can only be the freely given, informed consent of the data subjects.
• Though the bank had carried out a Data Protection Impact Assessment, and identified that the processing was of high risk to the data subjects, it had failed to present substantial solutions to address these risks.

Spain’s privacy regulator the AEPD fined a company 150,000 euros for lack of appropriate technical and organizational measures, (Art. 32 of the GDPR). A customer complained that their contract was changed without their consent. However, the company claimed that it had received a call from a person who claimed to live at the claimant’s address and was able to provide details necessary to pass verification, which thereby resulted in the changes to the contract. The regulator concluded  that security procedures which require data such as names, surnames, telephone numbers, and addresses might be available to third parties and used for fraudulent purposes. Finally, the AEPD noted that the contract was modified without the claimant’s consent in violation of Art. 6 of the GDPR, Data Guidance reports. 

Audits: video gaming and minors’ safety online

The UK privacy regulator the ICO has published an age-appropriate Design Code Audit Report for Fireproof Studios, (a gaming company). The scope of areas covered by this audit was determined following a risk-based analysis of Fireproof’s processing of children’s personal data. It was agreed that the audit would focus on the following areas:

• Governance, transparency, and rights  
• Diligence and Data Protection Impact Assessments 
• Minimisation and sharing, age assurance 
• Detrimental Use 
• Privacy settings and controls 
• Geolocation tracking 
• Profiling, cookies, nudge techniques  
• Connected Toys and Devices and AI Online Services

The overall opinion of the audit result is very high on all points:

• Fireproof does not process personal information in-game.
• It has limited the collection of personal data to when it is necessary to provide a customer support function to children and other users. 
• It has made deliberate design choices to not make use of dark nudge techniques, not to profile users, and to not include in-game content detrimental to children. 
• This has facilitated compliance with the Code’s standards and as a result children are afforded a high level of protection when interacting with Fireproof’s games.
• Fireproof process personal data when providing customer support. The information gathered for the purposes of providing support cannot be linked to any in-game information gathered by Fireproof, such as the length of the session.  

However, some room for improvement exists in identifying and documenting a lawful basis for processing and conditions for processing special category data, along with ensuring privacy information is updated to reflect the identified lawful basis and the rights available to children.

Big Tech: Google’s removal of PII, Amazon’s search algorithms, Microsoft’s reports on privacy and cyberwar in Ukraine

Google is extending its privacy policy, giving users for the first time the right to demand the removal of personally identifiable information, (PII), like phone numbers, secret login credentials, or e-mail addresses from search results that can be used in identity theft. Demanding PII removal from search results may take time however, as Google warns users on the removal request page, because of “…preventative measures being taken for our support specialists in light of COVID-19…”.

Amazon has refused to describe its product search system and algorithm inputs to Australian competition regulators. As part of an ongoing five-year review of big tech that last year saw Alphabet’s Google and Facebook fined, a report said Amazon and similar large marketplace platforms prioritised, in rankings and presentation, own-brand products over competitors.

Microsoft published its latest privacy report. The report summarises several trends since October 2021, including the desire of both individuals and organisations for greater control over their data; a surge in the development of comprehensive privacy laws in jurisdictions around the world; and increasing calls by governments and businesses to keep personal data resident in their jurisdictions.  MS gives its customers control over their data through the Microsoft privacy dashboard. Another new initiative by MS was Microsoft Priva, MS’s first product specifically designed to address privacy issues for large organisations.

Additionally, the latest blog post from Microsoft’s Corporate Vice President, Customer Security & Trust Tom Burt reviews the publication of the MS Digital Security Unit’s first report on the cyberwar in Ukraine. It details more than 237 operations, (some of them are ongoing and not fully traced yet), against Ukraine involving at least six pro-Russian nation-state attacks. Nearly 40 operations are classed as destructive, (eg, threatening critical infrastructure and civilian welfare), and there is a high level of correlation between these attacks and battlefield initiatives. 

Techniques have included phishing, wiper malware, use of unpatched vulnerabilities, and compromising upstream IT service providers. Attackers have often tweaked their malware from target to target to avoid detection. The report also includes specific recommendations for organizations that may be targeted by Russian actors as well as technical information for the cybersecurity community.

The post Weekly digest April 25 – May 1, 2022: class actions authorised in EU data protection cases appeared first on TechGDPR.

Official guidance: smart contracts, DPOs, AI risk management, GDPR cooperation

The Spanish data protection authority AEPD analyzed smart contracts. Smart contracts are algorithms that are stored in a blockchain and that execute automated decisions. The very nature of the smart contract, when applied to data of natural persons, falls within the scope defined by Art. 22 of the GDPR. This refers to the right of an interested party not to be subject to decisions based solely on automated means, including profiling, when those decisions have legal effects on them or significantly affect them, and that the interested party can challenge that automated decision. It also establishes three exceptions to said prohibition: explicit consent, the conclusion or execution of a contract between the interested party and a data controller, or the existence of an enabling law. In any of the cases, it is necessary to identify a person responsible for the execution of the said smart contract. The most famous use case is the one known as the DAO Fork of Ethereum. 

A new practical guide for Data Protection Officers was published by the French data protection authority CNIL, (available in English). The spirit of the GDPR is to make the DPO the “orchestra conductor” of the management of personal data in the organization which designates them. The hierarchical position of the DPO must bear witness to this, and their resources must be adapted so that they can fully accomplish their job and their role of compliance coordinator. They should not work in a vacuum but be fully integrated into the operational activities of their organization, in conjunction with the CISO and the IT department, etc. The DPO guide is divided into 4 chapters: 

• the role of the DPO; 
• designating the DPO; 
• the exercise of the DPO’s tasks; 
• CNIL’s support for the DPO. 

Each theme is illustrated by concrete cases and frequently asked questions related to the subject being dealt with.

The US NIST seeks comments on the draft AI risk management framework, (AI RMF), and offers guidance on AI bias. It is intended for voluntary use and to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems. It aims to provide a flexible, structured, and measurable process to address AI risks throughout the AI lifecycle. Similarly, bias in AI can harm individuals. The NIST researchers thus recommend widening the scope of where we look for the source of these biases — beyond the machine learning processes and data used to train AI software to the broader societal factors that influence how technology is developed. AI can make decisions that affect whether a person is admitted into a school, authorized for a bank loan, or accepted as a rental applicant. AI systems can exhibit biases that stem from their programming and data sources, (eg, machine learning software could be trained on a dataset that underrepresents a particular gender or ethnic group). Read the full draft AI RMF and guidance on AI bias here.

The EDPB adopted a couple of new guides last week:

• on Art. 60 of the GDPR, (provides a detailed description of the GDPR cooperation between Supervisory Authorities, (SAs), and helps them to interpret and apply their own national procedures in such a way that it conforms to and fits in the cooperation under the one-stop-shop mechanism). 
• on dark patterns in social media platform interfaces, (gives concrete examples of dark pattern types, presents best practices for different use cases, and contains specific recommendations for designers of user interfaces that facilitate the effective implementation of the GDPR), and
• the toolbox on essential data protection safeguards for enforcement cooperation between EEA and third-country SAs, (covers key topics, such as enforceable rights of data subjects, compliance with data protection principles, and judicial redress).

Legal processes: cyberattack disclosure in the US

New US cyber security incident reporting mandates have been signed into law, making it a legal requirement for operators of critical national infrastructure, (CNI), to disclose cyberattacks to the government. Namely, it will require CNI owners within the US to report substantial cyber attacks to the Cybersecurity and Infrastructure Security Agency, (CISA),  within 72 hours, and any ransomware payments made within 24 hours. It enables CISA to subpoena organizations that fail to do so, with the threat of referral to the US Department of Justice for non-compliance. CISA has not said how it will use data gleaned from breach reports but has been seeking to build its capabilities and work more closely with the private sector on a voluntary basis. The CISA lists 16 broad sectors spanning health, energy, food, and transportation as critical to the US, although the new legislation is yet to spell out precisely which companies would be required to report cyber incidents. 

Data breaches and enforcement actions: insufficient TOMs, ransomware, unwanted marketing calls, Irish/Meta fine

The Danish data protection authority Datatilsynet criticized Kombit, (IT/project organization), for violating Art. 32 of the GDPR, following data breaches reported by 30 municipalities, Data Guidance reports. An error occurred in the platform used by the municipalities, where a user could access another user’s files, which included personal data if the latter was not logged out of their computer. The IT company had not complied with the rules on data security, namely: no sufficient testing of the platform was carried out in connection with the change of the code implemented, (development of a change to the login solution in the platform), and it applied for insufficient access right controls. Additionally, Kombit along with another company could not agree on what tests could be expected to be performed in connection with the code changes, and whether another company was acting as a sub-processor or not.

The UK Information Commissioner’s Office, (ICO), announced fines totalling approx 482,000 euros to five companies responsible for over 750,000 unwanted marketing calls targeted at older, vulnerable people. Companies, (Domestic Support Ltd, Home Sure Solutions, Seaview Brokers, UK Appliance Cover, UK Platinum Home Care Services), were calling people to sell insurance products or services for large household appliances, such as televisions, washing machines, and fridges. In the UK live marketing calls should not be made to anyone who has registered with the Telephone Preference Service unless they have told the caller that they wish to receive such calls from them. The ICO also issued these companies with enforcement notices that require them to immediately stop making these predatory calls.

The ICO also fined a law firm approx 116,784 euros for contravening Art. 5 and Art. 32 of the GDPR by failing to process personal data in a manner that ensured appropriate security of the personal data, GDPRHub reports. Tuckers Solicitors, a limited liability partnership of solicitors, was the data controller. In 2020, they became aware that their systems were hit by a ransomware attack and reported the data breach to the ICO on the same day. Here are some facts and findings from the case:  

• The attack had resulted in the encryption of numerous civil and criminal legal case bundles stored on an archive server. 
• Backups were also encrypted by the attacker.
• Although the firm’s GDPR and Data Protection Policy required two-factor authentication where available, it was not using the same for remote access. 
• The firm installed the patch after months of its release, during which the attacker could have exploited the vulnerability. 
• The firm moved its servers to a new environment and the business was now back to running as normal, albeit without the restoration of the compromised data.
• The proper encryption could have mitigated the damage, (however it would not have prevented the ransomware attack).

The ICO held that multi-factor authentication was a low-cost measure that could have substantially supported Tuckers in preventing access to its network. The firm also should not have been processing sensitive personal data on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk.

Ireland’s data protection authority, (DPC), imposed a 17 mln euro fine on Facebook parent Meta Platforms after an inquiry into 12 data breach notifications from 2018. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data. Given that the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the co-decision-making process outlined in Art. 60 of the GDPR and all of the other European supervisory authorities were engaged as co-decision-makers. While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, a consensus was achieved through further engagement between the DPC and the supervisory authorities concerned. Ireland regulates Meta and a number of other large US tech giants because their EU headquarters are in the country. The DPC, which has a number of ongoing investigations into Meta, last year fined its WhatsApp subsidiary a record 225 mln euros.

Data security: password managers

An analysis by the Guardian looks at password managers for convenience and enhanced online safety. The article argues that long and complex passwords are more secure but difficult to remember, leaving many people using weak and easy-to-guess credentials. Password manager apps can resolve this problem by creating long and complex credentials for you, and remember them the next time you log in: “Password managers keep your details secure by encrypting your logins so they can only be accessed when you enter the master password.” Yet reportedly only about one in five people in the UK use one. Some other findings by UK experts are:

• Never create a virtual book or document on your computer, which could be viewable if your device is hacked.
• Password managers should be backed by two-factor authentication, whereby you are asked for something such as a one-time code in addition to a password when you log in using a new device.
• A security key is an option – a token you can insert into your device to double-secure high-risk accounts such as email. 
• Authenticator apps are another option. These generate a unique code for you to enter into the site and are very straightforward to use.
• Apple Keychain and the Google Chrome Password Manager lack the features of “full-service” ones. 
• Physical password books aren’t a bad idea, as long as you create strong, unique logins, and the book is kept somewhere secure and doesn’t leave the house.

DPIA: Zoom case

Zoom is making changes to the privacy agreements for all education and enterprise users in Europe in collaboration with SURF, (the ICT service provider for Dutch education and research).  It has removed the privacy risks identified in the DPIA from 2021 by making changes to the software, making processor agreements, and promising future changes. These contractual and technical adjustments are described in the new recently published DPIA. They include:

• Data location solutions, (all personal data be processed in the EU by the end of the year). 
• Data Subject Access Requests: Zoom to use two self-service tools for enterprise and education account administrators. 
• Clarifying the data protection role of Zoom and its customers, (universities and government organizations).
• Clarified and minimized customer personal data retention practices. 
• Privacy by design and default.
• Updated Data Transfer Impact Assessment, and much more.

Big Tech: all-new GA, apps leaking sensitive data, Tesla’s facial and optical tracking

The all-new Google Analytics 4 will be the first data measurement tool released by the company with privacy designed “at its core”, an upgrade on the privacy features in the recent Analytics 360 tool, which will be retired, along with Universal Analytics. The company says IP addresses will no longer be stored, which could ease compliance in international markets, and the EU GDPR requirements for data transfers.

Are your apps leaking sensitive user data? A study revealed that 2113 apps had vulnerabilities in their Firebase back end because of cloud misconfigurations, IAPP News reports. Certain apps had tens of millions of downloads and included popular e-commerce, social audio platform, logo design, bookkeeping sites, and even a dating app. Lost data included user names, passwords, phone numbers, bank details, and some 50,000 chat messages. A separate study also found that 14% of Android and iOS apps using public cloud back ends had similar privacy issues due to misconfigurations.

Integral to Tesla’s autopilot and full self-driving features is the fact that software looks at your eyes while you look at the road, using facial and optical tracking to check your driving. Now a driver in Illinois has filed a proposed class action against Tesla Inc. for recording and storing biometric data without informed consent, illegal under Illinois’s Biometric Information Privacy Act, (BIPA). The suit also claims Tesla failed to make its data retention policy public, and failed to inform customers where facial recognition data was stored. Damages of 5000 dollars per BIPA violation are being sought.

The post Weekly digest March 14 – 20, 2022: smart contracts, AI bias, password managers & privacy appeared first on TechGDPR.

Legal processes: draft EU Data Act, AI liability rules

The Commission proposed new rules on who can use and access data generated in the EU across all economic sectors. The EU Data Act will “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all”. In particular the Act will:

• allow users of connected devices to gain access to data generated by them, which is often exclusively harvested by manufacturers;
• consumers and businesses will be able to access the data of their device and use it for aftermarket and value-added services, (eg, farmers, airlines, construction companies will make better decisions buying higher quality products and services);
• measures to rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts;
• statutes for public sector bodies to access and use data held by the private sector necessary in the exceptional circumstance of a public emergency;
• new rules allowing customers to effectively switch between different cloud data-processing services providers and putting in place safeguards against unlawful data transfer.

In addition, the Data Act reviews certain aspects of the Database Directive which protects investments in the structured presentation of data. Notably, it clarifies that databases containing data from IoT devices and objects should not be subject to separate legal protection. This will ensure they can be accessed and used. The volume of industrial data is constantly growing and the Commission reports 80% of it is never used.

The EDPB sent a letter to the Commission on adapting liability rules to the digital age and Artificial Intelligence initiative. It considers that the revision of the legal framework should ensure consistency with and complement the EU acquis in the field of personal data protection, in particular when it comes to the security of personal data processing and the use of AI systems. While, under the GDPR, only controllers and processors would be liable, (eg, in a personal data breach case, it is essential to consider the role and potential liability of providers of AI systems developed and made available in order to secure personal data processing). However because of the nature of AI, assigning the responsibility to a party in a claim that involves an AI system might be particularly difficult, especially when the burden of proof lies with the individual since the latter could be unaware of the fact that AI is used and, in the majority of cases, would lack the necessary information to prove the liability of the AI system. For that purpose, the EDPB wishes to stress the positive effects of:

• including systematic human supervision;
• transparency for the end-user on the use and operation of the AI system and on the deployed methods and algorithms;
• limitations and liability risks on the use of AI systems due to different types of attacks;
• providers of AI systems should be responsible for providing users with mitigation tools for known and new types of attacks and for embedding security by design throughout the entire lifecycle of the AI;
• users of AI systems should be responsible for ensuring the safe operation of the system, etc.

Additionally, specific liabilities might be triggered by the ineffective application of data protection principles by AI providers and users. Lack of data accuracy or scarce attention paid to the fairness of algorithmic decisions might translate into impairments to individuals’ rights and freedoms as well as economic losses. 

Official guidance: video surveillance

The UK Information Commissioner’s Office has published a guide on the use of video surveillance. As video surveillance technology becomes more mainstream and affordable, it is now more common to see technologies such as smart doorbells and wireless cameras. Traditional CCTV also continues to evolve into more complex AI-based surveillance systems. These can process more sensitive categories of personal data. The ways in which the technology is used also continue to develop. Some of the provisions include:

• data protection by design default approach;
• performing LIA demonstrates the lawfulness of the processing, that can naturally feed into a DPIA, for any processing that is likely to result in a high risk to individuals;
• maintaining a record of the processing activities taking place; 
• determining a necessary data retention periods;
• notifying and paying a data protection fee to the ICO, unless exempt, etc.

The guidance covers UK GDPR and Data Protection Act 2018 requirements. It applies where personal data is being processed by video surveillance systems in the public and private sectors. It also outlines considerations for the use of Automatic Number Plate Recognition, Body Worn Video, Unmanned Aerial Vehicles, (also known as drones), Facial Recognition Technology and surveillance, commercial products such as smart doorbells and surveillance in vehicles, workplace monitoring, live streaming, and other commercially available surveillance systems that have the potential to process personal data.

Investigations and enforcement actions: proof of identity, satisfaction survey, cooperation with the regulator, data breach notification

The Netherlands’ data protection authority fined Belgium-based DPG Media 525,000 euros for GDPR violations. The regulator found that individuals who wanted to view the data the company held or have it removed first had to provide proof of identity. The regulator received several complaints about the way Sanoma Media Netherlands BV, (before it was acquired by DPG Media in 2020), dealt with these types of requests. In particular: 

• Subscribers received unwanted advertising from the company.
• Anyone who wanted to unsubscribe, know what personal data was kept, or wanted to have data deleted, first had to upload proof of identity. 
• When the proof of identity was sent digitally, these people were not informed by the company that they were allowed to protect their data.
• For customers who had not created an online account with DPG Media it was more difficult to access or change their data. 

DPG Media has changed its working methods, and now sends a verification email to establish the identity of a requester. DPG Media has objected to the decision.

The EDPB analyzed the recent enforcement case where the Hungarian supervisory authority fined a car importer for unlawful data processing practices related to satisfaction measurement. After the applicant had their car inspected/serviced by the respondent as a specialist car garage, the applicant provided the respondent with its email address at the request. The applicant subsequently received an unsolicited email asking him to complete a satisfaction questionnaire in relation to the above service provided and then another email asking him to complete the questionnaire again due to his lack of response. The applicant’s consent for the transfer was not requested. Throughout the investigation, the importer company could not demonstrate how the following processed data are related to the stated purposes of satisfaction measurement and complaint management: the customer’s name, email address, home address, telephone number, age, gender, chassis number, registration number, technical data of the vehicle, the name of the dealer partner used, the date of the service used and the content of the feedback.

The EDPB also looked at another fine, by the Polish regulator, for lack of cooperation. The regulator requested a company respond to the content of a complaint and to answer detailed questions regarding the case. The regulator sent four requests to the company, (the data controller), and it accepted only one of them and did not reply. Disregarding the obligations related to cooperation with the regulator constitutes a breach of great gravity and as such is subject to financial sanctions. Therefore, in this case, the supervisory authority imposed an administrative fine of approx. 4,000 euros, which will not only be effective, proportionate, and dissuasive in this individual case but will also be a signal for other entities. 

The Spanish regulator AEPD fined Worldwide Classic Cars Network 1,500 euros and imposed corrective measures for having video surveillance without just cause and lack of information posters, Data Guidance reports. The complaint was filed by an individual for the installation of two video surveillance cameras which captured images of the public. Moreover, the video surveillance cameras did not display signs in accordance with the GDPR. The AEPD ordered Worldwide Classic Cars, within 10 business days, to provide proof of the following measures: a) removing the cameras from the current location, or redirecting them to its particular area; b) placing the information sign in the video-monitored areas; and c) making the stored information referred to in the GDPR available to those affected.

The Italian regulator ‘Garante’ ordered Minelli S.p.A to notify a data breach to data subjects, Data Guidance reports. The company became aware of a data breach following a report by an employee. The data breach consisted of the temporary loss of availability of data, (bank details, health data, authentication credentials), contained in a number of servers and PCs owned by the company, and the probable loss of confidentiality of the same data as a result of a ransomware attack. The breach involved around 800 data subjects, including employees, consultants, customers, and suppliers. However, Minelli had only notified the data breach to the employee who had initially detected the incident, and failed to notify all the data subjects involved. 

DPIA: Microsoft Teams

The Dutch government released a public version of the DPIA on Microsoft Teams. The document assesses the data protection risks of the professional use of the tool in combination with OneDrive, SharePoint Online, and the Azure Active Directory. These applications are commonly used to access and store files shared via Teams. As a precondition to using Microsoft’s online services, end-users, and admins, including guest users, must be authenticated through the online cloud service Azure Active Directory. The DPIA conclusion says Microsoft has implemented many legal, technical, and organizational measures to mitigate the risks for data subjects. In reply to the initial findings of this DPIA, Microsoft has also committed to improving some shortcomings and has provided important assurances.

However, in view of the ‘Schrems II’ ruling and the technical findings described in this report, Microsoft has to make more adjustments for one high and a couple of low-level identified risks. It is uncertain how the transfer risks will be assessed by the national data protection authorities this year, (in their joint investigation into the use of cloud services by public sector organizations). For this DPIA the transfer risks have been rigorously assessed, including a separate DTIA. Download the full DPIA document here.

Big Tech: TikTok’s child privacy, Meta-EU data transfer row, AI-based privacy compliance tool

The Texas Attorney General has launched an investigation into TikTok, demanding a wealth of documentary proof that the company has not been violating child privacy and enabling unlawful conduct and human trafficking. Two Civil Investigative Demands, (CID), request TikTok explain privacy policy, procedure and review practices, and how it identifies and removes content for child safety. TikTok must also provide copies of policies, guidance, manuals, training materials and the like related to children’s use of TikTok. The company has until March 18 to reply to the CIDs.

Ireland’s data protection regulator reportedly is inching towards banning Meta’s Facebook and Instagram from transferring data to the US after Data Protection Commissioner Helen Dixon issued a draft ruling for which Meta has 28 days to make legal submissions. They will likely focus on their claim the transfer ban, a result of the Schrems privacy campaign and the 2020 ECJ decision to scrap the existing transatlantic data transfer agreement, damages its and thousands of other companies’ business. The decision could be shared with fellow EU regulators in April and if none of them lodge an objection, “the earliest time we could have a final decision could be the end of May,” Helen Dixon told Reuters. Any objection could add some months to the timeline.

Mobile app developers have a new AI-based tool to help to identify possible privacy and compliance issues within apps. Called Checks, it’s out of Google’s Area 120 incubator and is freemium to all Android and iOS developers. Via Google Play developers will be able to get their apps scanned for any potential privacy and compliance problems, and a report offering applicable solutions and resources.

The post Weekly digest February 21 – 27, 2022: the EU Data Act to facilitate use of digital economic data appeared first on TechGDPR.