Age Assurance Archives - TechGDPR
https://techgdpr.com/blog/tag/age-assurance/
Fri, 20 Mar 2026 11:57:15 +0000

Data protection digest 3-18 Mar 2026: Proposed EU Biotech Act strengthens clinical trial participants’ rights
https://techgdpr.com/blog/data-protection-digest-20032026-proposed-eu-biotech-act-strengthens-clinical-trial-participants-rights/
Fri, 20 Mar 2026 09:16:26 +0000

The post Data protection digest 3-18 Mar 2026: Proposed EU Biotech Act strengthens clinical trial participants’ rights appeared first on TechGDPR.

EU Biotech Act

The EDPB and EDPS adopted a Joint Opinion on the European Commission’s Proposal for a European Biotech Act. It aims to strengthen Europe’s biotechnology and biomanufacturing sectors, including streamlining the regulatory framework and updating the rules for clinical trials (in the form of proposed amendments to the Clinical Trials Regulation). The privacy regulators welcome the aim to establish a single legal basis for the processing of personal data by sponsors and investigators in the context of clinical studies. The opinion provides several recommendations to ensure that the proposed simplifications do not lower the level of protection for clinical trial participants:

  • Clarifying the controller roles of the actors involved in funding and conducting clinical trials, jointly and severally
  • Limiting data retention for various personal data collected throughout the clinical trial (except master files storage requirements)
  • Further processing for other clinical trials and scientific research
  • Coherence with the AI Act
  • Appropriate technical and organisational measures (the use of pseudonymisation)
  • Regulatory sandboxes

Main developments 

Transparency enforcement action: On 18 March, the EDPB launched its Coordinated Enforcement Framework (CEF) action for 2026. Following a year-long coordinated action on the right to erasure in 2025, the CEF’s focus this year will shift to compliance with the obligations of transparency and information under the GDPR. The GDPR ensures that individuals are informed when their data is being processed (under Art. 12, 13 and 14). This right to be informed is a core element of transparency and ensures that individuals have more control over their data. Participating authorities will soon contact controllers from different sectors across Europe.

European Blockchain sandbox: The European Commission has published the results of the third edition of the ‘European Blockchain Sandbox’, an initiative in which European data protection agencies participate alongside other authorities. Following the publication of the selected projects, which cover all EU/EEA regions and represent a wide range of sectors and issues, and once the confidential regulatory dialogues are completed, a report of good practices will follow, as in the first two editions.

Other legal updates

Data Brokers EU study: The Belgian data protection agency and the EDPB commissioned a study to gain greater insights into the ecosystem of data brokerage. In particular, several types of data brokers and providers were identified: personal data brokers, AI platforms integrating personal data, business data brokers, data pools and cleanrooms, data marketplaces, self-generated data providers, data brokers with user control, and aggregated data providers with re-identification risk.

The study shows that the data broker and provider market in Belgium is highly diverse, with varying levels of risk associated with the use of personal data. More than 40 data brokers and providers active in Belgium were identified in the study.

Big Tech compliance with the EU DMA: The gatekeepers designated in 2023, Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft, have submitted reports on their updated compliance measures under the Digital Markets Act (DMA), outlining the changes they have implemented and measures they have taken during the past year. The gatekeepers also submitted to the Commission updated, independently audited reports on consumer profiling techniques. The public versions of the updated compliance reports will shortly be available here and here.

US privacy laws development: DLA Piper publishes a list of recently introduced comprehensive privacy bills, state by state (Alabama, Arizona, Iowa, Illinois and more). They reflect a continued trend toward expanding individual privacy rights and creating new compliance obligations for businesses that collect and process personal data, including consent requirements, data minimisation, data brokers, child data, geolocation, biometrics and other types of sensitive data.

More from supervisory authorities

Age assurance guide: The Australian Information Commissioner (OAIC) has published new guidance on age assurance technologies to assist entities in ensuring Australians’ privacy is protected when they encounter age checks online. Three months on from the commencement of the Social Media Minimum Age (SMMA) scheme, the OAIC has observed significant growth in age checks taking place in Australia to allow people access to other online services. The guidance calls on entities to: 

  • establish whether age checks are needed and take a privacy-by-design approach
  • undertake due diligence to ensure the security of the entity’s age assurance ecosystem
  • assess risk and choose age-assurance methods that are proportionate and data minimising
  • ensure clear consent requests are used for the collection of sensitive information (such as biometric templates) or for secondary use or disclosure
  • be transparent in privacy notices and ensure meaningful support is available to individuals, through simple and easy to access complaints processes

IT security in the health sector: The IT security of software products in the healthcare sector has room for improvement. This is a recent conclusion reached by Germany’s Federal Office for Information Security (BSI) after testing the standard configurations of various healthcare software products. As part of the project, four exemplary practice management systems (PMS) were examined for vulnerabilities using penetration tests. The findings included a lack of encryption for data transmission and the use of outdated, and therefore insecure, encryption algorithms.

AI systems monitoring criteria

AI outputs are typically non-deterministic, meaning the AI may exhibit a range of behaviours under the same input conditions. To that end, America’s NIST publishes a much-needed analysis of post-deployment AI system monitoring aimed at improving their reliability. The study introduces six monitoring categories to support a more organised discussion: 

  • Functionality: Does the system continue to work as intended? 
  • Operational: Does the system maintain consistent service across its infrastructure? 
  • Human Factors: Is the system transparent to humans and of high quality?
  • Security: Is the system secure against attacks and misuse? 
  • Compliance: Does the system adhere to relevant regulations and directives? 
  • Large-Scale Impacts: Does the system promote human flourishing?

Web filtering proxy

The French privacy regulator CNIL promotes cybersecurity solutions that comply with the GDPR, both in their use and in their design. To this end, it publishes a recommendation to support users and providers of web filtering proxies – a device or service used to secure internet access by filtering web content for security and compliance reasons. Web filters can help meet the data security obligation (Art. 32 of the GDPR). However, they themselves rely on data processing that must also comply with the GDPR. The CNIL recommendations aim in particular to inform data controllers:

  • on compliance with the principles of the GDPR in the use of a web filtering proxy, including the determination of a legal basis, the minimisation of the data collected, the retention periods and the respect of the exercise of rights by the data subjects;
  • on the points of attention relating to the use of HTTPS decryption and the implementation of a list of exceptions;
  • on the deployment modalities;
  • on the security of the access filtering and logging solution.

In other news

Account deletion and purchase history: The Privacy Commissioner of Canada has issued its findings in an investigation into complaints against Loblaw Companies (the biggest Canadian food retailer) related to the PC Optimum Loyalty Program. Several complainants alleged that Loblaw did not delete their PC Optimum accounts after they requested it, and/or that it had not responded to inquiries about their deletion requests.

The investigation found that, while Loblaw had mechanisms in place for customers to request an account deletion or to raise privacy concerns, it took an unreasonable amount of time to address the requests, and also failed to respond to some privacy-related inquiries. The investigation also found that Loblaw retained PC Optimum members’ purchase history after their account had been deleted, and that the removal of personal identifiers such as names and email addresses was an insufficient measure to have in place.

Age assurance technology fine: The Spanish AEPD fined Yoti 950,000 euros following an investigation into its role as an intermediary in identity and age-verification processes. The fine includes 500,000 euros for processing special category biometric data without a valid exemption under Article 9 of the GDPR, 200,000 euros for obtaining consent for research and analytics through pre-ticked boxes in breach of Article 7, and 250,000 euros for retaining data, including biometric and geolocation information, for longer than necessary in violation of the storage limitation principle under Article 5(1). 

The AEPD required Yoti to demonstrate within six months that its processing of biometric data, consent mechanisms, and data retention practices comply with the GDPR, digitalpolicyalert.org reports.

More enforcement decisions

Amazon Italy ban: The Italian Data Protection Authority Garante ordered Amazon Italia Logistica to immediately stop processing the personal data of more than 1,800 employees at its Passo Corese (RI) site. The ban concerns workers’ sensitive information, which Amazon systematically collected and stored throughout their employment and retained for up to ten years after they left the company, using an internal platform linked to the attendance tracking system and accessible to numerous managers.

The information was recorded on the platform following interviews conducted when employees returned from periods of absence. It included details about medical conditions such as Crohn’s disease, herniated discs, and pacemaker implants, as well as participation in strikes and trade union activities. In some cases, notes referred to alleged misuse of leave. Personal and family matters were also documented, including references to a terminally ill parent, a sibling with brain cancer and marital separations, according to the Maltese data protection agency analysis.


Intesa Sanpaolo fine: Garante also fined Intesa Sanpaolo 17.628 million euros for unlawful personal data processing. Intesa Sanpaolo had profiled approximately 2.4 million customers identified as “predominantly digital customers” through automated processing of personal data, including age, use of digital channels, absence of investment products, and financial balances below 100,000 euros. This profiling lacked a valid legal basis. The regulator determined that informed consent under Article 6(1) of the GDPR was the only applicable legal basis, and that such consent had not been obtained, digitalpolicyalert.org sums up. 

Foreign service providers and the choice of jurisdiction

A DLA Piper analysis looks at a case in California demonstrating the expanding reach of personal jurisdiction over foreign companies operating online platforms. It relates to an appellate court’s decision to reverse a district court’s dismissal of a class action against an Estonian software company for lack of personal jurisdiction. The plaintiffs brought a class action in the Northern District of California against 3Commas Technologies, an Estonian private limited company that provides software services for cryptocurrency trading, based on an alleged data breach. 

In the above case, the foreign company collected IP addresses, billing addresses, and location data that could reveal users as California residents, contacted them, and interacted with them for cryptocurrency trades. The appeal court also decided that including specific references to California privacy rights can be construed as evidence of intentionally targeting California consumers. Finally, the choice of law and forum selection clauses in vendor contracts may be used as evidence, too.

And Finally


Data altruism: The French CNIL also publishes FAQs on Recognised Data Altruism Organisations in the EU. The Data Governance Act (DGA) creates an EU-recognised Data Altruism Organisation (DAO) status. These altruistic organisations voluntarily share data for general interest and non-profit purposes. In particular, Article 18 of the DGA sets out the general conditions for registration; the organisation must:

  • conduct data altruism activities
  • be a legal person pursuing objectives of general interest under national law
  • operate on a not-for-profit basis and be legally independent of any entity operating for profit
  • conduct its data altruism activities through a structure that is functionally separate from its other activities
  • comply with a set of common European rules, known as the ‘compendium of rules’, in a transparent, secure and interoperable manner

AI agents and data security: A Krebs on Security blog post looks at AI-based assistants: autonomous programs that have access to the user’s computer, files and online services and can automate virtually any task. Their popularity is growing in particular among developers and IT workers. These powerful new tools are rapidly shifting the security priorities for organisations, while blurring the lines between data and code, and between trusted co-worker and insider threat. The article explains various vulnerabilities for users, including the case where exposing a misconfigured AI agent web interface to the Internet allows external parties to read the bot’s complete configuration file, including every credential, from API keys and bot tokens to signing keys. Another experiment showed how easy it is to mount a successful supply chain attack through a public repository of downloadable “skills” that allow AI agents to integrate with and control other applications.

Data protection digest 17 May – 1 June 2025: The ‘reject all’ button is a must; legitimate interest as the data controller’s initiative
https://techgdpr.com/blog/data-protection-digest-3062025-the-reject-all-button-is-a-must-legitimate-interest-as-the-data-controllers-initiative/
Tue, 03 Jun 2025 08:46:16 +0000

‘Reject all’ button

The State Commissioner for Data Protection of Lower Saxony has ruled that the “Reject all” button is a must on the first level of the consent banner for cookie preferences when an “Accept all” option is available. Consent banners may not specifically encourage consent and discourage the rejection of cookies. Otherwise, the consents obtained in this way are invalid, which constitutes a violation of the Telecommunications Digital Services Data Protection Act and the GDPR in Germany. The background to the proceedings was an order issued by the Commissioner (recently confirmed by the Hanover Administrative Court) against a Lower Saxony media company, based on the findings that: 

  • Rejecting cookies was much more complicated than accepting them
  • Users were pressured to consent by constantly repeating banners
  • The “optimal user experience” and “accept and close” labels were misleading
  • The number of partners and third-party services involved was not apparent
  • References to the right to withdraw consent and data processing in third countries outside the EU were only visible after additional scrolling on the page, etc.


GDPR simplification

The European Commission has published its final proposal aiming to simplify and clarify the derogation from the record-keeping obligation under Art. 30 of the GDPR. The scope of the derogation in the amending regulation will be broadened to include SMCs and organisations with fewer than 750 employees.

The proposal will also clarify that SMCs are exempted from the record-keeping obligation, unless their processing is likely to result in a ‘high risk’ to data subjects, defined in Art. 35 of the GDPR, and that the processing of special categories of personal data by Art. 9(2)(b) does not, as such, trigger the obligation to maintain the records.

Meta AI training in the EU will proceed

Concerning the training of Meta’s AI models on social network user data, the Hamburg data protection regulator, in agreement with the German data protection authorities, has decided against being the only EU supervisory body to issue a national provisional injunction against Meta’s AI training. Given the planned evaluation of Meta’s approach by the EU supervisory authorities, and following the decision of the Cologne Higher Regional Court (which held that the use of data for AI training is lawful under Article 6(1)(f) of the GDPR without requiring user consent, citing Meta’s legitimate purpose), an isolated emergency procedure for Germany is not the appropriate instrument to clarify the existing assessment differences across Europe.

More legal updates

CJEU decision on Meta’s “Pay or Ok” model: At the same time, the European Court of Justice (CJEU) has ruled in the case of Meta Platforms Ireland Ltd v. European Data Protection Board (EDPB). The case concerned the Board’s opinion focused on the circumstances under which so-called “pay or consent” models – where users of large online platforms are invited to either consent to the processing of personal data for behavioural advertising or to pay for the service to avoid such processing – can be considered to meet the conditions for valid consent under the GDPR. 

The EDPB considered that in most cases, it was unlikely that large online platforms could ensure valid consent when users were given only two options: to consent to the processing of all their data for marketing purposes or to pay. The EU top court rejected Meta’s claim, holding that since the opinion was advisory, it did not have a legally binding effect on third parties and could therefore neither be annulled nor give rise to a claim for damages. 

China facial recognition: According to digitalpolicyalert.org, the Cyberspace Administration of China’s rules on the secure use of face recognition technology go into effect on 1 June. Except for research and algorithm training, the rule covers organisations that process this data in China. It proposes express consent, transparency, carrying out impact assessments, security measures in place, and purpose limitation. Additionally, it stipulates that face recognition cannot be the only verification technique when there are other options and that its application in public areas is restricted to public safety, excluding private areas.

Personal data breach handling

According to the GDPR, there is a general obligation for data controllers to report personal data breaches to a supervisory authority, unless the breach is unlikely to result in a risk to the rights or freedoms of natural persons. At the same time, data controllers must notify data subjects if the personal data breach is likely to result in a high risk to their rights and freedoms. The obligation of data controllers to report personal data breaches entails several advantages, as reporting breaches is, among other things, a tool that contributes to the ongoing improvement of data protection.

For failing to report the incident, the authority may make use of its corrective powers. To that end, the Danish data protection authority has just updated the remaining parts of its guidance on handling personal data breaches (in Danish).

More from supervisory authorities

Employer obligations: The IDPC of Malta published a useful set of FAQs relating to the employment sector. These FAQs seek to address common questions which employers may have about their data protection obligations under the GDPR, particularly about how to handle the personal data of their employees. The FAQs cover questions relating to biometric data processing, police conduct certificates, pre-employment medical checks, employee monitoring, management of employee email accounts, and data retention. You can read the FAQs, available in English, here.

AI impact assessment standard: The International Standards Organisation has published ISO/IEC 42005 guidance for organisations conducting AI system impact assessments. These assessments focus on understanding how AI systems — and their foreseeable applications — may affect individuals, groups, or society at large. The standard supports transparency, accountability and trust in AI by helping organisations identify, evaluate and document potential impacts throughout the AI system lifecycle. 

Age assurance online: The Vermont Legislature passed the Vermont Age-Appropriate Design Code (AADC). The Vermont AADC joins several other states’ efforts in protecting kids’ privacy, autonomy, and online safety by prohibiting abusive data and design practices. The bill now awaits the Governor’s approval. According to EPIC legal analysis, significant provisions in it include:

  • Requiring covered businesses to configure minors’ default privacy settings to the highest level of privacy.
  • Providing minors with the ability to limit unwanted adult contact.
  • Regulating how minors’ data is used to ensure that personalised feeds are not driven by surveillance data, but instead by minors’ expressed preferences.  
  • Requiring companies to be transparent about how they use minors’ data.
  • Requiring the Attorney General to update rules prohibiting abusive data processing or design practices that “lead to compulsive use or subvert or impair user autonomy, decision making, or choice”, etc.

Email security


Germany’s Federal Office for Information Security (BSI) issued a cybersecurity recommendation to upgrade your email security. This guide is aimed at all companies that send and receive emails within their domain. Using concrete, practical examples, such as Microsoft Exchange Online and Google Workspace with Gmail, it demonstrates how the cybersecurity of email communication with customers, other companies, or third parties can be improved. Often, states the regulator, this requires only a few steps, such as adjusting the configuration of the groupware used by the company or more careful implementation of the SPF, DKIM, and DMARC standards.

Legitimate interest

The Estonian data protection agency meanwhile answers questions on legitimate interest: when and how to rely on it in data processing? While other legal bases for data processing, such as consent, contract or contract negotiations, require the person’s own will or initiative (eg, consent to receive campaign offers, submitting a CV for a job), legitimate interest is always the data controller’s initiative, whether for their benefit or the benefit of a third party. However, to use legitimate interest as a basis for data processing operations, a legitimate interest analysis must also be carried out, which should be in writing, verifiable and traceable, detailing how the result was reached. Three conditions must be met simultaneously:

  • The controller or the third party, or third parties receiving the data, have a lawful legitimate interest in the processing.
  • The processing of personal data is necessary for the exercise of a legitimate interest.
  • The fundamental rights and freedoms of the data subject are to be protected.

Additionally, the public sector cannot rely on legitimate interest unless it has an activity that is not related to its main task, which arises from the law. And it cannot be relied on when processing special types of data (eg, health data).


AI and personal data

Finland’s privacy regulator published guidelines on taking data protection into account in the development and use of artificial intelligence systems (in Finnish). An organisation must choose a suitable basis for processing personal data. It is also required when personal data is used to train an artificial intelligence system. The guidance describes in more detail the applicability of the different processing legal bases. Any organisation must also assess the data protection risks of the AI system even before personal data is processed. The risks must be assessed from the perspective of the people whose data is being processed. Based on the risk, the organisation must decide, for example, on the necessary security measures. Organisations are given guidance on how to comply with the data protection principles set out in the GDPR, such as data minimisation, purpose limitation and information obligation. 

IT systems’ new security measures

The Danish data protection agency is adding two new measures to its catalogue of measures with a focus on preventing security breaches through hacking. The two new measures have the following titles: a) Security management and maintenance of software, and b) Network segmentation. The regulator notes that there is nothing revolutionary about the new measures, but many of the breach cases it receives could have been avoided by following what is described in them. For instance, several breaches related to IoT, where software in surveillance cameras does not seem to be handled with the same attention as other IT equipment, even though this very equipment can provide an easy access route to the internal network.

Lufthansa data breach

The Hungarian data protection agency announced a data breach involving Lufthansa Group. An unauthorised access occurred in a system operated by an external service provider that handles hotel accommodation for passengers on cancelled flights. As a result, unauthorised persons had access to data such as the passenger’s name, gender, mobile phone number, flight number, reference to travelling with a small child, and the date of the hotel reservation. Lufthansa said no payment details were affected and there was no evidence of any data being publicly disclosed. 

The incident may affect those who received hotel vouchers for cancelled flights between November 2, 2019 and January 22, 2024. The company has since taken the necessary security measures and notified data protection authorities. Passengers are advised to be cautious, especially when receiving calls and messages from unknown sources.

Aggressive real estate brokerage

The Italian regulator Garante spotlighted a new and worrying phenomenon of aggressive telemarketing that has emerged in the real estate brokerage sector. Thousands of potential sellers and buyers were contacted via phone calls and WhatsApp messages, without having given valid consent to receive promotional communications, by real estate agencies that used very detailed lists provided by a service company. The lists used constituted a real mass mapping of the territory and were “enriched” with telephone numbers (landline and mobile), and cadastral information was also obtained. Each owner residing in a specific area of commercial interest for the agencies was subjected to a real filing.

Similar investigations were concluded by the French CNIL, which resulted in a fine against CALOGA and SOLOCAL MARKETING SERVICES for canvassing prospects without their consent and transmitting their data to partners without their consent. Companies acquired prospects’ data mainly from other data brokers, publishers of competition and product testing sites (so-called ‘first-time collectors’). They used this data to canvass people by e-mail, on behalf of their advertising clients. They could also transmit some of this data to their customers, so that they could carry out prospecting themselves.

In other news

Excel spreadsheet: The UK ICO reprimanded the London Borough of Hammersmith and Fulham (the local council) after it left exposed the personal information of 6,528 people for almost two years. The personal data breach occurred when the council responded to a freedom of information request made via the WhatDoTheyKnow.com (WDTK) website in 2021. The council’s response included an Excel spreadsheet which contained 35 hidden workbooks. Once discovered, the information was immediately removed. In total 6,528 people were affected, 2,342 of them children. The personal information relating to the children was classed as sensitive as it included details of children in care and unaccompanied asylum-seeking children. 

Dutch municipalities: The Dutch data protection authority AP will be visiting municipalities on a random basis in the coming months. These inspections aim to check how municipalities deal with the personal data and privacy of citizens and to guide municipalities in the right direction, where necessary. During the visits, the AP will be looking at:

  • Do municipalities have a complete and up-to-date overview of everything they do with the personal data? 
  • Do municipalities properly identify potential privacy risks before they use personal data for something? 
  • Do municipalities have their internal privacy supervision properly arranged? 
  • Do municipalities have a data protection officer who can act freely and independently?

Spanish fines statistics: The Spanish AEPD received 19,000 complaints in 2024, with AI, data spaces, and neurodata among its priority challenges. The most frequent complaints relate to video surveillance, internet services, commerce, transportation and hospitality. The areas of activity with the highest amount of fines are related to energy/water companies, financial institutions/creditors, internet services, telecommunications, and fraudulent contracting. The agency also led 22 cross-border cases as the lead authority and has cooperated as a stakeholder in 348. The year closed with almost 120,000 data protection officers reporting to the agency. 

In case you missed it 

Bank data: The Swedish data protection authority, together with SEB, Nordea, Swedbank and Handelsbanken, has looked at some of the legal conditions for increasing information sharing between banks to combat money laundering, terrorist financing and fraud. The project has, among other things, investigated whether there is a legal basis for a bank to share information about customers within the framework of another bank’s customer due diligence process and risk assessment.

The regulator concluded that legislative amendments were likely needed to enable the sharing of personal data that the banks wish to implement within the framework of the current project.

Replika AI fine: The Italian regulator Garante imposed a 5 million euro fine on a US-based company Luka Inc., which manages the chatbot Replika, and launched an independent investigation to assess whether personal data is being properly processed by the generative AI system behind the service. The chatbot features both a written and voice interface, allowing users to ‘generate a virtual companion’ that can take on the role of a confidant, therapist, romantic partner, or mentor. The authority also found that the company had not implemented any age verification mechanisms—either at registration or during use of the service—despite having declared that minors were excluded from potential users.

Corporate digital responsibility: Germany’s Federal Office for Information Security (BSI) has published a white paper on “Corporate Responsibility in Digital Consumer Protection” (in German). A central component of the white paper is the aspect of information security in consumers’ everyday use of digital offerings. Various fields of action are highlighted, including education, awareness-raising, product safety throughout its entire life cycle, communication in the event of a crisis or incident, and ecological sustainability. Interested parties are invited to actively participate in the discussion and provide feedback.


Data protection digest 1-15 Feb 2025: an employer can’t track alleged ‘inactivity’ of workers via screengrabs and constant video monitoring
https://techgdpr.com/blog/data-protection-digest-17022025-an-employer-cant-track-alleged-inactivity-of-workers-via-screengrabs-and-constant-video-monitoring/ Mon, 17 Feb 2025 09:22:26 +0000

Constant video monitoring and screengrabs at work

A company that used software designed to account for times of alleged “inactivity” and grabbed frequent photos of its employees’ computer screens was fined 40,000 euros by the French data protection regulator CNIL. The staff members were also continuously videotaped, both visually and audibly. In particular, the company had placed software on some of its workers’ PCs to track their teleworking activities. To deter property theft, it also installed a constant video monitoring surveillance system, in both a workplace and a break area. Due to the company’s modest size and the software’s instant withdrawal during the audit, it was decided not to name it. 


GDPR fines clarified

The CJEU clarified the calculation of GDPR fines for undertakings. The top EU court aligned the GDPR ‘undertaking’ concept with that of the TFEU, stating that the maximum amount of the fine is to be determined based on a percentage of the undertaking’s total worldwide annual turnover in the preceding business year. The concept of ‘undertaking’ must also be taken into account to assess the actual or material economic capacity of the recipient of the fine and thus to ascertain whether the fine is at the same time effective, proportionate and dissuasive. 

AI system definition

The European Commission has published non-binding guidelines on prohibited AI practices, as defined by the AI Act, as well as guidelines on the AI system definition, to support the application of the first AI Act rules, which apply from 2 February. The guidelines specifically address practices such as harmful manipulation, social scoring, emotion recognition, and real-time remote biometric identification, among others.

The guidelines on AI system definition explain the practical application of the legal concept. The definition adopts a lifecycle-based perspective encompassing two main phases: the pre-deployment or ‘building’ phase and the post-deployment or ‘use’ phase. It can comprise seven main elements, (not required to be present continuously throughout both phases): 

  • a machine-based system; 
  • that is designed to operate with varying levels of autonomy; 
  • that may exhibit adaptiveness after deployment; 
  • and that, for explicit or implicit objectives; 
  • infers, from the input it receives, how to generate outputs; 
  • such as predictions, content, recommendations, or decisions; 
  • that can influence physical or virtual environments.

Legal updates worldwide

China data privacy updates: The Cyberspace Administration of China released measures for the administration of compliance audits on personal data protection, including cross-border data transfer regulations. They apply to all personal information processors operating within the country. Processors handling data of over 10 million individuals must conduct audits at least every two years. Processors handling data of over 1 million individuals must appoint a data protection officer. These and a number of other measures take effect on 1 May 2025.

UK privacy law reform: The Data (Use and Access) Bill completed its House of Lords stages and had its first and second readings in the House of Commons. Several significant amendments were made to the Bill, including the addition of clauses regarding compliance with UK copyright law by operators of web crawlers and general-purpose AI models, transparency and deepfakes, as well as an extension of the direct marketing ‘soft opt-in’ from the commercial sector to the charity sector too.

The Bill will allow automated decision-making, (with exceptions on processing with a legal or similarly significant effect), with no limitation on which lawful basis an organisation can use, subject to putting specific safeguards in place. Finally, in a debate focussed on concerns about using research provisions for AI development, Parliament chose to limit the provision by adding a public interest test rather than by imposing a blanket ban.  

Direct marketing advice generator

The UK Information Commissioner launched a free online tool to help organisations ensure their direct marketing activities comply with the Privacy and Electronic Communication Regulations (PECR), and the UK GDPR. This allows organisations to reach out and promote their products and services to both new and existing customers and can assist in making sure they’re contacting people who are happy to hear from them. The tool covers email, SMS, direct mail, social media, telemarketing, etc.

TIA

The French CNIL published the final version of its Data Transfer Impact Assessment guide, (in French). Regardless of their status and size, a very large number of data controllers and processors are concerned by the issue of data transfers outside Europe. A TIA must be carried out by the exporter subject to the GDPR, with the assistance of the importer, before transferring the data to a country outside the EEA where such transfer is based on a tool of Art. 46 of the GDPR (standard contractual clauses, binding corporate rules, etc.). There are two exceptions to this obligation for the data exporter:

  • the country of destination is covered by an adequacy decision of the European Commission; 
  • the transfer is made based on one of the derogations listed in Art. 49 of the GDPR.

More from supervisory authorities

Age assurance and digital services: The best interests of the child should be a primary consideration for all parties involved in processing personal data, states the EDPB. So far, the GDPR has introduced minimum age requirements in the context of information society services (Art. 8), and the Digital Services Act references age verification as a risk mitigation measure (Art. 35). Several Member States have implemented minimum age requirements for performing legal acts, exercising certain rights or accessing certain goods and services.

The risk-based approach is also crucial when balancing the potential interference with natural persons’ rights and freedoms against children’s safety. This would therefore require that a Data Protection Impact Assessment, (Art. 35 GDPR), be conducted before processing, taking into account the nature, scope, context and purposes of the processing. Furthermore, any occurrence of automated decision-making in the context of age assurance should also comply with the GDPR.

Customer data checklist: The personal data that telecommunications providers typically process includes name, date of birth, postal address, bank details, email address and telephone numbers. This data is of interest to attackers in itself. Mobile phone numbers or email addresses are also often used as security anchors for other services. In addition, the business model of telecommunications providers involves dealing with expensive hardware. Taking into account the state of the art and the implementation costs, an appropriate level of protection must then be guaranteed in each case. To that end, the German Federal Data Protection Commissioner (BfDI) offers a checklist (in German) for handling customer data in sales for telecommunications companies from a data protection perspective, to facilitate the analysis of risks related to personal data.


Search engine and anonymity

QWANT is a French company that launched its search engine in 2013. The data used in the context of the sale of the search engine’s advertising space, operated via Microsoft, was presented as anonymous (a truncated IP address, or a hashed IP address used to build an identifier). However, in 2019, following a complaint, the French CNIL found that, despite the strong precautions taken to avoid the re-identification of individuals, the dataset transmitted to Microsoft was not anonymised but only pseudonymised.

In 2020, the company was alleged to have modified its privacy policies (in various languages, due to cross-border processing) to mention:

  • the transmission of “pseudonymous” data to Microsoft; and
  • the explicit legal basis and advertising purposes for the data transmission.

Former employee data from personal email

The Danish Data Protection Authority has decided a case in which a company had accessed and downloaded emails from a former employee’s private email account as part of a dispute between the parties and a police report. The company informed the regulator that it was processing these data on the basis of legitimate interest. The regulator criticised the move. It noted that the company’s investigation was directed at the former employee’s work computer, and that access to the personal email account was discovered by accident.

Nonetheless, the company continued to search, even after the company had become aware that it was a personal email account.

More enforcement decisions

Transaction logs failure: According to Data Guidance, the Spanish data protection authority AEPD resolved a case in which it fined GENERALI ESPAÑA, (insurance and finance services), 4 million euros for a data breach. An attacker used insurance broker credentials to get access to the personal information of policyholders, former policyholders, and other people, (about 1.5 million), as a result of a technical glitch in the customer maintenance system update. Furthermore, the lack of transaction logs made it impossible to determine the true extent of the intrusion immediately. Names and surnames, ID numbers, phone numbers, dates and birthplaces, and IBANs were among the personal information breached.


Hidden video monitoring in neonatology: Similarly, the Polish UODO imposed a fine of approx. 275,000 euros on Centrum Medyczne Ujastek in Kraków for installing image recording devices in two rooms of the neonatology department, and for failing to apply technical and organisational measures appropriate to the risk for data processed on memory cards located in the monitoring devices. Images showed newborns and their mothers performing intimate activities, including feeding and caring for children.

The children whose images were recorded no longer required intensive care, so their health was not at risk. Neither patients nor employees were informed about the recording. At the same time, the Medical Center reported to the UODO a loss or theft of memory cards from image recording devices in the above-mentioned rooms. After investigation, it was determined that the memory cards on which the recordings were located were not encrypted, and the devices used to record images were not configured properly. Finally, the risk analysis did not include the risk that was the cause of the incident and did not specify the security measures that could prevent it.

Data security

Data scraping: The Guernsey Data Protection Authority reported a recent suspected data scraping incident in which an online business directory appeared to have been scraped by a third party using an automated tool, who then attempted to sell the data. The regulator recommends key measures for any websites with business directories, user profiles, or that store personal data in any other form:

  • Rate limiting, also known as throttling, is a technique used to limit the number of actions a user can make on a website in quick succession, safeguarding against automated bots.
  • CAPTCHA is a widely used tool which requires users to confirm that they are human by completing a quick and simple task.
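An added example of the rate limiting recommended above (not code from the Guernsey authority): a per-client sliding-window throttle for a directory listing endpoint, replayed against constructed request timings for a person paging through results and for an automated scraper. The limit of 30 served requests per 60 seconds and the client addresses are assumed values.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Per-client throttle: at most `limit` served requests in any `window`-second span.

    Keyed by whatever identifies the client (source IP, session, API key). Throttled
    requests are not recorded, so a client that backs off regains budget as old hits age out.
    """

    def __init__(self, limit=30, window=60.0):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client -> timestamps of served requests

    def allow(self, client, now=None):
        """True if the request fits the budget, False if it should get HTTP 429 or a CAPTCHA."""
        now = time.monotonic() if now is None else now
        hits = self._hits[client]
        while hits and now - hits[0] >= self.window:  # drop hits that left the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def replay(limiter, client, timestamps):
    """Feed one client's request times through the limiter; return (served, throttled)."""
    served = sum(1 for t in timestamps if limiter.allow(client, t))
    return served, len(timestamps) - served


# Constructed traffic against a directory listing endpoint (not captured from any site):
# a person opening a page of results every 6 s, and a scraper pulling 10 pages per second.
HUMAN_REQUESTS = [i * 6.0 for i in range(20)]     # 20 pages over two minutes
SCRAPER_REQUESTS = [i * 0.1 for i in range(200)]  # 200 pages in 20 seconds


def demo():
    """Return {client: (served, throttled)} for the two constructed clients."""
    limiter = SlidingWindowLimiter(limit=30, window=60.0)
    return {
        "human": replay(limiter, "198.51.100.23", HUMAN_REQUESTS),
        "scraper": replay(limiter, "203.0.113.7", SCRAPER_REQUESTS),
    }


if __name__ == "__main__":
    for client, (served, throttled) in demo().items():
        print(f"{client}: served={served} throttled={throttled}")
```

The person never touches the limit while the scraper is cut off after its first 30 pages; serving a CAPTCHA instead of a plain 429 on the throttled path combines the two measures the regulator lists.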

Data breach notification: The Swiss data protection authority FDPIC published guidelines on reporting data security breaches. As a rule, the report must contain a description of the circumstances of the breach and the controller’s assessment of its implications and include in particular details of the type, time, duration and extent of the breach and its already known and anticipated effects on the data subjects. The regulator also accepts voluntary reports where the controller does not assess the breach as posing a high risk to the data subjects but wishes to inform the FDPIC for other reasons. At the same time, data security breaches that lead to serious breaches of professional and manufacturing secrecy but do not affect personal data do not fall within the scope.

Big Tech

Gig economy: What would you do if your employer suddenly fired you or reduced your pay without telling you why? asks Privacy International. Unfortunately, this is the reality for the many millions of gig workers driving or delivering for platforms like Uber, Deliveroo and Just Eat, where algorithms handle everything from hiring to firing to dynamically adjusting pay and allocating jobs. To that end, PI has produced three demands for platforms to implement:

  • Maintain a public register of the algorithms used to manage workers;
  • Accompany all algorithmic decisions with an explanation of the most important reasons and parameters behind;
  • Allow workers, their representatives and public interest groups to test how the algorithms work.

Shift from third-party cookies to device fingerprinting? Research by DLA Piper examines Google’s plan to remove the ban on device fingerprinting—which entails gathering and combining data about a device’s hardware and software to identify the device—for businesses that use its advertising tools, with effect from February 16. This comes after Google decided to keep third-party cookies in July 2024. See the original analyses for the implications of such a move regarding consent requirements and reduced user control.

Agentic AI: The Future of Privacy Forum takes a deep dive into a new technology described as “AI agents.” Unlike automated systems and even LLMs, these systems go beyond previous technology by having autonomy over how to achieve complex tasks, such as navigating a user’s web browser to take actions on their behalf (from making restaurant reservations and resolving customer service issues to coding complex systems). You can read the original publication for data protection considerations of such systems, such as data collection, a lawful basis for model training, data subject rights, accuracy of output, data security and ensuring adequate explainability.

Data protection digest 18 Jan – 2 Feb 2024: social media industry grilled over child safety and mental health
https://techgdpr.com/blog/data-protection-digest-05022024-social-media-giants-grilled-over-child-safety/ Mon, 05 Feb 2024 10:44:12 +0000

Child safety online was the subject of a sometimes heated US Congressional hearing, forcing CEOs of the biggest American social media giants to apologise to parents of victims. While legislators are struggling to find a legal solution to the crisis, police are finding evidence of children as young as seven being at risk of harm.


Children at risk

Last week, the CEOs of Meta, X, TikTok, Snap and Discord were questioned before the US Congress over alleged harms to young users on their platforms – access to drugs and subsequent overdoses, harassment, grooming and trafficking exploitation, leading in some cases to death. Legislators stated that the industry, through its constant pursuit of engagement and profit, failed to adequately invest in trust and child safety. Executives highlighted controls and tools they have introduced to mitigate harm. 

US legislators are pushing forward legal solutions to the existing crisis through the debated Kids Online Safety Act and anti-CSAM legislation, as well as changes to the COPPA rule. Meanwhile in neighbouring Canada, (British Columbia province), some of the measures have just been enforced.

In the EU, a draft Parliament position was adopted by the LIBE Committee at the end of last year, now awaiting further enforcement. The privacy regulators meanwhile warn about present risks to children and their personal information online. For instance, the Guernsey data protection authority recently identified a local Snapchat group that includes children as young as seven, possibly encouraging them to share explicit images of themselves. The police now advise parents:

  • to have conversations with their children regarding the reputational and long-term risks associated with sharing personal information via such networks, and 
  • ensure children are not using social networks or apps if they’re under the authorised age for those networks/apps, (13 for Snapchat). 

In the UK, the Information Commissioner’s Office also created a toolkit of free resources to promote responsible data sharing to safeguard children and renewed its age assurance opinion, an important part of its world-leading Children’s code, reflecting developments over the past two years. A similar age-assurance design code was passed into law in California in 2022.

Legal updates

Draft AI Act: The draft legislation received a unanimous endorsement from all 27 European Union member states. Negotiations over the shape of the law concluded last December, with the main focus on safeguards for foundation models and the use of facial recognition software. According to Euractiv analysis, the primary opponent of the political agreement was France, which, together with Germany and Italy, asked for a lighter regulatory regime for the powerful AI models that support general-purpose AI systems (to protect domestic start-ups). Nonetheless, the Parliament insisted on the need for strict guidelines for these models. In April, Parliament will hold its final vote on the law.

German employee data protection: DLA Piper’s legal analysis looks at the data protection provisions relating to employees and other workers in Germany. Currently, it is largely determined by case law, and national legislators are very cautious about using Art. 88 of the GDPR – the adoption of provisions that specify data protection requirements in the employment context. Even more problematic, relevant provisions of the Federal Data Protection Act (BDSG), after being clarified by the CJEU last year, did not meet the conditions set out in the GDPR. Read more on the envisaged Single Employee Data Protection Act in Germany in the original analysis.

Automated decisions

The Isle of Man data protection commissioner reminds the public of Art. 22 of the GDPR, which provides individuals with the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. It is permitted to use such methods only: a) with the explicit consent of the individual; b) if necessary for entering into, or performing, a contract between the individual and the data controller; or c) if authorised by law. The controller must also have safeguards in place to allow individuals to obtain human intervention regarding the decision, to contest it in certain cases or to express their point of view.

AI checklist

The Bavarian data protection authority for the private sector published a draft ‘Data Protection and AI’ checklist, (in German). In addition to a legal basis for the creation of AI models and the operation/use of AI applications, the rights of those affected and other compliance requirements of the GDPR must also be implemented. The data protection risk model must be documented and regularly checked to ensure that it is up-to-date and complete. If necessary, the test points, (see them here), can be checked as part of the control activities by the data protection officer.

Software for schools

The Danish supervisory authority has investigated the use of Google Workspace in Danish schools in 53 municipalities. The report considers that the municipalities have had no reason to forward student data to Google for the development and measurement of services, ChromeOS and the Chrome browser. The data protection authority also reminds the municipalities that they should have found out how Google processes the transmitted personal data before implementing the tools. Municipalities now have to bring the processing in line with the rules:

  • Municipalities should no longer pass on personal data to Google for these purposes. This will likely require Google to develop a technical option for the data streams in question to be intercepted.
  • Google must itself refrain from processing the information for these purposes.
  • The Danish Parliament provides a sufficiently clear legal basis for disclosure for these purposes.

A similar investigation on the use of Google’s teaching platform in schools was conducted in Finland in 2021. The decision does not prohibit the use of the educational platform but states that a legal basis must be defined for the processing of students’ data in Google services.

Purpose limitation

How to comply with the principle of purpose limitation? The Latvian data protection authority explains that when your data is transferred to someone else, it is usually done with the confidence that the data will be used for a specific purpose that is clearly understood by you. The principle of purpose limitation is closely related to other principles established in the GDPR, such as the principle of transparency, because only by knowing the specific purpose of data processing can a person understand what to expect within the scope of their data processing. 

Likewise, determining the exact purpose is related to the principles of data minimisation and storage limitation, because the purpose determines how much data is needed to achieve it and how long the data needs to be stored. There is also a connection with the principle of lawfulness, because an appropriate legal basis can only be established for data that is planned to be used for a clearly defined purpose. When considering processing for a different purpose, the controller must first assess whether this purpose is compatible with the initial processing, including the following aspects:

  • the connection between the purposes;
  • the context in which data has been collected;
  • nature of data;
  • the consequences that further processing would have for the data subject;
  • the existence of adequate safeguards in both initial and intended subsequent processing operations.


EDPB documentation

The EDPB published a One-Stop-Shop case digest on Security of Processing and Data Breach Notification. The relevant decisions were initially filtered using Art. 32 of the GDPR, (security of processing), as the main legal reference. This article establishes an obligation for both data controllers and data processors to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The analysis of decisions will provide insights into how regulators interpret these obligations in concrete situations, such as how to protect organisations against hacking, how to ensure meaningful and robust encryption, how to build strong passwords, etc. 

The EDPB has launched a website auditing tool that can be used to help analyse whether websites are compliant with the law. It can be used by both legal and technical auditors at data protection authorities, as well as by controllers and processors who wish to test their websites. The tool is Free and Open Source Software under the EUPL 1.2 licence, and its source code is available for download on code.europa.eu.

Enforcement decisions

Prospect data: The French CNIL fined TAGADAMEDIA (online competition and product testing websites) 75,000 euros. The data collected by brokers is sent to the company’s partners for commercial prospecting. The prospect questionnaire did not allow free, informed and unambiguous consent to be obtained: the button allowing users to give their consent was highlighted, in contrast to the one allowing users to refuse consent, which also featured an incomplete text of reduced size, alongside a strong encouragement for users to agree to the transmission of their data to partners.

Insurance companies: An administrative court in Finland upheld the data protection commissioner’s decisions on the handling of health data by insurance companies. In some situations, insurance companies request personal health information directly from healthcare providers. However, data should be identified and precisely defined, which means only the necessary information from the provider and for the period that is relevant in assessing the insurance company’s liability is required. Also, the insurance applicant’s data from health services cannot be processed before concluding the contract.

Intrusive scientific research: The Italian regulator sanctioned a municipality for conducting two scientific studies, using cameras, microphones and social networks. The projects, financed with European funds, aim to develop technological solutions to improve safety in urban areas. It involved footage from video surveillance cameras already installed in the municipal area, as well as audio obtained from microphones specifically placed on the street. One of the projects also analysed hateful messages and comments published on social media, detecting any negative emotions and processing information of interest to the police. The municipality has not proven the existence of any legal framework for the processing: the data was unlawfully shared with third parties and partners. Furthermore, the anonymisation techniques proved insufficient.

Data breaches

Undetected attacker: America’s FTC’s proposed action against Blackbaud alleges that the company’s failure to implement some basic safeguards resulted in the theft of highly sensitive data about millions of consumers, including Social Security numbers and bank account information. South Carolina-based Blackbaud provides a wide variety of data, fundraising, and financial services to more than 45,000 companies, including nonprofits, foundations, educational institutions, and healthcare organisations. 

In 2020, an attacker purportedly used a Blackbaud customer’s login and password to access certain Blackbaud databases. The attacker rummaged around undetected for three months until Blackbaud finally spotted a suspicious login on a backup server. By then, the attacker had stolen data from tens of thousands of Blackbaud’s customers, which compromised the personal information of millions of consumers. Blackbaud eventually agreed to pay 24 Bitcoin, (valued at about 250,000 dollars), in exchange for the attacker’s promise to delete the stolen data. But Blackbaud hasn’t been able to verify that the attacker followed through. 

Data processor supervision: The Danish data protection authority reported Capio A/S to the police for not having supervised data processors. The private hospital may face a fine of approx. 200,000 euros. In particular, the hospital has not been able to ensure and demonstrate that personal data is processed for legal and reasonable purposes and in a way that ensures sufficient security for the sensitive personal data of the large number of data subjects in question, over several years.

Data security

TOMs: The Swiss data protection authority has revised its guide on technical and organisational security measures, (in English). The guide is primarily intended for people in charge of information systems, whether technicians or not, who are directly confronted with the problem of personal data management. 

Cloud: The French CNIL published factsheets on encryption and data security (in French). It offers a detailed analysis of the different types of encryption applied to a cloud computing service: encryption at rest, in transit and in-process, and end-to-end encryption (e2ee). The guide also looks at various tools to secure cloud services (anti-DDoS, WAF, CDN, load balancer) and key vigilance points.

Login: What to do if you detect a credential-stuffing attack? The Lithuanian data protection authority recommends responding quickly and proactively:

  • determining whether the attacker managed to use the available accesses,
  • blocking potential malicious activity,
  • notifying users of an attack and encouraging them to change their passwords,
  • notifying the regulator about the personal data security breach that has occurred,
  • conducting a thorough incident investigation and implementing additional security measures to prevent similar attacks in the future (2FA, automatic attack detection systems, password policy).

Finally, if the attack is systemic or involves multiple platforms, it is recommended to collaborate with other data controllers in analyzing the incident.
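An added example, not from the Lithuanian authority, of the first step in that list: detection logic run over constructed authentication log lines that separates credential stuffing, where one source tries many different accounts, from a normal user's mistyped password, and lists the accounts the attacker actually got into. The log format, the addresses (documentation ranges) and the threshold of five distinct accounts are assumptions.

```python
import re
from collections import defaultdict

# Constructed authentication log (not from any real system); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges. One source cycles through many
# accounts with a single failure each, which is the stuffing pattern; a real user
# mistypes once and then succeeds from the same address.
SAMPLE_LOG = """\
2025-02-10T08:00:01Z ip=203.0.113.7 user=alice result=FAIL
2025-02-10T08:00:01Z ip=203.0.113.7 user=bob result=FAIL
2025-02-10T08:00:02Z ip=203.0.113.7 user=carol result=FAIL
2025-02-10T08:00:02Z ip=203.0.113.7 user=dave result=FAIL
2025-02-10T08:00:03Z ip=203.0.113.7 user=erin result=FAIL
2025-02-10T08:00:03Z ip=203.0.113.7 user=frank result=OK
2025-02-10T08:00:04Z ip=203.0.113.7 user=grace result=FAIL
2025-02-10T08:05:10Z ip=198.51.100.23 user=alice result=FAIL
2025-02-10T08:05:25Z ip=198.51.100.23 user=alice result=OK
2025-02-10T08:07:00Z ip=198.51.100.40 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_stuffing(events, min_distinct_users=5):
    """Flag each source IP whose failed logins span at least `min_distinct_users` accounts.

    For every flagged source the report also lists the accounts it logged into
    successfully, which answers the first question in the regulator's list: did the
    attacker manage to use any of the credentials.
    """
    per_ip = defaultdict(lambda: {"failed_users": set(), "failures": 0, "ok_users": set()})
    for e in events:
        rec = per_ip[e["ip"]]
        if e["result"] == "FAIL":
            rec["failures"] += 1
            rec["failed_users"].add(e["user"])
        else:
            rec["ok_users"].add(e["user"])
    report = {}
    for ip, rec in per_ip.items():
        if len(rec["failed_users"]) >= min_distinct_users:
            report[ip] = {
                "distinct_users_tried": len(rec["failed_users"]),
                "failures": rec["failures"],
                "compromised_accounts": sorted(rec["ok_users"]),
            }
    return report


def accounts_to_reset(report):
    """Accounts reached from a flagged source: lock, notify the user and force a password change."""
    return sorted({u for rec in report.values() for u in rec["compromised_accounts"]})


if __name__ == "__main__":
    report = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, rec in report.items():
        print(f"{ip}: {rec['distinct_users_tried']} accounts tried, "
              f"{rec['failures']} failures, got into {rec['compromised_accounts']}")
    print("force reset:", accounts_to_reset(report))
```

On the sample only 203.0.113.7 is flagged (six accounts tried, one success), and that single success is the account that needs a reset and a notification; the user who mistyped once from 198.51.100.23 is left alone.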

Cybersecurity program: As cybersecurity threats continue to mount, you need to show improvements over time to your CEO and customers. How do you measure your progress and present it using meaningful, numerical details? The US NIST offers a Draft Guidance on Measuring and Improving Your Company’s Cybersecurity Program. It is aimed at different audiences within an organisation, security specialists and the C-suite alike, and can help organisations move from general statements about risk level toward a more coherent picture founded on hard data.

Big Tech 

Amazon “stalking” employees: The French data protection authority fined Amazon France Logistique 32 mln euros for putting employees under constant surveillance. The company manages the Amazon group’s large warehouses in France, where it receives and stores items and then prepares parcels for customer delivery. Each warehouse employee is given a scanner to document the performance of certain tasks in real time. Each scan results in the recording and prolonged storing of data used to calculate employee quality, productivity and periods of inactivity, (the “error” margin was set to less than 1.25 seconds or longer than 10 minutes). The company was also fined for video surveillance without information or sufficient security. 

Uber has been fined 10 mln euros by the Dutch data protection authority for violating privacy regulations related to its drivers’ data. Uber failed to specify in its terms and conditions the duration for which drivers’ data is retained and the security measures in place, particularly when transferring data to non-European countries. The fine was imposed following a complaint by over 170 French drivers, which was then forwarded to the French data protection authority and subsequently to the Dutch regulator, as Uber’s European headquarters is in the Netherlands. 

The post Data protection digest 18 Jan – 2 Feb 2024: social media industry grilled over child safety and mental health appeared first on TechGDPR.

Data protection digest 17 June – 2 July 2023: rules on GDPR fines, controllers’ BCRs and ‘right to know’ https://techgdpr.com/blog/data-protection-digest-04072023-rules-on-gdpr-fines-controllers-bcrs-and-right-to-know/ Tue, 04 Jul 2023 08:35:52 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

New rules on GDPR fines: New rules, issued by the EDPB, are now in effect for calculating fines for companies that violate the GDPR. All privacy supervisors in the EU will calculate the size of fines in the same way. The size and turnover of a company will play a major role. Companies can find in the guidelines which amount is used as a starting point for calculating the fine for a particular violation and the severity level for a company of their size. 

US State legislation: More state privacy laws have joined the ranks of those in the US enacting such legislation – Montana, Florida, and Texas. California, Virginia, Colorado, Utah, and Connecticut were the five states with consumer privacy laws in 2022, with all of them slated to go into effect in 2023. Early this year, Iowa, Indiana, and Tennessee passed their own privacy legislation, that will take effect by 2025 or 2026. In many circumstances, the new legislation compels covered entities to recognize opt-out preferences for users and to include particular disclosures in the sale of sensitive personal data or biometric data.

Foreign Surveillance: The White House is putting pressure on to reauthorize an electronic surveillance law that allows the targeted monitoring of foreign individuals. The Foreign Intelligence Surveillance Act’s Section 702 is due to sunset at the end of the year. While the program is designed to acquire information on non-Americans residing outside the US, it also collects information on their conversations with US citizens. Curbing US state surveillance practices is also a cornerstone of the future EU-US Data Privacy Framework, which is now being considered by the EU Commission for adoption. 

Official guidance

Updated BCR-C: The EDPB approved the recommendations regarding Controller Binding Corporate Rules. All data controllers using BCRs must update the rules they use to comply with the new recommendations. It clarifies, among other things, what should be included in the controller’s BCR rules, and what must be presented in the BCR application. The recommendations also include an updated standard application form for the BCRs. All users of the BCRs and those applying for approval under them must bring themselves into compliance either during the application process or as part of the annual update, depending on their situation. The EDPB is currently drafting recommendations on the BCRs for personal data processors as well.

Data subject complaints: Another form issued by the EDPB makes it easier for individuals to make complaints to data protection authorities in the EU and EEA. Its use is voluntary for data protection authorities, and they can modify the model to suit their national requirements. The form can be used in cases where a private person files a complaint, or cases where someone else files a complaint, (a legal representative or an entity acting on behalf of an individual).

Age assurance tech: The “Future of Privacy Forum” organisation publishes infographics on age assurance technology. The analysis outlines the three categories of age assurance, their risks and advantages: a) Age declaration, (age gate, parental consent/vouching); b) Age estimation, (facial characterisation and other algorithmic estimation methods based on browsing history, voice, gait, or data points/signals); c) Age verification, (government, biometrics or digital ID). Another report by the organisation looks at verifiable parental consent, a form of age declaration and a requirement of the Children’s Online Privacy Protection Act, alongside its analyses of new children’s privacy laws in various US states.

‘Gestiona’ tool: The Spanish data protection agency has launched a new version of its Gestiona tool, aimed especially at small public or private entities, which allows managing records of processing activities, carrying out risk management and, where appropriate, providing support for carrying out impact assessments. The tool now has a more intuitive design and incorporates the latest guidelines. The management is carried out in the user’s own browser, without data being transmitted to the regulator. The information can be stored in a file on the user’s computer and retrieved after each session.

PETs: The UK Information Commissioner’s Office issued guidance that discusses privacy-enhancing technologies in detail. The first part of the guidance is aimed at DPOs, (data protection officers) and those with specific data protection responsibilities in larger organisations. The second part is intended for a more technical audience, and for DPOs who want to understand more detail about the types of PETs that are currently available. It gives a brief introduction to eight types of PETs and explains their risks and benefits, with reference tables and case studies. 

Case Law

‘Right to know’: The CJEU stated that every person has the right to know the date of and the reasons for the consultation of their personal data. In the related case, an employee of a bank, who was also its client, had requested information about the persons who had reviewed his customer information in connection with an internal audit. The bank had refused to disclose the identity of the employees who performed the review but disclosed the reasons and other details. The CJEU states that a person has the right to receive a ‘copy’ of information about the inquiries, such as log data, (e.g., it may show the frequency of the review). However, the data subject does not have the right to receive information about the identity of the reviewer acting under the authority of the data controller.

DPO’s conflict of interest: In a recent ruling, (not yet published in full), the German Federal Labour Court, (‘BAG’), has decided that the chair of a works council is not eligible to serve as DPO, Ius Laboris Law blog reports. In the case in question, following GDPR instructions, an employer twice dismissed the works council chairman as DPO as a precautionary measure. Before deciding that the revocation of the appointment had been justified, the court had referred the question to the CJEU. 

The CJEU ruled that the roles of works council chair and DPO could not be undertaken by the same individual without creating a conflict of interest. Because the works council decides the aims and means of processing personal data, (as required by applicable laws), the works council chair is unable to supervise data protection law compliance in a sufficiently independent manner. The court clearly left open the question of whether all members of the works council are barred from acting as DPO. However, the conflict of interest considerations may exist for them as well. 

Enforcement decisions

IAB Europe’s TCF update: Interactive Advertising Bureau Europe, (the European-level association for the digital marketing and advertising ecosystem), launched an updated Transparency & Consent Framework in response to industry demand and the Belgian data protection authority action plan. Among changes, the TCF includes revised purpose names and descriptions, new retention periods, the removal of the legitimate interest legal basis for advertising and content personalisation, the introduction of data categories used in conjunction with the purposes, and a more robust vendor compliance program. Participants will have until the end of the third quarter of 2023 to adopt it.

User profiling for direct marketing: The Swedish Privacy Protection Agency issued a sanction of approx. 1 mln euros against Bonnier News, because the group profiled its customers and web visitors without their consent. The company, as a stated legitimate interest, collects information from several different sources for targeted advertising on the web and marketing via physical mail and telephone sales. The data includes information about purchases made in various companies in the group and surfing behaviour. In some cases, this information is also combined with other personal data that is bought in from outside, such as information about the customer’s gender, the household’s car ownership and postcode, as well as statistical information based on the individual’s area of residence such as stage of life, purchasing power and type of residence.

Facial recognition at stadiums: The Danish data protection authority reauthorized Brøndby football club’s use of facial recognition at stadiums for its matches. Brøndby will be able to use images from surveillance cameras to register individuals who violate the rules of order so that such persons can be apprehended when they subsequently try to access the stadium again. The club must ensure it observes the duty of disclosure when collecting the personal data of individuals concerned and provide information that access control is being carried out. The storage period for such data would be for 30 days or even longer. 

Personalised ads: Criteo, which specialises in “behavioural retargeting”, was fined 40 million euros in France for failing to verify an individual’s consent and the fulfilment of data subject rights. The company collects the browsing data of Internet users thanks to its cookie which is placed on their terminals when they visit certain e-commerce websites. The company determines which advertiser and which product would be most relevant to display to a particular user. Then, it participates in real-time bidding to display it. Additionally, when a person exercises their right to withdraw consent or deletion of their data, the process implemented by the company only stops the display of personalised advertisements to the user and does not delete the identifier assigned to the person or erase navigational history. 

E-mail service provider: The Finnish data protection authority has issued a notice to an e-mail service provider, as the company had not offered the user the possibility to transfer their e-mail messages from the service as required by the GDPR. Users of the free version of the e-mail service had the option to manually export their messages one at a time. By contrast, customers who paid for the use of the service were offered tools that made it possible to export messages in bulk. As a rule, the data subject must receive their personal data in a structured, commonly used and machine-readable format, and the controller must not make it difficult or prevent the transfer of data, (Art. 20 of the GDPR, “Right to data portability”).

Data security

Mobile device data: In an effort to assist organisations with deployment strategies, the US National Institute of Standards and Technology released a revised guide for managing the security of mobile devices in the enterprise. The publication provides a five-step enterprise mobile device deployment life cycle:

  • Identify Mobile Requirements, (Bring Your Own Device or Corporate-Owned and Personally-Enabled is selected).
  • Perform Risk Assessment, (performed on a regular basis).
  • Implement Enterprise Mobility Strategy, (management, policies, configurations, system testing, additional security).
  • Operate and Maintain, (control settings, periodic audits).
  • Dispose of and/or Reuse Devices. 

Big Tech

Draft Data Act: The Council and the Parliament reached an agreement on rules to access and use data collected in the EU across all economic sectors, where the data are generated through smart objects, machines, and devices. The Data Act will provide consumers more control over their data by strengthening portability rights, interoperability standards, and safeguards against unlawful data transfers by service providers. The Data Act takes into account current horizontal and sectorial laws including the GDPR. 

It has received criticism from a variety of sources, including by the crypto industry bodies on the wide classification of smart contracts as “computer programs.” Smart contracts might potentially be constructed to provide an access control mechanism, but this would undermine the technology’s basic functions. Concerns were expressed by software businesses about a clause requiring corporations to share data that might jeopardize trade secrets. Furthermore, some scientists are concerned that the Data Act would favor companies in its goal of expanding access rights to big data, and that publicly financed science will suffer as a result.

Metaverse: Finally, the EU Parliament issued a comprehensive analysis of the Metaverse. Commercial, industrial and military applications bring both opportunities and significant concerns for everyday life, health, work, and security, says the paper. The metaverse can be provided by public or private actors for single users or as a networking platform. It can mirror reality, create a simulation of an entirely new space and actors, or mix both. Forecasts indicate that we are experiencing a decade of the metaverse and that it will take 6 to 8 years to achieve its full potential. However, important elements of the metaverse such as digital ethics, digital twins, blockchain, generative AI, tokenization, or digital humans will start to have significant impact much earlier, (1 to 3 years and 3 to 6 years).

Processing children’s data and implementing age assurance mechanisms https://techgdpr.com/blog/childrens-data-and-implementing-of-age-assurance-mechanisms/ Tue, 30 May 2023 11:11:31 +0000

It is undeniable that children (individuals under 18) make up a large portion of the online population. With more content being created to specifically target children, a UK study from Ofcom has shown that many start as young as 3 to 4 years old to consume content on video sharing platforms such as YouTube, and the majority of 8 to 11 year olds have a social media account. As a result, these platforms and services are processing vast amounts of children’s data, whether they intend to do so or not.

Due to their age and general level of maturity and education, children are considered to be vulnerable and granted special rights in the eyes of the majority of jurisdictions. This is internationally recognised through, for example, the United Nations’ Convention on the Rights of the Child. This vulnerability is considered across different areas of legislation, including data protection, leading to specific provisions being included in the GDPR, such as Art. 8, laying the conditions for information society services to process children’s data.

Art. 8 GDPR’s requirements and the age of digital consent

Art. 8 of the GDPR is the only article that regulates the processing of children’s personal data specifically. It provides that the processing of personal data of children is lawful when the child is at least 16 years old (age of digital consent), or, if below that age, only where consent has been given by the holder of parental responsibility for said child. The GDPR also allows for the individual member state to independently legislate on whether the age limit can be lower than 16, so long as it is no lower than 13. Countries such as Germany and the Netherlands have opted to stick to the standard already established by the GDPR, while others, including Belgium and the UK prior to its departure from the EU, have lowered the threshold to the lowest possible age of 13. Notably, the UK’s current data protection provision still maintains that the age of digital consent is 13.

With this provision, the inevitable consequence is that the age of a data subject must first and foremost be appropriately verified, in order to assess whether these rules apply and to take the appropriate steps. However, recent cases and studies have shown that it is inherently difficult to obtain the consent of a parent or guardian, as there are no appropriate mechanisms in place to ensure that children are being truthful about their age.

Growing concerns about the processing of children’s data

One of the main issues that information society services face with regard to the processing of children’s data is that these services are not aware that many of their users are actually under the age of digital consent. So far, the majority of these platforms have been relying on relatively lax forms of self-declaration: the platforms offer services on the legal assumption that the user is responsible for declaring their age truthfully, which lets users easily lie about their age to gain access to platforms where no extra assurance is required.

Ofcom research in the UK has shown that on platforms such as TikTok and Facebook, which only required users to indicate their date of birth, the vast majority simply entered a date of birth indicating that they were older than they actually are. The main issue with this is that it may expose young users to content that is not safe for their age, and also expose them to unlawful collection of their personal data by these platforms.

It is therefore unsurprising that Meta and TikTok are the two biggest companies to have been fined for violations involving the misuse of children’s data, by the Irish and UK data protection authorities respectively. In fact, the UK’s ICO noted that TikTok had been aware of the presence of under-13s on the platform but had not taken the right steps to remove them.

It becomes clear that the development and implementation of more stringent age assurance techniques is necessary to ensure that personal data of children is only processed in accordance with GDPR standards. Whilst the EU is yet to come up with specific guidelines in regards to this matter, the UK has published the Children’s Code, to be applied to online services likely to be accessed by children as a code of practice.

Age assurance mechanisms

Amongst 15 other standards that the Code implements, there is the need to ensure that the product and its features are age-appropriate based on the ages of the individual users. To be able to do so, the code requires that the age of users is established with the appropriate level of certainty, based on the risk level of the processing and taking into account the best interest of the child. Therefore, it is also crucial under the code, to carry out a Data Protection Impact Assessment (DPIA) prior to the processing of children’s data, to evaluate said risk level.

The code suggests some additional age assurance mechanisms that information society services may put in place, and the UK children’s rights foundation 5Rights has identified further ones along with their possible use cases, advantages and risks. Some of these include:

  • Hard identifiers, such as sharing one’s ID or passport or other identifying information. These are considered to provide a high level of assurance, but raise concerns with regard to data minimisation and might otherwise lead to a disproportionate loss of privacy. Organisations are generally advised to implement appropriate storage limitation periods for such data, limited to what is needed to verify an individual’s age once, which makes it tricky to demonstrate, for compliance purposes, that the information was checked. YouTube and OnlyFans are examples of ISS that make use of this mechanism to give access to age-restricted content.
  • Biometric data relies on the use of artificial intelligence to scan for age identifiers in a person’s face, natural language processing or behavioural patterns. It is most commonly used through facial recognition. However, it presents a high degree of risk due to the use of special categories of data, the risk of discrimination by biased artificial intelligence and the effective profiling that takes place. Whilst it does provide a high level of assurance, it also requires a very stringent mechanism in place in order to ensure data is processed safely. GoBubble is a social network site made for children in schools that has been using this kind of age assurance technology, by requesting users to send a selfie upon sign-up. Meta is also currently in the process of testing this method of age assurance, by working with Yoti, one of the leading age assurance technology developers.
  • Capacity testing allows services to estimate a user’s age through an assessment of their capacity, for example through a puzzle, a language test or a task that might give an indication of their age or age range. Whilst this is a safe and engaging option for children, and does not require the collection of personal data, it might not be as effective at determining the specific age of a user. The Chinese app developer BabyBus uses this type of methodology in its app, by providing a test where users are asked to recognise traditional Chinese characters for numbers.

OnlyFans’ age assurance through ID verification. Credits: OnlyFans.

Instagram’s test biometric age assurance. Credits: Meta.
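The hard-identifier route above and the Art. 8 thresholds described earlier can be combined so that the service keeps a record that it checked, without keeping the thing it checked. The script below is an added example, not code from TechGDPR, 5Rights or the ICO Children’s Code. It assumes a document-based flow in which a date of birth is read from the identifier presented at sign-up, encodes only the thresholds named in the article (16 by default, 13 for Belgium and the UK), and retains an assurance record holding the outcome, the method, the threshold applied and a deletion deadline, but not the birth date, the document or any document number. The retention period and record fields are assumptions to be set per DPIA.

```python
"""Minimised age-assurance check for an information society service.

Added example, not code from TechGDPR, 5Rights or the ICO Children's Code.
Assumes a hard-identifier flow: a date of birth is read from the document
presented, and the service keeps only the outcome. Thresholds follow
Art. 8 GDPR: 16 by default, lowered to 13 in Belgium and the UK; other
countries' derogations are not encoded here.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
import secrets

DEFAULT_DIGITAL_CONSENT_AGE = 16           # Art. 8(1) GDPR default
MIN_LAWFUL_THRESHOLD = 13                  # Art. 8 floor for national derogations
LOWERED_THRESHOLDS = {"BE": 13, "GB": 13}  # derogations named in the article


def digital_consent_age(country_code):
    """Age of digital consent for a country, validated against the Art. 8 range."""
    age = LOWERED_THRESHOLDS.get(country_code.upper(), DEFAULT_DIGITAL_CONSENT_AGE)
    if not MIN_LAWFUL_THRESHOLD <= age <= DEFAULT_DIGITAL_CONSENT_AGE:
        raise ValueError(f"threshold {age} outside Art. 8 range")
    return age


def age_on(dob, today):
    """Full years between dob and today; a birthday later this year does not count yet."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


@dataclass(frozen=True)
class AssuranceRecord:
    """What the service retains: enough to demonstrate that a check took
    place and what it concluded, with no birth date, image or document number."""
    record_id: str
    method: str
    country_code: str
    threshold: int
    over_threshold: bool
    parental_consent_required: bool
    checked_at: datetime
    delete_after: datetime


def assess(dob, country_code, today, method="document", retention=timedelta(days=365)):
    """Run the check on a date of birth that is discarded as soon as this returns.

    `retention` is an assumed storage-limitation period, not a value from the Code."""
    threshold = digital_consent_age(country_code)
    over = age_on(dob, today) >= threshold
    now = datetime.combine(today, datetime.min.time(), tzinfo=timezone.utc)
    return AssuranceRecord(
        record_id=secrets.token_hex(8),
        method=method,
        country_code=country_code.upper(),
        threshold=threshold,
        over_threshold=over,
        parental_consent_required=not over,
        checked_at=now,
        delete_after=now + retention,
    )


def purge_expired(records, now):
    """Storage limitation: drop records whose deletion deadline has passed."""
    return [r for r in records if r.delete_after > now]


if __name__ == "__main__":
    # Constructed sample: a 14-year-old signing up from Germany and from Belgium.
    print(assess(date(2009, 7, 1), "DE", date(2023, 7, 2)))
    print(assess(date(2009, 7, 1), "BE", date(2023, 7, 2)))
```

The same birth date yields a parental-consent requirement in Germany and none in Belgium, which is exactly the member-state variation the article describes; and because the record never contains the date of birth, the service can later show a regulator that a check was performed without having retained the identity document it was performed on.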

More examples and use cases of age assurance mechanisms are provided in the 5Rights report. 

Therefore, although it may be difficult to strike a balance between appropriately verifying users’ age prior to sign-up and avoiding over-intrusive measures to do so, it is apparent that solely relying on the user being truthful about their age is no longer sufficient for the majority of platforms, especially when processing vast amounts of personal data or sensitive data, or using personal data for targeted advertising. With the growing number of very young children accessing the internet, it is important to ensure that they are protected, their fundamental rights respected, and relevant data protection provisions fulfilled. In recent years, large steps have been made in the development of alternative secure identity and age verification technologies. The tools are therefore available for organisations to ensure that their GDPR requirements are also met in this respect.

TechGDPR is a consultancy based in Berlin offering GDPR compliance assessments, DPO-as-a-service retainers and hourly consulting. TechGDPR consultants help assess the vendors you wish to purchase your solutions from, navigate the complexity of international data transfers as well as guide you through the most compliant roll-out of the solutions you have purchased. TechGDPR routinely trains product development, HR, marketing, sales and procurement teams in understanding data protection requirements.  It offers an online training course for software developers, system engineers and product owners.
