Silvan Jongerius
https://techgdpr.com/blog/author/silvan/
Feed last built: Wed, 25 Feb 2026 13:02:49 +0000

Conditional Consent: an Open Proposal for How Article 88b Consent Signalling Should Work
https://techgdpr.com/blog/conditional-consent-article-88b-consent-signalling-proposal/
Wed, 25 Feb 2026 12:15:40 +0000

The post Conditional Consent: an Open Proposal for How Article 88b Consent Signalling Should Work appeared first on TechGDPR.

Cookie consent is broken, and everyone knows it. Europeans spend an estimated 575 million hours per year clicking through consent banners. Research shows that up to 80% of users click “Accept All” when dark patterns push them toward it, which 72% of banners do. Half of websites set cookies before users make any choice at all, and 57.5% keep advertising cookies running even after users revoke consent. This is not informed consent. It is consent theatre, and the European Commission has finally acknowledged it.

The Digital Omnibus proposal, published in November 2025, introduces Article 88b to the GDPR. For the first time, EU law will require websites to accept automated, machine-readable consent signals from browsers. Users would set their preferences once, their browser would communicate those preferences to every site they visit, and controllers would be legally obliged to respect them. No more banners. No more clicking. No more dark patterns.

But here is the catch: the standards for how these signals should work have not been written yet. Article 88b delegates the technical specification to implementing acts and standardisation bodies. The decisions made in that process — what signals can express, who controls the interface, how much granularity users get — will shape consent for a generation of internet users.

That is why we published Conditional Consent: an open concept paper and technical specification proposing what Article 88b signalling should look like, designed from the user’s perspective.

The core idea: consent as conditions, not clicks

Today, consent is binary. Accept or reject, site by site, visit by visit. Conditional Consent proposes that users define rules across three dimensions:

  • Cookie purpose: functional, analytics, advertising, social media, personalisation
  • Website category: e-commerce, news, government, banking, healthcare
  • Third-party processor: first-party only, exclude specific companies, allow named providers

A user might say: “Allow functional cookies everywhere. Allow analytics on shopping sites, first-party only. Deny all advertising cookies. Block any processing involving Meta.”
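To make the three-dimensional rule model concrete, here is an added Python preference engine (not code from the Conditional Consent papers or from TechGDPR) that evaluates a rule set like the one just quoted. Everything beyond the post's text is an assumption of this example: rules are checked in order with the first match winning, a request that matches no rule is treated as denied, and the `Consent-Conditions` header name and its `decision;key=value` syntax are placeholders, since the post does not specify how the signal is encoded.

```python
"""Illustrative preference engine for Conditional Consent rules.

Added example, not code from the Conditional Consent project or TechGDPR.
Assumed model: each rule is an allow/deny decision over the three dimensions
(cookie purpose, website category, third-party processor); rules are evaluated
in order, first match wins, and an unmatched request is denied. The header
name and grammar below are hypothetical placeholders.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "*"                  # wildcard: the rule does not constrain this dimension
FIRST_PARTY = "first-party"


@dataclass(frozen=True)
class Rule:
    decision: str             # "allow" or "deny"
    purpose: str = ANY        # e.g. functional, analytics, advertising
    site_category: str = ANY  # e.g. e-commerce, news, banking
    processor: str = ANY      # ANY, "first-party", or a named vendor

    def __post_init__(self):
        if self.decision not in ("allow", "deny"):
            raise ValueError(f"bad decision: {self.decision!r}")


@dataclass(frozen=True)
class Request:
    """One concrete processing operation a site wants consent for."""
    purpose: str
    site_category: str
    processor: str = FIRST_PARTY


def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule matches when every constrained dimension equals the request's value."""
    pairs = ((rule.purpose, req.purpose),
             (rule.site_category, req.site_category),
             (rule.processor, req.processor))
    return all(want == ANY or want == have for want, have in pairs)


def evaluate(rules: list, req: Request) -> tuple:
    """Return (decision, index of matching rule), or ("deny", None) if nothing matches.

    Default-deny is an assumption of this example: no rule means no consent.
    """
    for i, rule in enumerate(rules):
        if rule_matches(rule, req):
            return rule.decision, i
    return "deny", None


# Hypothetical header (not from the post):
#   Consent-Conditions: <rule>, <rule>, ...   where
#   <rule> := decision[;purpose=X][;site=Y][;processor=Z]
HEADER_NAME = "Consent-Conditions"
_KEYS = {"purpose": "purpose", "site": "site_category", "processor": "processor"}


def to_header_value(rules: list) -> str:
    """Serialise rules in order; wildcard dimensions are omitted."""
    parts = []
    for r in rules:
        fields = [r.decision]
        for key, attr in _KEYS.items():
            if getattr(r, attr) != ANY:
                fields.append(f"{key}={getattr(r, attr)}")
        parts.append(";".join(fields))
    return ", ".join(parts)


def from_header_value(value: str) -> list:
    """Parse the illustrative header back into rules; unknown keys are rejected."""
    rules = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        decision, *params = item.split(";")
        kwargs = {}
        for p in params:
            key, _, val = p.partition("=")
            if key not in _KEYS or not val:
                raise ValueError(f"malformed parameter: {p!r}")
            kwargs[_KEYS[key]] = val
        rules.append(Rule(decision.strip(), **kwargs))
    return rules


# Constructed sample data: the rule set of the post's example user.
# The Meta rule goes first so it overrides the "functional everywhere" allow.
EXAMPLE_RULES = [
    Rule("deny", processor="meta"),                        # block anything involving Meta
    Rule("allow", purpose="functional"),                   # functional cookies everywhere
    Rule("allow", purpose="analytics",
         site_category="e-commerce", processor=FIRST_PARTY),  # analytics on shops, 1st party
    Rule("deny", purpose="advertising"),                   # no advertising cookies
]

if __name__ == "__main__":
    print(f"{HEADER_NAME}: {to_header_value(EXAMPLE_RULES)}")
    for req in (Request("functional", "news"),
                Request("analytics", "e-commerce", "analytics-vendor"),
                Request("functional", "news", "meta")):
        print(req, "->", evaluate(EXAMPLE_RULES, req))
```

Note that rule order carries meaning in this model: the processor-level deny has to precede the purpose-level allow, otherwise "functional cookies everywhere" would also permit functional processing by Meta. A real specification would need to pin down that precedence (or define it by specificity rather than order), which is exactly the kind of detail the implementing standards will have to settle.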

This level of granularity does not exist in any consent tool today. Current Consent Management Platforms offer purpose toggles at best. Global Privacy Control — the most successful browser privacy signal, now mandated in twelve US states — can only express a binary “do not sell.” The Advanced Data Protection Control specification developed by noyb and the Vienna University of Economics and Business came closest to what we propose, supporting granular purpose-based HTTP header signalling, but never achieved real-world adoption and lacks the website category and processor dimensions.

Conditional Consent builds on all of these. It proposes an open HTTP header protocol for Article 88b signalling, combined with automated CMP interaction as a fallback — so it works on existing websites from day one, without requiring website operators to change anything.

What we published

The concept paper sets out the problem, the legal basis in Article 88b, six core principles for user-centric consent signalling, a detailed comparison with existing tools (GPC, ADPC, Consenter, Consent-O-Matic, IAB TCF), and a proposed architecture for a browser extension MVP.

The technical specification (pending) goes deeper: browser extension architecture, a preference engine for evaluating conditional rules, an HTTP header protocol, a CMP automation layer, chatbot-guided onboarding, and a compatibility analysis with every relevant existing standard.

These are (or will be) published under CC BY 4.0 at conditionalconsent.com. They are designed to be forked, extended, critiqued, and adopted by anyone — browser vendors, CMP providers, privacy advocates, standardisation bodies.

Why now

Article 88b has a staged timeline. Controllers must accept automated signals within 24 months of entry into force. Browser providers must enable signalling within 48 months. But the implementing standards — the technical specifications that define what those signals can actually carry — need to be developed now. Once a standard is set, it will be extremely difficult to change.

The risk is that the advertising industry shapes these standards toward the simplest possible signal — a binary accept/reject that perpetuates the current model in machine-readable form. The opportunity is to establish that the standard should support genuine conditional granularity: rules that reflect how people actually think about their privacy.

What we are asking for

We are not launching a product. We are putting a proposal on the table — early, openly, and with full documentation — so that the conversation about Article 88b implementation includes a concrete, user-centric option.

If you work in privacy, policy, browser development, or consent management, we would like your input. Read the papers. Challenge the assumptions. Propose improvements. Tell us what we got wrong. The specification is deliberately open because getting this right requires more perspectives than any single consultancy can provide.

The concept paper and technical specification are available at conditionalconsent.com.


Meet Stewart Haynes: former Information Commissioner and TechGDPR Senior Consultant
https://techgdpr.com/blog/stewart-haynes-former-information-commissioner-joins-techgdpr/
Tue, 19 Nov 2024 11:55:30 +0000

The post Meet Stewart Haynes: former Information Commissioner and TechGDPR Senior Consultant appeared first on TechGDPR.

Stewart Haynes, a former Information Commissioner, has joined the TechGDPR team as a senior consultant. Stewart excels in complex regulatory reporting and remediation scenarios, helping clients approach these critical areas with clarity and precision. His guidance is invaluable for companies building or refining their privacy programs, preparing for potential regulatory interventions, or managing high-risk incidents. With his experience as the Information Commissioner, leading the Data Protection Authority of the Isle of Man, Stewart offers unparalleled expertise in complex privacy programs and strategic regulatory guidance.

Former Information Commissioner Stewart Haynes comments:

A huge thank you to Silvan and the entire TechGDPR team for the warm welcome! Joining TechGDPR is incredibly exciting because I’m part of a team that combines real regulatory insight with a deep understanding of clients’ needs. With over 25 years’ experience and 13 years in the regulatory field, including time as an Information Commissioner, I know first-hand how challenging and nuanced the data protection landscape can be for businesses of all sizes. TechGDPR doesn’t just offer pre-packaged solutions – we carefully craft tailored strategies that align with each client’s unique needs. I’m looking forward to working with this talented team to deliver compliance solutions that build resilience and foster growth for our clients. Together, we’re here not just to help businesses meet their obligations but to empower them to thrive in an increasingly regulated world.

TechGDPR Managing Partner, Silvan Jongerius comments:

“Stewart’s extensive expertise, leadership and regulatory experience in data protection make him an invaluable addition to our team. His knowledge and insight will enhance our ability to deliver tailored, cutting-edge privacy solutions to our clients. His perspective as a former Information Commissioner will add a new dimension to our offerings. We’re all thoroughly looking forward to working together with Stewart.”

Stewart’s addition to the team

With the arrival of Stewart Haynes, the insights of a former data protection authority are available to clients directly, to help guide their compliance journey. Stewart’s background in high-risk management and over 25 years of experience give him the insight to steer clients through that journey. His deep understanding of both regulatory frameworks and the practical realities of implementing them fits well with TechGDPR’s approach of offering highly customized, resilient privacy solutions that go beyond the standardized compliance packages offered by competitors. Stewart’s addition reinforces TechGDPR’s goal of providing not just regulatory guidance but a proactive compliance partnership that empowers our clients to thrive in an increasingly regulated environment.

Meet Stewart and hear more about his unique background and his insights on data protection

A webinar featuring Stewart Haynes will shortly be announced.


All-in-one Data Officer services: DataOfficer.eu by TechGDPR
https://techgdpr.com/blog/all-in-one-data-officer-services-dataofficer-eu-by-techgdpr/
Thu, 29 Aug 2024 09:45:05 +0000

The post All-in-one Data Officer services: DataOfficer.eu by TechGDPR appeared first on TechGDPR.

TechGDPR is introducing a new service: the Data Officer.

[DataOfficer.eu logo: Data Protection, Governance, Ethics, Compliance, Management Officer, by TechGDPR]

In today’s digital world, safeguarding sensitive information is more important than ever. At TechGDPR, we understand the complexities of data management and oversight for technology companies and are now offering a comprehensive solution for all-in-one data oversight through our Data Officer program. Our service is designed to provide your organization with the expertise and support necessary to navigate the stringent requirements in using personal data, Artificial Intelligence (such as GenAI/ChatGPT) and other EU-based data requirements.

A Data Officer is an essential figure in business, skillfully integrating responsibilities in data protection, compliance, ethics, and privacy into a multifaceted role. This position goes beyond conventional limits, ensuring that your organization’s data practices comply with regulations such as GDPR and CCPA, while also adhering to ethical standards, particularly in AI. With a Data Officer, you can navigate complex data environments effortlessly, converting data challenges into strategic advantages. Experience the assurance of expert data management, where compliance intersects with innovation.

Holistic Data Management and Oversight

Our new Data Officer service includes the appointment of a Data Protection Officer (DPO) to ensure compliance with GDPR. However, it extends beyond traditional data protection to incorporate oversight of AI activities. Acting as an “AI Officer”, our service provides comprehensive supervision over AI ethics and regulatory compliance, ensuring that your AI implementations adhere to the highest standards of responsibility and legality.

Comprehensive Support and Strategic Guidance

In addition to regulatory compliance, our program offers extensive data management support and strategic advice on data usage. This holistic approach ensures that your organization is well-equipped to handle the multifaceted challenges of European Data Regulations. Here are some key components of our service:

  • Data Protection Officer (DPO) Appointment: Supports GDPR compliance as DPO and manages data protection policies and procedures.
  • AI Oversight: Monitors AI ethics and regulatory compliance and provides guidance on the responsible use of AI technologies like GenAI and ChatGPT.
  • Data Management Support: Offers strategic advice on data usage and enhances data governance and security practices.
  • Regulatory Compliance: Keeps your organization updated with evolving EU data regulations and mitigates risks associated with data breaches and non-compliance.

Why TechGDPR?

TechGDPR is uniquely positioned to offer exceptional Data Officer services due to its comprehensive expertise in both regulatory compliance and advanced technology. With a deep understanding of GDPR and other global data protection regulations, TechGDPR combines this knowledge with cutting-edge insights into the latest technological trends and ethical considerations in AI and data management. Its team of seasoned professionals is adept at navigating the intricate landscape of data protection, ensuring that clients not only meet legal standards but also leverage data as a strategic asset. TechGDPR’s holistic approach integrates compliance, innovation, and ethical practices, providing unparalleled peace of mind and competitive advantage to businesses in today’s data-driven world.

Navigate to our separate website for this service: dataofficer.eu


Data Privacy in Electric Vehicle Charging: ISO 15118 and GDPR
https://techgdpr.com/blog/data-privacy-electric-vehicle-charging-iso-15118-gdpr/
Tue, 04 Jun 2024 11:52:31 +0000

The post Data Privacy in Electric Vehicle Charging: ISO 15118 and GDPR appeared first on TechGDPR.

As electric vehicles (EVs) become more prevalent, the standards governing their communication and charging infrastructure grow increasingly crucial. One such standard is ISO 15118, which facilitates vehicle-to-grid (V2G) communication interfaces. While ISO 15118 brings significant advancements in terms of efficiency and user experience, it also raises important questions regarding privacy and data protection, especially in the context of the General Data Protection Regulation (GDPR).

Understanding ISO 15118

ISO 15118 is an international standard defining the communication protocol between electric vehicles and charging stations. This protocol supports several functionalities, including:

  • Plug & Charge: Seamless, automatic identification and authorization of EVs.
  • Smart Charging: Optimized energy management based on grid conditions, user preferences, and pricing.
  • Vehicle-to-Grid (V2G): Bidirectional energy flow, allowing EVs to supply power back to the grid.

These features necessitate the exchange of various data types, some of which may be considered personal data under GDPR.

GDPR and Its Relevance to ISO 15118

GDPR is a comprehensive data protection regulation that governs the processing of personal data within the European Union. It emphasizes the principles of data protection by design and by default, ensuring that privacy considerations are embedded in the development and deployment of data processing systems. For organizations implementing ISO 15118, it is crucial to align with GDPR requirements to avoid significant penalties and ensure user trust.

[Image: Electric Vehicle compliance with privacy and GDPR]

Key GDPR Considerations for ISO 15118

  1. Data Minimization

GDPR mandates that only the minimum necessary personal data should be collected and processed. For ISO 15118, this means evaluating what data is essential for functionalities like Plug & Charge and smart charging. For instance, while vehicle identification data is necessary for authorization, other non-essential data should be carefully scrutinized and minimized.

  2. Consent

Under GDPR, explicit consent must be obtained from users before collecting and processing their personal data. In the context of ISO 15118, this involves transparently communicating with EV owners about what data will be collected, the purpose of its collection, and how it will be used. Consent mechanisms should be clear and straightforward, allowing users to easily opt in or out.

  3. Security

Ensuring the security of personal data is a cornerstone of GDPR. ISO 15118 implementations must incorporate robust security measures to protect data in transit and at rest. This includes using encryption, secure communication protocols, and regular security audits. Given the critical nature of charging infrastructure, securing this data is paramount to prevent unauthorized access and cyber threats.

  4. Transparency

Transparency is essential for building trust with users. Organizations must provide clear and accessible information about their data processing activities. For ISO 15118, this could involve detailed privacy notices at charging stations or within EV interfaces, explaining how personal data is used, stored, and protected.

  5. Data Access and Portability

GDPR grants individuals the right to access their personal data and request its transfer to another service provider. In the ISO 15118 ecosystem, this means enabling EV owners to view the data collected about their vehicle and facilitating its transfer if they switch charging service providers. Implementing user-friendly interfaces and backend systems to support these rights is essential.

Implementing GDPR Compliance in ISO 15118

To ensure GDPR compliance while leveraging ISO 15118, organizations should undertake the following steps:

  1. Conduct Data Protection Impact Assessments (DPIAs)

DPIAs help identify and mitigate privacy risks associated with data processing activities. Conducting DPIAs for ISO 15118 implementations will highlight potential GDPR compliance issues and inform the development of appropriate safeguards.

  2. Develop Privacy Policies and Procedures

Establish comprehensive privacy policies and procedures tailored to the specific data processing activities under ISO 15118. These should detail how personal data is collected, processed, stored, and shared, as well as the measures in place to protect it.

  3. Train Staff and Raise Awareness

Ensuring that all employees involved in the implementation and operation of ISO 15118 systems are aware of GDPR requirements and best practices is critical. Regular training sessions and awareness programs can help maintain a high standard of data protection.

  4. Implement Technical and Organizational Measures

Adopt technical measures such as encryption, access controls, and regular security updates, alongside organizational measures like data protection policies and incident response plans. These combined efforts will help safeguard personal data and ensure compliance with GDPR.

  5. Engage with Users

Foster an open dialogue with EV owners about data protection practices. Providing channels for users to ask questions, provide feedback, and exercise their rights can enhance trust and demonstrate a commitment to privacy.

Conclusion

ISO 15118 represents a significant advancement in the EV landscape, offering enhanced functionality and user convenience. However, its implementation must be carefully managed to align with GDPR requirements. By focusing on data minimization, obtaining explicit consent, ensuring security, maintaining transparency, and supporting data access and portability, organizations can harness the benefits of ISO 15118 while upholding the highest standards of privacy and data protection. As the EV ecosystem continues to evolve, prioritizing GDPR compliance will be essential in fostering trust and promoting the widespread adoption of these innovative technologies.


Introducing TechGDPR’s AI Ethics & Compliance Services
https://techgdpr.com/blog/techgdpr-launches-ai-ethics-compliance-services/
Mon, 19 Feb 2024 11:01:00 +0000

The post Introducing TechGDPR’s AI Ethics & Compliance Services appeared first on TechGDPR.

In an era where artificial intelligence (AI) technology is rapidly evolving, the importance of ethical considerations and compliance with regulations cannot be overstated. As AI continues to transform industries, ensuring these technologies are used responsibly and in accordance with legal standards is paramount. Recognizing this need, TechGDPR is excited to announce the launch of our comprehensive AI Ethics & Compliance services, designed to support businesses in navigating the complexities of AI implementation.

The Imperative for Ethical AI

The integration of AI into business operations brings forth unprecedented opportunities for innovation and efficiency. However, it also raises significant ethical and compliance challenges, from data privacy concerns to fairness and accountability issues. As pioneers in GDPR and privacy consulting, TechGDPR understands the criticality of addressing these challenges head-on. Our new services are tailored to empower organizations to leverage AI technologies while ensuring ethical integrity and regulatory compliance.

Why is TechGDPR best placed to support with AI Ethics & Compliance?

[Image: IAPP AI Foundational Supporter]

TechGDPR’s unique blend of experience in privacy consulting and AI governance positions us as your ideal partner in this journey. Our team, trained as AI Governance Professionals by the International Association of Privacy Professionals (IAPP) and recognized as Foundational Supporters of the IAPP’s AI Governance efforts, brings unparalleled expertise to the table. This background equips us with the skills to provide comprehensive support, from regulatory compliance assessments to the development of ethical AI frameworks.

Our AI Ethics & Compliance Services

Our AI Ethics & Compliance services are designed to meet the needs of businesses at the earlier stages of AI adoption, in particular users (“deployers” in the definition of the draft EU AI Act): companies using standard generative AI and large language models such as ChatGPT, Google Gemini or MidJourney, or custom-trained AI models, to support business functions. Our offerings include:

  • AI Compliance Strategy Development: Crafting tailored strategies to navigate the regulatory landscape of AI.
  • Ethical AI Frameworks: Establishing ethical guidelines to guide the development and deployment of AI systems.
  • Risk Assessment and Mitigation: Identifying potential ethical and compliance risks and developing strategies to address them.
  • Training and Education: Equipping your team with the knowledge to implement and manage AI responsibly.

If you are in the process of training your own model, or even developing or deploying your own algorithm, we can help. Solid Privacy by Design is essential to avoid fatal mistakes from a data protection and privacy point of view, and early alignment with the regulatory requirements of the AI Act is equally essential.

Looking Ahead: AI Ethics and Compliance for companies using AI

As we launch these services, we invite you to join us in shaping a future where AI not only advances technological boundaries but does so with integrity and compliance at its core.

For more information on how we can support your AI initiatives, visit our newly launched page on Artificial Intelligence Ethics and Compliance.


TechGDPR’s commitment to AI Governance expertise and education
https://techgdpr.com/blog/techgdprs-commitment-to-ai-governance-expertise-and-education/
Tue, 31 Oct 2023 13:02:12 +0000

The post TechGDPR’s commitment to AI Governance expertise and education appeared first on TechGDPR.


In a landscape where the intersection of Artificial Intelligence (AI) and privacy presents evolving challenges, the significance of robust governance can’t be overstated, especially concerning Large Language Models (LLMs) and generative AI technologies. Privacy in particular is a significant challenge when using such AI technologies and integrating them into your business. Over the last years we have supported computer vision, machine learning, suggestion engines, machine reasoning and many other related AI technologies, preparing for this day and for a specific offer of AI-related services. Leveraging this profound expertise in emerging technologies and privacy, TechGDPR is exceptionally equipped to navigate companies through these burgeoning challenges.

AI Governance, ethics and compliance by TechGDPR

We are thrilled to announce that TechGDPR has now become a Foundational Supporter of the AI governance program initiated by the International Association of Privacy Professionals (IAPP), aligning with 42 other esteemed organizations like IBM, Air New Zealand, Cisco, Baker McKenzie, HP, Microsoft, Skyscanner, and Vodafone. This alliance underscores our commitment to addressing the dire need for adept AI governance professionals. Our objective is to foster a culture of compliance and ethics around AI deployments, ensuring alignment with the evolving legal and policy frameworks.

As we prepare for this endeavor, our team is diligently working towards augmenting our AI Governance, Ethics and Compliance support capabilities. Through rigorous research, training, and upskilling, we aim to be fully equipped by 2024 to assist organizations in navigating AI Ethics and Compliance issues, particularly where they intersect with privacy concerns. In particular we will be launching services to support companies using AI with their essential needs such as AI use policies, vendor assessment, staff training and compliance with forthcoming AI regulations such as the EU AI Act.

TechGDPR and the International Association for Privacy Professionals (IAPP)

Being an IAPP Corporate Member, TechGDPR exemplifies a high standard of privacy expertise, with a majority of our team holding one or more IAPP certifications. We are currently advancing our proficiency by pursuing the AI Governance Professional certification. This reinforces our readiness to provide unparalleled support to organizations, ensuring the responsible and compliant utilization of AI technologies.

At TechGDPR, we are excited about the AI governance journey ahead and are steadfast in our mission to pioneer privacy-centric AI governance, contributing to a safer and more accountable digital realm, together with the IAPP and other partners that are to be announced.


EU-US Data Privacy Framework Adopted
https://techgdpr.com/blog/eu-us-data-privacy-framework-adopted/
Mon, 10 Jul 2023 15:47:32 +0000

The post EU-US Data Privacy Framework Adopted appeared first on TechGDPR.

This afternoon, the European Commission has adopted an adequacy decision for the EU-US Data Privacy Framework. This decision finds that the United States provides an equivalent level of data protection to that of the European Union, enabling the safe and unrestricted flow of personal data from the EU to U.S. companies under the new framework.

EU Companies using US vendors for their data

For companies operating within the EU, this adequacy decision eliminates the need for additional data protection measures when transferring personal data to U.S. vendors participating in the EU-U.S. Data Privacy Framework. It streamlines data transfers, allowing businesses to focus on their core operations without being burdened by complex compliance requirements.

If your company relies on U.S. vendors for services or data processing, this decision brings positive implications. The EU-US Data Privacy Framework introduces comprehensive binding safeguards to address concerns raised by the European Court of Justice. These safeguards ensure that access to EU data by U.S. intelligence services is limited to what is necessary and proportionate for national security purposes.

Moreover, the framework establishes a redress mechanism for EU individuals whose data is mishandled by U.S. companies. This includes independent dispute resolution mechanisms and an arbitration panel, providing added assurance to EU consumers and reinforcing trust in transatlantic data flows.

Serving EU Customers from the US

For U.S. vendors seeking to serve EU customers, participation in the EU-US Data Privacy Framework is crucial. By committing to comply with a detailed set of privacy obligations, U.S. companies can demonstrate their adherence to the high data protection standards required by the EU. This includes obligations such as purpose limitation, data minimization, data retention, data security, and responsible data sharing with third parties.

The framework will be administered by the U.S. Department of Commerce, ensuring proper oversight and monitoring of participating companies’ compliance. The U.S. Federal Trade Commission will enforce these obligations, safeguarding the interests of EU individuals and promoting accountability among U.S. vendors.

It is important to note that the safeguards implemented by the U.S. government to protect data privacy will also benefit companies using other data transfer mechanisms, such as standard contractual clauses and binding corporate rules. This provides flexibility and reassurance for companies engaged in transatlantic data transfers, regardless of the specific mechanism they choose.


We encourage companies to familiarize themselves with the details of the adequacy decision and the obligations set forth in the EU-US Data Privacy Framework as this will affect many data setups.

Criticism of the EU-US Data Privacy Framework

Critics argue that the new Trans-Atlantic Data Privacy Framework closely resembles its predecessors, particularly the failed “Privacy Shield” agreement. The fundamental concerns regarding U.S. surveillance laws and the unequal treatment of non-U.S. persons in terms of constitutional rights remain largely unaddressed. The framework’s reliance on the U.S. Executive Order 14086, which includes the term “proportionate” but interprets it differently than the European Court of Justice (CJEU), has raised concerns about the adequacy of protections.

Furthermore, the redress mechanism established under the new framework has been questioned. While some improvements have been made compared to the previous “Ombudsperson” mechanism, the individual’s direct interaction with the newly formed Civil Liberties Protection Officer (CLPO) and the “Court” is limited. Critics argue that this mechanism does not provide true judicial redress, as the response is already known before a case is brought, potentially undermining the effectiveness of individuals’ rights to seek redress.

It is expected that the privacy advocacy group noyb (None of Your Business) will challenge the adequacy decision in court. They contend that the new framework lacks substantial changes and does not address the necessary reforms to U.S. surveillance laws. Previous attempts, such as the “Safe Harbor” and “Privacy Shield,” have been declared invalid by the CJEU.

The potential legal challenge could result in further scrutiny of the Trans-Atlantic Data Privacy Framework. If the case reaches the CJEU, the court may suspend the framework during the review process, leading to a final decision in 2024 or 2025. This uncertainty raises concerns about the legal validity of data transfers conducted under the new framework.

The post EU-US Data Privacy Framework Adopted appeared first on TechGDPR.

Using ChatGPT with personal data? Think again! https://techgdpr.com/blog/chatgpt-with-personal-data-gdpr/ Tue, 18 Apr 2023 14:35:19 +0000
Recently we see more and more posts popping up on LinkedIn and elsewhere on how to optimize sales pipelines and other business processes using ChatGPT or some of its siblings. While the proposition is very tempting, there are huge problems for privacy and the protection of personal data, in particular as required under the GDPR.

One of the primary reasons why generative AI is currently not well-suited for handling personal data is that the models are trained on vast amounts of text data, including both public and private sources and the data ‘fed’ to them in the prompts. This means that any personal or sensitive information that you feed into the model will be remembered and potentially reused in future outputs, putting both the data subject and the data controller (the person using the language model) at risk. Firstly, the data is transmitted to the provider of the AI, where it may be distributed and reused, and there is no control over this data, let alone that the required Data Processing Agreement is not in place and the guarantees required for a transfer of data to the US are not provided. Secondly, the data could resurface in an unpredictable manner when other users prompt the AI for something similar.

Using generative AI, for example, to analyse CVs or personal profiles constitutes a clear violation of the GDPR, the European Union’s General Data Protection Regulation. This regulation mandates that businesses and organisations protect personal data by limiting its processing and ensuring that it is only used for specific, legitimate purposes. By feeding personal data into a generative AI model, you are essentially using it for a purpose that is outside the scope of the original legal basis, which is a clear violation of the GDPR.

Some data protection authorities (such as the Italian Garante Privacy) have already proceeded to ban ChatGPT in their countries over privacy concerns, while others, including the German Datenschutzkonferenz, the French CNIL, the Privacy Commissioner of Canada and the European Data Protection Board, have launched investigations into it and are expected to take similar measures in the short term.

Clearly, if you wilfully feed personal data to a system like ChatGPT, there is not much doubt about you violating the GDPR in multiple ways.

Even though ChatGPT may become available in Italy again if certain requirements are met by April 30th, it’s unlikely to be a good idea to use it for personal data.

A somewhat adjacent consideration is that generative AI models are often trained using biased data, which can lead to biased outputs. If personal data is fed into the model, the biases inherent in the training data can be amplified, potentially leading to discriminatory or harmful outputs. This is particularly problematic in the context of personal data, where even unintentional discrimination or harm can have serious consequences for the data subject.

In short, using generative AI for anything involving personal data is a risky proposition that should be avoided until solid measures to protect this data are in place. There are plenty of business opportunities in this space that prioritise privacy and data protection, such as differential privacy or federated learning. These approaches are designed to protect personal data by limiting its exposure and minimising the risk of re-identification, while still allowing for meaningful analysis and insights. TechGDPR has developed a support programme for the ethical and compliant use of Artificial Intelligence, which may help remediate such issues.

The post Using ChatGPT with personal data? Think again! appeared first on TechGDPR.

International Transfers of Personal Data after the Schrems II ruling https://techgdpr.com/blog/international-transfers-personal-data-schrems-ii-ruling/ Thu, 06 Aug 2020 12:55:26 +0000

On July 16, 2020, the top court of the European Union (CJEU) issued a groundbreaking ruling on the so-called “Schrems II” case concerning international transfers of personal data from the European Union. It was meant to deal mostly with transfers to the main EU commercial partner – the United States – but turned out to have implications for all countries outside of the European Economic Area (EEA).

In this article, we provide practical guidance for all organisations that export data outside of the EEA on how to reassess their transfers of personal data outside of Europe in a post-Schrems II era.

The Schrems-II ruling of the European Court of Justice on Transfers of Personal Data outside of the EU

The European Union is known for its diligent approach to the protection of human rights. The GDPR, the regulation ensuring the right to personal data protection, limits all transfers of personal data outside of the European Union to ensure that the data and individual rights are not abused as soon as they cross the EU border.

The European Commission produced a list of 13 countries deemed to ensure a sufficient level of data protection, to which personal data can be transferred without limitations. That list also allowed a select group of companies based in the US to receive personal data from their EU partners. The requirement for the companies in this group was to self-declare and join the so-called EU-US Privacy Shield. Until recently, more than 5000 organisations used the scheme, among them Amazon, Facebook, and Google.

With its judgement, the CJEU has invalidated the EU-US Privacy Shield, making further transfers of personal data to those organisations in the US illegal. Additionally, the ruling impacted another mechanism, that of Standard Contractual Clauses (SCCs), which was used in 88% of international transfers, warning that these SCCs cannot always be used in transfers to third countries. It implied a similar fate for Binding Corporate Rules, another transfer mechanism for transfers within a corporate group.

As if this were not enough, the court left no grace period for organisations to understand their situation and come up with alternative transfer mechanisms applicable to their business model. It leaves thousands of transfers of personal data to the US and, presumably, to many other countries, unlawful. This is why a swift reaction is vital for companies in the EU.

Step-by-step guide to international data transfers after the CJEU ruling

Step 1 – Audit existing transfers 

To start with, prepare a list of all connections with companies that imply transfers of personal data outside of the European Union. Acknowledge that storing personal data on cloud servers in another country, or using third-party applications such as CRM, HR, payment systems, collaboration tools, video-conferencing or task managers, definitely implies an international transfer of data. Remember that involving contractors or software development agencies from third countries also implies international data transfers.

Next, figure out the transfer mechanisms used by these partner organisations and service providers. Most information can be parsed from public sources, e.g. company websites, but if not, we recommend contacting your service providers directly. The current mechanisms used by the companies can be an adequacy decision (Art. 45 GDPR), the (defunct) EU-US Privacy Shield, Standard Contractual Clauses (Art. 46.3.a) GDPR), Binding Corporate Rules (Art. 47 GDPR), or Derogations (Art. 49 GDPR).

Step 2 – Choose appropriate safeguards

Pay specific attention to transfers of personal data to the US. While the situation with other third countries remains unclear, transfers of personal data to the States cannot continue as they do at the moment. Companies that have relied on the Privacy Shield must consider adopting new safeguards, and Standard Contractual Clauses cannot be used by providers of cloud computing and telecommunication services.

If you already use or consider using Standard Contractual Clauses or Binding Corporate Rules for transfers under Art. 46, ask your partners and service providers whether they are subject to national laws that:

  • require indiscriminate surveillance / data collection from them by government bodies;
  • prohibit deletion of the transferred data at the end of your relationship with them;
  • limit the rights of the concerned individuals (data subjects), such as the right to be informed and the rights of access, rectification and erasure upon request.

The restrictions above will be difficult to overcome with the available EU privacy safeguards, as confirmed by the CJEU judgement. This is exactly the case with transfers to the United States: under Section 702 of FISA (50 USC § 1881a), all “electronic communication service providers”, which are providers of remote computing services, electronic communication services, or telecommunications carriers, must share the data that they store about foreigners with the U.S. national enforcement agencies. As a result, it is considered that the SCCs cannot be used for transfers of data to these types of providers at all.

For other types of partners and service providers, SCCs and BCRs remain a possible option, though additional examination will be necessary.

To make matters worse, foreign companies can be prohibited by statutory provisions from informing you about such requirements. The option in this case is to look into media coverage of such scenarios, as well as to check their national enforcement and judicial practice on data protection. Best practice, however, is to regard companies that claim they cannot disclose that information as being under such a statutory obligation, and to interpret that answer as an indication that they are likely subject to such national requirements.

Step 3 – Consider derogations or restructure the transfers

Art. 49 of the GDPR provides derogations from the rule described above. For case-by-case transfers, you can ask for explicit consent from the data subject. However, such an option seems unrealistic for transferring a whole database, as it may prove impractical to collect consent from all concerned users.

You can also transfer personal data to third countries if it is necessary to perform the contract with your users or other data subjects. Unfortunately, this is only available for transfers that are strictly necessary, i.e. where the execution of the contract takes place on U.S. territory (or in another third country). That said, the mere convenience of transferring the data to the U.S. cannot be regarded as a “necessity”, nor can the cost of the offered solution alone be a determining factor.

Finally, as a temporary measure, the company can argue that it has legitimate interests in the international transfers. This option can serve as temporary relief for those companies that need time to re-architect their processing activities following the CJEU judgement. A transfer based on legitimate interests should not be repetitive. It must concern only a limited number of data subjects, and must not be overridden by the interests or rights and freedoms of the data subjects. Two conditions apply when relying on this derogation: the need to inform your supervisory authority and the data subjects about the transfers. Thus, legitimate interests might be used as a temporary measure while searching for a more reliable transfer mechanism.

There are many situations where none of the above options can be used by an EU company. For example, it is fairly difficult to come up with a solution for transferring personal data to cloud hosting providers in the U.S. or to EU subsidiaries of those companies. In such cases, a strong decision is needed: that of restructuring your data processing and stopping transfers of personal data outside of the EU. In such a case, only local EU service providers will be used, particularly those not under a legal or contractual obligation to transfer data back to the US or merely to allow access to other entities.

Conclusion: what to do after the Schrems-II ruling

Until new guidance from the EU regulators is issued, in particular from the EDPB and the EU Commission, the situation with international transfers remains rather vague, to say the least. In accordance with its announcement in the assessment of the first 2 years of the GDPR, the European Commission is also working on new transfer mechanisms. The new safeguards should allow transferring personal data outside of the EEA more easily. This work is much awaited, considering that the current SCCs date back to before the GDPR and are thus not fully in line with its provisions.

In the meantime, the companies are left with few options:

  1. To amend their processing infrastructure and limit transfers of personal data outside of the EU; or
  2. To take a risk and try to come up with protective measures to complement these unstable mechanisms, in an attempt to consolidate the current mechanisms. However, until the European Data Protection Board drafts guidance on such measures, the choice of measures ought to be carefully examined by data protection professionals.

This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.

If your business relies on international transfers of personal data, the TechGDPR team provides practical and actionable assessments for organisations to find a solution for each case. Feel free to reach out if you need further help.

The post International Transfers of Personal Data after the Schrems II ruling appeared first on TechGDPR.

How to appoint a data protection officer? https://techgdpr.com/blog/how-to-appoint-a-data-protection-officer/ Sun, 14 Jun 2020 11:05:00 +0000
Who should be appointed as DPO?

This can either be an internal position, or can be assigned based on a service contract. Any assignment of a DPO should be free of conflict of interest, and the DPO should report to the highest body in the organisation. While a DPO could also hold another position in the company, this means that the role cannot be combined with many other roles, such as CTO, CEO, CMO or anyone in a department with an interest that is not aligned with data protection. The DPO must have the freedom and independence to report breaches to the authorities independently.

If you are dealing with sensitive data, data related to criminal convictions or monitoring users on a large scale, it is likely you will need to appoint a Data Protection Officer (DPO).

DPO as a Service/External DPO

Unless you represent a large organisation, it is usually much easier and more cost efficient to assign an external DPO with a service contract to monitor your compliance for you.

TechGDPR offers DPO services based on a monthly contract, where a certain amount of service hours are included every month. A DPO from TechGDPR is not only experienced and skilled, he or she also has the technical know-how to talk with you on a technical level, and is your trusted advisor for any privacy and data protection related matters. It’s not just about compliance, it’s also about doing the right thing for your data subjects and your organisation, and TechGDPR helps you with that.

The key tasks of a DPO under the GDPR include the following activities:

  • Informing and advising the data controller or the data processor and the employees who carry out processing of their obligations.
  • Monitoring compliance with the GDPR, with other provisions and with the data protection policies of the controller or processor.
  • Assigning responsibilities, raising awareness, and training of staff involved in processing operations.
  • Performing or leading GDPR related audits.
  • Performing or providing advice about data protection impact assessments.
  • Cooperating with the supervisory authority.
  • Acting as the contact point for the supervisory authority on issues relating to processing.
  • Being responsible for prior consultations.
  • Having due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Beyond the tasks specified in the GDPR, a TechGDPR Data Protection Officer will help you with many other things as well: handling subject access requests, change advisory and keeping you up to date about technology-related GDPR matters.

The post How to appoint a data protection officer? appeared first on TechGDPR.
