Throughout 2025, 32 supervisory authorities across the EU/EEA launched coordinated investigations into controllers’ compliance with the right to erasure under the GDPR. Now, the EDPB has published a report of the findings. As the right to deletion is not absolute, some controllers face difficulties in assessing and applying the conditions for exercising this right, including in conducting the balancing tests between the right to erasure and other rights and freedoms. Many regulators raised concerns regarding controllers not having:

• internal procedure or practice in place to handle erasure requests, or having an incomplete or irregularly reviewed procedure,
• specific procedures and measures to handle erasure requests in the context of back-ups,
• staff training,  
• information provided to data subjects,
• legal certainty on the exceptions to deny erasure requests, and 
• data retention periods, etc.

Multiple regulators found that controllers relying on anonymisation for deletion have varying degrees of success in correctly implementing it. In some cases, they only apply basic pseudonymisation or partial masking, although such a process would not fulfil the requirements of the GDPR regarding deletion.

Stay up to date! Sign up to receive our fortnightly digest via email.

Interestingly, the majority of the polled controllers (out of 764) had not received a single request for erasure in the last two years. While controllers were often chosen due to being in certain particular situations (processing sensitive data, processing a very large amount of data, etc.), about 70% of controllers still received fewer than 10 requests per year. Also, it appears that certain profiles are less likely to exercise their rights (eg, applicants in public services, citizens toward public services, contractors, or job applicants/employees) while others seem less hesitant to do so (eg, potential customers).

Main developments 

Digital omnibus and GDPR simplification: The EDPB and EDPS issued a long-awaited statement on simplification of the digital legislative framework in the EU. Among many things, they advised against the proposed changes to the definition of personal data. The changes go far beyond a targeted modification of the GDPR, a ‘technical amendment’ or a mere codification of CJEU jurisprudence.

Defining what is no longer personal data directly affects and narrows the scope of application of EU data protection legislation and should not be addressed in an implementing act, say the regulators. The full opinion in the context of GDPR, AI Act, and ePrivacy Directive can be read here.

UK data reform: Meanwhile, in the UK, on 5 February, the main provisions of the Data Use and Access Act 2025  came into force, amending the UK GDPR and Data Protection Act 2018. These include: new ‘recognised legitimate interests’ legal basis for data controllers, cookie consent exemptions, data reuse permissions, the use of automated decision making, more relaxed transfers of personal data internationally, and sometimes limiting data subject access requests, etc. 

Age-appropriate code design

On February 5, South Carolina signed Age-Appropriate Code Design into law, after it was previously adopted by California, Maryland, Nebraska, and Vermont. According to JD Supra analysis, covered online services must exercise “reasonable care” in the use of a minor’s personal data and the design and operation of the covered online service. This includes features that:

•  Decrease minors’ time and activity on the service to prevent compulsive usage, severe psychological harm, and privacy intrusions. 
• Opt minors out of “personalisation recommendation systems” by default, and 
• Set personal data settings to the highest level of protection by default.
• Collect, use, share, or retain the minimum amount of a minor’s personal data “necessary” to provide the specific elements of the covered online service, etc.

More from supervisory authorities

DPO role: Under EU law, all EU institutions, bodies, offices and agencies (EUIs) are required to appoint a data protection officer (DPO). To strengthen the effectiveness and independence of this function, the EDPS has adopted two key documents clarifying the role and protection of DPOs within EUIs: 

• Supervisory Guidance on the role of DPOs in EUIs, and
• Rules on the application of the requirement of prior consent by the EDPS for the dismissal of DPOs 

They provide practical and up-to-date guidance on the designation of DPOs, their institutional positioning, the guarantees of independence attached to the function, and the responsibilities entrusted to them. 

Cybersecurity exercise: The ENISA offers a methodology to an end-to-end theoretical framework for planning, running and evaluating cybersecurity exercises. It ensures the right profiles and stakeholders are involved at the right time, and provides theoretical material based on lessons identified, industry best practices and cybersecurity expertise. Download the guide and the support toolkit templates here. 

Games age limitation: The French government, on 4 February, adopted a decree on the experimentation of games with monetisable digital objects. It requires, among other controls,  the refusal of the opening of a player account for any minor, or before verification of the identity and the age of the applicant. It requires the enterprise offering a game to document the arrangements used for verification, to carry out regular checks, and to be able to demonstrate the effectiveness and compliance of those arrangements to the National Gaming Authority. 

How to deal with data protection complaints

The updated UK ICO guidance reminds organisations what they need to do to meet the new requirements for people to open a data protection complaints process, as set out in the new Data Use and Access Act, although these requirements are not in force until 19 June 2026. At a glance, the law says organisations must:

• Give people a way of making data protection complaints;
• Acknowledge receipt of complaints within 30 days of receiving them;
• Without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed;
• Without undue delay, tell people the outcome of their complaints.

Read practical advice on each of these points in the original publication.

In other news

СNIL sanctions statistics: Cookies, employee surveillance and data security were the main subjects of the penalties imposed by the French data protection authority CNIL, in 2025, the cumulative amount of which totalled 486,839,500 euros. Also, insufficient security of personal data, lack of cooperation with the CNIL and non-respect for the rights of individuals were the three main reasons for sanctions under the recently introduced simplified procedures. Numerous formal notices have targeted websites that allowed the deposit of cookies and other trackers without respecting the consent of individuals, either by not allowing them to refuse the deposit in a simple way, or by not taking into account the withdrawal of users’ consent.

In addition, the regulator often sanctioned the non-compliance with the obligations of the subcontractors concerning the data entrusted to them, in particular: 

• implementing appropriate technical and organisational measures to ensure an adequate level of security;
• only processing data on the instructions of the data controller;
• deleting the data at the end of their contractual relationship with the data controller.

OpenClaw AI: The Dutch data protection authority AP warns against the use of OpenClaw, an AI agent tool that has become popular since last year. The platform provides users with an AI assistant to install, which can perform tasks autonomously. For that, the user has to give full access to their computer and programs, including email, files and online services. The platform can also be vulnerable to hidden commands in websites, emails and chat messages. That can lead to taking over accounts, reading personal data and stealing access codes.

More enforcement decisions

Amazon Italy investigation: On 9 February, the Italian data protection authority Garante and the National Labour Inspectorate announced an investigation into Amazon regarding the processing of workers’ personal data and the use of video surveillance systems. The investigation will examine the company’s logistics hubs, with a particular focus on the distribution centres in Passo Corese and Castel San Giovanni, to determine the extent to which monitoring practices comply with the legal requirements stipulated within the Workers’ Statute, digitalpolicyalert.org reports. 

Dutch municipalities fined: The Dutch data protection AP authority fined 10 municipalities 250,000 euros for processing sensitive information without consent, according to DataGuidance. Violations included processing data on religious beliefs, family relationships, political views, and criminal or terrorism-related information. The municipalities processed this sensitive information (from an external research bureau, amid national counter-radicalisation efforts) without valid consent.

Swiss cookie redress case: Digitec Galaxus informed the Swiss privacy regulator FDPIC that it had implemented its formal recommendation that customers be given the option to object to the processing of their personal data for marketing purposes. Following criticism over excessive data processing, users can now disable personalisation with one click (one-click opt-out), whereby the corresponding cookies are automatically disabled. To that end, the registration form now explicitly mentions personalisation and the right to object, and the privacy policy has been updated accordingly.

And Finally

Data brokers warning in the US: The Federal Trade Commission sent letters to 13 data brokers warning them of their responsibility to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024. It prohibits data brokers from selling, releasing, disclosing, or providing access to personally identifiable sensitive data about Americans to any foreign adversary, which includes North Korea, China, Russia, and Iran, or any entity controlled by those countries. 

The law defines personally identifiable sensitive data to include health, financial, genetic, biometric, geolocation, and sexual behaviour information, etc.

The post Data protection digest 3-17 Feb 2026: When using anonymisation for deletion, controllers have differing degrees of success – EDPB appeared first on TechGDPR.

Legal processes and redress: US signals intelligence redress mechanism, Google search results removal, California consumer privacy rights, Australia Privacy Act review

The US Office of the Director of National Intelligence, (ODNI), published a directive for implementing the signals intelligence redress mechanism created under the proposed EU-US Data Privacy Framework. It is necessary for the implementation of the US adequacy decision which received a green light from the European Commission just before the end of 2022. The directive governs the handling of redress complaints regarding certain signals intelligence activities and outlines the process by which qualifying complaints may be transmitted by an appropriate public authority in a qualifying state. Additionally, the directive outlines the role of the ODNI Civil Liberties Protection Officer with a given complaint: 

• investigate, review, and, as necessary, order appropriate remediation for a covered violation regarding qualifying complaints; 
• communicate the conclusion of such investigation to the complainant through the appropriate public authority; and
• provide the necessary support to the US Data Protection Review Court.

In Sweden, the Supreme administrative court rejected the appeal in a case between Google and the Swedish privacy regulator IMY. This means that the judgment gains legal force and that Google must pay a 4.5 million euro fine. In 2020, the IMY charged Google for violating the right to have search results removed. When Google delisted search results the site owner was notified of the webpage and data subject concerned via Search Console, previously Webmaster Tools. But informing the site owner meant that the personal data was used beyond its original purpose, and the information notice was misleading users and restraining them from exercising their right to request removal. 

California consumer privacy rights expanded on 1 January, (but will be enforced in July).  In 2020, California voters approved Proposition 24, known as CPRA, amending some of the older CCPA’s consumer protections and therefore expanding business’ obligations. For example, previously employees, job applicants, owners, directors, officers, and contractors were excluded from the definition of “consumer,” and they had limited data subject access rights. These rights include the ability to opt-out of profiling, opt-out of targeted/cross-context advertising, opt-out of automated decision making, and to limit the use and disclosure of sensitive information. The new law establishes annual privacy risk assessments and cybersecurity audits. Civil lawsuits will also be allowed against companies that fail to take appropriate measures, with potential damages between 100 and 750 dollars per consumer, per incident. 

Australian Attorney-General Mark Dreyfus confirmed that the Privacy Act Review has been completed and a final report received by his department. The announcement came shortly after a wave of spectacular data breaches in the Australian corporate sector. The new privacy regime could include a broader definition of personal data, expanded information obligations for organisations, opt-in consent for users, the right to erasure, and increased penalties for serious or repeated data breaches. 

Official guidance: special categories of data, global cookie review, data brokerage, age-appropriate design tests

The Latvia data protection agency DVI issued a reminder of the rules for the legal processing of special categories of personal data. For special categories of personal data, in order to ensure their legal processing, in addition to complying with the general data protection conditions, it is necessary to observe that by default they are prohibited from processing unless there are exceptional permissions or justifications:

• a person’s consent, (eg, to receive commercial notices about price discounts for specific goods or services in a pharmacy);
• social protection rights, (eg, when terminating the employment of a unionised employee, the employer must contact the trade union); 
• vital interests of a person, (eg, in cases where a person is unconscious and it is necessary to find out his blood group, allergies, etc.);
• non-profit activity for political, philosophical, religious, or trade union-related purposes, (the personal data is not disclosed outside the said organisation without the consent of the individual);
• data deliberately made public, (eg, the person has expressed on social networks that they are vegetarian);
• essential public interests, (eg, information about political party donors must be made public);
• preventive or occupational medicine, ( eg, assessment of the employee’s work capacity, health or social care, or treatment);
• public health, (eg, to limit the spread of COVID-19);
• archiving in the public interest, for scientific, historical or statistical purposes.

The French privacy regulator CNIL published guidelines on the commercial use of customer files – data brokerage. Data controllers need to pay attention to the types of data that can be transferred, (only data relating to active customers can be shared), and on obtaining consent from data subjects for the intended transfer, (eg, via an electronic form). The purchaser also must inform the data subjects of the transfer and the source of the data, (the name of the company that sold the customer files,) and obtain the data subjects’ consent if it wishes to use their data for electronic commercial prospecting.

Bird&Bird offers the latest Global Cookie Review – the legal and regulatory landscape relating to the expanding use of cookies and similar technologies, country by country. Such regulations often follow a path set by the EU GDPR and ePrivacy Directive. The report also contains Asia Pacific, Latin American, and South African overviews, where similar regulations are often lacking or can be even divergent on transparency and consent requirements. 

The UK Information Commissioner’s Office has published design tests to support designers of products or services that are likely to be accessed by children or young people. Each test provides a report detailing areas of good practice as well as ways to improve conformity with the Age-Appropriate Design Code. This includes “best interests of the child” standards like age authentication, safe default settings, parental controls, enforcement, and data protection impact assessments.

Investigations and enforcement actions: credit rating by mistake, “dormant” risk assessment, “defaulting” customers error, employees’ email metadata, mass grocery purchases monitoring, and workers’ fingerprinting

The Norwegian data protection authority has notified Recover of its decision to fine the company 20,000 euros. The matter concerns a credit rating performed without a legal basis. The background to the fine is a complaint from a private individual who was subjected to a credit assessment without any form of customer relationship or other connection to the above company. A credit rating is established after compiling personal data from many different sources including a person’s overall financial situation, any payment remarks, debt-to-income ratio, and whether the person has any mortgages/liens.

The Norwegian regulator also has given Statistics Norway notice of a decision that involves a ban on their planned collection of data on the Norwegian population’s grocery purchases. Through the collection of bank data and bank transaction data, the organisation planned to obtain information on what the population buys, and then link that to socio-economic data such as household type, income, and education level. The regulator believes that a legal basis, (societal benefit of consumption and diet statistics), is not clear and predictable enough for this planned processing of personal data. Even if the purpose is to produce anonymous statistics, intrusion into the individual’s privacy will occur. 

Italian regulator Garante fined Areti 1 million euros: thousands of users were mistakenly classified as “defaulting” customers and unable to switch to other suppliers. The misalignment of the company’s internal systems led to incorrect data migration to the integrated information database consulted by suppliers before signing a new contract. As a result, more than 47,000 Areti customers wanting to change energy supplier were denied an account activation and any potential savings deriving from market advantages, because they were incorrectly red-flagged. 

Additionally, Garante issued a fine to Lazio Regio of 100,000 euros for unlawful monitoring of employees’ email metadata. An internal audit was launched by the region on the suspicion of a possible unauthorised disclosure to third parties of information protected by official secrecy. Metadata was collected in advance and stored for 180 days: date, time, sender, recipient, subject, and size of email. This allowed the region to obtain information relating to employees’ private lives, such as their opinions or contacts. 

No workplace fingerprinting without specific requirements is the ruling from Garante, which fined a sports club 20,000 euros. The authority intervened following a report from a trade union, which complained about the introduction of the biometric system by the company, despite the union’s request to adopt less invasive means of authentication. The company had carried out, for almost four years, the fingerprinting of 132 employees, violating the principles of minimisation and proportionality. It also provided workers with very little information on the characteristics of biometric treatments. 

The Romanian data protection authority completed an investigation at leading retailer Kaufland and issued a fine of 3000 euros. A video recording containing images of a complainant in the parking lot of one of the stores by the commercial chain appeared on the web page of a local newspaper. It turned out that the store manager allowed an employee access to the monitoring room, who captured, with his personal mobile phone, images of the video recordings that were playing and sent them via WhatsApp to a third party. Later, the images were transmitted by posting them by an online publication. As a result, the image and registration number of the car were revealed, with two persons affected by this incident.

The EDPB published a summary on risk assessment and acting in accordance with established procedures. A controller, (in Poland), was notified of a personal data breach that occurred as a result of a break-in at an employee’s apartment and the theft of a laptop. The confidentiality of the personal data was at risk because the stolen computer was only password protected. The controller had kept adequate documentation since the beginning of the application of the GDPR and had performed a risk assessment, but it was only after the data breach occurred that the controller complied with the results of its own risk assessment by encrypting laptop hard drives.

Data security:  zero trust architecture, IoT onboarding, and lifecycle management

The US NIST’s National Cybersecurity Center of Excellence has published a draft practice guide on implementing a zero trust architecture and is seeking the public’s comments on its contents. As an enterprise’s data and resources have become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging. Many users need access from anywhere, at any time, from any device on-premises and in the cloud. Comments from industry participants are welcomed by or before 6 February. 

In parallel, the NIST is also seeking comments on draft guidance on Trusted IoT Onboarding and Lifecycle Management. Scalable mechanisms are needed to safely manage IoT devices throughout their lifecycles, beginning with secure ways to provision devices with their network credentials—a process known as trusted network-layer onboarding. In combination with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement, this could improve the security of networks and IoT devices from unauthorised connections.

Big Tech: face recognition practices by PimEyes, Epic games’ COPPA violations, TikTok apps age rating

The Baden-Württemberg data protection authority announced proceedings against PimEyes, (Face recognition and reverse image search), Data Guidance reports. Recent media reports stated that PimEyes scans the face for individual characteristics on the internet and stores biometric data without proper legal basis, an identified data sharing model, or valid opt-out options. A data subject should be able to agree to the processing of personal data relating to them in an informed and unambiguous manner. In the case of automated retrieval of images on the Internet, these requirements cannot be met. Equally, private company PimEyes cannot undertake police investigative work in the public interest or interfere with the rights of data subjects. Read the original statement here. 

US Video Game Maker Epic will pay a more than half-billion dollar refund over allegations of children’s privacy law, (COPPA), violations, and tricking users into making unwanted charges for in-game items, (eg, costumes and dance moves). Epic’s Fortnite game has more than 400 million users worldwide. The company will be required to adopt strong privacy default settings for children and teens, (parental notice and consent requirements), ensuring that voice and text communications are turned off by default. This is the Federal Trade Commission’s largest refund award in a gaming case and the largest administrative order in its history. 

Finally, Virginia Attorney General joined 14 other state attorneys general to call on Apple and Google to take immediate action and correct their application store age ratings for TikTok. The change will help parents protect their children from being force-fed harmful content online. The current ratings of “T” for “Teen” in the Google Play App store and “12+” in Apple’s App Store falsely represent the objectionable content found and served to children on TikTok. While TikTok does have a “restricted mode” available, it is also aware that many of its users are under 13 and have lied about their age to create a profile.

The post Data protection & privacy digest 16 Dec – 2 Jan 2023: US signals intelligence redress mechanism, “dormant” privacy risk assessment, data brokerage appeared first on TechGDPR.

Legal processes: EU-US privacy framework, DMA, CCPA/CPRA, right to be forgotten

The Baden-Württemberg data protection commissioner warns that Joe Biden’s executive order with regard to the EU-US privacy framework is an important step, but it creates legal ambiguity. It addresses the requirements of the CJEU’s “Schrems II” judgment by adapting, among other things, the extensive access to EU residents data in the context of US national security and the complaints and appeals procedure. Nonetheless, it represents an internal instruction to the government and subordinate authorities and is not a law that has been passed by parliament, and is not legally enforceable, especially for EU citizens. In addition, it is not clear how the executive order relates to other existing US regulations such as the Cloud Act. Other ambiguities are as follows:

• The legal concept of proportionality differs in the EU, so that it remains unclear when, from the US’s point of view, access for national security remains permissible.
• Significant requirements are placed on the filing of a complaint by EU data subjects, so that it is still possible to filter out “undesirable” complaints.
• The newly created Data Protection Review Court, (an appeal body for complainants), will be set up by order of the Minister of Justice, which may contradict its judicial independence.
• The CJEU not only demanded legal remedies against state spying, but also the end of surveillance without cause, (the system change demanded by the court does not exist at present).

The European Commission will now have to decide whether there is equivalent protection of personal data in the US. The draft decision is expected in spring 2023. More legal research on the topic is promised by the NOYB privacy foundation, whose founder Max Schrems started the legal battle in 2013. 

Where various controllers rely on the single consent of a data subject, it is sufficient that the data subject contacts any one of them, states the CJEU’s recent ruling. The controller of personal data must, by means of appropriate technical and organisational measures, inform the other controllers that have provided the data or have received such data of the withdrawal of the consent of the data subject. Equally, the controller is required to take reasonable steps to inform third parties such as internet search engine providers of a request for erasure. The case related to Telenet, a Belgium telephone service operator, which passes on the contact details of its subscribers, (with their consent), to providers of directories, including Proximus. One of Telenet’s subscribers asked not to be included in directories published by Proximus and third parties; nonetheless, their contact details appeared online.  

The EU Digital Markets Act, (DMA), entered into force on 1 November. The new regulation will put an end to unfair practices by companies that act as gatekeepers in the online platform economy. In many cases the rules intercept and reinforce fundamental privacy and data protection concepts, such as:

• Provide business users with access to the data generated by their activities on the gatekeeper’s platform.
• Ban on tracking end users outside of the gatekeepers’ core platform for the purpose of targeted advertising, without effective consent having been granted.
• The interoperability obligation to ensure that the levels of service integrity, security and encryption offered by the gatekeeper will not be reduced, (eg, text messages/audio/video calls between individual or group users). End users will equally have the choice to use or refuse such an option, where their provider has decided to interoperate with a gatekeeper.

The DMA will also facilitate direct actions for damages by those harmed by the conduct of non-complying gatekeepers. After the entry into application on 2 May 2023, potential gatekeepers will have to notify their core platform services to the Commission within 2 months if they meet the quantitative thresholds.

The California privacy regulator released modified proposed regulations for compliance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act. It also seeks public comments on the improved text until 21 November. The adaptations relate to:

• the notice of collections, (on how to disclose third parties that the business allows to collect personal information from the consumer),
• right to limit the use/disclosure of sensitive personal information, (without the purpose of inferring characteristics about a consumer),
• limits to responding to consumer requests due to “disproportionate effort”,
• requests to correct personal information,
• data minimisation, (business’s collection, use, retention or sharing of personal information must be reasonably necessary and proportionate to achieve the relevant purposes).

Official guidance: anonymisation for SMEs, data breach reporting, direct marketing, employment practices, DP icons, dark commercial patterns

The Spanish data protection agency AEPD has published a basic anonymisation guide, (in Spanish), for data controllers, data processors and data protection specialists. It is especially aimed at serving SMEs and startups when they have to deal with the anonymisation of small data sets. The document explains the difference between the concepts of anonymisation, de-identification, and re-identification. The guide is complemented by a free tool, (downloadable via this link), for organisations to transform simple data sets by applying anonymisation techniques.

The AEPD has also launched a tool which aims to help data controllers decide whether to report a personal data breach to the supervisory authority, following Art. 33 of the GDPR, (available in English). This tool can also be used by data protection officers, data processors, or consultants to obtain adequate information with which to advise controllers. Once finished, the data provided during the process are deleted, and the AEPD does not have access.

The UK privacy regulator ICO updated its guidance on direct marketing using electronic mail. The Privacy and Electronic Communications Regulations 2003, (PECR), takes its definition of direct marketing from the UK Data Protection Act 2018 and covers the sending of electronic mail for direct marketing purposes to particular individuals. The guide does create a few exceptions for: a) some types of online advertising, (eg, advertisements placed on websites not using cookies or similar technologies), b) direct marketing using social media, (eg, advertising messages shown on news feeds), and c) mail sent for administrative or customer service purposes, (if they do not contain any promotional content). Read the full guidance here.

The ICO also released a draft guidance on employment practices: information about workers’ health, (sickness and injuries, disability, drug tests, health monitoring, etc). It is some of the most sensitive personal information you might process about your workers. Data protection law applies whenever you process information about your workers’ health. Notably, the term ‘worker’ relates to all employment relationships, whether this includes employees, contractors, volunteers, or gig and platform workers. 

The Baden-Württemberg data protection authority in Germany released free-of-charge data protection icons, aimed at making privacy notices by data controllers clearer and easier to understand. For example, data subjects can see at a glance on which legal grounds data processing is based. The icons can be downloaded here.

The OECD has published a paper on dark commercial patterns. These practices are commonly found in online user interfaces including cookie consent notices. Many consumer and data protection authorities have taken enforcement actions and consumer organisations have filed complaints about their use, states the OECD. However, enforcement cases to date predominantly relate to a limited set of dark patterns commonly recognised by regulators. This indicates possible gaps in the law, available evidence, or enforcement capacity.

Investigations and enforcement actions: learning records, bank cards’ contactless data, HTTP protocol, employee login information, adult domains

The ICO has issued a reprimand to the Department for Education (DfE), following the prolonged misuse of the personal data of up to 28 million children. An investigation found that the DfE’s poor due diligence meant a database of pupils’ learning records was ultimately used by Trustopia, an employment screening firm, to check whether people opening online gambling accounts were 18. At the time of the breach, 12,600 organisations had access to the learning records service database, including schools, colleges, higher education institutions, and other education providers. This allowed organisations to verify a number of functions including the academic qualifications of potential students or check eligiblity for funding. Trustopia had access to the database for two years and had carried out searches on 22,000 learners for age verification purposes. Trustopia has never provided any government-funded educational training.

The US FTC is taking action against the online alcohol marketplace Drizly, (an Uber subsidiary), and its CEO over allegations that the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers. In 2018, a Drizly employee posted company cloud computing account login information on the software development and hosting platform GitHub. As a result of this security breakdown, hackers were able to use Drizly’s servers to mine cryptocurrency until the company changed its login information for its cloud computing account.

The FTC is also taking action against education technology provider Chegg Inc. for its lax data security practices that exposed sensitive information about millions of its customers and employees. Chegg allegedly failed to fix problems with its data security despite experiencing four security breaches since 2017.  Notably multiple Chegg employees fell for a phishing attack, and a former Chegg contractor used login information the company shared with employees and outside contractors to access one of Chegg’s third-party cloud databases containing the personal information of approximately 40 mln customers).The FTC’s proposed order requires the company to bolster its data security, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to access and delete their data.

Spain’s AEPD fined Burwebs S.L and Techpump Solutions, (owners of various internet domains with adult content), 75,000 euros and 525,000 euros respectively for multiple violations of the GDPR, Data Guidance reports. In the case of Burwebs, the AEPD found:

• All personal data of registered users is stored indefinitely.
• No provision regarding the consent of holders of parental authority or guardianship on profiles of minors registered as users.
• The process for opening an account on the domains does not employ additional data or procedures to confirm the applicant’s identification in addition to the supporting papers initially used.
• Privacy policy does not inform users of the possibility of revoking consent at any time before the initial provision of consent, and fails to inform users of the period for which their personal data will be retained.
• The total absence of “privacy by design”.
• Records of processing activities does not list all the procedures, (eg, retention of unregistered user data).
• In addition to cookie walls that block access to websites and require users to approve relevant cookies, its applicable webpages lack information on the usage of cookies. 

In the case of Techpump Solutions, the AEPD found identical data processing violations to the above case, plus:

• Transfers of personal data to companies within the same group occurring, despite the privacy policies claiming that such a process will not occur. 
• Indefinite storage of the personal data of those who used the relevant webpages, until website users request the withdrawal of consent. 
• No clear or affirmative consent mechanism exists to acquire user personal data.  
• The majority of the company resides outside of Spain, and the information in its privacy policy is in English, a foreign language for the target audience. 
• Frequent collection of personal information, including IP addresses, without explaining the circumstances to users.

Both companies were given one month to apply all the corrective measures.

The Greek data protection authority has fined four banks, (Eurobank, National bank,  Alfa Bank, and Piraeus), 20,000 euros each for the retention on the chip of customers’ Mastercards information on their last 10 transactions. The data can be read “contactless”. The banks, without informing clients, issued replacement cards with the feature. 

A 15,000 euro fine by the Italian privacy regulator Garante was issued against a company for not having adequately protected customer data. The access to the company’s website dedicated to “online services” took place via the “http” network protocol, not encrypted and not secure. Various data was passed through this channel, including authentication credentials, names, social security numbers, e-mail addresses, telephone numbers, and billing data. The company violated important principles of “privacy by design”, and “integrity and confidentiality” of the data processing. 

Data security: crucial TOMs, digital footprint, cybersecurity and privacy annual report by NIST

America’s NIST has published its latest Cybersecurity and Privacy Annual Report. It is organised into eight key areas: cryptographic standards and validation, cybersecurity measurement, education and workforce, identity and access management, privacy engineering, risk management, trustworthy networks, and trustworthy platforms. The NIST conducted research and demonstrated practical applications in several key priority areas, including post quantum cryptography, cybersecurity in supply chains, zero trust, and control systems cybersecurity. The NIST also initiated research in some new areas, including exploring the cybersecurity of genomics data.

The UK ICO warned that organisations are leaving themselves open to cyber attacks by ignoring crucial technical and organisational measures like updating software and training staff, (Art. 32 of the GDPR). The warning comes with a 4.4 million pound fine to Interserve Group. An employee forwarded a phishing email, which was not quarantined by the system, to another employee who opened it and downloaded its content –  data of up to 113,000 current and former employees was encrypted and rendered unavailable. 

The Latvian DVI explains a digital footprint and how to protect it. A user can leave it either actively or passively, but once shared, the digital footprint is relatively permanent. It can determine a person’s digital reputation, which is now as important as a person’s offline reputation. Cybercriminals can also use your digital footprint for purposes such as phishing or creating a fake identity. In one of the examples, the active digital footprint is formed when a credit card of a specific service provider is used, while the passive digital footprint is formed by analysing the flow of money in the account and the purposes for which one spends one’s financial resources. Thus:

• Remember to carefully familiarise yourself with the privacy policies of the websites where you intend to consume the offered goods or services. Additionally, 
• Every time you sign in to a third-party website using, for example, your Facebook credentials, you give that company permission to obtain your user data — potentially putting your personal information at risk. 
• Perform regular searches for your name and related personal information in search engines.
• Enforce the privacy settings of your online accounts, and minimise the amount of personal data shared, (eg, location). 
• Regularly update software. 

Big Tech: TikTok employees’ access to data, Medibank’s refusal to pay ransom, Amazon’s Alexa recording

TikTok informed its EU users that their data can be accessed by employees outside the continent, including in China – to ensure their experience of the platform is “consistent, enjoyable and safe”. The other countries where European user data could be accessed by TikTok staff include Brazil, Canada and Israel as well as the US and Singapore, where European user data is stored currently, The Guardian reports.

Medibank, Australia’s biggest health insurer, said no ransom payment will be made to the criminal responsible for a recent data theft, (around 9.7 million current and former customers). The company believes there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. Plus, paying a ransom could encourage the hacker to extort customers directly, hurting more people.  Australian companies have been hit by a string of cyber attacks in recent weeks prompting the government to think about significant increases in penalties for repeated or serious privacy breaches, with amendments to privacy laws. 

Finally, Amazon must produce millions of documents in response to discovery requests in a potential class action over the marketing of its Alexa-enabled devices, Bloomberg Law reports. Plaintiffs allege that Amazon sold its Alexa-enabled devices to consumers using unfair and deceptive advertising, and illegally record conversations. The plaintiffs need discovery concerning Amazon’s intent in marketing Alexa devices, complaints received by the company, and how Alexa-enabled devices function. Amazon estimated it would have to produce 4.4 million documents in response to the plaintiffs’ requests.

The post Data protection & privacy digest 25 Oct – 8 Nov 2022: EU-US privacy framework ambiguity, data breach reporting, right to be forgotten appeared first on TechGDPR.

In my opinion, however, this needs to be seen with more nuance, and as lawyers like to say, it all depends on the specific circumstances; blockchain is not always strictly immutable, the right to be forgotten is not absolute, and the definition of personal data is still not 100% clear. If you look past the headlines and dive into the details, you will see this situation is not that black and white.

1. Blockchain is not always strictly immutable

Already in the very first paper on blockchain, “Bitcoin: A Peer-to-Peer Electronic Cash System” by Satoshi Nakamoto, there was the notion of pruning: “Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space.” Meaning even in the first-generation protocol of Bitcoin, there is a technical method to delete certain data from the chain. So far, this has not been implemented, but there is a methodology to achieve this without breaking the system. Obviously in this particular way, a node operator could still choose to maintain all data that ever comes across, so in practice this may not with with Bitcoin unless additional safeguards to guarantee this are being put in place.

With later-generation protocols, such as with EOSIO, there is more sophisticated governance in place. By designating certain block producers who could, based on a constitution, agree to remove certain data, or mutually agree to block access to certain data for the outside. Even though this may limit transparency and centralizes some of the decision making, this may still be a feasible solution for certain use cases. For example Europechain aims at setting up networks with only EU/EEA block producers that are all under a Data Protection Agreement (DPA), specifically to offer a GDPR compliant way in which blockchain can be used while keeping most of the advantages of using blockchain in place.

Immutability can for certain purposes be very valuable, but for Personal Data it may not be ideal.

2. The right to be forgotten is not absolute

The right to be forgotten if often cited as the holy grail of protection your personal data, but it can not always be applied. According to Article 17, it can for example be used under the following circumstances:

• Personal data is no longer needed for the purpose, for example, if it was processed for the provision of a contract (Article 6.1(b)), but the contract has been cancelled or has expired.
• It was processed under consent (Article 6.1(a)), and the consent has been withdrawn.
• It has been processed under legitimate interest, but the legitimate interest has been challenged and no overriding interests prevail.
• The processing was unlawful in the first place.

The right to be forgotten does for example not apply if the processing is (still) necessary for the performance of a contract, for scientific or historical reasons in the public interest, to comply with a legal obligation, or if the legitimate interest continues to overrule the interest of the data subject.

If a controller has made personal data public, and publishing on a public blockchain should be seen as making public, they are required to inform others who are processing the data that is should be deleted. It’s an interesting question how that should work in a distributed environment with public actors, but this is not impossible.

3. The definition of personal data is still not 100% clear

In blockchain environments clearly readably personal data should not be used. In particular within public permissionless blockchains there is no good reason to do so. Most projects resort to storing hashes of information or transactions on-chain to prove certain things off-chain. Depending on the circumstances, such hashes could be considered pseudonymous or anonymous. Pseudonymous data is still in-scope of the GDPR, and should therefor adhere to it, anonymous data is out of scope. What exactly is to be considered pseudonymised following a specific approach, and therefor in scope of the GDPR, was previously (before the GDPR) explained in Opinion 2014/05 of the Working Party 29 (WP216). However, this has not been formally adopted by the EDPB. This makes it a lot harder to establish if, for example hashed information is pseudonymous or anonymous from the perspective of the GDPR.

Is the right to be forgotten in blockchain really a problem?

Well yes. Very often, there are certainly potential problems with storing pseudonimysed personal data in a blockchain, however one should be looking at the particular circumstances: which source-data is pseudonimised, encrypted or hashed, where is it stored, and can it be related to other on-chain events, what happens if you delete the source-data, and how strong is the entropy?

To find solutions for this challenge, it is important to consider both the technical (immutability) and the legal (how absolute is the right to erasure?) aspects, and the overall situation. It will stand or fall with the small details, and because the GDPR is a new regulation and blockchain a new technology, it will always be a risky undertaking to deploy this ‘in the wild’.

The only way in which this challenge can be approached, is through Privacy by Design: ensuring all privacy controls are implemented right from the start, and making sure products, protocols and their apps and UX are designed in a privacy friendly way. Launching an immutable system with privacy weaknesses that are not fully thought through, and documented, is quite clearly a violation against Article 25 of the GDPR on Data Protection by Design and by Default.

The post GDPR’s Right to be Forgotten in Blockchain: it’s not black and white. appeared first on TechGDPR.