EU-US data transfer Archives - TechGDPR
https://techgdpr.com/blog/tag/eu-us-data-transfer/

Does the GDPR apply to my US company?
https://techgdpr.com/blog/does-the-gdpr-apply-to-my-us-company/
Published Tue, 10 Feb 2026 09:35:09 +0000
Introduction

Most US businesses assume that “the GDPR is an EU regulation, hence it does not impact my organisation.” That belief usually creates unnecessary risk. The US equivalent of this misconception would be a company registered in Texas assuming its services fall outside the scope of the CCPA.

The GDPR has extraterritorial effect: it can, and more often than not does, apply to organisations established outside the European Union.

Note that since Brexit the UK has retained the GDPR's provisions, adapted to its own body of law; this is known as the UK GDPR, and it adds a small additional layer of complexity for transfers of data outside the UK. For simplicity, the term GDPR in this article also covers the UK GDPR.

What is the GDPR and why it has global reach

GDPR is the short name for the EU's General Data Protection Regulation (and, in its UK form, the UK GDPR). It protects the personal data of individuals who are in the European Union, gives rights to those individuals (the data subjects) and sets out obligations for the organisations that process their data. Its territorial scope is broad: it applies to organisations outside the EU when certain conditions are met.

A US company falls under the GDPR if it is:

  1. Offering goods or services to data subjects in the European Union (EEA and UK)

This trigger applies irrespective of whether a payment is required. Whether a business is targeting or envisaging an EU audience is assessed on the facts; the following factors, especially in combination, indicate that it is:

  • Sending physical goods or providing access to digital services into a member state of the EU/EEA/UK;
  • Taking payments in a European currency such as Euros;
  • Running campaigns that market to email recipients in the EU/EEA/UK; and
  • Providing a website or service in a language that is widely spoken across the EU/EEA/UK.
  2. Monitoring the behaviour of individuals in the European Union

This trigger is highly relevant to digital-first companies. If your business tracks or profiles users while they are in the European Union, the GDPR will most likely apply. This includes practices such as:

  • Tracking European Union website and app users with analytics tools;
  • Placing cookies or other tracking tags on the devices of users in the European Union, which also triggers requirements under the ePrivacy Directive and its national implementations; and
  • Running targeted advertisement campaigns against users within the European Union on the basis of their online behavior.

Article 3 of the GDPR expressly sets out these conditions, and the European Data Protection Board has detailed them in guidance (Guidelines 3/2018 on territorial scope, and Guidelines 05/2021 on the interplay between Article 3 and the transfer rules of Chapter V). Being registered outside the EU does not by itself take a business out of scope.

What constitutes personal data under the GDPR?

The GDPR defines personal data as any information relating to an identified or identifiable natural person. This definition is deliberately broad, broader than the concept of “personally identifiable information” (PII) used in other jurisdictions. It is critical for any organisation to understand what information falls under this definition in order to determine its compliance obligations.

Personal data includes, but is not limited to:

  • Direct identifiers: a person's name, email address, physical address or telephone number.
  • Online identifiers: IP addresses, browser cookies and device identifiers (MAC addresses, IMEIs, advertising IDs and the like).
  • Pseudonyms: user IDs, vehicle identification numbers (VINs), randomly chosen usernames, hashed identifiers and similar values that can still be linked back to a person.
  • Metadata that identifies someone in context, such as timestamps.
  • Special categories of data: biometric data such as fingerprints or facial recognition templates, health data, and the other categories listed in Art. 9 of the GDPR; see also our blog article on the differences between PII and personal data.
  • Other information: video or photo recordings, and an individual's location data.
  • IoT data associated with a device's purchaser, owner, user, maintenance technician and so on.

If your organization collects any of this information from individuals in the European Union, it is processing personal data and must assess its compliance obligations under the GDPR.

What if my business doesn’t comply?

Non-compliance with the GDPR can result in heavy financial and reputational losses. Administrative fines are structured in two tiers, in each case whichever amount is the greater:

  • Tier 1: up to €10 million, or 2% of the company's total worldwide annual turnover in the preceding financial year.
  • Tier 2: up to €20 million, or 4% of the company's total worldwide annual turnover in the preceding financial year.

Enforcement is a real concern for US companies. For example, Clearview AI, a US-based firm, has been the subject of enforcement action and fines by multiple EU data protection authorities for processing EU individuals' personal data without a valid legal basis.

Along with fines, organizations can anticipate loss of customer trust, damage to their reputation, and legal restrictions on their data processing activities. Enforcement action against household names demonstrates that regulators are willing to act against organizations outside the European Union when the GDPR applies. 

A simple checklist for your U.S. company

To allow you to consider at a glance whether the GDPR applies to your business, ask yourself the following questions:

  • Does your company’s website, app, or service deliver goods or services to individuals in the European Union?
  • Do you use instruments that monitor the online behavior of individuals in the European Union?
  • Does your company process the personal data of any of your staff members working in the European Union?
  • Do you use any vendor tool to carry out any of that data processing for you?

If you answered yes to any of these queries, then it is highly likely your company is subject to the GDPR.

Real-life examples of when the GDPR applies

  • An online store in the United States accepting payment in euros and shipping goods to customers in the European Union;
  • A company processing payroll for a remote employee working in the European Union;
  • A marketing company running targeted campaigns aimed at audiences within the European Union.

Conversely, a strictly internal website with no European customer targeting and only incidental EU visits generally will not be subject to the GDPR.

Special Case: United States companies with EU-Based employees

Processing the personal data of employees in the European Union triggers GDPR obligations. Examples are maintaining personnel records, processing sensitive information and monitoring work performance. Paying an employee in the European Union without further data processing may not by itself trigger the full set of GDPR compliance requirements, so HR processes need to be reviewed carefully. See our blog article on how the GDPR affects HR data for non-EU companies for further information.

Your next steps toward compliance

If your business is subject to the GDPR, it is essential to be proactive about compliance.

  • Carry out a data mapping exercise: this feeds the Records of Processing Activities required by Art. 30 of the GDPR. Record all personal data your organisation gathers and processes, the purpose of each processing activity, and where the data is stored;
  • Determine a lawful basis for every processing activity: this gives you a documented, valid legal rationale for collecting and using personal data, for example the individual's consent, necessity for a contract with that individual, a legitimate interest of your organisation, or an EU legal obligation;
  • Draft accessible privacy notices: provide an intelligible, easily accessible notice describing what data is collected, for what purposes, how long it is stored and with whom it is shared;
  • Respect the rights of data subjects: enable individuals to exercise their rights under the GDPR, including access, rectification, erasure, restriction and objection;
  • Appoint a Data Protection Officer (DPO) where required: for example, where your core activities involve large-scale processing of special categories of data or large-scale, regular and systematic monitoring of individuals;
  • Consider an EU representative: if your business is established outside the European Union, you may need to designate a representative in one of the member states under Article 27; and
  • Seek expert advice: the GDPR is complex, and a professional GDPR compliance audit is the surest route to complete compliance.

Conclusion

Whether the GDPR applies to an American business is not a matter of physical presence but of whether the business has a connection with individuals in the European Union. If your business offers goods or services to individuals in the EU or monitors their behaviour, it is very likely the GDPR applies to you. The penalty for non-compliance can be severe, both financially and in terms of reputation.

All US businesses should conduct an internal review of their data processing operations. If in doubt, a professional GDPR compliance assessment provides a clear and secure path forward.

Data protection digest 19 Jan – 2 Feb 2026: New PETs guide, Digital identities ecosystem & employees’ surveillance fine
https://techgdpr.com/blog/data-protection-digest-04022026-new-pets-guide-digital-identities-ecosystem-employees-surveillance-fine/
Published Wed, 04 Feb 2026 10:59:44 +0000
Privacy Enhancing Technologies (PETs)

The Israeli data protection authority published a technical guide to Privacy Enhancing Technologies, available in English. PETs are a diverse family of methods, processes, and digital tools that are appropriate for different stages in the information life cycle:

  • Data collection and preparation for use: Obfuscating personal data and reducing its level of detail by removing identifiers, altering data values, or masking exact figures.
  • Data use and processing: Reducing exposure of personal data during processing, and in some cases, enabling data use without the need for viewing it during processing.
  • Control over data use: Defining rules and permissions for access to personal data, and logging who accessed which data and when.

Main developments 

Brazil adequacy decision: On 28 January, the European Commission recognised that Brazil ensures an adequate level of protection for personal data under the EU GDPR. The decision confirms that Brazil provides comparable levels of data protection, allowing the free transfer of personal data between the two jurisdictions without additional authorisations or safeguards. The Commission also recognised the independence of the Brazilian Data Protection Authority (ANPD) and the safeguards governing public authorities' access to personal data for law enforcement and national security purposes.


Data Privacy Framework: The EDPB has published a new version of its EU-US Data Privacy Framework FAQ for European individuals. “European individuals” means any natural person, regardless of nationality, whose personal data has been transferred to a US company under the framework. It covers any type of personal data processed for commercial or health purposes, and human resources data collected in the context of employment, as long as the recipient company in the US is self-certified under the DPF.

If you believe that a company in the US has violated its obligations or your rights under the EU-US Data Privacy Framework, several redress avenues are available.

Digital omnibus: The EDPB and EDPS also adopted a joint opinion on simplification of the implementation of harmonised rules on AI. Among other things, the EDPB and the EDPS recommend maintaining the standard of strict necessity that currently applies to the processing of special categories of personal data for bias detection and correction in relation to high-risk AI systems. They also support the creation of EU-level AI regulatory sandboxes to promote innovation and help SMEs, as well as AI literacy obligations for system providers and deployers.

HIPAA Notice

In the US, if your company provides health benefits or qualifies as a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), it is important to update your Notice of Privacy Practices (NPP) by 16 February to remain compliant. The notice must reflect new and more restrictive requirements related to protected health information (PHI), in particular on the disclosure of patients' substance use disorder records. Follow-on steps may include reviewing related policies, training, materials and business associate agreements (BAAs) for consistency.

See also the latest epic.org report on the health data privacy crisis in the US.

More from supervisory authorities

M&A: Before a planned company sale, large amounts of data are often processed as part of a due diligence review. This can include personal data, particularly of employees, customers, and suppliers. The Liechtenstein Data Protection Authority has compiled information (in German) regarding which data protection regulations must be observed. This information does not replace an individual assessment and is not exhaustive. 

Camera surveillance in public transport: The Dutch data protection authority states that permanent camera surveillance of employees' designated workstations is not permitted. Cameras may only be used when strictly necessary, for example for safety during incidents, and not for systematic monitoring or evaluation of employees. For the data controller this means technical adjustments to the cameras, adapted internal protocols and clear instructions to employees.

AI tools safe usage: The Spanish AEPD has published the main principles of safe, responsible, and conscious use of AI. Among the recommendations, the privacy regulator advises against sharing personal data with AI – full name, address, telephone number, ID/NIE, images of people, or sensitive or delicate information – medical, financial or contractual details, geolocation. In the workplace, the agency emphasises the importance of following the information and security policies of each organisation and, in particular, of not including information that reveals confidential data of the entity, its staff or clients.

Digital identities ecosystem

Verifiable Digital Credentials (VDCs) can represent a wide range of data, from a driver’s license to a diploma to proof of age, explains America’s NIST. However, their interoperability requires a common set of standards and protocols for issuing, using, and verifying VDCs. As VDCs gain traction for both in-person and online identity verification, two key standards are helping to define this space:

See their comparison in the original publication

In parallel, the German Federal Office for Information Security (BSI) has issued the updated Technical Guideline for Biometric Authentication Systems (in German), which can be used for significantly more use cases of facial and fingerprint recognition through smartphones or access control systems. 

Cookie policy

The Latvian data protection authority reminds us of the essentials of a cookie policy, which gives the user clear information about how their data is processed when cookies are used. The document published on the website must explain in a user-friendly way: a) which cookies the website uses; b) for what purposes they are used; and c) who the recipients of the data are.

The multi-layered approach ensures that the most important information about the use of cookies on the website is provided in a concentrated manner (in the cookie pop-up notification or banner), including an indication of where more detailed information can be found (cookie policy). Cookie policies are often confused with privacy policies (by briefly including information about cookies among what is described in the privacy policy). However, to ensure transparency, information should be provided to users separately – in two documents or at least in clearly separated “blocks” of information. 

Shopping cart reminder e-mail

According to the Saxony data protection commissioner, retailers often send a reminder email pointing out an incomplete purchase process. Despite regular complaints about such communication, there are no data protection concerns about a one-time shopping cart status update by email. Such automatically generated messages are to be distinguished from unsolicited advertising and are considered technical support.

Given the customer's expectations and the recipient's perspective, a technically triggered status update during the contract negotiation phase is reasonably to be expected and can rest on Art. 6 of the GDPR. At the same time, reminder emails are data processing subject to the information requirements of Art. 13 of the GDPR and must be mentioned appropriately in the privacy notice.

In other news


Excel file disclosure: The Romanian regulator ANSPDCP imposed fines totalling 15,000 euros against Continental Automotive Products SRL for breaches of the GDPR principles of data minimisation, accountability, and the security of processing. The investigation followed the controller submitting a personal data breach notification concerning the repeated internal distribution of an Excel file containing a consolidated list of employees, including medical data from medical certificates relating to numerous employees and former employees over a period of time. 

GM driver data ban: America’s Federal Trade Commission finalised an order against General Motors and its OnStar subsidiary after the automaker secretly collected and sold detailed driving data from millions of vehicles without consumer consent.  The final order approved by the Commission imposes a five-year ban on GM disclosing consumers’ geolocation and driver behaviour data to consumer reporting agencies. And for the entire 20-year life of the order, GM will be required to:

  • obtain affirmative express consent from consumers before collecting, using, or sharing connected vehicle data, with some exceptions, such as for providing location data to emergency first responders;
  • create a way for all US consumers to request a copy of their data and seek its deletion;
  • give consumers the ability to disable the collection of precise geolocation data from their vehicles if their vehicle has the necessary technology; and
  • provide a way for consumers to opt out of the collection of geolocation and driver behaviour data, with some limited exceptions.


Chromebook case

The Danish data protection authority decided in the Chromebook case regarding 51 municipalities’ use of Google’s products for teaching in primary schools. The regulator issues serious criticism and warns the municipalities about their setup of the programs in question and about the use of sub-processors outside the EU. In addition, it states that as a data controller, municipalities cannot legally use products that contain unclear processing constructs. Finally, they must have access to the necessary resources to ensure lawful processing of personal data, including in situations where the contractual basis for the product changes.

Microsoft 365 Education

The Austrian data protection authority upheld a complaint filed by a pupil, represented by the European Centre for Digital Rights (NOYB), against Microsoft regarding the use of tracking cookies in Microsoft 365 Education. The decision relates to the installation and use of non-essential cookies on the device of a minor using Microsoft 365 Education at an Austrian school.  The authority also found that no valid consent had been obtained, digitalpolicyalert.org reports.

More enforcement decisions

Employees’ geolocation: The Italian regulator Garante fined a company in the agricultural seed selection and production sector 120,000 euros for unlawfully processing the personal data of five employees. As part of a multinational group, at the direction of its Swiss parent company, it installed a device on its company vehicles that unlawfully collected data on employees’ business and private travel (time, mileage, fuel consumption, and driving style) for the purpose of assigning a monthly score. The collected data was retained for 13 months and used to evaluate employee driving behaviour and to implement any corrective measures. 

Access to a fired worker’s email: Garante also ruled that the content of emails, contact information, and any attachments fall within the definition of correspondence and are therefore protected by the right to confidentiality. In the related case, the regulator fined a company 40,000 euros for violating the confidentiality of a CEO’s email account after his employment ended. After receiving a disciplinary letter that resulted in dismissal,  he asked the company to disable the email account, forward any messages received in the meantime to his personal email address, and activate an automatic reply. However, this request remained unanswered. 

France Travail: The French CNIL, meanwhile, fined France Travail 5 million euros for failing to ensure the security of job seekers' data. In 2024, attackers broke into the agency's information system. They used social engineering to take over the accounts of CAP EMPLOI advisors, who are responsible for people with disabilities. The attackers accessed the data of all registered people, including those registered over the past 20 years. However, they did not gain access to the complete files of job seekers, which may include health data.

And finally

Change your password:  According to the German BSI, a blanket password change is no longer an effective security measure. Frequent password changes often lead consumers to use weak, easily predictable passwords. Password managers help to keep track of passwords. However, even a complex password does not offer 100% protection. Instead, BSI recommends activating two-factor authentication (2FA). 

Australia child accounts ban: According to the Guardian, Snapchat banned or disabled the accounts of around 415,000 Australian users who were detected as being under the age of 16. This was done to comply with the new under-16s social media prohibition. In December, Snapchat was one of ten platforms that needed to restrict people under the age of 16 (4.7 million accounts) from using their services. However, other allegations have surfaced since the prohibition took effect, with some claiming that Snapchat's facial age verification was easily overcome by teens.

GDPR Compliance for AI: Managing Cross-Border Data Transfers
https://techgdpr.com/blog/gdpr-compliance-for-ai-managing-cross-border-data-transfers/
Published Wed, 23 Jul 2025 07:33:02 +0000
Artificial intelligence (AI) relies on large and varied datasets to train models and improve functionality. AI often operates across borders, yet data protection regulations such as the EU General Data Protection Regulation (GDPR) impose strict controls on transfers of personal data abroad.

The question is obvious: how can businesses run global AI systems while complying with the GDPR's rules on cross-border data transfers? Answering it requires understanding how AI uses personal data and how the legal framework on cross-border transfers applies to that use.

Understanding the AI and the GDPR Landscape

AI systems typically need vast amounts of data, which may include personal data. That data is often obtained from several jurisdictions and processed on cloud platforms, in data centres and by development teams in different countries. This worldwide infrastructure complicates GDPR compliance, because the GDPR restricts transfers of personal data beyond the European Economic Area (EEA) and, under the UK GDPR, the United Kingdom.

The GDPR is grounded in fundamental principles of lawfulness, fairness, transparency, limitation of purpose, and data minimization. It also requires accuracy, limitation of storage, integrity, confidentiality, and accountability. These principles should be adhered to by any AI system that involves personal data even when data is transported.

Cross-border data transfers happen when personal data is moved from the EEA to a third country. They are governed by Chapter V of the GDPR, which sets out the legal mechanisms organisations must use. Since most AI systems involve international data processing, virtually all of them face this regulatory challenge.

Focal Compliance Challenges in Cross-Border AI Projects

Several factors make cross-border data governance for AI hard:

  • Volume: AI systems ingest text, images, video, audio and behavioural data in volumes that older compliance procedures struggle to keep up with. Collecting, classifying and safeguarding these datasets across borders is no small task.
  • Pseudonymisation risks: pseudonymised data is still personal data under the GDPR, and data that is called “anonymised” can often be re-identified, particularly when combined with other datasets. It is important to understand the difference between pseudonymised and anonymised data.
  • Lack of transparency: many AI systems, especially those based on deep learning, are “black boxes”. This opacity can hinder an organisation's ability to demonstrate compliance with the GDPR, especially purpose limitation and data minimisation.
  • Shifting rules: national authorities and the European Data Protection Board (EDPB) regularly update their guidance on AI, on international transfers and on how the two interact, and requirements keep growing with new legislation such as the EU AI Act.
  • Third-party risk: third-party data suppliers, cloud vendors and outsourced processors are increasingly part of the AI supply chain. Unless they are properly managed, they bring risk of non-compliance, data loss or unauthorised transfers.
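The pseudonymisation bullet above, and the PETs guide summarised in the digest earlier on this page (removing identifiers, altering values, reducing the level of detail), both describe techniques that are easier to judge when run. The following Python is an added example written for this page, not code from TechGDPR or from any regulator's guide; its dataset, auxiliary list and key are constructed for the example, and the function names are chosen for it. It pseudonymises a toy dataset with a keyed hash, shows that an unkeyed hash can be reversed by enumeration and that keyed pseudonyms are still linkable through quasi-identifiers, and then generalises those quasi-identifiers and measures the k-anonymity that results:

```python
# Added example, not from the TechGDPR article: pseudonymisation versus
# anonymisation on a constructed toy dataset (no real data is used).
import hashlib
import hmac
from collections import Counter

# Constructed "raw" training data: a direct identifier, quasi-identifiers,
# and a health payload that is special-category data under Art. 9 GDPR.
RAW_RECORDS = [
    {"email": "ana@example.eu",  "postcode": "10115", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"email": "ben@example.eu",  "postcode": "10115", "birth_year": 1984, "sex": "M", "diagnosis": "none"},
    {"email": "cleo@example.eu", "postcode": "10117", "birth_year": 1991, "sex": "F", "diagnosis": "diabetes"},
    {"email": "dan@example.eu",  "postcode": "10119", "birth_year": 1991, "sex": "M", "diagnosis": "none"},
    {"email": "eva@example.eu",  "postcode": "10115", "birth_year": 1985, "sex": "F", "diagnosis": "none"},
    {"email": "finn@example.eu", "postcode": "10117", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")

# Constructed auxiliary dataset the attacker already holds (a leaked
# membership list, say): names plus the same quasi-identifiers.
AUXILIARY = [
    {"name": "Ana Example",  "postcode": "10115", "birth_year": 1984, "sex": "F"},
    {"name": "Ben Example",  "postcode": "10115", "birth_year": 1984, "sex": "M"},
    {"name": "Cleo Example", "postcode": "10117", "birth_year": 1991, "sex": "F"},
]

def unkeyed_hash(email: str) -> str:
    """Weak scheme: plain sha256(email); anyone can recompute it from guesses."""
    return hashlib.sha256(email.lower().encode()).hexdigest()

def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held apart from the data: the
    'additional information kept separately' of Art. 4(5) GDPR."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()

def pseudonymise(records, key: bytes):
    """Swap the email for a keyed pseudonym. The result is still personal data."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k != "email"}
        row["pid"] = keyed_pseudonym(r["email"], key)
        out.append(row)
    return out

def reverse_unkeyed_hashes(hashes, candidate_emails):
    """Dictionary attack: hash every guess, look each target up -> {hash: email}."""
    table = {unkeyed_hash(e): e for e in candidate_emails}
    return {h: table[h] for h in hashes if h in table}

def _qi(row):
    return tuple(row[k] for k in QUASI_IDENTIFIERS)

def linkage_attack(dataset, auxiliary):
    """Join on quasi-identifiers. A row is re-identified when exactly one
    dataset row and exactly one auxiliary row share its QI tuple.
    Returns {name: diagnosis} for everyone re-identified."""
    dataset_groups = Counter(_qi(r) for r in dataset)
    names_by_qi = {}
    for a in auxiliary:
        names_by_qi.setdefault(_qi(a), []).append(a["name"])
    found = {}
    for r in dataset:
        names = names_by_qi.get(_qi(r), [])
        if dataset_groups[_qi(r)] == 1 and len(names) == 1:
            found[names[0]] = r["diagnosis"]
    return found

def generalise(records):
    """The PET step the guide calls reducing the level of detail: postcode
    cut to a district, birth year to a decade, sex suppressed."""
    out = []
    for r in records:
        row = dict(r)
        row["postcode"] = r["postcode"][:3] + "**"
        row["birth_year"] = (r["birth_year"] // 10) * 10
        row["sex"] = "*"
        out.append(row)
    return out

def k_anonymity(records) -> int:
    """Smallest group sharing a QI tuple; k == 1 means someone is unique, hence linkable."""
    return min(Counter(_qi(r) for r in records).values())

def demo(key: bytes = b"constructed-secret-kept-in-a-vault"):
    """Run the attacks before and after each PET and return the outcomes."""
    pseudo = pseudonymise(RAW_RECORDS, key)
    guesses = [r["email"] for r in RAW_RECORDS]  # the attacker's guess list
    weak = [unkeyed_hash(r["email"]) for r in RAW_RECORDS]
    return {
        "unkeyed_hashes_reversed": len(reverse_unkeyed_hashes(weak, guesses)),
        "keyed_pseudonyms_reversed": len(reverse_unkeyed_hashes([r["pid"] for r in pseudo], guesses)),
        "k_after_pseudonymisation": k_anonymity(pseudo),
        "reidentified_after_pseudonymisation": linkage_attack(pseudo, AUXILIARY),
        "k_after_generalisation": k_anonymity(generalise(pseudo)),
        "reidentified_after_generalisation": linkage_attack(generalise(pseudo), generalise(AUXILIARY)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the pattern a Transfer Impact Assessment or DPIA reviewer should look for: every unkeyed hash is recovered from a guess list, no keyed pseudonym is, yet the keyed dataset still has k = 1 and the linkage attack names three people together with their diagnoses. After generalisation k rises to 3 and the same attack returns nothing. Two caveats apply in practice: the key holder can still reverse keyed pseudonyms, so the pseudonymised export remains personal data and still needs a Chapter V mechanism; and k-anonymity is only a floor, since a group whose members all share the same sensitive value is still disclosive even at large k.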

Legal Frameworks for GDPR-Compliant Cross-Border Transfers

The GDPR provides several legal mechanisms for transferring personal data beyond the EEA, each subject to conditions and limitations.

  • Adequacy decisions: the European Commission can determine that a non-EEA country ensures “adequate” protection for personal data, after which data can flow to it freely. Such decisions exist for Japan and Switzerland, among others, and for the United States under the EU-US Data Privacy Framework. Adequacy decisions are not permanent and can be invalidated, as happened to Privacy Shield.
  • Standard Contractual Clauses (SCCs): for recipients in countries without an adequacy decision, SCCs are the most widely used mechanism. They contractually bind the data importer to EU-level protections. Since the Schrems II judgment, organisations must also perform a Transfer Impact Assessment and, where needed, adopt supplementary measures for SCCs to be used lawfully.
  • Binding Corporate Rules (BCRs): a further option for multinationals. They are internal codes of conduct, approved by a data protection authority and legally binding on the corporate group. They scale well for intra-group transfers, but approval can be time-consuming and costly.
  • Derogations: the GDPR also allows limited derogations for specific situations, such as where the individual has given explicit consent to the transfer or where the transfer is necessary for the performance of a contract. These exceptions are narrow and are not to be used for systematic or bulk transfers.

Practical Steps to Remain Compliant

To manage cross-border data transfers effectively, follow these best practices:

  • Map data flows: determine where personal data comes from, where it is processed and where it travels.
  • Perform Data Protection Impact Assessments (DPIAs): for higher-risk AI projects, a DPIA identifies risks of discrimination and bias as well as data protection and transfer risks.
  • Improve data governance: establish policies and roles that make operational, technical and legal teams accountable. This ensures consistency when handling personal data.
  • Enforce security controls: organisational and technical controls are required, including secure development of AI models, access controls, pseudonymisation and encryption. Regular security audits and penetration tests help find weaknesses that could expose data while it is transferred across borders.
  • Manage third parties: put sound data processing terms in place and ensure all suppliers comply with the GDPR. Any AI supplier or cloud provider handling personal data on your behalf must undergo rigorous due diligence, which includes negotiating solid Data Processing Agreements (DPAs) and verifying that vendors apply GDPR-level controls.
  • Train your staff: make sure staff understand their role with regard to AI and international data processing. A specific incident response plan should also be created to handle breaches involving AI systems.

Readiness and Regulation

Regulatory requirements are changing. The EU AI Act and industry-specific guidelines from the EDPB and others will keep reshaping what AI compliance looks like. Leading-edge businesses are already building governance structures that satisfy both the GDPR and these new rules. Practices such as automated data flow mapping, real-time risk management, and Transfer Impact Assessments run on a regular basis are becoming standard. Legal, technical, and compliance staff need to work together so that AI innovation is aligned with regulatory requirements.

Conclusion

Cross-border transfers of AI data under the GDPR are difficult, but not impossible. With a good understanding of the regulatory frameworks, attention to high-risk areas, and sound mitigations, organizations can deploy effective AI technologies in full compliance.

Creating AI responsibly involves creating it legally. Now is the time to audit your cross-border data transfer processes, enhance your governance structure, and embed compliance in all areas of your AI work.

Data protection digest 16 Feb – 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers
https://techgdpr.com/blog/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers/ – Tue, 04 Mar 2025 10:01:00 +0000

The Data Act is almost here

In February, the European Commission published a set of updated technical FAQs on the implementation of the legal provisions of the Data Act, which applies as of 12 September 2025. It enhances data sharing and enables a fair distribution of data value by establishing clear rules on the access and use of data within the EU – B2B, B2C, and B2G. The guide elaborates, among other things, on:

  • the definitions of data users, data holders and third parties, as well as 
  • cloud and service interoperability requirements, 
  • fairness of data-sharing contracts, and 
  • enforcement and dispute resolution frameworks. 

The GDPR is fully applicable to all personal data processing activities under the Data Act. In some cases, the Data Act specifies and complements the GDPR (eg, real-time portability of data from IoT devices). The Data Act also restricts the re-use of data by third parties. In the event of a conflict between the GDPR and the Data Act, the GDPR rules on the protection of personal data will prevail.

US data transfers

The Norwegian regulator Datatilsynet answered FAQs about the rules for US data transfers in light of the political situation in Washington. Although there are currently rules that make it easy to transfer personal data to the US, the Data Privacy Framework, the regulator expects that these rules will sooner or later be challenged in the CJEU. An adequacy decision remains in force until it is revoked by the Commission.

This means that any changes in the US will not automatically result in the lapse of the adequacy decision. At the same time, if it is revoked, there will most likely not be a transition period. It is important to be aware of this when purchasing US services. Also, the use of US cloud services on European soil could be negatively affected if the adequacy decision is lifted. The most important advice for your business is to have an exit strategy for what you will do if you can no longer transfer personal data to the US in the same way as today. 

DORA implementation updates

On 18 February, the European Supervisory Authorities (ESAs) – EBA, EIOPA, and ESMA – published a roadmap to designate critical ICT third-party service providers (CTPPs), such as cloud services and data hosting companies, that are critical to the functioning of financial entities under the Digital Operational Resilience Act. By 30 April, the competent authorities must submit the Registers of Information to the ESAs. These registers will list information regarding all ICT third-party arrangements that the financial entities have submitted to the authorities.

By July, the ESAs will notify the affected ICT third-party service providers if they have been classified as critical, and by the end of 2025 will start overseeing them for non-compliance (risk management, testing, contractual agreements, location requirements, etc).  

Legal updates worldwide

China data audits: With effect from May 1, 2025, Chinese regulators will focus more on the data protection compliance audit requirements under the Personal Information Protection Law, according to DLA Piper’s legal analysis. The measures set out the conditions and rules for regular compliance audits, both self-initiated and regulator-requested, covering the whole data lifecycle (for large-scale and high-risk data processing, audits will be conducted every two years), together with possible rectification steps and further enforcement.

US privacy enforcement: In the past two months, New York state has amended several rules on data breach notification. The amended law requires New York residents to be notified of a data breach and sets a 30-day deadline for businesses; in addition, responsible persons must inform the state’s Attorney General, Department of State, the Police and Financial Services (only for covered entities) about the timing, content and distribution of the notices, and the approximate number of affected individuals. A copy of the template of the notice sent to affected persons must also be provided.

Meanwhile, Virginia state passed a bill requiring social media platforms to use commercially reasonable methods, such as a neutral age screen mechanism, to determine whether a user is a minor, (under 16 years of age), and to limit a minor’s use of the platform to one hour per day, per service or application, while allowing a parent to give verifiable parental consent to increase or decrease the daily limit. The amendment goes into effect on January 1, 2026.

Automated decision CJEU ruling

The top European court ruled that a data subject is entitled to an explanation as to how a decision was taken in respect of him or her. According to the judgement delivered on 27 February, the explanation provided must enable the data subject to understand and challenge the automated decision.

The case refers to a mobile telephone operator in Austria who refused to allow a customer to conclude a contract because of her credit standing. The operator relied in that regard on an automated assessment of the customer’s credit standing carried out by Dun & Bradstreet Austria. The contract would have involved a monthly payment of 10 euros.

Algorithmic discrimination and the GDPR

The European Parliament’s recent research meanwhile states that one of the AI Act’s main objectives is to mitigate discrimination and bias in the development, deployment and use of high-risk AI systems. To achieve this, the act allows ‘special categories of personal data’ to be processed, subject to a set of privacy-preserving conditions, in order to identify and avoid discrimination. The GDPR, however, is more restrictive in that respect. The legal uncertainty this creates might need to be addressed through legislative reform or further guidance, the report states.

More from supervisory authorities

DPIA guidance: The Swedish Data Protection Authority IMY has published guidance on impact assessments for activities that process personal data, (in Swedish). The practical guide is intended to facilitate the work of impact assessments and reduce uncertainty about how the various steps are carried out and how the regulations should be understood. It also contains some legal interpretation support, as well as detailed templates for an assessment.

Urban data platforms: As municipalities move towards becoming smart cities or smart regions, more and more systems are being equipped with communication interfaces, states the German Federal Office for Information Security. These include sensors for recording parking spaces, measuring river water levels or smart garbage cans. Urban data platforms (UDPs) can be used to bundle various information streams and enable efficient decision-making, for instance on optimized traffic control, early warning systems in the event of disasters, or urban planning.

To that end, the regulator has prepared technical guidance, for developers, solution providers and operators of such platforms, (in German). It analyses various existing IT security standards and examines existing UDPs for their vulnerabilities.

Employment records: The UK ICO updated its guidance aimed at employers who keep employment records. The data protection law does not stop you from collecting, holding and using records about workers. It helps to strike a balance between employer needs and every worker’s right to a private life.

The terms ‘worker’ or ‘former worker’ mean all employment relationships, including employees, contractors, volunteers, and gig or platform workers. It can be combined with the other ICO guidance on data protection and employment – in particular, our detailed guidance on workers’ health information and monitoring of workers.

Insurance companies data swaps

The North Rhine-Westphalia Data Protection Commissioner has initiated investigations against ten insurance companies in North Rhine-Westphalia for an illegal exchange of personal data. Specifically, the companies, together with almost 30 other insurers, shared data from customers in international travel health insurance to uncover cases of fraud and identify fraud patterns. Since the insurance companies are based in ten federal states and other European countries, a joint coordinated investigation was launched. To exchange data, the insurers used a closed email distribution list, on which several employees of the companies involved were usually registered. 

Privacy policy

The Latvian DVI looks at the most common shortcomings in the privacy policies of the organisations it has investigated, and asks data controllers to take them into account:

  • Privacy policy is hard to find
  • Complex and unclear text
  • Not all legal bases and purposes of data processing are listed
  • The purpose of data processing is not linked to the legal basis
  • Failure to specify the organization’s legitimate interests 
  • Unclear information about the storage period
  • Failure to specify recipients of personal data 

Finally, there is also a lack of guidance on data subjects’ rights and their implementation, and complicated mechanisms are provided for the implementation of rights. 

Emotion recognition

The Dutch Autoriteit Persoonsgegevens requested feedback on the AI Act’s ban on AI systems that recognize emotions in work or education, (unless for medical or safety reasons). The conditions outlined in data protection legislation must also be fulfilled if emotion recognition is done using personal information. Clarity is required on the definitions of emotions, biometric information, and the boundaries of “workplace” and “educational institutions.” 

In particular, in the GDPR, the definition of ‘biometric data’ is linked to the unique identification of a natural person that is allowed or confirmed by the processing of personal data. AP notes that the definition of the term ‘biometric data’ in the AI Act must be interpreted in the light of the GDPR. The distinction between emotions and physical states and between emotions and easily visible expressions also remains unclear.

In other news

Web browsing data fine: America’s FTC requires Avast to pay 16.5 million dollars (which will be used to compensate consumers) and prohibits the company from selling or licensing any web browsing data for advertising purposes, to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking. The FTC alleged Avast sold that data to more than 100 third parties through its Czech subsidiary, unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and consumer consent.

Refused bank loan: It is not possible to further process the data of a loan applicant if no customer agreement has been concluded with the bank, confirmed the Polish Supreme Administrative Court in its recent judgment. The court agreed with the data protection regulator UODO that data processed for creditworthiness assessment and credit risk analysis, in relation to inquiries that did not end with the granting of a loan, cannot be used (neither by the bank nor by the credit information bureau) on the basis of the data controller’s legitimate interest.

Data security

Location data: The Data Protection Commissioner in North Rhine-Westphalia warns citizens against being too careless with their location data. If people are careless when selecting an app and sharing personal data, they make it easier for third parties to collect location data and resell it to data traders. The data traders could then use the location information in conjunction with the device-specific ID to create individual movement profiles.

Consumers should ideally pick up their smartphone and check the system settings to see which app has been granted access rights. If in doubt, you should revoke permission.

Self-declared GDPR compliance: The Liechtenstein data protection authority asks organisations to be careful with self-declared GDPR compliance of software solutions or cloud services. Instead, it is necessary to check whether the respective service can achieve the required level of protection with appropriate settings or measures. Security measures in the cloud include encryption mechanisms and rules on access rights. Under certain conditions, this check must be carried out in the form of a data protection impact assessment (DPIA).

If the data stored in the cloud is transferred to a third country outside the EU/EEA, it must also be checked whether that country offers a level of protection equivalent to that in the EU/EEA, or whether such a level can be ensured through suitable measures and guarantees under the GDPR. In addition, providers of cloud services are usually contracted as data processors, so a legally compliant data processing contract must be in place.

In case you missed it

AI from non-EU countries: A number of European regulators draw attention to the risks associated with the use of AI tools like DeepSeek. Although this generative AI model is freely accessible on the Internet, the manufacturer did not design it for the European market. Based on current knowledge, it can be assumed that the requirements of the AI Act and the GDPR, in particular, are not met. Some practical steps follow:

  • Pay attention to the transparency of the provider and appropriate documentation.
  • Use a separate, secure IT environment to avoid data leaks.
  • If no privacy-preserving measures are known, it is reasonable to assume that none exist (and inform your employees of the associated risks).
  • Take into account the AI competence requirement and the ban on prohibited AI practices, which apply from February under the AI Act.
  • Make sure that the manufacturer of the AI application, if it is also responsible for data protection and is not based in the EU, has appointed a GDPR representative (otherwise, effective enforcement of the rights of those affected can become very difficult).

AI in education: The Future of Privacy Forum meanwhile highlights the spectrum of AI in education in its latest infographics. While generative AI tools that can write essays, generate and alter images, and engage with students have drawn increased attention, schools have been using AI-enabled applications for years for predictive or content-generating purposes too, including reasoning, pattern recognition, and learning from experience.

In practice, they often help with: automated grading and feedback, student monitoring, curriculum development, intelligent tutoring systems, school security and much more. 

Data protection digest 1-15 Jan 2025: mobile app permissions should work in conjunction with consent requirements – CNIL
https://techgdpr.com/blog/data-protection-digest-17012025-mobile-app-permissions-should-work-in-conjunction-with-consent-requirements-cnil/ – Fri, 17 Jan 2025 10:06:07 +0000

Mobile app permissions

Technical permissions in mobile apps are very useful for privacy, explains the French regulator CNIL. They allow users to technically block access to certain data. However, these permissions are not designed to validate users’ consent within the meaning of the GDPR. Even when consent is required, a simple request for permission does not always allow for free, specific, informed and unambiguous consent. There may also be exemptions from consent, for instance for the functioning of a mobile navigation app, when the data is required for the service; even so, the OS supplier requires authorisation to access this information. An ideal permissions system, working in conjunction with a consent management system, should allow the user to choose without any confusion:

  • the degree of processing of the data provided, according to the purpose pursued (eg, more or less precise location);
  • the material scope of the authorisation (eg, access to selected photos rather than the whole media gallery);
  • the duration for which the authorisation is given (eg, one-time activation of the permission or for a predetermined period).

Non-material damages for US data transfers

The CJEU orders the European Commission to pay damages to a visitor to its ‘Conference on the Future of Europe’ website due to the transfer of personal data to the US without appropriate safeguards. In 2021 and 2022, a German citizen complained that the Commission violated his right to personal data protection when he used the Commission’s EU Login authentication service and chose to sign in with his Facebook account.

His data, including his IP address and information about his browser and terminal, were transferred to recipients in the US (Meta, Amazon Web Services and CloudFront). According to the JD Supra law blog, while the sum is small, it is the first time an EU court has acknowledged that people can be awarded damages for illicit data transfers without demonstrating significant loss, paving the way for future claims, including class actions.

More legal updates

“Maximum two complaints per month”: The NOYB privacy advocacy group explains another case, where the CJEU slammed the Austrian data protection authority for discontinuing proceedings against companies. In one example, the authority had capped the number of complaints that data subjects can file at two per month. The CJEU has now made it clear: as long as you do not file abusive complaints, all users have the right to have any GDPR violation remedied by the regulator. NOYB also looked at the EU-wide problem of data protection authorities’ inactivity: statistically, many cases wait up to several years for a decision (instead of the established 6 months).

Canada updates: According to an IAPP analysis, the proposed federal privacy law reforms and AI regulation contained in Bill C-27 are in serious jeopardy. Prime Minister Justin Trudeau’s recent resignation has paralysed Parliamentary business. As the country awaits a national election, C-27’s approval in the Senate is delayed. The proposals include enacting the Digital Charter Implementation Act, the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act. 

India updates: The government has released a draft of the Digital Personal Data Protection Rules, (legal text available in English), under the Digital Personal Data Protection Act, (2023), and is currently seeking public feedback and comments, cms-lawnow.com law blog reports. Key rules include: consent obligations, including for children’s data, security safeguards, data breach notification, retention periods, information obligation, data transfers abroad, impact assessments and audits, and the exercise of data subject rights. 

Electronic patient records

On January 15 the “electronic patient record” (ePA) will start with a pilot phase in Hamburg, Franconia and North Rhine-Westphalia in Germany. After the successful completion of the introductory phase, the nationwide rollout is planned for February 15 at the earliest. The use of the ePA was already possible voluntarily. However, from January 15, the Digital Act (DigiG) stipulates that health insurance companies will create an ePA for all patients who have not explicitly objected to this.

Insured persons should therefore now check whether they want to use it or whether they object to its use completely or partially with an opt-out. The objection can be made at any time, and the health insurance companies must subsequently delete files that have already been created. The ePA brings with it advantages – it facilitates the exchange of medical documents, avoids duplicate examinations and makes it easier for patients to control which data they release to whom. However, there is currently also criticism, particularly regarding data security, (IT experts uncovered security flaws in the ePA at the Chaos Communication Congress at the end of 2024). 

Work agreements and data processing

DLA Piper’s legal blog looks at a CJEU case, where an employer, (in Germany), had initially concluded a temporary agreement with the works council on the use of the software ‘Workday’. It provided, inter alia, that specifically identified employee data could be transferred to a server of the parent company in the US. An employee brought a legal action for access to this information, for the deletion of data concerning him, and for compensation. On this occasion, the CJEU ruled that if employers and works councils agree on more specific rules in a work agreement regarding the processing of employees’ data, these must take into account general data protection principles, including the lawfulness of processing. Furthermore, such a work arrangement is open to judicial scrutiny. Thus, businesses should investigate if other legal bases are applicable.

More official guidance

UK online safety: On 16 December, Ofcom brought into effect new UK online safety regulations. Now digital platforms, especially bigger and riskier ones (social media firms, search engines, messaging, gaming, dating apps, and file-sharing sites), have three months to complete illegal harm risk assessments and apply the necessary safety measures (from a list of more than 40 safeguards). Among many things, this will include reporting and complaints duties, better moderation, easier reporting, built-in safety tests, and protecting children. The Act also enables Ofcom to make a provider use (or in some cases develop) a specific technology to tackle child abuse or illicit content on their sites and apps.

AI and consumer harm: America’s FTC gathered the latest casework on what companies need to consider when developing, maintaining, using, and deploying an AI-based product. This includes:

Video surveillance on a large scale

Depending on the scope and purpose, video surveillance can be divided into three scales: narrow, medium, and wide-scale video surveillance, explains the Latvian regulator. Large-scale video surveillance means that the processing is carried out over a significant area and presents high risks for the processing of personal data at regional, national or transnational levels. The larger the area monitored and the more people visiting it, the higher the risk of data misuse.

If an organisation conducts video surveillance of several separate areas, their total area should be taken into account to determine whether video surveillance is taking place on a large scale. When conducting video surveillance in publicly accessible, but less populated or visited areas, the thresholds for the size of the area and the duration of data retention may be higher to qualify as large-scale. However, if video surveillance involves the processing of biometric data for the unique identification of a person, then it is considered to be the processing of special categories of data.  

Privacy of the art market

An analysis in The Art Newspaper notices that access to historic sales records is becoming more restricted due to increased confidentiality periods at auction houses.

In the EU and the UK, privacy rights are protected through contract, common law and data protection regulations. Thus, the identity of buyers and sellers is protected in several ways, and the auction houses are now restricted from disclosing it without the client’s consent. Moreover, the degree to which such data privacy measures can be used to restrict access is still unclear, as the GDPR does not prescribe how long confidentiality clauses can last.

More enforcement decisions

Genetic and health data breach: The Estonian data protection inspectorate imposed an 85,000 euro fine in connection with an incident that occurred at the end of 2023, in which the Asper Biogene OÜ system was attacked and approximately 100,000 files with people’s data, including genetic and health data, were obtained. However, the decision can still be appealed by the company. Asper Biogene OÜ is primarily engaged in testing for hereditary diseases, developing genetic tests and providing healthcare services, thereby processing health data extensively.

Frontex case: The EDPS issued a warning to Frontex for a breach of data protection rules. The breach involved Frontex systematically sharing the personal data of suspects in transnational criminal cases with Europol without assessing whether the sharing was necessary. Such sharing can have serious consequences for individuals, who could be wrongly linked to criminal activities in Europe. Frontex stopped the transfer of personal data to Europol shortly after the inquiry and now assesses all information individually before sharing it with the agency. 

Facial recognition: The FTC meanwhile finalised an order against IntelliVision Technologies due to false claims that its AI-powered facial recognition software was free of gender or racial bias. The FTC alleged that IntelliVision lacked evidence that its software had one of the highest accuracy rates on the market and performed with zero gender or racial bias.

The complaint also alleged that IntelliVision did not train its facial recognition software on millions of faces, as it claimed, nor did it have adequate support for its claims that its anti-spoofing technology ensures the system can’t be fooled by a photo or video image.

Data security

DORA is enforceable now: The Digital Operational Resilience Act, (DORA), is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. DORA brings harmonisation of the rules relating to operational resilience for the financial sector applying to 20 different types of financial entities and ICT third-party service providers. It covers areas of compliance such as:

  • ICT risk management, 
  • ICT third-party risk management, 
  • Digital operational resilience testing, 
  • ICT-related incidents, 
  • Information sharing on cyber threats, and 
  • Oversight of critical third-party providers.

Security updates: Privacy International meanwhile reminds us that the CrowdStrike incident, (malformed update), earlier this year had major implications for governments and businesses across the world. Among many things, it emphasises the importance of security updates, including auto-updates, which are incredibly important to keep our devices running properly and safely. What is needed is for auto-updates to be properly tested before being implemented. Moreover, too often we see companies bundling together security and feature updates, meaning that users cannot install one without the other. That’s a problem, especially if a weaker system for testing feature updates pollutes the process for security updates, or if users are prevented from having the latest security updates installed because they don’t want the features or their device does not support the feature updates.  

Big Tech

US vulnerabilities: The outgoing President Joe Biden has just signed an executive order to address US vulnerabilities following cyber attacks, (by China, Russia, Iran and ransomware criminals), that cost the country billions, the Guardian reports. Among its most notable elements is a mandate for government agencies to install end-to-end encryption for email and video communications, as well as new standards for AI-powered cyber defence systems and quantum computing protections.

The order also requires federal agencies to purchase only internet-connected devices bearing a “cyber trust mark” from 2027, essentially leveraging government procurement authority to encourage manufacturers to tighten security standards for items such as baby monitors and home security systems.

Data protection digest 18 Aug – 2 Sep 2024: Swiss-US data transfers, BCR guide, Clearview AI fine
https://techgdpr.com/blog/data-protection-digest-03092024-swiss-us-data-transfers-bcr-guide-clearview-ai-fine/ – Tue, 03 Sep 2024 10:01:37 +0000

In this digest issue, we explore the latest Clearview AI fine, the secure Swiss-US data transfers, the data controller’s violation of the GDPR as subject to collective actions, the privacy risks of e-shop apps, and a new privacy policy generator and BCR monitoring tool.

Stay up to date! Sign up to receive our fortnightly digest via email.

Swiss-US data transfers

The new Data Privacy Framework now allows for the secure exchange of personal data between Switzerland and certified US companies without any additional guarantees. The Swiss Federal Council on 14 August added the US to the list of countries with an adequate level of data protection. The relevant changes will apply from 15 September. Companies certified under the Swiss-US data transfer framework will only be permitted to process the data for the purposes for which it was collected. Disclosure to third parties such as non-certified companies is not permitted. In the event of access by US public authorities to personal data transferred from Switzerland, various safeguards are provided, including access to a redress mechanism.

Collective actions under the GDPR

DLA Piper’s legal analysis looks at the CJEU’s recent decision, (C-757/22), holding that a violation of a controller’s information obligations under Art. 12 and 13 of the GDPR can be the subject of a representative action under Art. 80 of the GDPR. The case relates to Meta’s processing activities; the claim was that the information provided to users by games in the App Center was unfair, in particular because valid consent was not obtained from users. Instead, users were informed that by using certain games, the third-party provider would collect their data and have permission to publish it, and that they accepted the general conditions and the relevant data protection policies.

More legal updates

California AI legislation: The progress of the California bill that would create the first-ever national safety regulations for the biggest AI systems is examined in an article published in The Guardian. According to the proposal, businesses would have to test their models and make their safety procedures available to the public. The law focuses on systems whose training costs exceed 100 million dollars. As of right now, no AI model has reached that point. The governor of California has until the end of September to determine whether to sign it into law.

BCR compliance guide: To support groups holding BCRs in verifying their implementation, the French CNIL provides them with a tool and describes the steps for its deployment, (available in English). BCRs refer to an intra-group data protection policy. They allow related entities to transfer personal data outside the EU, as provided by the GDPR. Separate monitoring tools were developed for local entities and group DPOs and should be adapted to the particularities of the organisation. 

Privacy notice tool

The UK Information Commissioner has replaced its privacy notice template with a generator tool to help you create a bespoke privacy notice in just a few simple steps. This brand-new tool has been designed for sole traders and start-ups, small and medium-sized businesses and charities. Also, by generating an additional privacy notice for your staff and volunteers, you could include this on your staff intranet, in your recruitment welcome packs or in your policies library.

E-shop applications

The Czech authorities have issued a warning about e-shop applications that require non-standard permissions on the user’s device and may collect excessive amounts of user data. Some of these are completely legitimate, but some are inappropriate from the point of view of the purpose of the application, (eg, access to location, contacts, videos or other files). Thus, app users should always carefully review the privacy policy and terms of use. 

Additionally, extremely low prices in some e-shops can be attractive, but they carry a risk that the provider makes its profit in another way, (eg, by an excessive collection of personal data to pass on to third parties for a fee). If you still want to use an e-shop application that may carry the above-mentioned risks, for example for a one-time purchase, then uninstall it from your device afterwards.

Guest access

The Data Protection Commissioner in Rhineland-Palatinate also launched an information campaign on online shops. It has become common practice to create a customer account for orders that last well beyond the individual purchase. Creating such a customer account can bring benefits to the customer. For example, further orders can be made without having to re-enter all the data, previous orders can be viewed, order and delivery status can be easily checked and favourite items can be saved.

However, customers do not always want such a long-term business relationship, so they should be able to freely decide whether or not they want to store their data in the online shop.

Contract as a legal basis

The Latvian data protection authority reminds us that one of the legal bases for the processing of personal data is the performance of a contract. However, to be able to correctly apply this basis, it is important to understand in which cases data processing is really necessary for this purpose. The application of this basis must be evaluated not only from the controller’s perspective but it must also be taken into account whether a person as a data subject, when entering into a contract, could have foreseen that their data would be processed within the framework of the contract:

  • the data must be processed to fulfil the obligations specified in the contract, (eg, an online store needs a customer’s address to be able to deliver the product with the help of a courier);
  • the data must be processed to fulfil obligations to the organisation, (eg, a person orders a new TV in an electrical goods store, and the store processes the customer’s payment data to receive payment);
  • the contract has not been concluded, but the person has asked to perform an action, as a result of which the contract could be concluded, (eg, a person wants to buy travel insurance, but before buying it, they want to find out how much the policy will cost with a particular insurer, so they first submit their data to the insurer).

Finally, compliance with warranty provisions may also be a part of the performance of the contract, therefore it may require the storage of certain data even after the sale of the goods, and such processing will be justified by the performance of the contract.

AI analysis of phone conversations

The Danish regulator investigated an insurance company’s, (IDA Forsikring), use of artificial intelligence for the analysis of recorded telephone conversations. The decision states that incoming telephone calls were recorded, after which the audio files were sent for analysis to a data processor, which converted them into text using self-developed speech recognition, partly to make the recordings searchable. The purpose of the analysis is to improve IDA Forsikring’s member service, ensure quality and give employees insight into their conversations in order to strengthen the service to members.

The regulator found that there is a valid legal basis for this processing under the GDPR; however, the current process for obtaining consent from callers does not meet the data protection rules.

More enforcement decisions

Mass claim dismissed: A Dutch court has rejected collective damage claims in a data security case. The claims were made against several government agencies for inadequate protection of personal information, according to a cms-lawnow.com blog. There were significant security vulnerabilities in the IT systems that local health services employed during the COVID-19 pandemic. For months, some 35,000 employees had access to millions of people’s sensitive personal data. It was discovered that 1,250 people’s data had been taken. Based on European case law, the court deduced that non-material damages may only be granted to those who have suffered injury as a consequence of the GDPR violation. Mere concern about a potential future breach, arising from the possibility that third parties illegally obtained personal data, is insufficient.

Delayed data access request: The Belgian regulator sanctioned a telecom operator 100,000 euros for a 14-month-late reply to a right-of-access request. The complainant and the defendant went through a mediation process after a contractual issue. The accused party acknowledged its error. Still, the complainant was not satisfied and then made use of their access rights. Among other things, they were interested in learning the names of the workers who had processed their data and why they had done so. They submitted their request, making it clear that they wanted it forwarded to the DPO. Nevertheless, even though two staff worked on the request, it was neither approved nor forwarded to the DPO.

Data security

Biometrics and 2FA: Biometric procedures such as fingerprint and facial recognition are popular with consumers because they allow quick and easy access to online services as part of 2FA. But how secure is this authentication option in practice? The Federal Office for Information Security in Germany offers a white paper for developers and operators on biometric procedures in two-factor authentication, (in German), where the knowledge factor, (PIN or password), is replaced by biometrics.

Data protection-compliant redaction of documents: PDF and Office files can remain fully readable despite being blacked out with shapes or coloured bars, reiterates the Saxon data protection authority. Often users only have to select the supposedly blacked-out content in the file and copy it into a text editor, and everything is readable again. Moreover, with the help of artificial intelligence, blurred content can certainly be reconstructed. It is therefore important that data is not only visually but also technically removed or edited, (before any redactions, it is recommended to make a backup copy of the original file).

Also, because Office metadata may contain a history of changes and other information about the author, their location, etc, the redacted Office document should not be shared in its original file format, (docx). Instead, save or export the file as a PDF document, or, if an editable version is necessary, copy all the already anonymised text into a new document and then share the new document. Similarly, an edited image must be saved in a file format in which the original layer cannot be restored. The JPG format, for example, is ideal for this.
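A pre-sharing check along these lines for an Office document, added here as an example and not taken from the Saxon authority or the post: a .docx is a zip of XML parts, so the script builds a constructed minimal one in memory, then reports whether the text that was supposed to be removed is still extractable from word/document.xml and which person-identifying properties docProps/core.xml still carries. The sample text, names and must_not_contain list are constructed for the demonstration; only the Python standard library is used.

```python
"""Added example (not the Saxon DPA's tooling): check a 'redacted' .docx before
sharing it. Visually blacking out text leaves the <w:t> runs in word/document.xml
untouched, and docProps/core.xml keeps the author and last editor."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"

# Core properties that identify a person; a subset chosen for this demo.
PERSONAL_PROPS = {
    f"{{{DC_NS}}}creator": "creator",
    f"{{{CP_NS}}}lastModifiedBy": "lastModifiedBy",
}


def build_sample_docx(body_text: str, creator: str, last_modified_by: str) -> bytes:
    """Constructed minimal .docx standing in for a real file. Real files carry
    more parts; these two are the ones the check inspects."""
    document_xml = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
        f"<w:t>{escape(body_text)}</w:t></w:r></w:p></w:body></w:document>"
    )
    core_xml = (
        f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
        f"<dc:creator>{escape(creator)}</dc:creator>"
        f"<cp:lastModifiedBy>{escape(last_modified_by)}</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def extract_text(docx_bytes: bytes) -> str:
    """Join every <w:t> run of the main document part: this is the text a
    recipient gets by selecting the blacked-out region and copying it out."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter(f"{{{W_NS}}}t"))


def extract_personal_metadata(docx_bytes: bytes) -> dict:
    """Return the non-empty person-identifying core properties, if the part exists."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    found = {}
    for tag, label in PERSONAL_PROPS.items():
        el = root.find(tag)
        if el is not None and (el.text or "").strip():
            found[label] = el.text.strip()
    return found


def check_redaction(docx_bytes: bytes, must_not_contain: list) -> dict:
    """Report leftover sensitive strings and personal metadata. safe_to_share is
    True only when neither survives; must_not_contain lists what the redaction
    was meant to remove."""
    text = extract_text(docx_bytes)
    leaked = [s for s in must_not_contain if s in text]
    metadata = extract_personal_metadata(docx_bytes)
    return {
        "leaked_strings": leaked,
        "metadata": metadata,
        "safe_to_share": not leaked and not metadata,
    }


if __name__ == "__main__":
    # Constructed sample: text "covered" with a black shape but never deleted.
    visually_redacted = build_sample_docx(
        "Patient Jane Doe (born 1980-01-01) tested positive.", "A. Clerk", "B. Editor"
    )
    print(check_redaction(visually_redacted, ["Jane Doe", "1980-01-01"]))
    # Constructed sample: text actually replaced and author fields cleared.
    properly_redacted = build_sample_docx("Patient [REDACTED] tested positive.", "", "")
    print(check_redaction(properly_redacted, ["Jane Doe", "1980-01-01"]))
```

Run against a real file, the same two functions apply to the bytes read from disk; the check only covers the main text part and the core properties, not comments, tracked changes or embedded images.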

Big Data

Uber case explained: Uber was fined 290 million euros by the Dutch regulator for failing to implement adequate measures when transferring drivers’ data, including certain sensitive categories, to the US. The company discontinued using the “Privacy Shield” in 2021 when it was shown to be invalid. Uber later said that it complies with the new EU-US Data Privacy Framework implemented only in 2023; nevertheless, there remain at least two years where driver data may not have been protected.

During this period of legal uncertainty, Uber was sending data to its San Francisco headquarters without the drivers’ express consent or the use of the EU Standard Contractual Clauses (SCCs).

Clearview AI fine: The Dutch data protection authority has imposed a fine of 30.5 million euros and orders subject to a penalty for non-compliance of up to more than 5 million euros on Clearview AI. Clearview is an American company that offers facial recognition services. Among other things, Clearview has built an illegal database with billions of photos of faces, including of Dutch people. The Dutch regulator warns that using the services of Clearview is also prohibited.

Meta Pixel: The Swedish Data Protection Authority IMY decided on hefty fines against Apoteket and Apohem AB. This was after the companies used the Meta pixel on their websites and transferred privacy-sensitive personal data to Meta, (the tool is dedicated to improving the company’s marketing on Facebook and Instagram). Moreover, the companies did not have the routines required to discover the deficiencies themselves. The transfer of personal data had been going on for a long time and was only stopped after the companies were made aware of the incident by third parties. 

Data protection digest 5-19 Jul 2024: LLMs and personal data, social media monitoring, differential privacy
https://techgdpr.com/blog/data-protection-digest-22072024-llms-and-personal-data-social-media-monitoring-differential-privacy/ (Mon, 22 Jul 2024 10:16:09 +0000)

In this issue we highlight SOCMINT as a new standardised procedure, data processing in LLMs and supported AI systems, an updated standard data protection model, third-party tracking technologies in health and care, and much more.

Stay up to date! Sign up to receive our fortnightly digest via email.

LLMs and personal data

The Hamburg Data Protection Commissioner discusses whether Large Language Models store personal data. It distinguishes between an LLM as an AI model, (eg, GPT-4), and as a component of an AI system, (eg, ChatGPT). The mere storage of an LLM does not constitute processing. Thus, data subject rights cannot relate to the model itself. Claims for information, deletion or correction can rather relate to the input and output of an AI system of the responsible provider or operator. 

To the extent that personal data is processed in an LLM-supported AI system, the processing operations must comply with the requirements of the GDPR. This applies in particular to the output of such a system. Similarly, any training that may violate data protection regulations does not affect the legality of using such a model in an AI system. See the full discussion paper here.

The most recent clarifications by the French CNIL on the deployment of Generative AI systems and the official EU AI Compliance Checker might be useful for your organisation. The latter also recommends that you obtain expert legal advice before using AI solutions.

Privacy notice

The UK Information Commissioner encourages people to check how an app plans to use their personal information before they sign up. It is far too easy to just click “agree” when installing a new app. But signing up often involves handing over large amounts of your sensitive personal information, especially with apps that support our health. An organisation that values your privacy will make its privacy notice easy to understand and set out how it will use your personal information, with whom it will be shared, what are the security measures, and whether your data will be deleted when you stop using it. 

CCTV

The operation of CCTV in gym facilities, on the one hand, should aim to ensure the protection of the facilities in question while on the other hand, it should respect the right of customers and employees to protect their privacy, reiterates the Cyprus data protection authority. CCTV can be permitted at a gym entrance/exit, parking space, reception, (only the cashier), and general perimeter of the gym property. 

It is not allowed in the areas where persons exercise, kitchens, restrooms/ changing rooms, and offices. Audio recording is not allowed under any circumstances. Video material must be accessible only from a device which is located within the premises of the gym and to which only the director and/or an authorised person has access. Access to said material, from a personal device and on an ongoing basis, is not permitted. 

More official guidance

EU-US DPF: The EDPB has published the EU-US Data Privacy Framework FAQ for European individuals and businesses: how to benefit from it, how to lodge a complaint and how this complaint should be handled by the EU and US authorities. It also includes what to do before transferring personal data to a DPF-certified company in the US, (data controllers or processors), and self-certification of US subsidiaries of EU/EEA businesses.

DPIA: Industry professionals and interested parties are invited by the Latvian data protection authority DVI to share their thoughts and provide real-world examples of the Data Protection Impact Assessment. It is a procedure by which, through risk inventory, analysis, and evaluation of prospective outcomes, (identifying severity and likelihood), the organisation can identify potential dangers to natural persons that may occur from planned data processing. The DPIA also includes the identification of measures to prevent possible risks. The draft guidance can be read here, (in Latvian).

AI projects sandbox: The Danish data protection authority has selected two AI projects for examination in its sandbox project. One wants to develop an AI insurance assistant for structuring and summarising accident claims, (to determine the degree of injury more quickly than today). The other is a public-private innovation to develop a solution that will ease the documentation burden for employees in health and care.

Social media monitoring

According to Privacy International, social media monitoring, or SOCMINT, is becoming more common and standardised but is still mostly uncontrolled and inconsistent. One of the most vivid examples is fraud investigations by the UK Department for Work and Pensions. Alongside covert surveillance tactics, the department’s staff guide has an entire section on “Open Source Instructions” on the use of publicly available information.

However, such invisible monitoring goes against or beyond individuals’ reasonable expectations and their possibility to anticipate intrusive examination. 

GDPR in practice

The Fundamental Rights Agency recently published the report “GDPR in practice – the experience of data protection authorities”. All the improvement areas directly or indirectly target the availability of human, financial and technical resources. In particular, underfunded and understaffed authorities are obliged to prioritise complaints handling over other regulatory tasks that the GDPR has entrusted to them – such as promoting awareness and providing advice, undertaking their own investigations and external cooperation.

SDM 3.0

The German Data Protection Conference published the updated Standard Data Protection Model – a method for data protection advice and testing based on uniform objectives, Data Guidance reports. In particular, the model transfers the legal requirements into technical and organisational measures required by the GDPR, which are detailed in the catalogue of reference measures. The SDM is aimed at both the supervisory authorities and those responsible for processing personal data. 

EHDS

In the next couple of years, patients, healthcare providers, and authorised researchers within the EU will start using the European Health Data Space, for which a DLA Piper legal blog provides the standards on the electronic health record system. Interoperability and the logging component are two essential components of the software that make up this records system. Further requirements for conformity can be read in the original analysis.  

More legal updates

Dark patterns: The Canadian Privacy Commissioner, together with other counterparts, conducted a review of over 1000 websites and apps and found that nearly all had at least one deceptive design element that potentially violated privacy requirements. This includes complex and confusing language, interface interference, nagging, obstruction, and forced action, (tricking users into disclosing more personal information to access a service than is necessary). When two or more deceptive design patterns are used together, they can become more effective.

HBNR: Starting in July, the amendments to the US Health Breach Notification Rule went into effect. These now expressly cover health apps and similar technologies not covered by the Health Insurance Portability and Accountability Act (HIPAA). HBNR requires vendors of personal health records and related entities to notify individuals, the Federal Trade Commission, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to notify such vendors and related entities.

Rhode Island became the nineteenth US state overall and the seventh state in 2024 to enact a comprehensive privacy law, The Future of Privacy Forum sums up. The law will take effect starting in 2026. The law includes familiar terminology and core obligations, such as controller/processor responsibilities, rights of access, correction, deletion, portability, express consent for processing sensitive data, and disclosure requirements, but lacks data minimisation requirements or an obligation for controllers to recognize universal opt-out mechanisms. 

Enforcement decisions

Smart cameras in Turin: The Italian regulator Garante sent a request for information to the Municipality of Turin on a new video surveillance system that, reportedly, would also use AI. It would allow municipal police to understand in real-time whether it is necessary to intervene in an emergency or for safety reasons. The Municipality was given 15 days to clarify the advanced features of the camera, and also send a copy of the technical documentation, and the purposes and legal basis of the processing of personal data.

Personal details on the intranet: The Finnish regulator ruled that a company, (a bus operator), did not have the right to publish 300 employees’ personal phone numbers on the intranet. The company argued it is important for drivers to communicate with each other while working. On their work phones they can only call predefined numbers, and sending text messages is blocked. The regulator argued that the work numbers should be the preferred means of communication between drivers. In addition, employees’ data may only be processed by persons whose job duties demand it, such as supervisors or HR.

Local government data: The UK Information Commissioner issued the London Borough of Hackney council with a reprimand following a cyberattack in 2020 that led to hackers gaining access to and encrypting 440,000 files. The data included residents’ racial or ethnic origin, religious beliefs, sexual orientation, health, economic data, criminal offences, and other data including basic personal identifiers such as addresses. Hackers also deleted 10% of the council’s backup. The systems were disrupted for many months with, in some instances, services not being back to normal until 2022. 

Drugstore visitors’ tracking

The Dutch data protection authority, (AP), has imposed a fine of 600,000 euros on the parent company behind drugstore Kruidvat. The company, (AS Watson BV), tracked millions of visitors of Kruidvat.nl without their knowledge or permission, and was able to create personal profiles noting which pages they visited, which products they added to their shopping cart and bought, and which recommendations they clicked on. In the cookie banner on Kruidvat.nl, the boxes to agree to the placement of tracking software were checked by default. Visitors who wanted to refuse them had to go through several steps.

More data on the use of third-party tracking technologies in the health and care sector can be read here.

Background checks: The province of British Columbia and the Privacy Commissioner of Canada have joined forces to investigate Certn Inc., a business that provides landlords with tenant screening services. They will look at whether Certn complies with the requirements of both the federal Personal Information Protection and Electronic Documents Act and the Personal Information Protection Act of British Columbia, (where the company is based). In particular, it will look at whether the data it gathers, uses, and discloses for tenant screening is sufficiently accurate, complete, and up to date. 

Data security

Differential privacy: The latest US NIST cybersecurity insights discuss protecting trained models in Privacy-Preserving Federated Learning. The techniques must be combined with an approach for output privacy, which limits how much can be learned about individuals in the training data after the model has been trained. 

Differential privacy is the most robust known type of output privacy. To protect against privacy threats, techniques for differentially private machine learning incorporate random ‘noise’ into the model during training. The training data cannot be later recovered from the model because the random noise prevents the machine from remembering details from the training set.

Global IT outage: A Reuters analysis briefly explains the latest cyber outage when CrowdStrike’s software update caused Microsoft Windows to crash. Companies such as CrowdStrike employ cloud-based solutions for virus scanning, early warning systems for possible cyberattacks, and barriers against hackers accessing company networks without authorisation. This time, a conflict appeared between CrowdStrike code and the Windows operating system’s code, which is why certain PCs crashed even after they were rebooted. 

Big Data

Chromebooks: The Danish data protection authority has assessed that 52 municipalities are now complying with its order from January to stop passing on the personal data of school children for unauthorised purposes to Google. There have been adaptations to the contract that ensure that personal data will only be processed following the instructions of the municipalities. The Danish regulator has also asked for the EDPB’s opinion on a final assessment of the data processing chain in the municipalities’ use of Google’s products, (including for maintenance of infrastructure from the supplier’s side).

Oracle settlement: Oracle has reached a $115 million privacy settlement in the US. The digital files of hundreds of millions of people, reportedly containing where they browsed online, where they did their banking, bought gas, dined out, shopped and used their credit cards, were allegedly sold by Oracle directly to marketers. The company also agreed not to gather in future user-generated information from URLs of previously visited websites, or text that users enter in online forms other than on Oracle’s websites.

Data protection digest 18 Apr – 02 May 2024: EU-US redress mechanism and European Health Data Space taking shape
https://techgdpr.com/blog/data-protection-digest-06052024-eu-us-redress-mechanism-and-european-health-data-space-taking-shape/ (Mon, 06 May 2024 08:42:35 +0000)

As part of the new EU-US redress mechanism, data subjects in the EU/EEA will have access to specific complaint forms in the event that they suspect violations regarding their data transferred to the US, whether related to commerce or unlawful access to it by signals intelligence activities.

Stay tuned! Sign up to receive our fortnightly digest via email.

EU-US redress mechanism

The EDPB has completed its much-anticipated Information Note and a Complaint Form for EU/EEA individuals about alleged violations of US law concerning personal data collected by US national security authorities. It applies regardless of the transfer tool used to transfer the complainants’ data to the US, (Data Privacy Framework, standard or ad hoc contractual clauses, binding corporate rules, codes of conduct, certification mechanisms, derogations). However, this redress mechanism only applies to data transmitted after 10 July 2023. 

In short, after receiving and verifying the complaint, the data protection authority, (DPA), will transmit it, in an encrypted format, to the EDPB Secretariat. The latter will then transmit it to the US authorities for a binding decision, taken by the Office of the Director of National Intelligence’s Civil Liberties Protection Officer, (CLPO). Complainants can appeal the CLPO’s decision before the Data Protection Review Court within 60 days after receiving the notification by the DPA. There is also a possibility to complain about commercially related violations to EU DPAs. 

In July 2023, the European Commission decided that the US ensures an adequate level of protection for personal data transferred from the EU to organisations in America that are included in the ‘Data Privacy Framework List’, without the need to rely on Art. 46 GDPR transfer tools, (standard data protection clauses, binding corporate rules). The US Government in the meantime aims to introduce safeguards against bulk and targeted collection of intelligence signals, (eg, FISA Section 702), that apply to all data transferred to the US, regardless of the transfer tool used by the EU exporters.

More legal updates

FISA Section 702 reauthorised: In parallel, a new US bill just signed into law extends a key US surveillance program for another two years. Legislators claim the surveillance tool first authorised in 2008 is crucial in disrupting terrorist attacks, cyber intrusions, and foreign espionage. It permits the government to collect without a warrant the communications of non-Americans outside the country. Amendments to protect Americans’ communications when they are in contact with those targeted foreigners, by getting a prior warrant from a judge, failed the final passage. 

UK adequacy threatened: The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, (LIBE), has criticised the overall direction of the UK Government’s data policies. Current governmental actions are eliminating constraints arising from European or international law and limiting the impact of European court jurisdiction and interpretations on UK law. Concerns exist about UK intelligence agencies, especially their bulk collection of communication data, which is not in line with the EU Charter of Fundamental Rights. Thus, the UK could become a transit country for data that cannot be sent from the EU/EEA to “inadequate” third countries.

UK data protection reform moves on: The new Data Protection and Digital Information Bill went through the final examination of the committee stage. After the final reading, followed by the consideration of amendments stage in Parliament, (which can be a lengthy process), it will be presented for Royal Assent to become law. The new law promises to solve the complexity of the current regulatory regime, reduce compliance costs, and remove barriers to responsible innovation so that firms, public sector organisations and consumers can take “full advantage of the benefits” of data. 

Data Scraping

Data scraping by private actors is almost always illegal, explains the Dutch data protection authority AP. Scraping is the automatic collection and storage of information from the Internet. In several cases it is clearly not allowed, including: a) scraping the internet to create profiles of people and resell them; b) scraping information from protected social media accounts or private forums; c) scraping data from public social media profiles for insurance matters, etc.

A widespread misunderstanding is that scraping is allowed because everything on the internet is already available to everyone. Public availability does not imply consent by the individual. Private businesses or individuals cannot rely on legitimate interest for scraping if the sole purpose is making money. However, scraping can be justified when, for example, a company collects information from media outlets about its own activities.

More official guidance

EU-US redress mechanism

Targeted advertising: A CJEU Advocate General’s opinion in the Schrems/Meta case, (C-446/21), similarly states that processing data for personalised advertising purposes cannot be justified just by meeting “the manifestly made public” condition for special category data. It rather elevates the particular protection granted to the special categories of data under Art. 9 of the GDPR, which means that it still must be evaluated as “ordinary” personal data, treated lawfully, clearly, and proportionately, and respecting the purpose limitation principle.

BCRs maturity test: The French data protection authority CNIL published a self-assessment tool to test the level of maturity of organisations’ Binding Corporate Rules for restricted data transfers. The companies concerned are multinational private businesses established in several countries of the EU and abroad. The set of resources covers all stages of a project, from its preparation to the approval procedure. The test is to be completed by the data protection officer or any other person in charge of the BCR project.

Health Breach Notification: The US Federal Trade Commission finalised changes to the Health Breach Notification Rule. It underscores its application to health apps and similar technologies not covered by HIPAA, and obliges them to notify individuals, the Commission, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to those vendors and related entities to notify them following the discovery of a breach.

Safe biometric technology use

The Dutch data protection authority AP answers some frequently asked legal questions about facial recognition. The document is intended for privacy professionals and organisations that want to use facial recognition. Facial recognition is in principle prohibited. One of the exceptions is when facial recognition is necessary for authentication or security purposes (eg, the security of a nuclear power plant, or military production needs). However, this applies only once a data protection impact assessment, (DPIA), has been carried out, demonstrating that it is necessary and that there is an important public interest.

The AP also defines under which conditions there can be ‘personal or household use’ when applying facial recognition. An example is unlocking a phone with facial recognition, if the biometric data is stored on the phone itself and the user decides what happens to that data. It must be up to the user to decide whether to unlock the phone using a PIN code or face recognition.

European Health Data Space

MEPs approved the creation of the European Health Data Space, improving citizens’ access to their health data and boosting secure sharing in the public interest. Universal electronic health records, (EHR), will include patient summaries, electronic prescriptions, medical imagery and laboratory results. They will be available to health professionals across the EU, (with the patient’s consent), and to trusted entities such as clinical researchers, statisticians and policy-makers, (in an anonymised or pseudonymised format). Once officially published after the Council’s approval, it will apply two years later, with some temporary exceptions for specific categories of data.

Illicit SIM card activation fine

A company in Italy that manages two phone shops will have to pay 150,000 euros for having illicitly activated SIMs, subscriptions and charges for the purchase of cell phones and GPS trackers using the personal data of hundreds of users without their knowledge. The company had activated 1,300 telephone cards using data and identity documents extracted from the systems of the telephone operator whose products it sold, and unduly retained in-store. For instance, a complainant was charged on her credit card for the activation of a new contract in the name of her deceased husband.

The company had also activated unsolicited services by inducing customers to sign, via a tablet, without clarifying the consequences of such consents, along with selling mobile phones which had not been requested by customers nor delivered to them. The company had evaded the controls of the telephone operator and the related provisions regarding the processing of user data, thus acting as an independent data controller.

More enforcement decisions

Cookie collection without notice: The Croatian data protection regulator issued administrative fines of 15,000 and 20,000 euros on operators of gambling and betting activities due to the illegal processing of personal data through cookies, without allowing the users to give or withdraw their informed and voluntary consent. In particular, the controllers did not separate the cookie banner or enable respondents to consent to different purposes, (marketing, analytics/statistics).

The controller also did not adequately inform the users about the legal basis, groups/types of cookies, the function/purpose of each cookie, and the cookie storage period. In addition, the data controller was fined for processing the respondents’ data at the very moment of loading the website, (since the respondents were not informed about the processing).

Prohibited employment practices: The French CNIL issued a formal notice to a company to minimise the collection of candidates’ data. The company required applicants to provide their place of birth, nationality, marital status, (spouse’s name and surname, date and place of birth, their profession, the number of children and their age), as well as all salaries received in previous companies. This information was not necessary for assessing the candidate’s ability to perform the job. An aggregate level of detail reflecting the candidate’s nationality, (French, EU and non-EU categories), would suffice. The candidate could, however, on their own initiative, provide any useful information, including to justify their salary claims.

Ring case

In the US, following a settlement with Ring, the Federal Trade Commission is returning more than 5.6 million dollars to customers. The company allowed employees and contractors to access consumers’ private videos and failed to implement security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos. Ring also deceived its customers by failing to restrict employees’ and contractors’ access to customers’ videos, and used those videos to train algorithms without consent.

Data security

Ransom attack: The EDPB provided a summary of a recent Greek regulator fine where a company, (Hellenic Post Services ELTA SA), failed to implement technical and organisational measures, resulting in unauthorised access by third parties. In the first incident, a malicious attack by third parties encrypted data and a ransom was demanded; the second incident involved the leakage of personal data, which was subsequently published on the Dark Web.

Cybersecurity tool: The UK National Cyber Security Centre issued the latest version of the Cyber Assessment Framework, reflecting the increased threat to critical national infrastructure. The guide is for all organisations responsible for securing critical network and information systems, covering remote access, privileged operations, user access levels and multi-factor authentication, (B2a and B2c principles). Other organisations may find this tool useful too.

Strong password rule: In the UK, makers of phones, TVs, and other internet-connected smart devices are now legally required to meet minimum security standards, states the Department for Science, Innovation and Technology. Manufacturers are banned from shipping weak default passwords like ‘admin’ or ‘12345’, and if a device has a common default password the user will be prompted to change it on start-up.

Big Tech 

Data brokerage: A new data broker restriction was signed into law on 24 April in the US, the JDSupra law blog reports. The ‘Protecting Americans’ Data from Foreign Adversaries Act of 2024’ prohibits data brokers from sharing sensitive personal information with a broad range of entities that may have ties to Russia, China, Iran, and North Korea. This includes data on finances, genetics, health, biometrics, communication contents, exact geolocation, and data about minors. Under the Act, a “data broker” is any organisation that, in exchange for a significant fee, provides data to another organisation that is not acting as its service provider.

US TikTok/China row: ByteDance would prefer TikTok be shut down rather than sold if the Chinese owner exhausts its legal options in fighting legislation to ban the platform from US app stores, according to Reuters. The US recently passed legislation allowing for the suspension of the popular service due to widespread concerns that China may access Americans’ data or use the app for spying. TikTok’s major assets include its algorithms, source code, user data, and product operations and management. However, Chinese export rules protect TikTok’s intellectual property, making it difficult for US buyers to acquire the source code and similar assets.

“Cookie pledge” fails: As Google delays the demise of third-party cookies, a European Commission campaign to get Big Tech companies to voluntarily commit to a “cookie pledge” has reportedly failed. The draft pledging principles would ensure that users receive concrete information on how their data is processed and on the consequences of accepting different types of cookies; consent should not be asked for again for a year once it has been refused. Some companies lost interest in the proposal since they depend on data harvesting for income, while others were worried that it would not comply with existing laws.

The post Data protection digest 18 Apr – 02 May 2024: EU-US redress mechanism and European Health Data Space taking shape appeared first on TechGDPR.

Data protection digest 16 Nov – 1 Dec 2023: APIs methodology, customer data minimisation, and digital mobility observatory (https://techgdpr.com/blog/data-protection-digest-04122023-apis-methodology-customer-data-minimisation-and-digital-mobility-observatory/, Mon, 04 Dec 2023 12:22:54 +0000)

In this issue, you will find data protection solutions for complex data-sharing projects for both public and private actors, such as the latest APIs methodology, as well as a variety of official guidance on how to comply with GDPR requirements when it comes to innovation, research, digitisation and digital business development.

Official guidance

APIs methodology: The French data protection authority CNIL issued a methodology guide for the use of application programming interfaces by all actors in the data-sharing chain, (in the context of a legal obligation, scientific research, for commercial or non-commercial purposes, with or without access restrictions, etc). All categories of APIs are covered by the recommendations when they are used by organisations for the sharing of personal data. Three technical roles are introduced: a) the data holder, b) the API manager, and c) the data re-user. However, the roles defined in this APIs methodology guide do not in any way prejudge the legal responsibility of each of the organisations. This responsibility must be determined by a case-by-case analysis. Read the full guide in French here

Medico-social sector: The CNIL also published a “retention periods” reference framework for the most frequent processing operations in the social and medico-social sectors and a practical guide proposing a methodology for the professionals concerned, (in French). The guidance is intended for public and private bodies such as social life support services, residential establishments for dependent elderly people, and administrative and judicial services for the protection of adults and minors.

Streaming platforms: The most common processing by streaming platforms includes identity and contact information, billing details, behavioural data, and technical information, explains the Latvian regulator. These data may be necessary to perform the contract, and other legal obligations, or to improve the service. However, additional processing for marketing needs generally falls outside this list and requires the prior consent of the user. Each legal basis provides a different scope of the data subject’s rights. Individuals should be free to stop data processing based on their consent, and the withdrawal of consent should not affect their ability to receive the content.

Legal processes

EU Data Act adopted: On 27 November a new law was adopted on fair access to and use of data. This is one of the five pieces of legislation included in the European Data Strategy package. Among other things, the data regulation sets out measures that allow users, (B2C, B2B and B2G), of various devices to access the data they create, which is often only collected by manufacturers, and to share this data with third parties to provide various data-based services. In addition, the regulation allows public sector authorities to obtain data held by the private sector if needed in emergencies. The Data Act will apply in twenty months’ time, in mid-2025.

UK data protection reform: The UK government says it has carefully prepared a set of changes to the domestic, (post-Brexit), data protection legislation in 2024. Among many things, it includes clarification that data controllers only need to conduct reasonable and proportionate searches in response to a data subject access request. Another example is new powers to require data from third parties, particularly banks and financial organisations, for fraud checks. The proposal also covers using biometric data, such as fingerprints, to strengthen national security. Find the full list of the latest amendments here

Automated decision-making: Meanwhile the California privacy protection agency released a draft rulebook on automated decision-making technologies. The proposed regulations would implement consumers’ right to opt out of, and access information about, the technology, as provided for by the California Consumer Privacy Act. The agency expects to begin formal rulemaking next year. The decision-making processes in this case include decisions about employment and compensation; profiling an employee, contractor, applicant, or student; using facial-recognition technology or automated emotion assessment to analyse consumers’ behaviour in public places, and more.

Data subject rights

A copy of your data: this is a collection of personal data held by a controller in a viewable file or document. It should be understood that this is a collection of information, and not a simple copy of one or several physical documents. If you know that a controller, (natural or legal person, public institution or other body), has your data, you can request a copy. You must identify yourself by providing at least your first and last name and any additional information the organisation requests, and, if possible, include the period and other details. The organisation will “extract” information from its documents, information systems and other places, and will collect it in one place so that it can be issued.

If you submit the request electronically, the organisation is obliged to issue a copy in a usable electronic form. On the other hand, if you need information in a different format, this should be indicated in the request. A copy of personal data can also be cut from an audio or video recording, explains the Latvian regulator. Possible reasons for refusal may be, for example, problems in identifying a person, the requester’s data not being or no longer being at the disposal of the organisation, or a vaguely expressed request, such as “Show me all my data”. Likewise, data may be withheld where specific data must not be released to investigative bodies, financial institutions or other public administration bodies.

DP tools

OLIVIA: The Croatian data protection authority has presented a virtual teacher and assistant for compliance with the GDPR, (available in English), giving entrepreneurs the opportunity to learn what their basic obligations are, test their knowledge and create basic documents (eg, self-assessment reports, information notices or cookie banner examples), which help to prove compliance. You can test the OLIVIA tool here.

Digital development: A similar tool for data protection has been issued by the Swedish data protection authority aiming at public actors working with innovation, digitisation and digital business development. The methodology is based on two overarching prerequisites:

  • An organisation that is to innovate must take into account the data protection regulations on an ongoing basis during the innovation work.
  • Continuous and structured cross-functional collaboration is required between the actors – lawyers, technicians and managers – that participate in the innovation work.

The tool, (in Swedish only), is available here

Discussion papers

Health research: In Germany, medical research projects are often carried out in more than one federal state. Depending on the research location, different data protection requirements must be observed, according to the Data Protection Conference. Differences exist regarding the admissibility of data processing, (various legal bases), the definition of the areas of protection, including patients and relatives, and the permissible purposes of processing. Thus, the regulator is appealing to federal and state legislators to clarify the relevant data protection regulations and is ready to assist.

Legal bases for using AI: The Baden-Württemberg data protection authority published a discussion paper, (in German), on the legal basis for data protection when using AI, and invited public comments. The legal bases mentioned in Art. 6 of the GDPR are generally available for use by businesses, with legitimate interest being of particular importance and contractual necessity suitable to a certain extent. Finally, the criteria for valid consent could be particularly hard to meet due to the lack of transparency and traceability of complex AI systems.

Mobility data: The Luxembourg data protection agency adopted an opinion on the creation of a Digital Mobility Observatory under the authority of the government. Its mission will be to provide the data necessary for the planning of infrastructure to fit the changing needs of the population and businesses. The regulator wonders whether the observatory can function without processing personal data, by carrying out mobility studies on anonymised data. 

The regulator also doubts that all the processing complies with the principles of necessity and proportionality. The observatory would have access to a series of personal data, such as place of residence, employment status, gender, household composition and income range held by various public administrations. Moreover, even private entities would be obliged to grant access to their data, such as mobile operators.

EU-US data transfers

Data Protection Review Court: The Biden administration formed the first panel of judges for a new court, mandated by the EU-US Data Privacy Framework. The Data Protection Review Court was created through a presidential Executive Order in 2022. The panel will examine claims brought by individuals in the EU who believe the US government is digitally surveilling them in violation of US laws. The attorney general-appointed special advocate will represent the claims. According to a Politico analysis, the judges have the authority to make binding and final rulings that the intelligence community must follow if they determine a violation. 

Enforcement decisions 

Non-retroactivity of DPAs: The Belgian data protection agency recently decided on the invalidity of retroactive data processing agreements. The case concerns a public authority and its processor, for various infringements of the GDPR, including the lack of a timely signed data processing agreement. These agreements should be in place before any personal data processing activities commence. A clause confirming the retroactive application of the agreement to a date after the application date of the GDPR would not remedy this, as it prejudices the rights of third parties, such as data subjects. Read the analysis by DLA Piper of the case here

Outdated TOMs: The Norwegian Labour and Welfare Service was fined approximately 1.7 million euros for various infringements of information security in its IT systems over a long period. This includes a large number of staff working on cases from all over the country, within several service areas, and thus having wide access to highly sensitive data. Additionally, no systematic control of staff use of the IT systems had been established, and the use of the system was largely based “on trust”.

Waste disposal: The Dutch regulator imposed a fine of 30,000 euros on a municipality for keeping information about waste from individual households for much longer than necessary. The wheelie bins and tokens for the waste compartments have a chip with a number that is linked to a home address. But the ‘dumping data’ was kept for far too long. Bin data was kept for as long as they were in use and token data was stored for 5 years. That is much longer than necessary to check whether a household exceeds the permitted waste amount. The data retention periods are now shortened to 14 days. The municipality also finally sent information letters about the technology, (in use from 2018).

Compliance audits

Customer data: The UK Information Commissioner’s Office assessed the compliance of some major customer-facing employers in the country. Some of the good practice identified was in staff training and disciplinary measures, data minimisation and access controls, and customer complaint mechanisms. For example, Uber Eats allows couriers to view only limited delivery and customer data and the delivery address. If opting for a call, temporary phone numbers appear at both ends to avoid disclosing actual phone numbers, while messages are sent within the app. After the trip ends or in case of cancellation, the courier loses retrospective access to that data. Read more positive examples here.

Similarly, the Commissioner’s Office carried out a consensual audit of Fluent Mortgages Horwich, after a series of complaints from individuals about disclosures of personal data to third parties and the withholding of call recordings. The regulator stated the need for more specific training for those responsible for handling data subject requests and for performing data protection impact assessments. Also, processing activities may not all have been correctly identified. As a result, the company may not have identified a lawful basis for all of its processing.

Data security

Data classification: The US NIST has released for public comment a draft internal report on data classification concepts and considerations for improving data protection. This publication describes a lifecycle that focuses on the high-level phases important to data classification: identify, use, maintain, and dispose of. However, not all data lifecycle phases occur for every data asset. Also, how a data asset is represented can be described in three broad categories: structured, semi-structured, and unstructured.

Once data classifications are assigned, the organisation needs to enforce the data protection requirements. These encompass all of the controls needed to protect each data asset. An example would be: to encrypt the data asset when at rest or in transit, use a data integrity mechanism to detect tampering, allow access by members of a particular group only, and retain the data asset for a fixed period from the date it was acquired. Read more in the original paper.

Catalogue of security measures: Meanwhile the Danish data protection authority published a list of security measures that companies and authorities can consider in various contexts, (in Danish). Many of the measures contain concrete examples based on the regulator’s experience, reported data breaches, the EDPB’s guidelines and applicable ISO standards. The catalogue has been created in close cooperation between lawyers and IT security consultants and can function as a reference paper. Many measures can be implemented as part of the privacy-enhancing functions that support data protection in IT systems. However, the final assessment of necessary measures is always made by the organisation based on a concrete risk evaluation. 

Big Data

Healthcare data for sale: In the US, the University of Iowa Hospitals & Clinics is in settlement negotiations with a woman who alleges the hospital shared confidential patient information with Facebook. It allegedly installed on its websites two sets of computer code that tracks the online activity of people. That information then could be shared with Facebook, linked to the individual account, and sold to marketers who can then target the individual with ads tailored to their medical issues. The lawsuit seeks class-action status to represent a broad array of patients.

Meanwhile, in the UK, four organisations are suing NHS England, arguing that it lacks the legal authority to establish the Federated Data Platform (FDP). NHS England caused a stir when it awarded the US espionage tech company Palantir a 330 million pound contract to create and run the FDP for seven years starting in the spring of next year. The platform consists of software that will make information sharing across health service trusts, integrated care systems and regional groupings of trusts much easier. It claims this will enhance patient care, and tackle the current 7.8m-strong total case backlog, The Guardian sums up.


Data protection digest 2 – 17 October 2023: DPOs duties and methodology should be clarified – latest study (https://techgdpr.com/blog/data-protection-digest-18102023-dpos-duties-and-methodology-should-be-clarified-latest-study/, Wed, 18 Oct 2023 13:07:28 +0000)

This issue highlights DPOs duties in the context of ongoing compliance with the GDPR, and the continuing saga of the US adequacy decision. Also of note are monitoring and privacy issues in the workplace.

Official guidance

DPOs duties: The Swedish data protection agency published the results of a coordinated investigation, initiated by the EDPB, on the role and position of data protection officers. It investigated 50 organisations in the public and private sectors. Here are some of the statistics: 

  • Several data protection officers have other tasks/roles in addition to the role of data protection officer, which in certain situations can potentially mean a conflict of interest.
  • There are differences in how many hours data protection officers spend on skills development around data protection issues.
  • There is a wide variation in the amount of resources and methodological support needed to complete the DPO’s duties.
  • The organisations to some extent have different ideas about what should be included in the data protection officer’s mission.

Interestingly, most, but not all, organisations believe that the DPO should participate in the handling of personal data incidents whereas only two-thirds of the organisations believe that the DPO should be consulted in the planning of new personal data processing. 

Sandbox invite for innovative tech: Organisations have until the end of this year to submit expressions of interest in entering the UK Information Commissioner Office’s Regulatory Sandbox in 2024. If you’re part of an organisation that’s tackling complex data protection considerations as you create innovative new products and services, the ICO’s team wants to hear from you. Expressions of interest will be assessed based on whether the product or service being developed is innovative and could provide a demonstrable benefit to the public, whether you’re a start-up, SME or larger organisation, from the private, public or voluntary sectors. 

Server colocation: The Danish data protection authority has considered whether an IT company that provides (server) colocation should be considered a data processor for the organisation for which the service is provided. The assessment is negative, in particular if the supplier of colocation does not have access to the personal data that is processed on the servers. The provision of colocation primarily concerns the provision of a service other than the processing of personal data, in particular physical facilities as well as internet and power supply. However, this is only a starting point. Several circumstances can lead to the colocation company being considered a data processor to a certain extent:

  • the company provides additional services beyond physical facilities,
  • the company can and may be tasked with moving, restarting or otherwise handling the servers where the information is processed,
  • the company can and may have the task of replacing hard drives and memory, or providing firewall, backup or similar services.

AI code of conduct: The Canadian government published a voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems. Generative systems can be adapted by organisations for various uses – such as corporate knowledge management applications or customer service tools. Firms developing and managing the operations of these systems both have important and complementary roles. 

Signatories of this code would develop and apply standards, and share information and best practices with other members of the AI ecosystem, prioritising human rights, accessibility and environmental sustainability. See the measures to be undertaken under the Code of Conduct in the original publication. 

Encryption evaluation tool: The Spanish data protection agency launched the ValidaCripto tool to evaluate encryption systems. Encryption is a procedure by which information is transformed into a seemingly unintelligible set of data, helping to protect the information from a possible personal data breach. The tool runs in the browser, without recording or transmitting any data to the Agency, and allows information to be stored locally and reports to be generated. It has a help section where its operation is explained step by step, from selecting the impact of the encryption system on the processing, categorising the most critical elements, reviewing the suggested controls and generating follow-up documentation.

Workplace monitoring: The UK Information Commissioner’s Office has published guidance to ensure lawful monitoring in the workplace. Monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using specialist monitoring software to track activity. If an organisation is looking to monitor workers, it must take steps including:

  • Making workers aware of the nature, extent and reasons for monitoring.
  • Having a clearly defined purpose and using the least intrusive means to achieve it.
  • Having a lawful basis for processing workers’ data – such as consent or legal obligation.
  • Only keeping the information which is relevant to its purpose.
  • Carrying out a data protection impact assessment for any monitoring that is likely to result in a high risk to the rights of workers.
  • Making the personal information collected through monitoring available to workers if they make a subject access request.

Legal processes

EU-US DPF tried in court: The EU General Court rejected the request for interim suspension of the EU-US Data Privacy Framework but has yet to examine the substance of the case. The request was introduced by a French member of parliament, who is also a member of the French data protection authority CNIL, requesting that the framework be annulled due to the lack of guarantees of a right to an effective remedy for data subjects by US companies, as well as a violation of the GDPR’s minimisation and proportionality principles due to the access and use of EU personal data for US security purposes. He also observed that the wording of the DPF ruling, which is currently only available in English, should be translated into the EU’s official languages.

Delete Act: California’s Governor signed the Delete Act into law. It revises the California Consumer Privacy Act by making it easier for residents to submit universal requests to registered data brokers for deletion of personal data. According to the Guardian’s analysis, Californians already have the right to request that their data be destroyed under current state privacy regulations, but doing so requires filing a request with each corporation. The revised measure emphasises that all data brokers must register with the privacy protection agency, and mandates it to create a simple and cheap means for Californians to request that all data brokers in the state remove their data through a single page, regardless of how that information was obtained.

Consumer profiling: The EDPB and EDPS published a joint contribution to the public consultation on the draft template relating to the description of consumer profiling techniques. Under the new Digital Markets Act, designated gatekeepers must now submit to the European Commission independently audited descriptions of any techniques for profiling consumers that they apply to or across their core platform services. The regulators ask whether the Commission should expect to receive detailed audited descriptions of profiling techniques for each of the gatekeeper’s core platform services.

The regulators are also concerned that the template alone would not provide sufficient safeguards against low-quality or otherwise unreliable audits on behalf of gatekeepers. The EDPB and the EDPS underline that any approval or statement from the European Commission on how a gatekeeper processes personal data for consumer profiling or how it informs consumers about profiling techniques does not automatically mean that the gatekeeper is complying with the GDPR, which is for supervisory authorities to verify.

Health research in France: The CNIL has adopted two new reference methodologies to allow public and private bodies (in addition to healthcare institutions and their federations, as well as healthcare manufacturers), except insurers, to process data from the main database of the National Health Data System. The data controller should indicate in their protocol:

  • the components of the main database concerned by the access request;
  • the target population;
  • the targeting period;
  • the data or categories of data required;
  • the historical depth of the data;
  • the requested access period.

As there are many ways to access these data, any controlled environment that meets the conditions set in new methodologies may host the data as part of the research projects concerned.

Enforcement decisions

Case studies book: The Irish data protection authority published detailed case studies from the past five years (based on 126 real cases), illustrating how data protection law is applied, how non-compliance is identified and how corrective measures have been imposed. It concentrates on such topics as access request complaints, the accuracy of personal data, cross-border cases, data breach notifications, unauthorised disclosure, direct marketing, objection to processing, the right to be forgotten, and much more.

“My AI” fine: the UK Information Commissioner has issued a preliminary enforcement notice against Snap and its generative AI chatbot “My AI”. The investigation provisionally found Snap failed to adequately identify and assess the risks to several million ‘My AI’ users in the UK including children aged 13 to 17. If a final enforcement notice were to be adopted, Snap may be required to stop processing data in connection with ‘My AI’. Snap launched the ‘My AI’ feature for UK Snapchat+ subscribers in February, with a rollout to its wider Snapchat user base in the UK in April. The chatbot feature, powered by OpenAI’s GPT technology, marked the first example of generative AI embedded into a major messaging platform in the UK. As of May Snapchat had 21 million monthly active users in the UK.

Employee geolocation data: The Italian data protection authority fined Shardana Working 20,000 euros following a complaint by three individuals employed by the company. The company is responsible for reading gas, electricity and water meters. The three workers, to verify the correctness of their pay slips, had asked the company to provide the information used to process mileage reimbursements and the monthly hourly salary, as well as the procedure for establishing the compensation due.

In particular, they had asked to know the data collected through the company smartphone on which a geolocation system had been installed which allowed workers to identify the route to take to reach the meters. The regulator found that Shardana Working had not adequately informed the employees of the data processed through the GPS installed on their smartphones. Even if the company deemed that it could not fully respond to the employees’ requests, it should have at least indicated the specific reasons why it could not comply with the access requests.

Dismissal based on geotracking: A similar instance occurred recently in France, according to the Ius Laboris legal blog. The highest civil court in France has intervened in an employee dismissal based on geolocation data from his work car. An employee of an equipment rental firm was fired for making unnecessary trips. The geolocation process had been declared to the French data protection authority CNIL for the purpose of locating employee vehicles and ensuring the safety of goods and people on site, and the employee had been informed of this. The Supreme Court, however, held that the trial judge should have evaluated whether the company’s geolocation system was also intended, beyond what was stated to the regulator, to monitor the employee’s professional activities and working hours, and whether the employee had been told about such a purpose.

Electronic ticketing: The Greek data protection authority carried out an extraordinary on-site inspection at the Athens Urban Transport Organization (OASA), examining the protection of personal data processed in the framework of the automatic fare collection system, also referred to as the “electronic ticket”. A total fine of 50,000 euros was imposed, together with a compliance order relating to the determination of the data retention periods for the various processing purposes (of 20 years), the anonymity of travel card holders and their movements (e.g. of employment categories), and a review of the data protection impact assessment and other documentation (not available at the time of the audit).

Big Data

Biometric surveillance: According to The Guardian, dozens of cross-party MPs and privacy campaigners in the UK have joined a campaign calling for an “immediate stop” to the use of live face recognition monitoring by police and commercial companies. Live face recognition has lately been used by British police at large-scale public events such as King Charles’ coronation. The announcement follows the policing minister’s announcement of government intentions to make UK passport images searchable by police: to link data from the police national database, the Passport Office, and other national databases to allow officers to identify a match with the “click of a button.” 

Google user data: Google will give users in the EU better choice as to how Google processes their data, according to commitments undertaken by the company. This is the result of proceedings conducted by the Bundeskartellamt (German Federal Cartel Office), based on the new instrument under competition law which allows intervention when competition is threatened by large digital companies. The commitments concern situations where the company would like to combine personal data from one Google service with personal data from other Google or non-Google sources, or cross-use these data in Google services that are provided separately.

Such an obligation already results from the new Digital Markets Act. Relevant core platform services listed in the Commission’s designation decision are thus not covered by the commitments (Google Shopping, Google Play, Google Maps, Google Search, YouTube, Google Android, Google Chrome and Google’s online advertising services). However, Google’s commitments provided to the Cartel Office do concern data processing across services involving more than 25 other services (including Gmail, Google News, Assistant, Contacts and Google TV).

The post Data protection digest 2 – 17 October 2023: DPOs duties and methodology should be clarified – latest study appeared first on TechGDPR.
