direct marketing Archives - TechGDPR
https://techgdpr.com/blog/tag/direct-marketing/

Data protection digest 19 Jan – 2 Feb 2026: New PETs guide, Digital identities ecosystem & employees' surveillance fine
https://techgdpr.com/blog/data-protection-digest-04022026-new-pets-guide-digital-identities-ecosystem-employees-surveillance-fine/
Wed, 04 Feb 2026 10:59:44 +0000

The post Data protection digest 19 Jan – 2 Feb 2026: New PETs guide, Digital identities ecosystem & employees’ surveillance fine appeared first on TechGDPR.

Privacy Enhancing Technologies (PETs)

The Israeli data protection authority published a technical guide to Privacy Enhancing Technologies, available in English. PETs are a diverse family of methods, processes, and digital tools that are appropriate for different stages in the information life cycle:

  • Data collection and preparation for use: Obfuscating personal data and reducing its level of detail by removing identifiers, altering data values, or masking exact figures.
  • Data use and processing: Reducing exposure of personal data during processing, and in some cases, enabling data use without the need for viewing it during processing.
  • Control over data use: Defining rules and permissions for access to personal data and displaying data relating to the identity of the person accessing the data, the type of data, and the time of access. 
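The three stages in the list above map directly onto code. The following is an added example (not taken from the Israeli guide or from TechGDPR) showing, on a constructed HR record set, what "removing identifiers, altering data values, or masking exact figures" at collection looks like in practice, and what a role-based access check with an audit entry looks like for the "control over data use" stage. The field names, roles, and the records themselves are assumptions made for the example.

```python
import datetime
import hashlib
import hmac

# Constructed sample: two raw HR records as they might arrive at collection.
RAW_RECORDS = [
    {"email": "a.cohen@example.org", "dob": "1984-03-17", "postcode": "94107",
     "national_id": "123456789", "salary": 71250},
    {"email": "b.levi@example.org", "dob": "1999-11-02", "postcode": "10115",
     "national_id": "987654321", "salary": 38000},
]


# Stage 1: collection and preparation. Direct identifiers are replaced by a
# keyed-hash (HMAC) pseudonym. A keyed hash is used instead of a plain
# SHA-256 because an unkeyed hash over a small or guessable input space
# (national IDs, e-mail addresses) is trivially reversed by enumerating
# candidates; the key must be held apart from the minimised dataset.
def pseudonymise(identifier: str, key: bytes) -> str:
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


# Reduce the level of detail: exact date of birth -> 10-year age band.
def age_band(dob: str, today: datetime.date) -> str:
    born = datetime.date.fromisoformat(dob)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


# Mask exact figures: salary -> 10k band; national ID -> last two digits only.
def salary_band(salary: int) -> str:
    low = (salary // 10_000) * 10_000
    return f"{low}-{low + 9_999}"


def mask_national_id(national_id: str) -> str:
    return "*" * (len(national_id) - 2) + national_id[-2:]


def minimise_record(rec: dict, key: bytes, today: datetime.date) -> dict:
    """Return the record as it should be stored: no e-mail, DOB, or exact figures."""
    return {
        "subject": pseudonymise(rec["email"], key),
        "age_band": age_band(rec["dob"], today),
        "postcode_area": rec["postcode"][:2],
        "national_id_masked": mask_national_id(rec["national_id"]),
        "salary_band": salary_band(rec["salary"]),
    }


# Stage 3: control over data use. Each role may read only the fields it
# needs, and every access yields an audit entry recording the identity of
# the person accessing the data, the type of data, and the time of access.
ROLE_FIELDS = {
    "payroll": {"subject", "salary_band"},
    "analyst": {"age_band", "postcode_area", "salary_band"},
}


def access_dataset(dataset: list, user: str, role: str, fields: list,
                   when: datetime.datetime) -> tuple:
    allowed = ROLE_FIELDS.get(role, set())
    denied = set(fields) - allowed
    if denied:
        raise PermissionError(f"role {role!r} may not read {sorted(denied)}")
    view = [{f: row[f] for f in fields} for row in dataset]
    audit = {"who": user, "role": role, "fields": sorted(fields),
             "rows": len(view), "at": when.isoformat()}
    return view, audit


if __name__ == "__main__":
    # Assumed key for the example; in production it comes from a KMS/HSM and
    # is never stored alongside the minimised data.
    key = b"example-pseudonymisation-key"
    today = datetime.date(2026, 2, 1)
    minimised = [minimise_record(r, key, today) for r in RAW_RECORDS]
    view, audit = access_dataset(minimised, "alice", "analyst",
                                 ["age_band", "salary_band"],
                                 datetime.datetime(2026, 2, 1, 9, 0))
    print(view)
    print(audit)
```

The pseudonym is deterministic under one key, so records about the same person can still be joined for processing, but the mapping back to the e-mail address exists only where the key is kept; rotating or destroying the key severs that link. The audit dictionary is what a practitioner would ship to a log pipeline, and the denied-fields check fails closed for unknown roles.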

Main developments 

Brazil adequacy decision: On 28 January, the European Commission recognised that Brazil ensures an adequate level of protection for personal data under the EU GDPR. The enforced decision confirms that Brazil provides comparable levels of data protection, allowing the free transfer of personal data between the two jurisdictions without additional authorisations or safeguards. The Commission also recognises the independence of the Brazilian Data Protection Authority (ANPD), and the safeguards governing public authorities’ access to personal data for law enforcement and national security purposes. 


Data Privacy Framework: The EDPB has published a new version of the EU-US Data Privacy Framework FAQ for European individuals. "European individuals" means any natural person, regardless of nationality, whose personal data has been transferred to a US company under this framework. It applies to any type of personal data processed for commercial or health purposes, and to human resources data collected in the context of employment, as long as the recipient company in the US is self-certified under the DPF.

If you believe that a company in the US has violated its obligations or your rights under the EU-U.S. Data Privacy Framework, several redress avenues are available.

Digital omnibus: The EDPB and EDPS also adopted a joint opinion on simplification of the implementation of harmonised rules on AI. Among other things, the EDPB and the EDPS recommend maintaining the standard of strict necessity that currently applies to the processing of special categories of personal data for bias detection and correction in relation to high-risk AI systems. They also support the creation of EU-level AI regulatory sandboxes to promote innovation and help SMEs, as well as AI literacy obligations for system providers and deployers. The full opinion can be read here.

HIPAA Notice

In the US, if your company provides health benefits or qualifies as a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), it is important to update your Notice of Privacy Practices (NPP) by 16 February to remain compliant. The notice must reflect new, more restrictive requirements for protected health information (PHI), in particular on the disclosure of patients' substance use disorder records. Follow-up steps include assessing related policies, training, materials, and business associate agreements (BAAs) for consistency.

You can also read the latest epic.org report on the health data privacy crisis in the US here.

More from supervisory authorities

M&A: Before a planned company sale, large amounts of data are often processed as part of a due diligence review. This can include personal data, particularly of employees, customers, and suppliers. The Liechtenstein Data Protection Authority has compiled information (in German) regarding which data protection regulations must be observed. This information does not replace an individual assessment and is not exhaustive. 

Camera surveillance in public transport: The Dutch data protection authority states that permanent camera surveillance at employees' designated workstations is not permitted. Cameras may only be used when strictly necessary, for example, for safety during incidents, and not for systematic monitoring or evaluation of employees. For the controller, this means technical adjustments to the cameras, adapting internal protocols, and providing clear instructions to employees.

AI tools safe usage: The Spanish AEPD has published the main principles of safe, responsible, and conscious use of AI. Among the recommendations, the privacy regulator advises against sharing personal data with AI – full name, address, telephone number, ID/NIE, images of people, or sensitive or delicate information – medical, financial or contractual details, geolocation. In the workplace, the agency emphasises the importance of following the information and security policies of each organisation and, in particular, of not including information that reveals confidential data of the entity, its staff or clients.

Digital identities ecosystem

Verifiable Digital Credentials (VDCs) can represent a wide range of data, from a driver's license to a diploma to proof of age, explains the US NIST. However, their interoperability requires a common set of standards and protocols for issuing, using, and verifying VDCs. As VDCs gain traction for both in-person and online identity verification, two key standards are helping to define this space; see their comparison in the original publication.

In parallel, the German Federal Office for Information Security (BSI) has issued the updated Technical Guideline for Biometric Authentication Systems (in German), which can be used for significantly more use cases of facial and fingerprint recognition through smartphones or access control systems. 

Cookie policy

The Latvian data protection authority reminds us of the essentials of a cookie policy, which provides the user with clear information about how their data is processed when using cookies. A document published on any website must explain in a user-friendly way: a) what cookies the website uses; b) for what purpose they are used; c) who their recipients are.

The multi-layered approach ensures that the most important information about the use of cookies on the website is provided in a concentrated manner (in the cookie pop-up notification or banner), including an indication of where more detailed information can be found (cookie policy). Cookie policies are often confused with privacy policies (by briefly including information about cookies among what is described in the privacy policy). However, to ensure transparency, information should be provided to users separately – in two documents or at least in clearly separated “blocks” of information. 

Shopping cart reminder e-mail

According to the Saxony data protection commissioner, retailers often send a reminder email pointing out an incomplete purchase process. Despite regular complaints about such communication, there are no data protection concerns regarding a one-time shopping cart status update via email. The automatically generated messages must be distinguished from unsolicited advertising and are considered technical support.

Given the customer’s expectations and the recipient’s perspective, it is at least realistic to expect a technically triggered status update during the contract negotiation phase, in accordance with Art. 6 of the GDPR. At the same time, the data processing known as reminder emails is subject to information requirements and must be appropriately indicated in the notices pursuant to Art. 13 of the GDPR.

In other news


Excel file disclosure: The Romanian regulator ANSPDCP imposed fines totalling 15,000 euros against Continental Automotive Products SRL for breaches of the GDPR principles of data minimisation, accountability, and the security of processing. The investigation followed the controller submitting a personal data breach notification concerning the repeated internal distribution of an Excel file containing a consolidated list of employees, including medical data from medical certificates relating to numerous employees and former employees over a period of time. 

GM driver data ban: The US Federal Trade Commission finalised an order against General Motors and its OnStar subsidiary after the automaker secretly collected and sold detailed driving data from millions of vehicles without consumer consent. The final order approved by the Commission imposes a five-year ban on GM disclosing consumers' geolocation and driver behaviour data to consumer reporting agencies. And for the entire 20-year life of the order, GM will be required to:

  • obtain affirmative express consent from consumers before collecting, using, or sharing connected vehicle data, with some exceptions, such as for providing location data to emergency first responders;
  • create a way for all US consumers to request a copy of their data and seek its deletion;
  • give consumers the ability to disable the collection of precise geolocation data from their vehicles if their vehicle has the necessary technology; and
  • provide a way for consumers to opt out of the collection of geolocation and driver behaviour data, with some limited exceptions.


Chromebook case

The Danish data protection authority decided in the Chromebook case regarding 51 municipalities' use of Google's products for teaching in primary schools. The regulator issued serious criticism and warned the municipalities about their setup of the programs in question and about the use of sub-processors outside the EU. In addition, it stated that, as data controllers, municipalities cannot lawfully use products that contain unclear processing constructs. Finally, they must have access to the resources needed to ensure lawful processing of personal data, including in situations where the contractual basis for the product changes.

Microsoft 365 Education

The Austrian data protection authority upheld a complaint filed by a pupil, represented by the European Centre for Digital Rights (NOYB), against Microsoft regarding the use of tracking cookies in Microsoft 365 Education. The decision relates to the installation and use of non-essential cookies on the device of a minor using Microsoft 365 Education at an Austrian school.  The authority also found that no valid consent had been obtained, digitalpolicyalert.org reports.

More enforcement decisions

Employees’ geolocation: The Italian regulator Garante fined a company in the agricultural seed selection and production sector 120,000 euros for unlawfully processing the personal data of five employees. As part of a multinational group, at the direction of its Swiss parent company, it installed a device on its company vehicles that unlawfully collected data on employees’ business and private travel (time, mileage, fuel consumption, and driving style) for the purpose of assigning a monthly score. The collected data was retained for 13 months and used to evaluate employee driving behaviour and to implement any corrective measures. 

Access to a fired worker’s email: Garante also ruled that the content of emails, contact information, and any attachments fall within the definition of correspondence and are therefore protected by the right to confidentiality. In the related case, the regulator fined a company 40,000 euros for violating the confidentiality of a CEO’s email account after his employment ended. After receiving a disciplinary letter that resulted in dismissal,  he asked the company to disable the email account, forward any messages received in the meantime to his personal email address, and activate an automatic reply. However, this request remained unanswered. 

France Travail: The French CNIL, meanwhile, fined France Travail 5 million euros for failing to ensure the security of job seekers' data. In 2024, attackers broke into the agency's information system. They used social engineering to take over the accounts of CAP EMPLOI advisors, who are responsible for people with disabilities. The attackers accessed the data of everyone registered, or who had been registered, over the past 20 years. However, they did not gain access to job seekers' complete files, which may include health data.

And finally

Change your password: According to the German BSI, a blanket requirement to change passwords at fixed intervals is no longer considered an effective security measure. Frequent forced changes often lead consumers to choose weak, easily predictable passwords. Password managers help to keep track of passwords. However, even a complex password does not offer 100% protection, so the BSI recommends activating two-factor authentication (2FA) in addition.

Australia child accounts ban: According to the Guardian, Snapchat banned or disabled the accounts of around 415,000 Australian users who were detected as being under the age of 16. This was done to comply with the new under-16s social media prohibition. In December, Snapchat was one of ten platforms that needed to restrict people under the age of 16 (4.7 million accounts in total) from using their services. However, other allegations have surfaced since the prohibition took effect, with some claiming that Snapchat's facial age verification was easily overcome by teens.


Data protection digest 3-17 Nov 2025: Consumer loan checks can reveal people's lifestyle data
https://techgdpr.com/blog/data-protection-digest-19112025-consumer-loan-checks-can-reveal-peoples-lifestyle-data/
Wed, 19 Nov 2025 09:42:20 +0000

The post Data protection digest 3-17 Nov 2025: Consumer loan checks can reveal people’s lifestyle data  appeared first on TechGDPR.

Consumer loan checks

Consumer loan checks can reveal people's lifestyles. The Dutch Data Protection Authority AP concluded this after reviewing a bill concerning consumer loans. It believes that lenders can assess a person's ability to meet payment obligations with less information about them. It is unlikely that all the information in a bank statement, including sender, recipient, or description, is always necessary.

The bill introduces stricter rules for a consumer loan under 200 euros, (services like “buy now, pay later,” credit cards, and bank overdrafts). For these relatively small loans, the ability to pay the bill on time will also be checked, and whether there is a risk of default. People who use such loans will also be registered with the Credit Registration Office. The AP emphasises that the new rules need to be further developed for better data control and minimisation. 


EU Digital Omnibus package latest

The privacy advocacy group NOYB warns that the so-called Digital Omnibus, which is being prepared by the European Commission, brings fast-track deregulation, including ‘massive’ reform of the GDPR and e-Privacy legislations. Following the draft proposal, the Commission envisages changes to core elements like the definition of personal data, consent requirements, and data subjects’ rights, as well as lesser protections for special categories of data under the GDPR. In parallel, AI companies could also benefit from easier access to European personal data through the implementation of the ‘legitimate interests’ legal basis for processing.  

ETIAS and data protection

As the clock ticks down to the launch of a new EU large-scale border management system, the European Travel Information and Authorisation System (ETIAS), in autumn 2026, momentum is building to prepare it for entry into operation and to ensure its compliance with data protection laws. The EDPS follows the implementation of ETIAS closely. To help mitigate the risks, legislators have established an ETIAS Fundamental Rights Guidance Board (EFRGB).

Composed of representatives of the EDPS, EDPB, EU Fundamental Rights Agency, Frontex Fundamental Rights Office and Frontex Consultative Forum, the EFRGB is mandated to issue guidance on the fundamental rights impacts of processing ETIAS applications. A critical concern for individuals required to apply for an ETIAS is ensuring access to an effective judicial remedy, since, for instance, refusal of a travel authorisation could result from a data processing error.

Brazil draft adequacy decision

The EDPB also adopted an opinion regarding the European Commission draft implementing decision on Brazil’s adequacy. The General Data Protection Law in Brazil, LGPD, together with Presidential decrees and binding regulations issued by Brazil’s Data Protection Authority, ANPD, establish requirements, including in relation to the principles, data subject rights, transfers, oversight and redress, closely aligned with the GDPR and case law of the CJEU. At the same time, the EDPB invites the Commission to clarify further how certain exemptions and specific limitations of data subject rights in the LGPD correspond to the adequate level of data protection regarding:

  • national security purposes relating to the collection and sharing of data between the public entities within the Brazilian intelligence systems
  • personal data processing for criminal law enforcement purposes
  • rights of information and access to the data 
  • accountability principle and the requirements for the data protection impact assessment

More legal updates

NIS2 implementation in Germany: On 13 November, the law implementing the European Network and Information Systems (NIS) 2 Directive passed the German Bundestag. The directive increases the cybersecurity requirements for certain companies and for the federal administration. The Federal Office for Information Security (BSI) occupies a key position in both areas. It will become the supervisory authority for the companies affected by the directive; in addition, in the role of Chief Information Security Officer (CISO), it will be the central body for the cybersecurity of the federal administration.

Affected companies must register with the BSI, report significant security incidents, and implement technical and organisational risk management measures. The law amends the BSI Act, which previously covered approximately 4,500 entities in the economic sector: operators of critical infrastructure, providers of digital services, and companies of particular public interest. With the entry into force of NIS2, this scope is expanded to include the categories of "important institutions" and "particularly important institutions", meaning that the BSI will supervise approximately 29,500 institutions in the future.

NIS upgrade in the UK: In parallel, on 12 November, the Cyber Security and Resilience Bill was introduced to the UK Parliament. The Bill will update the NIS Regulation from 2018 by expanding the regulatory scope to include a broader range of essential and digital service providers, including online marketplaces, cloud computing services, and search engines, as well as managed service providers (eg, data centres will be designated as essential services). It also places the Secretary of State in charge of maintaining consistency in implementation across sectors.

AI solutions legal basis

At the request of the Danish Agency for Higher Education and Science, the Danish Data Protection Agency has assessed whether the agency has the authority to develop and operate an AI solution that will function as support in the assessment of applications for disability allowance. The Danish Data Protection Authority assessed that the processing of personal data that takes place during the development and operation of an AI solution can, as a rule, be carried out based on what is necessary for reasons of substantial public interest – GDPR Art. 9(2)(g).

However, it requires a so-called supplementary national legal basis. In relation to the duty of information towards citizens whose historical cases are included in the training dataset, the Danish Agency for Higher Education and Science has, among other things, pointed out: 

  • There is a large number of citizens (approx. 3,000).
  • It would be resource-intensive to inform citizens individually.
  • The processing of personal data is limited.
  • The purpose of the processing is to improve case processing time.
  • The processing is not assessed to have direct consequences for citizens.

GDPR ready-to-use templates

The EDPB invites experts to participate in a public consultation aimed at proposing practical templates to help organisations comply with their obligations under the GDPR. The EDPB identified the need to develop standardised tools that could serve as guidance for both controllers and processors. The public consultation aims to find out which types of templates would be most beneficial in practice, for instance:  

  • privacy notice,
  • records of processing activities,
  • data protection impact assessment,
  • notification of a personal data breach.

It is possible to participate in the public consultation from November 5 to December 3, 2025. Experts, organisations, and individuals can submit their suggestions through this page.

More from supervisory authorities

Australia child privacy updates: From 10 December, platforms like Facebook, Instagram, Snapchat, TikTok, YouTube, X, Threads, Reddit and Kick must take reasonable steps to prevent under-16s from holding accounts on their services. Failure to do so will expose these platforms to fines of up to A$49.5 million. These services currently meet the criteria for under-16 restrictions as specified in the Social Media Minimum Age legislation, in particular the key requirement that their "sole or significant purpose is to enable online social interaction".

Health data warehouses (EDS): The CNIL’s Digital Innovation Laboratory (LINC) has published a map of health data warehouses in France. An EDS, explains the CNIL, is a database built up over a long period of time and intended to be reused mainly for steering (management, control and administration of the activity) and research, studies and evaluations in the field of health. They can be set up by both public (such as a public healthcare institution) and private entities (such as a data broker or a startup), provided that they comply with the applicable legal framework.

AI risk assessment: The EDPS has published a new guidance document to help data controllers carry out data protection risk assessments when developing, acquiring and deploying AI systems. Although the new guidelines are aimed at EU institutions, organisations in both the public and private sectors that use or plan to adopt AI systems can use them as a valuable starting point. It focuses on the risk of non-compliance regarding: fairness, accuracy, data minimisation, security and certain data subjects’ rights. The list of risks and countermeasures is not exhaustive, but merely reflects some of the most pressing issues that controllers must address when procuring, developing and deploying AI systems. 

In other news

Cyber attack mitigation tools: The Dutch AP has issued recommendations for a strong data processing agreement in the event of a cyber attack. Organisations that collaborate with service providers must enter into a data processing agreement regarding the sharing and use of personal data. This agreement sets out, for example, security requirements and the roles and responsibilities in the event of incidents such as data breaches. To limit the damage from cyber attacks, organisations can:

  • Make agreements as concrete as possible
  • Maintain control over the entire supply chain
  • Give more priority to drafting and maintaining data processing agreements

Therefore, the regulator sums up, negotiate agreements carefully and promptly. And review agreements and appendices regularly to ensure they remain relevant in practice. Employee awareness and knowledge of the GDPR play a crucial role in this.

Misleading cookie banners: The AP also reports that three-quarters of websites modified misleading cookie banners after an investigation was launched on more than 200 websites in the Netherlands starting in April. The AP is now taking enforcement action against organisations that haven’t updated their cookie banners. The easiest way to respect this is to not use tracking software. In that case, a cookie banner isn’t necessary. Where organisations do use tracking software, they must adhere strictly to the rules and inform visitors honestly and clearly.

Biometric processing

In New Zealand, the Privacy Commissioner has issued a Biometric Processing Privacy Code that creates specific privacy rules for agencies (businesses and organisations) using biometric technologies to collect and process biometric information. The Code, which is now law made under the Privacy Act, will help ensure that agencies implementing biometric technologies do so safely and proportionately. Guidance has also been developed to support the Code.


Direct marketing and free-of-charge services

On 13 November, the CJEU released its ruling in Inteligo Media SA v ANSPDCP (Romanian data protection regulator) (C-654/23), where a media website provided information about new legislation in Romania, Bird&Bird law blog reports.  Six articles per month could be viewed completely free of charge. Users might also subscribe for free to an additional two articles and a daily newsletter. They could also pay for unlimited access and a fuller newsletter. ANSPDCP claimed that Inteligo could only process subscriber registration details and deliver the free newsletter if it had approval, which it did not. 

Inteligo argued it was covered by the soft opt-in exception. The ePrivacy Directive does require organisations to obtain consent before sending direct marketing emails, but there is an exception: where the organisation obtained the subscriber's contact details in the context of selling a product or service, and the direct marketing concerns that organisation's own similar products or services. The top EU court concluded that the free subscription did constitute a sale: a sale requires goods or services provided in exchange for remuneration, but that remuneration may be indirect, as where the individual customer does not pay and the cost is instead covered by the paid premium version of the subscription.

Continue reading the original analysis here

Telecommunications multimillion fine

Following ex officio proceedings, the Croatian data protection agency imposed an administrative fine on a telecommunications operator, in its capacity as controller, for the total amount of 4.5 million euros for violations of the GDPR. The infringements concerned the transfer of personal data to third countries without a valid transfer instrument and without transparent information to data subjects, the processing of copies of employees’ identity cards and certificates of no criminal proceedings without a legal basis, as well as the failure to carry out appropriate prior checks of a processor.

Customer service fine

The EDPB sums up a recent enforcement case in Italy, when a customer, who was the victim of fraud, contacted their bank to obtain recordings of calls made to customer service, which would be useful in contesting a transfer of approximately 10,000 euros and reconstructing what had happened. Having received no satisfactory response, they complained to the privacy regulator Garante. Only after the authority had opened proceedings did the bank provide the recordings, but by then the 30-day deadline set by the GDPR had already passed. Garante imposed an administrative fine of 100,000 euros, taking into account the bank’s turnover, its cooperation during the investigation and the absence of previous infringements.

In case you missed it

Children’s data lifecycle: Privacy International states that in England’s schools, children are tracked from birth through a vast, opaque network of digital systems that turn education into a lifelong exercise in data collection and surveillance. Children’s data in education starts from the day they are born until they are 25 years old:

  • during pre-school, with personal data submitted by legal guardians during the school admissions process 
  • every child is assigned a unique pupil record and a unique pupil number that stays with them forever
  • the student’s educational setting gets added to the record, which includes its religious character and location, etc.

The next layer of data added to those records is created by school staff – absence and attendance records, assessments, etc. Separately, children’s data can be generated and collected by the EdTech tools used by staff. Some schools use a broad range of tools, such as behaviour tracking apps, which can take the form of scores but also of more complex profiles and predictions in relation to a child. Further personal data is collected and added to the National Pupil Database (NPD), and is kept indefinitely. 

Keep reading the original analysis here.

Agentic AI explained: The JD Supra law blog outlines the rise of “agentic AI”. Unlike traditional AI systems, which are designed to perform specific, narrowly defined tasks (generating text or images or analysing inputs) and rely on human input and oversight, agentic AI systems can complete far more complex, multi-step tasks autonomously and make context-dependent decisions. The emergence of these systems could transform a wide range of industries and business functions, including: a) consumer-facing systems, b) customer support, c) internal operations, and d) sales and marketing.


Data protection digest 18-31 Aug 2025: Greater simplification of GDPR, 'personalisation' in AI systems
https://techgdpr.com/blog/data-protection-digest-02092025-greater-simplification-of-gdpr-personalisation-in-ai-systems/
Tue, 02 Sep 2025 14:45:06 +0000

The post Data protection digest 18-31 Aug 2025: Greater simplification of GDPR, ‘personalisation’ in AI systems appeared first on TechGDPR.

]]>
An informal discussion is underway for the greater simplification of the GDPR

The Danish EU Presidency is promoting GDPR reform to increase competitiveness by introducing SME-friendly amendments, such as restricting data subject rights in low-risk situations, rationalising DPIAs, and requiring prior mediation before a complaint can be lodged, the eutechloop.com article states. These are in line with the precedent set by the Commission's simplification plan of May 2025, which gives small and mid-cap companies (those with fewer than 750 employees) targeted relief from the GDPR's obligation to keep records of processing activities (Art. 30).

In addition, the proposal adds definitions of SME and SMC to Art. 4 of the GDPR and extends Art. 40 and 42 (codes of conduct and certification) to SMCs. 

According to an insideprivacy.com article, the following Danish proposals may make it easier for European organisations to process personal data as they:  

  • Define a minimum threshold for when data subject rights apply (Art. 12-20 GDPR). 
  • Clarify when DPIAs are required and consider exemptions or simplifications for SMEs (Art. 35 GDPR). 
  • Make the data subject’s right to complain to the supervisory authority conditional upon certain criteria (eg, prior engagement with the data controller) (Art. 77 GDPR).  
  • Exempt data controllers from having to notify certain data breaches to the supervisory authority, such as “uncomplicated and clearly defined” breaches (Art. 33 GDPR), etc.

The EU is currently re-evaluating its digital policies. This is partly motivated by Mario Draghi's report on the bloc's lagging productivity and technology adoption, but is also fuelled by ongoing political pressure from Washington to ease digital regulation in order to unlock trade. 

Provisions of data reform in the UK are already in place

On 20 August, a set of provisions of the new Data Use and Access Act 2025 entered into force, covering the 'overriding' of data protection law, data breach notification, and reporting and progress requirements in relation to the use of copyright works in the development of AI systems. The Act applies to all data controllers, processors, and electronic communications service providers handling personal data.

It inserts new sections into the UK Data Protection Act 2018 to prevent enactments passed after the Act's commencement from overriding the main data protection requirements (eg, it establishes that data subject rights cannot be overridden unless an express contrary provision is made). The Act also mandates personal data breach notifications to the Information Commissioner within 72 hours of becoming aware of the breach, digitalpolicyalert.org sums up.

In parallel, the Information Commissioner's Office is consulting on draft changes to how it handles data protection complaints. The Data Use and Access Act requires organisations to have a complaints process specifically for data protection issues, including an electronic complaints form. They must also acknowledge a complaint within 30 days and respond to it 'without undue delay'.  


Another consultation aims to address the new lawful basis of “recognised legitimate interests”. It will provide a presumption of legitimacy to processing activities for certain pre-approved public interest purposes, including activities such as crime prevention, public security, safeguarding, emergency response, and sharing personal data to help other organisations perform their public tasks.

Cybersecurity of digital products in Switzerland


The Swiss Federal Council, meanwhile, has decided to strengthen the cyber resilience of digital products. Despite the importance of preventing, or quickly addressing, vulnerabilities in such products, Switzerland currently lacks clear cyber resilience requirements. The planned legislation will set out cybersecurity requirements for the development and commercialisation of products with digital components, establish rules for market surveillance of these products, and lay the groundwork for banning the import and sale of insecure devices.

A draft bill is to be submitted for consultation by autumn 2026. It will take into account the international context, including the EU's Cyber Resilience Act, which entered into force on 10 December 2024 (most of its obligations apply from 11 December 2027). 

Documentation requirements under DORA

What documentation requirements do companies have to fulfil under DORA? The German Federal Financial Supervisory Authority (BaFin) has published an overview with graphic attachments to help companies navigate these requirements. Companies have had to apply the European Digital Operational Resilience Act’s regulation since 17 January 2025. DORA aims to make the European financial market more secure against cyber risks and incidents affecting information and communication technology (ICT). 

More guidance on the DORA application can be found here.

Software updates and patch releases

Most software needs updating after its initial release to address bugs, newly identified vulnerabilities, and revisions to features and functionality. But software patches and other changes can introduce new cybersecurity and privacy risks and can impair operations if not managed effectively. To support successful, secure software updates and patches, the US National Institute of Standards and Technology (NIST) has finalised modifications to its catalogue of security and privacy controls (SP 800-53) to assist both the developers who create patches and the organisations that receive and implement them in their own systems.

More from supervisory authorities

Public cloud and data protection: ISO/IEC 27018 provides guidance for protecting personally identifiable information (PII) in public cloud services, specifically where the cloud service provider acts as a PII processor. As cloud computing becomes the default mode of service delivery, organisations must ensure that personal data stored and processed in the cloud is properly safeguarded. ISO/IEC 27018 helps cloud providers meet legal, contractual, and ethical obligations regarding PII. It supports compliance across jurisdictions, enhances customer trust, and provides a clear structure for data protection in the cloud.

IT security label: Manufacturers of smart security solutions can now apply for the IT security label from the German Federal Office for Information Security (BSI). The connected home is part of everyday life for many people. This includes smart security technology, such as app-controlled alarm systems, smart motion sensors, mechatronic security devices (smart locks), and networked smoke detectors. In addition to the physical protection of their own four walls, consumers should also consider the cybersecurity of their digital security solutions. With the IT security label, the IT security features of smart security technology are transparent for buyers, and help manufacturers highlight their products on the market. 

Protecting child data online

To improve children’s online safety, the European Commission has adopted guidelines for the protection of minors under Art. 28 of the Digital Services Act (DSA). This requires platforms accessible to minors to implement appropriate and proportionate measures to ensure a high level of privacy, security and protection of minors, including: 

  • Age verification and default settings.
  • Interface design that does not encourage prolonged use of the platform by adolescents. 
  • Limits on the processing of behavioural data and prioritising explicit signals from minors regarding desired content.
  • Clear rules regarding harmful content and behaviour, the establishment of coordinated moderation policies, and allowing for the possibility of human review in cases of harmful content.

At the same time, parental controls are best used as a complement to other measures, as they are often not equally effective due to different family situations.

Is it permissible to offer a discount for consenting to receive commercial communications?

The Latvian data protection authority states that a small additional benefit (for example, a symbolic discount that the customer can choose to use or not) may be permissible if it does not affect access to the service itself. That is to say, consent is not included as a non-negotiable part of the conditions for using the service in its essence, for example, purchasing in an online store. 

It is important to ensure that the benefits offered, which are associated with consent to the processing of personal data, do not create a feeling of pressure on customers. Namely, the intended amount of benefits should be small enough not to create the feeling in the customer that, by not providing consent to the processing of their data, they will receive a significantly less advantageous offer, thus affecting the person’s right to freely decide on the processing of their data.

The section intended for entering contact information for receiving news must clearly state the purpose of data processing – sending commercial communications, and must also contain a function (most often a tickable box) in which the person clearly expresses his/her wish to receive such communications. Information on the withdrawal of consent and its consequences must also be made easily accessible. In this section, the advantage that the vendor, for example, gives to customers who have shown interest in receiving news should be indicated only as additional information. 


GDPR (non) compliance trends

Some advances in GDPR compliance are detailed in the Icelandic data protection authority's 2024 report. Notably, the biggest Icelandic insurance firms, which make automated decisions on applications and requests for health and life insurance offers, largely comply with data protection law. The authority has placed greater emphasis on protecting children's privacy, including scrutiny of businesses that closely monitor how children behave when playing computer games online. In addition, a business that handles Icelandic genetic analysis is facing legal challenges, and the public sector was sanctioned for improper handling of minors' data in education.

In parallel, the Maltese data protection regulator, in its annual report, revealed that the majority of complaints received were about CCTV-related cases, while other major areas of compliance included data subject access requests and their shortcomings (increasingly in cross-border situations), unsolicited direct marketing and disclosure to third parties, data security and information obligation by data controllers, cookie banners and, finally, AI use. 

Cancelling membership “not easy”

According to the US FTC’s recent case against the operators of LA Fitness, “not easy” is an understatement for consumers seeking to cancel their LA Fitness memberships or related services. For in-person cancellations, LA Fitness designated only one employee (even though multiple employees can initiate memberships). This has effectively restricted cancellations to whenever that person is available at the gym, often during hours when consumers are typically at work. 

The FTC alleges that consumers who tried to cancel by mail faced similar obstacles. LA Fitness instructed consumers to print and mail a hard-to-find cancellation form. Although consumers have been able to cancel by mail without the form, LA Fitness does not disclose which details must be included in the cancellation notice, and it instructs consumers to send requests via registered or certified mail. Finally, LA Fitness reinforced these unlawful practices by training staff to reject cancellation requests made by email or phone. 

In other news

YouTube settlement: Google and YouTube have agreed to pay $30 million to settle a long-running class action alleging they unlawfully collected data from children under 13 to serve targeted ads without parental consent. The Google class action settlement, filed in a California federal court, proposes a fund to compensate an estimated 35-45 million children who watched YouTube videos between July 2013 and April 2020. 

“Pay or Ok” illegal: According to the Noyb privacy advocacy organisation, the Austrian Federal Administrative Court upheld a previous ruling by the country’s data protection authorities that the Austrian daily DerStandard had breached the GDPR by launching “Pay or Okay.” Users must be allowed to object to or give selected permission for each processing purpose, according to rulings from the court. DerStandard was the first news website in Austria to implement a “pay or okay” policy. Customers were forced to consent or pay for a monthly subscription, rather than having a free choice to accept or reject the online tracking of hundreds of third parties.

Non-cooperation with the authority: The Swiss FDPIC has filed a criminal complaint against Add Conti GmbH for failure to cooperate in an investigation. Following several complaints from affected individuals, the FDPIC opened an investigation on 4 June. The FDPIC requested that the company answer a list of questions within 30 days. The FDPIC expressly reminded Add Conti GmbH of its obligation to cooperate in the proceedings and of the fact that deliberate refusal to cooperate is punishable by a fine of up to CHF 250,000. Although the letter was delivered, the FDPIC received no response. 

Add Conti was collecting personal data of persons residing in Germany without their knowledge and making it available to German companies for advertising purposes. In addition, the company was not responding to requests for information and deletion.

Major cyberattack on Swedish municipalities

On 23 August, a cyberattack on Miljödata disrupted services in around 200 municipalities, several major private businesses and universities and colleges, with concerns over stolen sensitive data, news outlets report. The Swedish data protection regulator confirmed that it has already received around 200 reports of cyber incidents. Managers and HR use the affected systems to handle medical certificates, rehabilitation matters, and the reporting and management of work-related injuries. The attacker has encrypted personal data, preventing businesses from accessing it, but the reporting parties are unaware of how the data has been otherwise affected. In many cases, this concerns information about employees, such as health and union membership.

‘Personalisation’ in AI systems

The Future of Privacy Forum explains the subject of ‘Personalisation’, which refers to features of AI systems that adapt to an individual user’s preferences, behaviour, history, or context. Personalisation techniques can include long-term memory knowledge bases, short-term conversation history, user and system prompts, settings, and fine-tuning the model after training.

For example, an AI instructor may be able to track a student’s progress on certain subjects, recall their learning interests and level, and modify explanations as necessary. According to some scholars, an AI system must have a complete understanding of its user, including their present emotional state, to be useful in even more sensitive or private situations, such as mental health.

A user's personal information, including prejudices and stereotypes, may be reflected in some of the data they provide to the chatbot or in what the algorithm deduces from their interactions. Last but not least, an AI system (such as the newest AI agents by Google, Meta, Anthropic, Microsoft and OpenAI) that has received or observed user data may be more likely to share that information with third parties in an effort to complete a task, without the user's consent.

In case you missed it

Face photo morphs: The US NIST has issued guidelines to help organisations detect face photo morphs and deter identity fraud. Face morphing software, which combines photos of different people into a single image, is being used to commit identity fraud. Morph detection software, which has grown more effective in recent years, can help flag questionable photos. However, the most effective defence against the use of morphs in identity fraud is to prevent morphs from getting into operational systems and workflows in the first place.  

Single-image detection, in the best cases, can detect morphs as often as 100% of the time (at a false detection rate of 1%) if the detector has been trained on examples from the software that generated the morph.  However, accuracy can degrade to well below 40% on morphs generated with software unfamiliar to the detector. Differential detectors are more consistent in their abilities, in the best cases, with accuracy ranging from 72% to 90%, across morphs created using both open-source and closed-source morphing software, but they require an additional genuine photo for comparison.

The post Data protection digest 18-31 Aug 2025: Greater simplification of GDPR, ‘personalisation’ in AI systems appeared first on TechGDPR.

]]>
Data protection digest  17 Jun – 1 Jul 2025: protecting individuals, not organisations, should be the focus of risk assessment https://techgdpr.com/blog/data-protection-digest-02072025-protecting-individuals-not-organisations-should-be-the-focus-of-risk-assessment/ Wed, 02 Jul 2025 12:48:51 +0000 https://s8.tgin.eu/?p=10856 Risk Assessment Personal data protection should be the cornerstone of risk assessments for organisations. The Polish regulator UODO came to this conclusion after investigating a ransom attack in a children’s clinical hospital in Białystok. Access to IT systems was blocked, which resulted in a breach of confidentiality and availability of personal data of approximately 2,000 […]

The post Data protection digest  17 Jun – 1 Jul 2025: protecting individuals, not organisations, should be the focus of risk assessment appeared first on TechGDPR.

]]>
Risk Assessment

Personal data protection should be the cornerstone of organisations' risk assessments. The Polish regulator UODO came to this conclusion after investigating a ransomware attack on a children's clinical hospital in Białystok. Access to IT systems was blocked, which resulted in a breach of the confidentiality and availability of personal data of approximately 2,000 employees, including the possibility of unauthorised access to that data. In this case, the risk assessment was conducted on the basis of a flawed procedure, from the perspective of the hospital as an organisation rather than from the perspective of protecting data subjects. 

The documents that were supposed to prove that a risk analysis had been conducted were inconsistent and full of ambiguities. The hospital did not indicate which processes it was analysing, nor did it link those processes to identified threats, vulnerabilities and the final risk rating. When explaining which technical measures it used to secure its IT systems, the controller referred to an audit conducted for compliance with the Act on the National Cybersecurity System. However, that act focuses primarily on ensuring safe and uninterrupted service provision, and not, as the GDPR does, on protecting the rights and freedoms of natural persons.

The hospital did not implement an appropriate procedure for performing and documenting recovery tests, and did not apply appropriate security measures for the backup copies created, which could have contributed to the fact that the hospital was unable to fully restore the data lost as a result of the attack.


Other legal developments

From 19 June, the Data Use and Access Act 2025 (DUAA) amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR), to promote innovation (eg, commercial scientific research, automated decision-making) and economic growth. Whilst it still protects people and their rights, the DUAA simplifies personal data usage in the following ways: 

  • New ‘recognised legitimate interests’ lawful basis of data processing (from public safety to direct marketing)
  • Assumption of compatibility for some data reuses
  • ‘Soft opt-in’ (eg, for charities)
  • More flexible requirements on cookies
  • Reasonable and proportionate subject access requests, etc.

At the same time, if you provide an online service that is likely to be used by children, the DUAA explicitly requires you to take their needs into account. The data subject complaints must also be facilitated by offering electronic complaint forms and respecting the 30-day legal time frame for acknowledgement and response. The changes will be phased in between June 2025 and June 2026. More summaries of changes can be found here and here.

GDPR enforcement ease: The Council of the European Union and the Parliament have reached a deal to make cross-border GDPR enforcement work better for citizens. Once adopted, the regulation will speed up the process of handling cross-border GDPR complaints, and any follow-up investigations.  The co-legislators agreed on an overall investigation deadline of 15 months, which can be extended by 12 months for the most complex cases. The early resolution mechanism will allow data protection authorities to resolve a case before triggering the standard procedures for handling a cross-border complaint. This may be the case where the company or organisation in question has addressed the infringement and where the complainant has not objected to the early resolution of the complaint.

AI and web scraping


The GDPR, in many cases, applies to AI models trained on personal data, due to their memorisation capabilities. To that end, a French CNIL guide specifies the conditions for using legitimate interest in the development of AI in the case of web scraping.  In line with the opinion adopted by the EDPB in December 2024, the CNIL considers that the development of AI systems does not systematically require the consent of individuals. Legitimate interest is a possible legal basis for the development of AI systems, subject to strong safeguards. 

The guide offers examples of concrete safeguards adapted to the different types of AI systems: exclusion of certain data from collection, increased transparency, facilitation of the exercise of data subject rights, etc. For example, the reuse of future conversations of users with a chatbot for the improvement of the AI model can be based on legitimate interest provided that certain strong guarantees are put in place: information for individuals, right to object, restriction of processing towards pseudonymised/anonymised data, etc. 

More from supervisory authorities worldwide

COPPA update: In the US, the amended Children’s Online Privacy Protection Rule took effect on 23 June. It includes a new definition for a mixed audience website or online service that is intended to provide greater clarity regarding an existing sub-category of child-directed services. The amendments also modify operators’ obligations concerning direct and online notices; information security, deletion, and retention protocols; annual assessment, disclosure, and reporting requirements. It also adopts rules related to parental consent requirements, methods of obtaining verifiable parental consent, and exceptions. 

Biometric identifiers vs biometric data: The JDSupra legal blog explains the difference between the two categories defined in the Colorado Privacy Act's biometric provisions, which went into effect on 1 July: biometric identifiers are data generated by the technological processing, measurement or analysis of a consumer's biological, physical or behavioural characteristics that can be processed for identification. Biometric data is the subset of biometric identifiers that is used, or intended to be used, for identification purposes. It does not include digital or physical photographs, audio or voice recordings, or any data generated from such a photograph or recording, unless these are used for identification purposes. Both categories can be considered sensitive data and may require a privacy notice and consent. 

Child data: Also in the US, New York's Child Data Protection Act (NYCDPA) went into effect on 20 June. The Office of the Attorney General issued practical guidance in advance on the application of the NYCDPA to minors' data alongside the federal COPPA Rule; operator responsibilities concerning user-provided age flags; requirements for schools, school districts and their third-party contractors; parental requests for products and services, etc. The guidance covers websites, online services, online applications, mobile applications and connected devices directed at minors. 


DeepSeek AI

Germany’s data protection commissioner has asked Apple and Google to remove Chinese AI startup DeepSeek from their app stores in the country due to concerns about data protection, Reuters reports. According to its privacy policy, DeepSeek stores numerous pieces of personal data, such as requests to its AI or uploaded files, on computers in China. The commissioner took the decision after asking DeepSeek in May to meet the requirements for non-EU data transfers or else voluntarily withdraw its app. DeepSeek did not comply with this request. Across Europe the authorities have also been evaluating the app, but while Italy has completely blocked it on app stores, the UK government said that the use of DeepSeek remains a personal choice for members of the public. 

In other news

Data access requests: The Swiss FDPIC concluded its investigation into Cembra Money Bank AG. After receiving complaints, the privacy regulator contacted Cembra with a view to a low-threshold intervention. Cembra replied that due to staff shortages, responses to requests for information were delayed. The company was reminded of the legal deadline for responding to requests for information within 30 days. The regulator also ordered the bank to provide all persons who had previously received only a standardised response to their requests with the actual information on their personal processed data. 


Telemarketing and data subject rights: An organisation must provide the key information about its processing of personal data immediately, during the first direct marketing call, if it obtained the person's contact details from a source other than the person themselves, states the Finnish data protection authority. If a person submits a request to delete their data to customer service, the request cannot be left unprocessed simply because it was not addressed to the data protection officer.

The organisation must ensure that the request is forwarded to the party that handles it. The same applies to opting out of direct marketing: if a person wants to prohibit direct marketing during a call, the request cannot be deflected by merely giving instructions on how to opt out elsewhere. 

Unjust dismissal

The Italian regulator Garante fined Autostrade per l’Italia Spa 420,000 euros for having unlawfully processed the personal data of an employee, which was then used to justify her dismissal.  The authority’s intervention followed the complaint of the worker who had reported the use, by the company, of content extracted from her Facebook profile and private chats on Messenger and WhatsApp to justify the disciplinary proceedings  against her. The content used also included excerpts of comments and photo descriptions in quotation marks. 

The investigations revealed that the content had been used by the employer without a valid legal basis, through screenshots provided by some colleagues and a third party, present among the employee’s “friends” on Facebook and active in her private conversations on Messenger and WhatsApp. Furthermore, the communications concerned opinions and exchanges that took place in contexts outside the employment relationship, not relevant for the purposes of assessing professional suitability. 

AI prohibited practices in the gaming sector

The Maltese data protection authority IDPC warns that AI systems used for player profiling, personalised gaming experiences and monetisation are not only subject to Art. 22 of the GDPR, which restricts automated decisions with legal or similarly significant effects on individuals, but can also amount to prohibited practices under Art. 5 of the AI Act. Manipulative AI deploys subliminal or deceptive techniques with the object of distorting player behaviour by impairing their ability to make an informed decision, causing them to take a decision they would not otherwise have taken (for example, algorithms that regulate emotion-triggered loot boxes). 

Other prohibited techniques in the gaming sector are the exploitation of vulnerabilities and social scoring.

In case you missed it 

Video integration into websites: Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) has carried out an automated website check for the first time and identified violations in the integration of YouTube videos on federal websites. YouTube videos can be used by public authorities and others on their websites in compliance with data protection regulations. However, this becomes problematic when videos are embedded directly. 

When the website is accessed, the user’s browser automatically connects to YouTube servers and transmits, among other things, IP addresses. This data transfer takes place without the user’s prior consent and thus violates the Telecommunications Digital Services Data Protection Act (TDDDG). For implementing video integration in compliance with data protection regulations, the BfDI offers two other options: 

  • Self-hosting is the gold standard: Videos are hosted on your own servers and embedded on the website. This ensures complete control over data processing and user interactions.
  • Two-click solutions: Users must actively click on a preview image before the connection to YouTube is established. (With this option, an equivalent alternative without a third-party provider should always be offered).
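As an added illustration of the two-click approach (example code written for this digest, not the BfDI's or any embed provider's own implementation): until the visitor clicks, the page holds only a self-hosted preview image and a button, and the iframe that contacts YouTube is created inside the click handler, so no request carrying the visitor's IP address leaves the site beforehand. It assumes the 11-character video id from the watch URL, a preview image on the site's own origin, and YouTube's privacy-enhanced youtube-nocookie.com embed endpoint; the `data-youtube-id` attributes and the `mountTwoClickEmbed` name are this example's own conventions.

```javascript
// Added example (not BfDI's or techgdpr.com's code): a "two-click" YouTube embed.
// Before the click the page holds only a self-hosted preview image and a button, so the
// browser sends nothing to YouTube. The <iframe> that contacts YouTube is created in the
// click handler only.
// Assumptions: the video is identified by the 11-character id from the watch URL, the
// preview image lives on the site's own origin, and YouTube's privacy-enhanced
// "youtube-nocookie.com" embed endpoint is used.

const YOUTUBE_ID = /^[A-Za-z0-9_-]{11}$/;

// Build the embed URL from a validated id only, so an attacker-controlled id (e.g. from a
// CMS field) cannot smuggle a different host, path or query into the iframe.
function embedUrl(videoId) {
  if (typeof videoId !== "string" || !YOUTUBE_ID.test(videoId)) {
    throw new Error("invalid YouTube video id");
  }
  const url = new URL(`https://www.youtube-nocookie.com/embed/${videoId}`);
  url.searchParams.set("autoplay", "1"); // one click both loads and starts the video
  return url.toString();
}

// True when `src` resolves to the page's own origin. A preview thumbnail loaded from a
// third party would already leak the visitor's IP address before any click.
function isSelfHosted(src, pageOrigin) {
  return new URL(src, pageOrigin).origin === new URL(pageOrigin).origin;
}

// Mount the placeholder into `container`; only the click handler creates the iframe.
function mountTwoClickEmbed(container, { videoId, title, previewSrc, pageOrigin }) {
  const url = embedUrl(videoId); // validate before touching the DOM
  if (pageOrigin && !isSelfHosted(previewSrc, pageOrigin)) {
    throw new Error("preview image must be self-hosted");
  }
  const doc = container.ownerDocument;

  const preview = doc.createElement("img");
  preview.src = previewSrc;
  preview.alt = `Preview: ${title}`;

  const button = doc.createElement("button");
  button.type = "button";
  button.textContent = "Play video (connects to YouTube)";

  button.addEventListener("click", () => {
    const frame = doc.createElement("iframe");
    frame.src = url; // the first and only request to YouTube happens here
    frame.title = title;
    frame.setAttribute("allow", "autoplay; encrypted-media");
    frame.setAttribute("referrerpolicy", "strict-origin-when-cross-origin");
    container.replaceChildren(frame);
  });

  container.replaceChildren(preview, button);
  return { url };
}

// In a browser, upgrade every <div data-youtube-id="..." data-preview="..." data-title="...">.
// (Skipped outside a browser, e.g. when the functions above are exercised in Node.)
if (typeof document !== "undefined") {
  for (const el of document.querySelectorAll("[data-youtube-id]")) {
    mountTwoClickEmbed(el, {
      videoId: el.dataset.youtubeId,
      title: el.dataset.title || "Video",
      previewSrc: el.dataset.preview,
      pageOrigin: location.origin,
    });
  }
}
```

Two details carry the data protection point. The id is validated before the URL is built, because the iframe src is what establishes the connection, and an unchecked value could point the embed at another host. The self-hosting check on the preview image catches the common mistake of loading the thumbnail from YouTube's image CDN, which already transmits the visitor's IP address to YouTube before any click and defeats the purpose of the two-click design.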

The post Data protection digest  17 Jun – 1 Jul 2025: protecting individuals, not organisations, should be the focus of risk assessment appeared first on TechGDPR.

]]>
Data protection digest 3 – 16 May 2025: ‘divided’ court ruling on IAB Europe, data brokers and national security https://techgdpr.com/blog/data-protection-digest-19052025-divided-court-ruling-on-iab-europe-data-brokers-and-national-security/ Mon, 19 May 2025 08:16:17 +0000 https://s8.tgin.eu/?p=10624 IAB Europe case results in mixed decision IAB Europe and Belgium’s data protection authority have each claimed a ‘partial victory’ in the latest court decision over whether the IAB is liable for personal data processing over the online ad tools the industry group provides for the market, Telecompaper reports. The Belgian Market Court has annulled […]

The post Data protection digest 3 – 16 May 2025: ‘divided’ court ruling on IAB Europe, data brokers and national security appeared first on TechGDPR.

]]>
IAB Europe case results in mixed decision

IAB Europe and Belgium's data protection authority have each claimed a 'partial victory' in the latest court decision over whether the IAB is liable for personal data processing through the online ad tools the industry group provides to the market, Telecompaper reports. The Belgian Market Court has annulled the regulator's 2022 decision due to procedural irregularities, notably the fact that the regulator failed to adequately justify why it considered TC (Transparency and Consent) Strings to be personal data. Nevertheless, the EUR 250,000 fine against IAB Europe was upheld.

In IAB Europe’s view, the court has rejected that it is a joint controller together with TCF participants for their own respective processing of personal data for digital advertising, in line with the CJEU judgment from 2024. The court upheld only part of the decision, namely that IAB Europe is a joint controller together with TCF participants solely regarding the creation and use of TC Strings by publishers and vendors. The IAB said it has a solution to the concerns expressed by the court that is ready for implementation.

The Belgian regulator takes a different view, believing that the court ruling means that the TC String is personal data within the meaning of the GDPR and that IAB Europe acts as a joint data controller for the processing of user preferences within the TCF. However, the court annulled the decision from 2022 on procedural grounds. The ruling should have a lasting impact on the online ad industry and its real-time bidding systems in the EU, the regulator added. The Irish Council for Civil Liberties has even suggested that tracking-based advertising by Google, Microsoft, Amazon, and X, across Europe, now has no legal basis for personal data processing. 


More official guidance

Schools’ data: The education sector processes a lot of personal data: school registrations, an extensive digital work environment, and pedagogical follow-up of students. This data can be subject to data breaches, and news reports show that schools are not spared from these incidents. Over the past five years, the CNIL has only been notified of about thirty data breaches per year in primary and secondary education. However, during its interventions in the field, the regulator noted that this figure does not reflect the daily reality of educational establishments. The CNIL has identified several reasons that may explain this under-reporting:

  • It is not always easy to identify what constitutes a “data breach”.
  • The procedure to follow in the event of a data breach is sometimes unknown to operational personnel.
  • The system of responsibility for processing implemented in the national education sector is complex.

To that end, the French CNIL offers two new guides (in French) for data protection officers, school principals, school heads and administrative staff to help them react in the event of a personal data breach.

GDPR and AI equation: The Swiss data protection regulator FDPIC reminds us that, because of the rapid increase in AI-supported data processing, and regardless of future regulations, the data protection provisions already in force must be complied with. In particular, the Federal Data Protection Act, which has been in force since 1 September 2023, is directly applicable to AI-supported data processing. The FDPIC alerts manufacturers, providers and users of such applications that, when developing new technologies and planning their use, they are required by law to ensure that data subjects have the highest possible degree of digital self-determination.

NIS2 guidance

The European Union Agency for Cybersecurity (ENISA) has developed the European Vulnerability Database (EUVD), as provided for by the NIS2 Directive. The EUVD service now openly provides aggregated, reliable and actionable information, such as mitigation measures and exploitation status, on cybersecurity vulnerabilities affecting Information and Communication Technology (ICT) products and services. The aggregated information in the database is displayed through three dashboards: critical vulnerabilities, exploited vulnerabilities, and EU-coordinated vulnerabilities. The EU Coordinated Vulnerabilities dashboard lists the vulnerabilities coordinated by European CSIRTs and includes the members of the EU CSIRTs network.

Cookie consent

The Norwegian data protection authority summarises the main steps for companies to follow in order to meet the requirements for voluntary, explicit, informed, and unambiguous consent. The list also outlines what companies must and should not do. The Norwegian Storting passed a new Electronic Communications Act that came into force on 1 January 2025. The rules set clearer requirements for businesses that use cookies and similar technologies: 

  • Provide unambiguous information in the consent box
  • Fill out the consent banner with complete information
  • Do not make access to the website or service conditional on consent
  • Let the user choose which purposes they will consent to or not
  • Don’t use pre-ticked boxes or acceptance by inaction
  • Don’t make declining consent require extra clicks or be more laborious than accepting
  • Don’t hide the option to decline consent, or give it a lower attention value
  • Use clear and simple wording in buttons or similar design solutions
  • Make it easy to withdraw consent and inform about this.

More from supervisory authorities

AI literacy: The European Commission has published an AI Literacy Q&A. Art. 4 of the AI Act requires providers and deployers of AI systems to ensure sufficient AI literacy of their staff and other persons dealing with AI systems on their behalf. The implementation plan for organisations may be built on the following steps: 

  • In which sector and for which purpose/service is the AI system being used? What are its opportunities and dangers?
  • Consider the role of the organisation: is my organisation developing AI systems or just using AI systems developed by another organisation?
  • What do employees need to know when dealing with such an AI system? What are the risks they need to be aware of, and do they need to be aware of mitigation measures?

EU Merger: The Commission also seeks feedback on the review of EU merger guidelines dating from 2004 and 2008. It should reflect the economic changes such as digitalisation, globalisation, innovation, as well as the case practice and the case law developed over the past 20 years by the Court of Justice of the EU. Any interested citizen, business or association can contribute by replying to the general public consultation questionnaire available here until 3 September. 

Space systems security: In Germany, the Federal Office for Information Security (BSI), in collaboration with representatives of the national information security and space industries, has developed the second part of the Technical Guideline on securing space systems (BSI TR-03184). A space system comprises the space and ground segments; the focus of this publication is on the ground segment. Business processes across the entire life cycle of a ground segment, from conception to decommissioning, were considered. The guideline identifies hazards for the various processes of future space missions and assigns risk management measures to them.


GDPR simplification plans

The European Commission has consulted the EDPB and EDPS on a proposal to introduce further exemptions from the GDPR’s obligation to keep records of personal data processing for SMEs. The exemption, which currently applies to companies with fewer than 250 employees, is proposed to be extended to companies with fewer than 500 employees. The EDPB and EDPS shared the opinion that, at this stage, they could express preliminary support to this targeted simplification initiative, bearing in mind that this would not affect the obligation of controllers and processors to comply with other GDPR obligations. In parallel, the EU is already working on finalising a new law to speed up the procedural rules for privacy regulators to coordinate on major GDPR cases in Big Tech. 

Data brokers


The UK Department for Science, Innovation and Technology closed a call for evidence on data brokers and their impact on national security. This inquiry concerns the activities involved in facilitating access to UK data (including data on UK persons, businesses, infrastructure, etc). This is via data brokerage, where pre-packaged or bespoke datasets can be obtained at speed and scale. To support policy development, the government wanted to identify several main points: a) the definition and services of data brokers, b) national security risks associated with the data broker industry, c) the effectiveness of data brokers’ security and governance frameworks, and d) a breakdown of brokers’ customer base. 

Record year for data breaches

The Australian Information Commissioner stated that businesses and government agencies reported more than 1,100 data breaches to the regulator and the public in 2024 – the highest annual total since mandatory data breach notification requirements started in 2018, and a 25% increase from 2023. Malicious and criminal attacks were the main source of breaches. Health service providers and the Australian government again reported the most data breaches of all sectors (20% and 17% of all breaches, respectively), highlighting that both the private and public sectors are vulnerable. The report also shows that the public sector continues to lag behind the private sector in the time taken to identify and notify data breaches, despite some improvements in timeliness.

Road cameras

The Estonian Data Protection Inspectorate sent an appeal to the Ministry of the Interior, drawing attention to the inadequacy of the legal basis for the license plate recognition cameras used in the preventive activities of the Police and Border Guard Board. In the regulator’s opinion, the processing of personal data using these cameras is not based on a sufficiently clear and specific legal basis. The Inspectorate has initiated a supervisory procedure to clarify how data is processed in the police database POLIS and whether it meets data protection requirements. 

In other news

Workers’ data: Bird&Bird research examines the German Federal Labour Court’s judgment to award an employee non-material damages of 200 euros after the employer put additional personal data into the “Workday” HR management software outside the agreed-upon limitations of a completed work agreement. The parties specified which data might be submitted for testing purposes. Because the agreed-upon restrictions had been exceeded, the employer could not rely on the work agreement as the legal basis.

Aggressive telemarketing: The Italian privacy regulator Garante has imposed millions of euros in fines and stringent corrective measures on Acea Energia Spa and a network of agencies and companies. All were involved in a massive system for procuring contracts for the activation of electricity and gas supplies, based on aggressive telemarketing practices and unlawful processing of personal data. The investigations revealed significant evidence of unlawful activities carried out using lists of users who had recently changed energy suppliers. The call-centre operators contacted these users, cited non-existent technical problems with the switch between suppliers and, by making them fear economic loss, induced them to activate a new supply.

Geolocating remote workers: An employer cannot geolocate employees who are working remotely. This was reaffirmed by the Italian Garante in imposing a fine of 50,000 euros on a company that tracked the geographic position of about one hundred employees during work carried out under smart working (remote working) arrangements. The investigation revealed that the company monitored its employees to verify the exact correspondence between their geographic location and the address declared in the individual smart working agreement. These checks were then followed by disciplinary proceedings by the company. This all took place in the absence of an appropriate legal basis and adequate information, in addition to the consequent interference in the private lives of employees.

In case you missed it 

NOYB vs Meta AI: The privacy advocacy group NOYB has sent Meta a formal settlement proposal in the form of a ‘cease and desist’ letter over Europe-wide AI training. If injunctions are subsequently filed and won under the new EU Collective Redress Directive, Meta may also be liable for damages to consumers, which could reach billions. Meta has announced it will use EU personal data from Instagram and Facebook users to train its new AI systems from 27 May onwards. Instead of asking consumers for opt-in consent, Meta relies on an alleged ‘legitimate interest’ and offers users the possibility to object to the processing before the training has started.

Facebook data leak compensation: Meanwhile, Facebook users in Germany whose data was affected by the data breach that came to light in 2021 can now join the class action lawsuit filed by the German Federation of Consumer Organisations. This follows a ruling by the Federal Court of Justice in November 2024, according to which the mere loss of control over personal data can justify a claim for damages regardless of any other disadvantages. The court considers an amount of 100 euros to be appropriate for this purpose. In serious cases, for example, when sensitive data such as date of birth, relationship status, or email address has been made public, the consumers can seek compensation of up to 600 euros. Those affected can use a dedicated complaint form to see if participation is an option for them and register the complaint. 

The post Data protection digest 3 – 16 May 2025: ‘divided’ court ruling on IAB Europe, data brokers and national security appeared first on TechGDPR.

Data protection digest 16-30 Nov 2024: Electronic patient records as a holistic picture of your health?
https://techgdpr.com/blog/data-protection-digest-03112024-electronic-patient-records-as-a-holistic-picture-of-your-health/
Tue, 03 Dec 2024 08:46:59 +0000

Electronic patient records (ePA) in Germany

From 2025, people covered by health insurance will be able to use electronic patient records (ePA in German) voluntarily and free of charge. This record can digitally gather information about the person’s medical history in a single place. Patients will decide how long someone is granted access to their records. The information includes test results and diagnoses, as well as medical treatment reports or information about recommended treatments.

Reportedly, the ePA will be subject to test criteria developed by the German Federal Office for Information Security, (BSI). Encrypted data processing will take place in a technically secure and trustworthy environment. No other authority should get access to it. Additionally, the ePA data will be transferred automatically and securely in the case of a change of health insurer. All existing objections and substitutions will be transferred. Patients can also add their information, such as a pain diary or old results that they already have in paper format. 


More legal updates

Data scraping on Facebook: In Germany, the Federal Court of Justice ruled on a case from 2021, when data from around 533 million Facebook users from 106 countries was publicly distributed on the Internet. The platform did not take sufficient security measures and enabled users’ profiles to be found using their telephone numbers, depending on the users’ searchability settings.

Unknown third parties entered randomized sequences of numbers on a large scale via the contact import function and accessed the public data available. The court decided that the plaintiff’s claim for compensation for non-material damage could not be denied. According to the privacy advocacy group NOYB, this decision aligned with the clear provisions in the GDPR, (Art. 82 – Liability and right to compensation), and several CJEU rulings. German courts previously had regularly refused damages in data protection cases. 

NIS2 guidance: ENISA has made available the draft implementing guidance on cybersecurity risk-management measures complying with the NIS2 Directive. It can be useful not only for regulated service providers but also for other public or private actors to maintain compliance and streamline audits. A mapping table correlates each requirement with European and international standards or frameworks (ISO/IEC 27001:2022, ISO/IEC 27002:2024, NIST Cybersecurity Framework 2.0, ETSI EN 319 401 V2.2.1 (2018-04), CEN/TS 18026:2024) and with national frameworks.

In parallel, the Cyber Resilience Act was published in the Official Journal of the EU, setting uniform cybersecurity standards for the development, production and distribution of hardware and software products and remote data processing solutions, placed on the EU market. It also overlaps with other pieces of the EU legislation including the NIS2 Directive, AI Act and DORA, according to a DLA Piper analysis. The Act provides for a transition period of three years ending in December 2027. 

Short-term vehicle rental

The data protection authorities of the Baltic States conducted a joint preventive inspection to assess the compliance of the short-term vehicle rental industry. The main problem was the lack of transparency – companies were unable to provide data subjects with clear and understandable information. Some companies chose an inappropriate legal basis or were unable to sufficiently justify its adequacy.

In some cases, the same legal basis was used for all data processing activities. In other cases, customer data was not deleted according to the established criteria. Finally, in some cases, facial images were processed for customer identification based on the data subjects’ consent, without an alternative option being offered.

More official guidance

Data protection by design: Once again, the Latvian data protection agency DVI has issued a reminder that when processing personal data, organisations must ensure that their processing complies with the principles of data protection by design and by default. This principle means that technologies are designed in such a way that the user’s data is processed only to the minimum extent and only for as long as necessary, without requiring the user to take special steps to protect their privacy.

In a broader sense, such measures include any method or means that an organisation may apply in the process of data processing: data pseudonymisation, user-friendly interface and possibilities for users to control their data processing, implementation of malware detection systems, employee training on the basics of cyber hygiene, establishing privacy and information security management systems, and determination of contractual obligations for processors. 

Data access response: When a data subject access request is made, an organisation must take reasonable steps to comply. This includes identifying all relevant filing systems and databases, as well as using appropriate search parameters that are considered reasonably likely to find information relating to the person. Organisations must be able to demonstrate why they consider the search parameters used to be reasonable and must also be able to explain why any filing systems or electronic databases have not been searched. Otherwise, data subjects will be unable to understand the full extent of the data being used, states the Guernsey data protection authority, based on a recent enforcement case. 


MS Copilot

The Norwegian regulator looked at which assessments the Norwegian University of Science and Technology should make before Microsoft’s AI assistant is put into use. M365 Copilot sits on top of Microsoft’s M365 cloud solution. It is a prerequisite that the organisation carries out all necessary security and privacy assessments relating to the M365 platform itself. Responsibility for the data used in the Copilot rests with the businesses that use the tool. 

In the next step, the purposes, tasks and legal bases associated with the personal data processing must be identified. Additionally, an impact assessment is required when using generative AI that processes personal data and logs all interactions. It is therefore important to assess whether other AI solutions (eg, locally installed ones) with a lower privacy risk can meet the specific needs. Finally, structured monitoring must also be set up for follow-up and for the quality of what the solution produces over time.

Identity card as a loyalty card

The Belgian DPA has imposed a series of corrective measures on Freedelity, a company specialising in the collection and pooling of consumer identity and contact data in partnership with various retailers. Freedelity keeps the electronic identity card number, the municipality of issue and the date of validity of the card, but this data is of no relevance to Freedelity and to the customer’s relationship with the brands. This data is mainly collected through terminals made available to retailers by Freedelity. These vendors store, share and use the customers’ data for marketing and customer relationship management purposes. 

One of the brands requires the acceptance of Freedelity’s terms and conditions to benefit from commercial advantages. Another brand considers that the insertion by a customer of their identity card into a Freedelity terminal amounts to default consent by the customer to the processing of their data for three distinct purposes. Some brands do not mention, for example, the processing of “data sharing” when asking the consumer for consent. Additionally, the mechanisms put in place by Freedelity and its partners to withdraw consent are not sufficiently accessible or intuitive.

More enforcement decisions

AI-powered cameras: Cameras equipped with AI offer new methods of analysis to assist professional drivers, notes the French regulator. In most cases, the employer’s legitimate interest appears likely to be concentrated on ensuring the safety of goods and people. The measures implemented should not lead to continuous monitoring of employees during their working hours. Only the data necessary to generate an alert in real-time can be processed.

Neither the images nor the technical data, (timestamp, geolocation, alert type), generated as part of the alert should be retained.

X’s Grok: The Norwegian authority looks at X’s AI model training on users’ posts, including the generative chatbot Grok. Last summer it became clear that X had trained its AI models with users’ posts without informing them; the function was pre-ticked in the user settings. X paused the processing of EU/EEA citizens’ posts for AI training purposes after 1 August. Now, however, X has resumed processing. According to X, it uses the separate company xAI as a service provider to process X posts, as well as Grok interactions, inputs and results, to train and fine-tune its AI.

Platform workers: The Italian Garante has ordered Foodinho, a company of the Glovo group, to pay 5 million euros for having unlawfully processed the personal data of over 35,000 delivery riders through its digital platform. The authority has prohibited the further processing of riders’ biometric data (facial recognition) used for identity verification.

Also, through direct access to the systems, the company carries out different automated processing of riders’ data, for example, through the so-called excellence system, (a score that allows priority booking of a work shift), and the order assignment system within the shift, or to deactivate or block the account. 

Meta will give users more options

Users of Facebook and Instagram will in future be able to use the services for free and at the same time receive ads based on less personal data than before, (including age, location and gender). The prices for monthly subscriptions also will be reduced. In a low-data environment, Meta plans to introduce ad breaks to allow advertisers to connect with a wider audience. This means that some of the ads will be unskippable for a few seconds. Such practice is already offered by many of Meta’s competitors. The new option will apply in the EU, EEA and Switzerland. 

From chatbots to adbots

Privacy International investigates how AI giants want to monetise their tools to pay for their high costs, and advertising appears to be a component of many of these schemes. Microsoft, for example, is experimenting with advertising formats through its ads for chat API. Amazon’s latest shopping chatbot, Rufus, aims to proactively recommend products based on what it knows of the user’s habits and interests.


As a result, the sponsored chatbot outputs can be far more invasive because they can be based on far more intimate information collected over time about the user and how they behave and react. 

The post Data protection digest 16-30 Nov 2024: Electronic patient records as a holistic picture of your health? appeared first on TechGDPR.

Data protection digest 17 Sep – 1 Oct 2024: EU Data Act as an illustration of the GDPR ‘prevail’ principle
https://techgdpr.com/blog/data-protection-digest-02102024-eu-data-act-as-an-illustration-of-the-gdpr-prevail-principle/
Wed, 02 Oct 2024 09:58:10 +0000

How does the EU Data Act interact with the GDPR?

The Data Act will become applicable in the EU starting on 12 September 2025. In the runup, the European Commission has published an FAQ on the new legislation. Together with the Data Governance Act, it enables a fair distribution of value by establishing clear rules related to the access and use of data within the EU’s data economy. While the Data Act does not regulate the protection of personal data, the GDPR remains fully applicable to all personal data processing activities under the Act. 

This includes the powers and competences of supervisory authorities and the rights of data subjects. In some respects the Data Act complements the GDPR (eg, real-time portability of data from Internet-of-Things objects). In other cases, it restricts the re-use of data by third parties, such as for profiling purposes (unless this is necessary to provide the service to the user). In the event of a conflict between the GDPR and the Data Act, the GDPR rules shall prevail (see Art. 1(5) of the Data Act).


Corrective powers under the GDPR

The CJEU has ruled that a supervisory authority is not obliged to exercise a corrective power in all cases of breach and, in particular, to impose a fine. It may refrain from doing so where the controller has already taken the necessary measures on their initiative. The case relates to a savings bank in Germany where one of its employees had consulted a customer’s data on several occasions without being authorised to do so. The employee had confirmed in writing that she had neither copied nor retained or shared the data, and the bank had taken disciplinary measures. The data controller nevertheless notified the data protection authority of this breach.

More legal updates


California tech updates: Among over a dozen new bills covering personal data and generative AI, Governor Gavin Newsom signed a bill on training data sources into law. It includes reporting provisions for developers on sources or owners of datasets, a description of data points in them, whether the datasets contain personal information, how the datasets further the intended purpose of the AI system or service, whether the datasets include any data protected by copyright, trademark, or patent and more. Changes will be due on 1 January 2026. 

California has also expanded the definition of personal data to more abstract digital formats, including compressed or encrypted files, metadata, or artificial intelligence systems that are capable of outputting personal information. At the same time, a landmark artificial intelligence safety bill was blocked by the governor after strong opposition from major technology companies. The draft bill required the most powerful AI models to undergo safety testing and other oversight obligations.

Lax social media privacy controls: The Federal Trade Commission has examined the data practices of major social media and video streaming services, revealing that they engaged in vast surveillance of consumers to monetise their personal information while failing to adequately protect users online, especially minors. Among other things, companies feed users’ and non-users’ personal information into their automated systems, including for use by their algorithms, data analytics and AI, without proper testing and oversight. Meanwhile, data subjects had little or no way to opt out of how their data was used by these automated systems.

Who determines how to secure data?

The Polish Supreme Administrative Court has made a final decision on whether a data controller can use an employee to determine how to secure data. In a related case, the probation officer of a district court lost an unencrypted pendrive with the personal data of 400 people. The analysis of the case showed that the controller had not fulfilled security obligations correctly. 

Before the incident, the controller issued the device and instructed the probation officer to implement security measures on their own. The obligation to register and encrypt the medium was introduced only after the officer lost it. Additionally, employees were only given basic training in data protection, which did not give them enough knowledge on securing digital mediums or calculating the risks of data loss. As a result, the employee decided to protect the data by carrying their drive in a locked bag.

More from supervisory authorities

Data accountability from A to Z: The Luxembourg data protection and cybersecurity authorities have recently developed DAAZ, a GDPR compliance tool that addresses the challenges faced by start-ups and small and medium-sized enterprises, (available in English). The tool comes in response to the personal data protection challenges faced by SMEs in particular, which are often at a disadvantage compared with large organisations in terms of resources and expertise.

Mobile applications: The French CNIL has published the final version of its recommendations to help professionals design privacy-friendly mobile applications. From 2025, these will be the subject of a specific control campaign. According to the latest data, a typical French consumer downloads 30 apps and uses their mobile phone for an average of 3 hours and 30 minutes per day. Among other things, the recommendations include best practices for stakeholders to ensure that users understand whether the requested permissions are really necessary for the application to function.

AI Act and GDPR: Finally, the Belgian regulator published its information guide, (available in English), on the EU AI Act from a GDPR perspective. It includes sections on AI system definition, and data protection principles such as purpose limitation, data minimisation and data subject rights in an AI context. It also emphasizes accountability, security measures and human oversight in AI development. 

Termination of employment

Although former employees have the right to request the deletion of their data, it should be understood that this right is not absolute, according to the Latvian regulator. In one example, the former employer has the right to temporarily retain an e-mail box for a certain period to ensure continuous communication with the company’s customers, (eg, by forwarding e-mails), and access information that is essential to the operation of the company. However, the employer must clearly define for how long this e-mail address will be stored and communicate it to employees. 

This does not mean that the employer can use the information found in the e-mail for other purposes. The principle of purpose limitation should be taken into account here. If an employer recovers, for example, a computer or smartphone used by an employee after the end of the employment relationship, they may discover that private e-mails or other communication channels were accessed on it. If the employee is not logged out of these accounts, the employer has no right of access, despite owning the device.

Data requests via a representative

Finland’s data protection commissioner has stated that a person can make an inspection request for their data with the help of an agent and, for example, ask the organisation to provide the agent with that information. Data protection legislation does not prevent the exercise of data protection rights through another person. An individual who contacted the regulator’s office had asked the Tax Administration to deliver all information about them to their representative’s postal address. However, the Tax Administration refused to provide information to the agent, citing that the information could only be provided to the person directly.

More enforcement decisions

Commercial legitimate interest: Hogan Lovells’ law blog reports that a Dutch court has once again set aside a decision of the data protection authority for its overly strict interpretation that purely commercial interests cannot be legitimate interests under the GDPR. The court ruled in favour of the unnamed company by suspending a 120,000 euro fine, as there was still room for legal discussion. 

The cumulative criteria for a valid legitimate interest, (eg, for direct commercial marketing), require a careful assessment, including whether the data subject could reasonably expect the data processing. Additionally, the personal data concerned should be strictly necessary for the legitimate interests pursued, and, finally, the fundamental rights and freedoms of the data subject must be preserved. 

Meta fine for password storage in plaintext: The Irish Data Protection Commission has fined Meta Ireland 91 million euros. This inquiry was launched in April 2019, after the company notified the regulator that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems, (ie, without cryptographic protection or encryption). These passwords were not made available to external parties. 

Selling data to competitors: A man in the UK has pleaded guilty and been fined for unlawfully retaining and selling thousands of details of customer records from the car leasing company he worked for. Shortly before he resigned from his role as sales consultant, at Leaseline Vehicle Management Ltd, he sold over 3,600 pieces of personal information he’d taken from the company’s internal customer database. He approached multiple competitor companies with this information, whilst claiming that the data belonged to him.

Data security

Facial recognition: The German Data Protection Conference observes that some authorities are already using biometric facial recognition in public spaces, citing non-specific criminal procedural rules. However, the legal framework and the civil liberties of those affected – potentially all citizens – are not sufficiently taken into account. For this reason, the European legislators have excluded certain applications in the AI Act and set strict limits for others. The regulator calls upon the national legislators to create specific and proportionate legal bases for the use of facial recognition systems in public spaces.  

Minors’ data: Following the UK Ofcom’s publication of the draft Children’s Codes of Practice, which are due to come into effect in early 2025, Instagram has changed the way it works for minors, connectedworld.clydeco.com reports. For all under-18s, the new “teen accounts” will activate several privacy settings by default, such as preventing non-followers from seeing their material and requiring them to manually accept new followers.

Also, the only way for 13 to 15-year-olds to change the settings is to add a parent or guardian to their account. Stricter rules will also apply to sensitive content, so that potentially harmful material is not recommended, and notifications will be muted overnight, (“sleep mode”). 

Portability right: A new portability right applies to employees and consumers in Québec, JD Supra law blog reports. The purpose is to allow individuals in the private and public sectors to access their data and transfer it to another legally authorised organisation of their choice. It only applies to data that is already stored digitally and was provided directly by the individual. Although the legislation does not specify a particular format, PDFs, pictures, and proprietary formats that require additional software or costly licensing should be avoided in favour of formats such as CSV, XML, or JSON. 

The post Data protection digest 17 Sep – 1 Oct 2024: EU Data Act as an illustration of the GDPR ‘prevail’ principle appeared first on TechGDPR.

Data protection digest 18 Mar – 02 Apr 2024: AI and DP standardisation, patient medical data, human factor in data security
https://techgdpr.com/blog/data-protection-digest-04042024-ai-and-dp-standardisation-patient-medical-apps-the-weakest-link-in-data-security/ Thu, 04 Apr 2024 08:10:04 +0000

The need for AI and data protection standardisation, best practices on customer and employee data protection, rules on restricted cross-border data transfers, tips for DPOs, CISOs, IT specialists, and much more in our latest digest.

Stay tuned! Sign up to receive our fortnightly digest via email.

AI and data protection standardisation

The French CNIL elaborates on the contribution of the ISO/IEC 27701 and 42001 standards to compliance with data protection laws. For many years, IT security has benefited from two recognised international standardisation frameworks: ISO/IEC 27001 and 27002, which detail best practices for implementing the necessary security measures. ISO/IEC 27701, published in 2019, complements these two standards by defining and detailing a “privacy management system”. 

At the same time, the new ISO/IEC 42001, published in 2023, proposes a “management system for AI” for organisations. This standardisation tool describes the processes for managing concerns related to the reliability of AI systems: security, safety, fairness, transparency, and data and system quality throughout the lifecycle. In addition, it provides a series of operational measures to implement them, including assessing the various impacts and risks of an AI system, ensuring responsible development and use, and documenting and monitoring. 

Public tasks and AI

The Swedish IMY is starting a regulatory sandbox project to test how generative AI can create more efficient data processing when issuing public documents. The goal of Lidingö city’s project “Right to transparency 2.0” is to be able to use generative AI to get help with masking personal data and confidential information. In addition to IMY, the Atea Sweden company will participate with technical expertise and know-how. 

CPPA enforcement

California’s Privacy Protection Agency has issued its first enforcement advisory, on applying data minimisation to consumer requests. Businesses should apply this principle to every purpose for which they collect, use, retain, and share consumers’ personal information. For example, a business must not require a consumer to provide additional information beyond what is necessary to send the opt-out signal, (of selling/sharing their data), or when determining the method by which to verify the consumer’s identity. What is the minimum personal information necessary to achieve this purpose? Read more in the original guidance.

More official guidance

Patient medical apps: The Italian ‘Garante’ has published a guide on apps and sites that connect patients with healthcare professionals, including general practitioners and pediatricians, concentrating on free choice, the booking of visits, and the sending and archiving of health documents, (in Italian only). The compendium provides clarifications concerning three macro types of processing: 

  • patient data, necessary to offer them online services,
  • data of healthcare professionals processed for various purposes,
  • data on the health of patients, processed for diagnosis and treatment purposes.

Tech vendors and HIPAA: The US government reminds us of the correct use of online tracking technologies by covered entities and business associates under the Health Insurance Portability and Accountability Act, (HIPAA). As a rule, they are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of protected health information, (PHI), to tracking technology vendors, (eg, via user webpages and mobile apps). This primarily includes the disclosures of PHI for marketing purposes without a user’s HIPAA-compliant authorisation.

AI-powered employment practices: Privacy International has responded to the UK ICO’s draft guidance for employers and recruiters on deploying AI tools. Its response focuses on the processor/controller designation of recruiters and the third-party LLMs they outsource to, and on candidates’ employment rights that may be undermined by algorithmic decision-making. PI’s submission addresses the different technologies used and the different types of data collected, the use of candidate data for model-training purposes, the role of DPIAs, and what constitutes meaningful human intervention.

UK standard clauses

As of 21 March 2024, any contracts depending on the old EU SCCs for data transfers with the UK should have been upgraded to the UK IDTA or UK Addendum. From 21 September 2022, organisations had to use the IDTA or the Addendum if they intended to enter into new, (or update existing), arrangements for transfers that are subject to the UK GDPR. The deadline is further explained in the TechGDPR blog post.

German healthcare data

The country’s new Health Data Use Act entered into effect on 26 March, IAPP News reports. By allowing pharmaceutical corporations to access patient health data for research reasons, the act seeks to further health research. Researchers will only be permitted to access pseudonymised data, and any violations of patient privacy would result in administrative sanctions. The original legal text in German can be consulted here.

More legal updates

Florida’s under 16 law: The Florida Governor signed a bill that bans children aged under 14 from social media platforms and requires 14 and 15-year-olds to get parental consent. The measure requires social media platforms to terminate the accounts of people under 14 and those of people under 16 who do not have parental consent. It also requires the use of a third-party verification system to screen out those who are underage. On 1 January 2025, the measure will become law. The critical views can be read in the original analysis by Reuters.

Australia’s doxxing reform: The Government proposes new provisions to address doxxing as part of the Privacy Act Review. ‘Doxxing’ is the intentional online exposure of an individual’s identity, private information or personal details without their consent, (eg, for de-anonymising, targeting purposes). A new statutory tort for serious invasions of privacy would allow individuals to seek redress through the courts if they have fallen victim to doxxing, as well as access, objection and erasure rights, and the right to correct their personal information.

Chinese restricted transfers: The Cyberspace Administration finalised guidelines setting out exemptions to certain cross-border data transfer laws, DLA Piper reports. These include collection outside of mainland China, cross-border HR management, cross-border contracts, volume thresholds and others. The guidelines include updated filing templates for those still falling outside the exemptions and a reminder that consent and contractual/other measures remain in place. More details on the current security assessments and standard contracts for data exporters are available here.

UK data protection reform

UK civil society organisations have issued an alert on the financial surveillance powers proposed in the UK Data Protection and Digital Information Bill, (now at the Committee stage). It introduces mass algorithmic surveillance aimed at scrutinising bank and any third-party accounts, purportedly to detect welfare fraud and errors. Reportedly, there are no restrictions on the type of information that can be requested. Enacting a law that allows for disproportionate mass surveillance could also put the UK’s adequacy status with the EU at risk. 

Facial recognition abuse at the workplace

Facial recognition to check attendance in the workplace violates employee privacy, stated the Italian ‘Garante’ when sanctioning five companies all engaged in various capacities at the same waste disposal site, for having unlawfully processed the biometric data of a large number of workers. In particular, three companies had shared the same illegal biometric detection system for more than a year, without having adopted adequate technical and security measures. The companies had not provided clear and detailed information to workers nor had they carried out an impact assessment. They should have more appropriately used less invasive systems to control the presence of their employees in the workplace, (such as by badge). 

More enforcement decisions

Cookie walls: The Danish data protection authority has confirmed its decisions in the cases concerning JFM’s, (media company), and GulogGratis’, (online marketplace), approach to using cookie walls. In particular, statistics were not a necessary part of the paid access alternative: the processing of personal data to generate statistics was not directly linked to financing the content. The marketing purpose, unlike the statistical purpose, made it possible for advertising partners to buy access to banner advertisements etc. on the website, to serve personalised ads and thus generate advertising revenue.

Access and log control: The Norwegian data protection authority has issued a fine of approximately 1.7 million euro and several injunctions to the Norwegian Labour and Welfare Agency, (NAV). NAV lacked management and understanding of the importance of safeguarding data confidentiality through access management and log control. The majority of Norwegian citizens receive benefits from NAV at one time or another during their lives. 

There is therefore an inherently high privacy risk in NAV’s operations. In practice, however, local offices were given considerable freedom to organise themselves in their own ways. As a result, special categories of personal data were often processed for long periods and by a large number of people, without the necessary security measures being established, and despite repeated calls for compliance.

Retailer’s indefinite data storage: The Finnish data protection commissioner has ordered Verkkokauppa.com to pay an administrative fine of 856,000 euros, as the company had not defined how long the data of online store customer accounts would be kept. The limitation of the data retention period was left to the responsibility of the customer. In addition, Verkkokauppa.com’s policy of making online purchases require the creation of a customer account violates data protection regulations. 

Data breaches

Ransom attack: The Estonian privacy regulator explains the recent Asper Biogene data leak. Sensitive personal health data was leaked. The company learned of the intrusion through a ransom demand. Thanks to the notification made by the data controller, people learned about the situation – this allowed them to protect themselves from possible fraudulent letters. The data leak involved a healthcare service provider and an authorized processor, (Asper Biogene). In this case, the agreement concluded between the controller and the authorised processor largely helped to confirm the parties’ roles and goals in data processing. 

Data security 

Human factor: What is the weakest link in the data security chain? The Estonian regulator states that it is still a person that interacts with that data. Therefore every month there are cases where the requirements for personal data processing are violated due to an employee’s mistake, carelessness or lack of organisation in the workplace. Some recent cases resolved by the regulator included: 

  • an intranet was accessible from the public Internet, where the only measure to protect its content was the same username and password used by multiple persons.
  • the employees of a cafe discovered that paper documents concerning the inmates of a detention facility had been left there.
  • a hosting company sent a newsletter to its customers in a way where the e-mail addresses of others were visible to all recipients.
  • an employee of a financial company was mistakenly given access to a bank account used for salary payments of the company’s employees.
  • the publication of people’s debt data in various default registers without a legal basis. 
  • a ransomware and code-injection attack, hijacked employee e-mail accounts, and phishing. 

Latest technology guide: The French CNIL has published a new edition of its Personal Data Security Guide, (available in English). The new version restructures the guide and introduces new fact sheets, including tips on artificial intelligence, mobile applications, cloud computing, and application programming interfaces. For instance, current practices such as the use of BYOD have been added to the existing fact sheets. The guide is a reference for DPOs, CISOs and IT specialists, and for the CNIL’s own assessments. 

Big Tech

Google Incognito data deletion: The Guardian reports that Google settled a lawsuit alleging it surreptitiously monitored the internet activities of users who believed they were surfing incognito on its Chrome browser, and it agreed to delete billions of data sets. Users alleged that Google’s analytics, cookies and apps let the Alphabet unit improperly track people who set Google’s Chrome browser to “incognito” mode and other browsers to “private” browsing mode. As part of the settlement, Google will update its disclosures on the data it gathers during “private” surfing. Users in incognito mode will also be able to disable third-party cookies.

Mozilla/Onerep data brokerage case: The nonprofit that supports the Firefox web browser is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by US cybersecurity expert Brian Krebs forced Onerep’s CEO to admit that he has founded dozens of people-search networks over the years. 

In the US, data brokers, people-search services like Onerep, and online reputation management firms exist because virtually all US states exempt so-called “public” or “government” records from consumer privacy laws. Those include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, social media data and known associates.

The post Data protection digest 18 Mar – 02 Apr 2024: AI and DP standardisation, patient medical data, human factor in data security appeared first on TechGDPR.

Data protection digest 3-17 Mar 2024: Personal data gaps in information systems, TC string, mass data collectors
https://techgdpr.com/blog/data-protection-digest-18032024-personal-data-gaps-in-information-systems-tc-string-mass-data-collectors/ Mon, 18 Mar 2024 09:51:22 +0000

Information systems, their security, and personal data gaps are the focus of our latest digest. Also requiring your attention are invalid consent in cookie walls, the ‘pay or okay’ subscription model, OpenAI “Sora” data practices, and the crackdown on mass data collectors.

Stay tuned! Sign up to receive our fortnightly digest via email.

Personal data gaps in information systems

The Spanish data protection agency AEPD examines the distinction between addressing security by focusing exclusively on information systems and addressing it from the perspective of the processing operations carried out. Under the GDPR rules, a data controller must evaluate the risks to the rights and freedoms of the natural persons whose data is being processed and apply measures to mitigate them. Therefore, security focused on processing activities is a broader concept than security focused exclusively on systems. The scope of application of the GDPR is the processing of personal data, understood as processes with an ultimate and specific purpose, while the scope of application of other regulations, such as cybersecurity or artificial intelligence, is oriented to information and communications systems. 

An example that illustrates this difference is the case of access control operations in personal data processing – when third parties use compromised credentials to log into a service or application. Some controllers may incorrectly claim that a breach within the meaning of the GDPR has not occurred since, according to their opinion, the information systems have not been compromised. These controllers understand that the use of valid credentials to log in to the system has not led to a personal data breach in the processing as the system has functioned correctly.
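The AEPD’s point is that a login with valid but stolen credentials is a breach of the processing even though the system “functioned correctly”. The following is an added example, not part of the AEPD guidance or of any product, of how a defender can surface such logins from an authentication log: a successful login from a source address that has just failed against several different usernames is treated as a likely third-party use of valid credentials and therefore as a personal data breach to be assessed. The log format and all sample lines are constructed for this illustration.

```python
"""Flag logins that succeeded with valid credentials but look like a third
party using them (credential stuffing), from an authentication log.

Added example; not from the AEPD guidance or any product. The log format
(timestamp, username, source IP, result) and the sample lines are
constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: many failed logins for different users from one
# IP, followed by a success. The service worked as designed, yet the
# successful session belongs to whoever is trying stolen credentials.
SAMPLE_LOG = """\
2024-03-10T09:00:01Z alice 203.0.113.7 FAIL
2024-03-10T09:00:02Z bob 203.0.113.7 FAIL
2024-03-10T09:00:03Z carol 203.0.113.7 FAIL
2024-03-10T09:00:04Z dave 203.0.113.7 FAIL
2024-03-10T09:00:05Z erin 203.0.113.7 OK
2024-03-10T09:30:00Z alice 198.51.100.20 OK
2024-03-10T09:31:00Z alice 198.51.100.20 FAIL
2024-03-10T09:31:30Z alice 198.51.100.20 OK
"""


def parse_log(text):
    """Yield (time, user, ip, ok) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result == "OK"


def suspicious_logins(text, window=timedelta(minutes=10), min_users=3):
    """Return (user, ip) pairs for successful logins where the same source IP
    failed against at least `min_users` other usernames inside `window`
    before the success. One user mistyping their own password is not flagged;
    each hit is a candidate breach for the controller to investigate."""
    events = sorted(parse_log(text))
    failures = defaultdict(list)  # ip -> [(time, user), ...]
    flagged = []
    for t, user, ip, ok in events:
        if not ok:
            failures[ip].append((t, user))
            continue
        recent = {u for ft, u in failures[ip] if t - ft <= window and u != user}
        if len(recent) >= min_users:
            flagged.append((user, ip))
    return flagged


if __name__ == "__main__":
    for user, ip in suspicious_logins(SAMPLE_LOG):
        print(f"review account {user}: valid-credential login from {ip} after spraying")
```

On the constructed log only erin’s session is flagged; alice’s retry from her own address is not. In practice the threshold and window belong in a tuned detection rule, and a hit should start the breach-assessment clock rather than be closed as “the system worked”.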

“Consent or Pay” initial guidance

Some businesses are considering giving people a choice between accessing online services without payment if they consent to their personal information being used for personalised advertising or, if they refuse this consent, having to pay to access that service. In principle, data protection law does not prohibit business models that involve “consent or pay”, states the UK ICO. However, some types of access mechanisms aren’t likely to comply with expectations in data protection law for consent to be ‘freely given’. The relevant context may include power imbalance, equivalence, appropriate fees, privacy by design, and information obligation:

“Being upfront and honest with people about what happens to their personal information when they use the service is a good thing.”

More official guidance

Data obtained as part of work duties: The Latvian regulator DVI explains the legality of data processing through information systems that hold personal information and to which access is authorised through employment. We may directly or indirectly come into contact with other people’s data while carrying out our job, including customers, coworkers, and residents.

The organisation that grants its employees access to the systems must ensure, (if technically possible), that an employee accesses only the information necessary to perform the duties of their position. Personal interest or curiosity is not an adequate basis for looking into a database. In the case of a data processing infringement, the organisation should anticipate that, as the data controller, it would be the party principally responsible. 
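Both the NAV decision above (access management and log control) and the DVI note on curiosity lookups come down to the same control: every record access should be attributable to a work reason, and the access log should be compared against that reason. The following is an added example, not tooling from NAV, the Norwegian regulator or the DVI, that audits a constructed access log against a constructed case-assignment table and reports accesses with no assignment behind them. Record ids, employee ids and all rows are invented for the illustration.

```python
"""Audit a record-access log against case assignments: which employee looked
up a person's file without an assignment that justifies it?

Added example; not taken from the DVI or the Norwegian regulator's
decision, and not NAV's own tooling. The assignment table, log format and
all sample rows are constructed for this illustration.
"""
from collections import defaultdict

# Constructed: which case workers are assigned to which citizens (by record id).
ASSIGNMENTS = {
    "cw01": {"R1001", "R1002"},
    "cw02": {"R1003"},
    "cw03": set(),          # new hire, no caseload yet
}

# Constructed access log: timestamp, employee, record id, action.
ACCESS_LOG = """\
2024-03-10T08:01:00Z cw01 R1001 view
2024-03-10T08:02:00Z cw01 R1003 view
2024-03-10T08:05:00Z cw02 R1003 view
2024-03-10T08:06:00Z cw03 R1001 view
2024-03-10T08:07:00Z cw03 R1002 export
2024-03-10T08:08:00Z cw01 R1002 view
"""


def parse_access_log(text):
    """Yield (timestamp, employee, record, action) from the constructed format."""
    for line in text.splitlines():
        if line.strip():
            yield tuple(line.split())


def unjustified_accesses(text, assignments):
    """Return (employee, record, action) for every access to a record the
    employee is not assigned to. Employees missing from the assignment
    table have no justification for any access and are reported too."""
    findings = []
    for _ts, emp, rec, action in parse_access_log(text):
        if rec not in assignments.get(emp, set()):
            findings.append((emp, rec, action))
    return findings


def per_employee_summary(findings):
    """Count unjustified accesses per employee, most first, so repeat
    offenders surface at the top of the review queue."""
    counts = defaultdict(int)
    for emp, _rec, _action in findings:
        counts[emp] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    hits = unjustified_accesses(ACCESS_LOG, ASSIGNMENTS)
    for emp, rec, action in hits:
        print(f"{emp} {action} {rec}: no assignment on file")
    print(per_employee_summary(hits))
```

The review is only as good as the assignment table, so in a real deployment the table comes from the case-management system rather than a hand-kept mapping, and an “export” on an unassigned record should be escalated ahead of a plain view.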

Automated decisions: The Spanish AEPD has updated its guidance on the degree of human intervention in automated decisions, (Art. 22 of the GDPR). Many automated decisions involve some degree of human intervention. However, for the intervention to count as meaningful, it has to be active and not just a symbolic gesture; that is, it has to have a certain degree of relevance and capacity. Evaluating whether human supervision is possible and effective involves assessing both the system used and the processing and its context. To carry out this evaluation systematically, it is recommended to objectively assess a person’s participation in the decision process. More details in the original publication (in Spanish). 

Public affairs: As part of their activity, public affairs professionals, (public affairs or lobbying consulting firms, internal departments), collect personal data relating to individuals in sectors such as government, administrative, associative, parliamentary, media actors, etc. To help them comply with the GDPR, several associations representing business and public relations professionals have jointly developed a guide, drafted in consultation with the CNIL, (in French). 

Legal processes

EU AI Act: The Guardian analyses the practical implications of the upcoming regulations for customers and businesses. The act will soon become law and go into effect gradually over the following three years. Customers will feel more certain that the AI technologies are configured for safe use as a result. Similar to how the GDPR role model worked, the legislation will likewise have an impact outside the EU. However, the EU’s proposed cap on computing power used to train AI models is far lower than equivalent laws in the US. Consequently, European companies could even decide to relocate west to get around EU regulations, warn some tech businesses.

European Health Data Space: EU legislators have struck a provisional agreement on the exchange and access of health data at the union level. Currently, the level of digitalisation of health data in the EU varies from one member state to another. The proposed regulation requires all electronic health record systems to comply with the specifications of the European electronic health record exchange format, ensuring that they are interoperable at the EU level.

Patients still will have the right to opt-out from primary and secondary use of their data or restrict access to it with some exceptions, (eg, scientific research, public interest, vital interests). 

IAB Europe: The CJEU holds, as argued by the Belgian data protection regulator, that a structured character string capturing internet users’ preferences, such as IAB Europe’s TC string, can be considered personal data. The TC string constitutes personal data, in particular, because its purpose is to link advertising preferences to a specific individual. As a sectoral organisation which standardises and prescribes the method for capturing and transmitting user preferences, IAB Europe can indeed be considered a (joint) controller concerning the processing carried out following this method.
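To make concrete what the TC string carries, here is an added example (not code from IAB Europe, and not connected to the CJEU case) that decodes the fixed-width head of a TCF v2 core segment. The field widths follow the TCF v2 core-segment layout as I know it and should be treated as my assumption; the sample string is produced by the small encoder in the block, so every value in it is constructed. What the decoder exposes is the point of the ruling: a per-user creation and update timestamp at tenth-of-a-second resolution, the CMP that recorded the choice, and the individual’s purpose and vendor choices, which together behave as an identifier once tied to a cookie or IP address.

```python
"""Decode the fixed-width head of an IAB TCF v2 "TC string" core segment.

Added example, not code from IAB Europe or from the CJEU case. The field
widths follow the TCF v2 core-segment layout as I know it (assumption); the
sample string is produced by the encoder below, so all values are constructed.
"""
import base64

# (field name, bit width), in order, up to the vendor-consent encoding flag.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_stacks", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
    ("purpose_one_treatment", 1), ("publisher_cc", 12),
    ("max_vendor_id", 16), ("is_range_encoding", 1),
]
LETTER_FIELDS = {"consent_language", "publisher_cc"}   # two 6-bit letters A-Z
BITMAP_FIELDS = {"special_feature_opt_ins", "purposes_consent",
                 "purposes_li_transparency"}            # bit i-1 set <=> id i


def _bits_from_b64url(s):
    raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    return "".join(f"{b:08b}" for b in raw)


def _b64url_from_bits(bits):
    bits += "0" * (-len(bits) % 8)
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _ids_from_bitmap(bits):
    return {i + 1 for i, b in enumerate(bits) if b == "1"}


def _bitmap_from_ids(ids, width):
    return "".join("1" if i + 1 in ids else "0" for i in range(width))


def _letters_from_bits(bits):
    return "".join(chr(65 + int(bits[i:i + 6], 2)) for i in range(0, len(bits), 6))


def _bits_from_letters(text):
    return "".join(f"{ord(c) - 65:06b}" for c in text)


def decode_core(tc_string):
    """Return the head fields plus the vendor-consent id set. Only the
    bitfield vendor encoding is handled; range encoding and the later
    vendor-LI and publisher-restriction sections are not parsed."""
    bits = _bits_from_b64url(tc_string.split(".")[0])
    pos, out = 0, {}
    for name, width in CORE_FIELDS:
        chunk, pos = bits[pos:pos + width], pos + width
        if name in LETTER_FIELDS:
            out[name] = _letters_from_bits(chunk)
        elif name in BITMAP_FIELDS:
            out[name] = _ids_from_bitmap(chunk)
        else:
            out[name] = int(chunk, 2)
    if out["is_range_encoding"] == 0:
        n = out["max_vendor_id"]
        out["vendor_consent"] = _ids_from_bitmap(bits[pos:pos + n])
    out["created_unix"] = out["created"] / 10   # stored as deciseconds since epoch
    return out


def encode_core(values, vendor_consent):
    """Inverse of decode_core for the bitfield vendor encoding; used only to
    build the constructed sample below."""
    bits = ""
    for name, width in CORE_FIELDS:
        v = values[name]
        if name in LETTER_FIELDS:
            bits += _bits_from_letters(v)
        elif name in BITMAP_FIELDS:
            bits += _bitmap_from_ids(v, width)
        else:
            bits += f"{v:0{width}b}"
    bits += _bitmap_from_ids(vendor_consent, values["max_vendor_id"])
    return _b64url_from_bits(bits)


# Constructed sample: a CMP (id 123) recorded consent for purposes 1, 2, 7
# and vendors 2 and 5 on a German publisher, with an English-language dialog.
SAMPLE_VALUES = {
    "version": 2, "created": 17098560000, "last_updated": 17098560000,
    "cmp_id": 123, "cmp_version": 1, "consent_screen": 2,
    "consent_language": "EN", "vendor_list_version": 200,
    "tcf_policy_version": 4, "is_service_specific": 1,
    "use_non_standard_stacks": 0, "special_feature_opt_ins": {1},
    "purposes_consent": {1, 2, 7}, "purposes_li_transparency": {2, 7, 8},
    "purpose_one_treatment": 0, "publisher_cc": "DE",
    "max_vendor_id": 5, "is_range_encoding": 0,
}
SAMPLE_TC_STRING = encode_core(SAMPLE_VALUES, vendor_consent={2, 5})

if __name__ == "__main__":
    print(SAMPLE_TC_STRING)
    print(decode_core(SAMPLE_TC_STRING))
```

A real TC string continues after the vendor-consent bitfield (vendor legitimate-interest section, publisher restrictions, optional segments after a dot), which this decoder deliberately does not parse; the head alone already carries the timestamps and choices that make the string a profile of one person.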

Data erasure request

Another ruling by the CJEU states that the supervisory authority of a Member State may order the erasure of unlawfully processed data even in the absence of a prior request by the data subject. Such erasure may cover data collected from that person and data originating from another source if such a measure is necessary to fulfil its responsibility for ensuring that the GDPR is fully enforced. The case relates to the provision of financial support to persons who have been made vulnerable by the COVID-19 pandemic, (in Hungary), and the data breaches committed by a local administration affecting eligible persons who had not applied for the support. 

Bank security failed

The Italian data protection authority Garante fined UniCredit 2.8 million euros and the company responsible for carrying out its security tests 800,000 euros. The violation had occurred due to a massive cyber attack on the mobile banking portal. The attack caused the illicit acquisition of the name, surname, and other identifiers of approximately 778,000 customers and former customers and, for over 6,800 of those customers, it had also led to the disclosure of the portal access PIN. The data was made available in the HTTP response returned by the bank’s systems to the browser of anyone who tried to access the mobile banking portal, even unsuccessfully. 
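The decision describes the flaw only at the level of “customer data present in the HTTP response, even on unsuccessful access”. The following added example is not UniCredit’s code and does not reproduce the actual defect; it shows the general shape of that failure mode next to a hardened handler: the vulnerable version builds the response from the looked-up record before the credential is checked, the hardened version returns the same minimal body on every failure and nothing about the customer until the PIN is verified. Customer table, PIN and the session placeholder are constructed.

```python
"""A login endpoint that leaks the customer record in its response versus
one that returns the same minimal body on every failure.

Added example; it is not UniCredit's code and does not reproduce the actual
flaw. Customer record, PIN and the session placeholder are constructed.
"""
import hmac

# Constructed customer table: username -> record. The PIN is kept in clear
# only so the vulnerable handler has something to expose; a real store
# would hold a salted hash.
CUSTOMERS = {
    "mrossi": {"name": "Mario", "surname": "Rossi", "pin": "4821"},
}


def login_vulnerable(username, pin):
    """Builds the body from the looked-up record before checking the PIN, so
    name, surname and PIN travel back even on a failed attempt: every probe
    of a valid username returns that customer's data."""
    record = CUSTOMERS.get(username)
    if record is None:
        return {"status": 404, "body": {"error": "no such user"}}
    return {"status": 200, "body": {"customer": record, "ok": pin == record["pin"]}}


def login_hardened(username, pin):
    """Constant-shape response: an unknown user and a wrong PIN produce an
    identical body (no enumeration), and no customer attribute is returned
    before the PIN has been verified."""
    record = CUSTOMERS.get(username)
    expected = record["pin"] if record else "0000"   # dummy keeps the compare on both paths
    ok = record is not None and hmac.compare_digest(pin, expected)
    if not ok:
        return {"status": 401, "body": {"error": "invalid credentials"}}
    return {"status": 200, "body": {"session": "opaque-session-token-placeholder"}}


def response_exposes(resp, *fields):
    """True if any of the given sensitive values appears anywhere in the body;
    a cheap check to run against recorded responses of a login endpoint."""
    flat = repr(resp["body"])
    return any(f in flat for f in fields)


if __name__ == "__main__":
    bad = login_vulnerable("mrossi", "0000")
    good = login_hardened("mrossi", "0000")
    print("vulnerable leaks PIN/surname on failure:", response_exposes(bad, "4821", "Rossi"))
    print("hardened leaks PIN/surname on failure:", response_exposes(good, "4821", "Rossi"))
```

The `response_exposes` check is the kind of assertion a security test suite can run against every response of an authentication endpoint, which is where the 800,000 euro fine for the testing provider points.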

More enforcement decisions

Invalid consent in cookie walls: The Danish data protection authority Datatilsynet ruled the use of cookie walls on Berlingske.dk must take place within the framework of the data protection rules. Berlingske’s specific approach is to greet users with a cookie wall when they try to access embedded content, (eg, video players or blog posts). This means that the content is unavailable unless the user accepts the processing of their data for statistical and marketing purposes through the use of cookies. 

European Commission’s use of Microsoft 365: Following its investigation, the EDPS has found that the European Commission infringed several key data protection rules when using Microsoft 365. The Commission failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection. Furthermore, in its contract with Microsoft, the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365. More details of the case can be read here.

Commercial prospecting: The French CNIL fined Foriou company 310,000 euros for using data provided by data brokers for commercial prospecting purposes. It conducts telephone canvassing campaigns to promote the loyalty programs and cards it sells. The misleading appearance of the collection forms implemented by the brokers at the origin of the collection did not make it possible to obtain valid consent from the persons concerned. The size of this fine, which represents approximately 1% of the company’s turnover, was decided in light of the seriousness of the breach. 

Information security audit

Moorfields Eye Hospital NHS Foundation Trust has undergone a consensual data protection audit conducted by the UK’s ICO. The scope areas were determined following a risk-based analysis of the trust’s processing of personal data. The suggestions for improvement included some tips on information security and data sharing, and included the following advice:

  • The permanent roles which make up the Information Security function should be filled quickly to ensure that operational responsibility is clearly in place.
  • A template letter should be in place to notify data subjects of a data breach which includes all appropriate information including details of the DPO, a description of the likely consequences of the breach and the measures which have been taken.
  • Appropriate reviewing processes should be in place for all data-sharing agreements, which include review schedules and review logs.
  • The trust should have measures in place to ensure that relevant staff receive appropriate training, and ensure this is periodically refreshed.

Among best practices, the ICO recognised that the trust tests their physical security on-site, with police officers being shown around and then returning at a later date in plain clothes to assess the security, for example by seeing if they can get into secure areas or move around unchallenged without appropriate ID. 

When user login data is made public

The Lithuanian data protection authority VDAI reminds us that upon receiving information about potentially leaked login names and passwords, an organisation, (the data controller), should conduct a preliminary investigation and determine whether there has been a violation of the confidentiality, integrity or availability of personal data. For example, it should establish whether the personal data processed in the organisation’s information systems has been compromised.  

  1. If the processed personal data has not been accessed by unauthorised persons, the data controller still must assess the risks, prevent possible negative consequences, and let users know what action they can take in this situation, (eg, block user accounts whose login data matches the leaked data, generate new temporary passwords and send them to affected data subjects, activate two-factor authentication, etc.)
  2. If the processed personal data has been accessed by unauthorised persons, (eg, illegal logins to user accounts are detected or it is not possible to unequivocally determine that there were no such logins, illegal actions on accounts are detected, etc.), the organisation must conduct a full investigation, take immediate measures, notify the data subjects, and report to the regulator within 72 hours of becoming aware of the breach.
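The VDAI procedure above, as an added example that is not from the page or from VDAI: a triage routine that checks which accounts a forwarded login list actually matches, looks for logins in the affected accounts that cannot be explained, applies the case 1 measures and decides whether case 2 (72-hour reporting) applies. All users, passwords, IP addresses and log lines are constructed; the 30-day look-back window and the "login from a never-seen IP" heuristic are assumptions, and PBKDF2 stands in for whatever password hashing the real store uses.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data for a hypothetical controller: no real users, passwords,
# IP addresses or leak. PBKDF2 stands in for whatever KDF the real store uses.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "blocked": False, "mfa": False, "temp_password": None}

USERS = {"alice": make_user("Correct-Horse-42!"), "bob": make_user("Summer2023"),
         "carol": make_user("carol#Secure99")}
# Leaked login:password pairs as forwarded to the controller; "dave" is not an account
LEAK = [("alice", "Correct-Horse-42!"), ("bob", "not-his-password"),
        ("carol", "carol#Secure99"), ("dave", "whatever")]
AWARE_AT = datetime(2024, 3, 10, 9, 0)        # when the controller learned of the leak
WINDOW_START = AWARE_AT - timedelta(days=30)  # assumed period in which it may have been abused
# (timestamp, user, success, source ip); carol's last login comes from a never-seen IP
AUTH_LOG = [(datetime(2024, 1, 5, 8, 0), "alice", True, "203.0.113.5"),
            (datetime(2024, 3, 1, 8, 5), "alice", True, "203.0.113.5"),
            (datetime(2024, 1, 9, 7, 0), "carol", True, "203.0.113.9"),
            (datetime(2024, 3, 9, 23, 40), "carol", True, "198.51.100.77")]

def matching_accounts(users: dict, leak: list) -> list:
    """Accounts whose current password equals the leaked one, i.e. the leak is live."""
    hits = []
    for login, pw in leak:
        u = users.get(login)
        if u and hmac.compare_digest(hash_password(pw, u["salt"]), u["hash"]):
            hits.append(login)
    return hits

def suspicious_logins(log: list, user: str, start: datetime) -> list:
    """Successful logins inside the window from an IP the user never used before it."""
    known = {ip for ts, u, ok, ip in log if u == user and ok and ts < start}
    return [(ts, ip) for ts, u, ok, ip in log
            if u == user and ok and ts >= start and ip not in known]

@dataclass
class Triage:
    matched: list = field(default_factory=list)      # accounts the leak really affects
    compromised: list = field(default_factory=list)  # with unexplained logins
    case: int = 1                                    # VDAI case 1 or 2
    actions: list = field(default_factory=list)
    report_deadline: Optional[datetime] = None       # 72 h from awareness in case 2

def triage(users, leak, log, aware_at, window_start, log_complete=True) -> Triage:
    t = Triage(matched=matching_accounts(users, leak))
    for user in t.matched:
        if suspicious_logins(log, user, window_start):
            t.compromised.append(user)
        # case 1 measures apply in both cases: block, rotate, require a second factor
        users[user].update(blocked=True, temp_password=secrets.token_urlsafe(12), mfa=True)
        t.actions.append(f"{user}: blocked, temporary password issued, 2FA enabled")
    # case 2 when unauthorised access is seen or cannot be ruled out (gaps in the logs)
    if t.compromised or (t.matched and not log_complete):
        t.case = 2
        t.report_deadline = aware_at + timedelta(hours=72)
        t.actions.append("full investigation, inform data subjects, report to the regulator")
    return t
```

Passing `log_complete=False` models the "cannot unequivocally determine" branch: a live leak with gaps in the authentication log is treated as case 2 even when no illegal login is visible.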

VDAI also advises individuals to take the following precautions in similar situations:

  • Change your password to a new and unique one. If you have used the same password on other systems, please change them as well.
  • It should consist of at least 12 characters: letters, numbers, at least one capital letter and a special character.
  • Do not store your passwords in browsers.
  • Watch for news or announcements from your service provider, or authorities.
  • Install and regularly update antivirus software on your devices.
  • If you notice any suspicious activity in your account or related systems, notify your service provider immediately.

Big Tech

OpenAI “Sora”: The Italian regulator Garante has opened an investigation into OpenAI, which in recent weeks announced the launch of a new AI model, ‘Sora’, that according to the announcement can create dynamic, realistic and imaginative video sequences from short text instructions. OpenAI will have to clarify several issues: 

  • how the algorithm is trained; 
  • what data is collected and processed to train the algorithm, especially whether it is personal data; 
  • whether particular categories of data, (religious or philosophical beliefs, political opinions, genetic data, health, sexual life), are collected, and 
  • which sources are used.

Crackdown on mass data collectors: Several recent FTC enforcement actions reflect a heightened focus on pervasive extraction and mishandling of consumers’ sensitive personal data, states an FTC blog post. Taken together, browsing and location data paint an intimate picture of a person’s life, including their religious affiliations, health and medical conditions, financial status, and sexual orientation. None of the underlying datasets at issue in the FTC’s proposed complaints, (against Avast, X-Mode, or InMarket), are alleged to have contained people’s names, social security numbers, or other traditional standalone elements of personally identifiable information. 

What makes the underlying data sensitive springs from the insights they reveal, (eg, through proprietary algorithms), and the ease with which those insights can be attributed to particular people. People also have no way to object to how their data is collected, retained, used, and disclosed when these practices are hidden from them. Moreover, any safeguards used to maintain people’s privacy are often outstripped by companies’ incentives and abilities to match data to particular people. 

The post Data protection digest 3-17 Mar 2024: Personal data gaps in information systems, TC string, mass data collectors appeared first on TechGDPR.

Data protection digest 18 Feb – 2 Mar 2024: web browsing data for sale, banking sector outsourcing, cybersecurity core 2.0 (https://techgdpr.com/blog/data-protection-digest-05032024-web-browsing-data-for-sale-us-restricted-data-transfers-and-cybersecurity/, Tue, 05 Mar 2024 10:51:50 +0000)

This issue highlights how web browsing data, non-anonymised according to America’s FTC, was sold worldwide in the Avast/Jumpshot case, the EDPB’s new enforcement action on the right of access, cloud outsourcing in the banking sector, the NIST’s new cybersecurity framework for all organisations, and federated learning analysis.

Web browsing data for sale

The UK software provider Avast will have to pay 16.5 million dollars to the US Federal Trade Commission, and the business will not be allowed to sell or license any web browsing data for advertising purposes. Avast Limited, a UK-based firm, obtained customer surfing data unjustly through its antivirus software and browser extensions, retained it indefinitely, and sold it without providing consumers with sufficient notice or asking for their consent. The company also did this through its Czech subsidiary. 

Following its acquisition of rival antivirus software supplier Jumpshot, Avast renamed the business as an analytics firm. Jumpshot sold surfing data that Avast had gathered from users between 2014 and 2020 to a range of customers, including marketing, advertising, and data analytics firms as well as data brokers. The business said that before sending the data to its clients, it eliminated identifying information using an algorithm. 

However, according to the FTC, the business did not adequately anonymise the user web browsing data that it sold through a variety of products in non-aggregated form. The FTC says the business did not prohibit some of its data purchasers from using Jumpshot’s data to re-identify Avast users. For instance, Jumpshot allegedly signed a deal with advertising giant Omnicom to supply an “All Clicks Feed” for 50% of its clients in the US, UK, Mexico, Australia, Canada, and Germany. 

Americans’ sensitive data

The US seems to have increased regulations on restricted cross-border data transfers due to national security concerns. 

President Biden issued an Executive Order to protect Americans’ sensitive personal data. It will prevent the large-scale transfer of America’s sensitive and government-related data to countries of concern, (reportedly they are China, Cuba, Iran, North Korea, Russia and Venezuela), and prohibit commercial data brokers and other companies from selling biometrics, healthcare, geolocation, financial and other sensitive data to countries of concern, or entities controlled by those governments, intelligence services and militaries. 

The US Justice Department’s National Security Division has already published an Advance Notice of Proposed Rulemaking to provide transparency and clarity about the intended scope of the program. It would include six defined categories of bulk US sensitive data – US persons’ covered personal identifiers, personal financial data, health, precise geolocation data, biometric identifiers, human genomic data, and combinations of those data. The security requirements for certain data classes of transactions would include: 

  • basic organisational cybersecurity posture,
  • measures against unauthorised disclosure, 
  • data minimisation and masking,
  • use of privacy-preserving technologies,
  • compliance requirements and audits.

The Department of Justice is also considering identifying three classes of restricted data transactions: a) vendor agreements, (including for technology services and cloud services), b) employment agreements, and c) investment agreements. Nonetheless, the order program is without prejudice to the free flow of data necessary for substantial consumer, economic, scientific, and trade relationships that the US has with other countries. 

Other official guidance

The EDPB’s new enforcement action: 31 data protection authorities (DPAs) across the EEA, including 7 German state-level regulators, will participate in the 2024 enforcement action, (a mixture of surveys and formal investigations), on implementing the right of access. It is one of the most frequently exercised data protection rights, and one that DPAs receive many complaints about. In addition, it often enables the exercise of other data protection rights, such as the right to rectification and erasure. To understand how organisations must respond to access requests from individuals, see the EDPB’s latest guidelines on the right of access.

Generative AI and data protection: In the UK, the House of Lords Communications and Digital Committee has published a report on large language models, (LLMs). These may have personal data in their training sets, drawn from proprietary sources or information online. Safeguards to prevent inappropriate regurgitation are being developed but are not robust. Data protection in healthcare attracts particular scrutiny as some firms are already using the technology on NHS data, which may yield major benefits. 

But equally, models cannot easily unlearn data, including protected personal data. There may be concerns about these businesses being acquired by large overseas corporations involved in, for example, insurance or credit scoring. Clear guidance is needed on how the data protection law applies to the complexity of LLM processes, including the extent to which individuals can seek redress if a model has already been trained on their data and released. Also, data protection provisions have to be embedded in licensing terms.

Consent principle

It is not always necessary for a company or an authority to obtain your consent before they can handle your data, explains the Danish data protection authority. This is because consent is only one of several legal bases for the handling of your data. Storage of your information must cease when you withdraw your consent, but only for the information that is handled or processed on the basis of consent. 

Information processed on another legal basis, for example a commercial contract or an employment relationship, can continue to be handled or stored. Consent is also not needed if you, the data subject, are unable to give it, for example to a healthcare facility due to a serious illness. Public authorities can also process your data for specific tasks, such as handling your tax declarations. Private companies might have legitimate reasons too, (such as maintaining user services), but they must not override your interests or rights. 

Finally, a revocation of consent does not have a retroactive effect, and the revocation therefore does not affect the handling of information that took place before.

Rise in outsourcing contracts in the banking sector

The European Central Bank urges supervised institutions to tackle vulnerabilities stemming from their increasing operational reliance on third-party providers. Most banks outsource certain services to take advantage of lower costs, more flexibility and greater efficiency. Considering the relatively stringent data protection regulations in the EU, it is noteworthy that personal data processing is included in 70% of outsourcing contracts, and over 70 major banks contract these vital services out to companies with headquarters located outside the EU, (eg, cloud services in the US, the UK, and Switzerland). 

The ECB discovered that over 10% of contracts concerning essential tasks do not adhere to the applicable requirements. Furthermore, 20% of these non-compliant contracts have not had a rigorous risk assessment during the past three years, and 60% have not undergone an audit.

Starting in 2025, the Digital Operational Resilience Act will go into effect and offer further tools for monitoring important IT service providers, particularly those that ensure the operational resilience of financial institutions.

Illicit marketing

The Italian privacy regulator imposed a fine of over 79 million euros on Enel Energia for serious shortcomings in the processing of personal data of numerous users in the electricity and gas sector, carried out for telemarketing purposes. The case originated from a previous investigation which involved a 1.8 million euro privacy fine on four companies and confiscated databases used for illicit activities. It emerged that Enel Energia had acquired 978 contracts from the above companies, even though these did not belong to the energy company’s sales network. 

Furthermore, the information systems used for customer management and service activation by the company showed serious security shortcomings. Enel failed to put in place all the necessary measures to prevent the unlawful activities of unauthorised actors who for years fueled an illicit business carried out through nuisance calls, service promotions, and the signing of contracts with no real economic benefits for customers. Over time it involved the activation of at least 9,300 contracts.

Meanwhile, in California, a company will pay a 375,000 dollar civil penalty after it violated multiple consumer privacy laws. DoorDash is a San Francisco-based company that operates a website and mobile app through which consumers may order food delivery. To reach new customers, DoorDash participated in marketing cooperatives and disclosed consumers’ personal information as part of its membership without providing notice or an opportunity to opt out. The other businesses participating in the cooperative also gained the opportunity to market to DoorDash customers. 

Data brokerage

Belgium’s data protection regulator recently fined Black Tiger Belgium, (formerly Bisnode Belgium), a company specialising in big data and data management, a total of 174,640 euros. At the time when the complaints were lodged, Bisnode Belgium operated a consumer database and a company database through which Bisnode Belgium offered “Data quality”, (to improve the quality of its customers’ data), and “Data Delivery”, (to provide data to its customers, especially for the implementation of marketing campaigns). These databases consisted of personal data and user profiles from various external sources. 

The regulator received a complaint concerning a so-called ‘right of access’ request made to Bisnode; this right allows anyone to request access to the data a company keeps about them at any time. The investigation found that the company, relying on its legitimate interest, indirectly collected and processed personal data on a large scale and for a long period, (15 years), without the data subjects being informed individually, clearly and proactively about the processing carried out. The company also lacked records of its processing activities. 

Other enforcement decisions

Student privacy vs teachers’ authority: The Icelandic data protection authority ruled on personal data processing by the University of Iceland. According to the complaint, a teacher had monitored a student through the teaching site in the Canvas learning management system. However, the supervisory authority concluded that there was no electronic monitoring, as the teacher’s assessment of the complainant’s activity in the learning management system was not sustained or repeated regularly. It was also considered that the said processing of personal information had been necessary for the university in connection with statutory tasks entrusted to the university by law. 

However, the complainant was not sufficiently informed of the teacher’s ability to examine their use of the Canvas learning management system and make it the basis for grading. The peer assessment of the complainant’s fellow students in a group project was one of the factors that formed the basis of the grading for the assessment component. The University’s processing therefore failed to comply with the transparency requirements under privacy legislation.

Biometric scanning abuse: In the UK, Serco Leisure, Serco Jersey and seven associated community leisure trusts have been issued enforcement notices ordering them to stop using facial recognition technology and fingerprint scanning to monitor employee attendance. The investigation found that Serco and the trusts have been unlawfully processing the biometric data of more than 2,000 employees at 38 leisure facilities. Serco had to record employee attendance to pay workers as per its contractual duties but rejected less invasive options available, including timesheets or electronic cards. Although Serco had indicated that these choices may be abused, it had shown no proof of real, widespread misuse. 

Data security

Password retention guide: Too often identity theft is caused by the use of computer authentication credentials stored in databases that are not adequately protected with cryptographic functions. Stolen data is used to illicitly enter entertainment sites, (35.6%), social media, (21.9%) and e-commerce portals, (21.2%). In other cases, they allow access to forums and websites of paid services, (18.8%), and financial services, (1.3%). As a result, the Italian data protection authority recently developed an FAQ and more detailed guidelines on password storage, identifying the cryptographic functions currently considered the most secure, (in Italian only). 

Cybersecurity core 2.0: America’s NIST has meanwhile released version 2.0 of its landmark Cybersecurity Framework. The agency has finalised the framework’s first major update since its creation in 2014. Now it explicitly aims to help all organisations — not just those in critical infrastructure, its original target audience — to manage and reduce risks. The framework’s core is now organised around six key functions: Identify, Protect, Detect, Respond and Recover, along with CSF 2.0’s newly added Govern function. The CSF is used widely internationally. Versions 1.1 and 1.0 have been translated into 13 languages, and the NIST expects that CSF 2.0 also will be translated by volunteers around the world. 

Federated Learning

The UK Responsible Technology Adoption Unit, in cooperation with the NIST, published a series of analyses about Privacy-Preserving Federated Learning. Organisations often struggle to articulate the benefits of the approach, a form of machine learning that trains a model without the centralised collection of training data. This can lead to lower infrastructure and network overheads. However, bespoke privacy infrastructure can introduce additional costs. Plus, there are fewer people with the skills and experience required to design and deploy it. 

On the other hand, federated learning allows organisations to use and monetise data assets that would not have previously been accessible. In removing the need for access to the full data, it protects the value of the data for the data owner. Finally, legal consultation is a necessary cost, but in principle PETs can significantly reduce data protection risks, as when used appropriately, differentially private data can be considered anonymised. 

The post Data protection digest 18 Feb – 2 Mar 2024: web browsing data for sale, banking sector outsourcing, cybersecurity core 2.0 appeared first on TechGDPR.
