BCRs Archives - TechGDPR (https://techgdpr.com/blog/tag/bcrs/)

Data protection digest 4-18 Jan 2026: Legitimate Interests Assessment, AWS Europe Sovereign Cloud, Google settlement over child data
https://techgdpr.com/blog/data-protection-digest-22012026-legitimate-interests-aws-europe-sovereign-cloud-google-settlement-over-child-data/
Thu, 22 Jan 2026

Legitimate Interests Assessment (LIA)

The Hamburg Data Protection Commissioner provided a comprehensive questionnaire for determining the legitimate interests legal basis for processing. It helps those responsible to examine and document precisely what their interest in data processing is and whether the rights and interests of the data subject are adequately considered. It guides users step-by-step through the most important checkpoints:

  • Determination: What objectives are pursued with the data processing, and are these legally permissible?
  • Necessity: Is the processing necessary, and is only the required personal data collected?
  • Balancing: Are the rights and interests of the individuals concerned sufficiently considered and protected?
  • Documentation and compliance: Are the audit procedures recorded and regularly updated?

You can download the LIA questionnaire in German or the LIA questionnaire in English.


EDPB updates

The European Data Protection Board welcomes comments on its recommendations on the elements and principles to be found in Processor Binding Corporate Rules (BCR-P). Comments should be sent by 2 March. BCRs are a tool for providing appropriate safeguards for transfers of personal data by a group of undertakings engaged in a joint economic activity to third countries that do not ensure an adequate level of protection under the GDPR. The recommendations clarify when BCR-P can be used, namely only for intra-group transfers between processors, where the controller is not part of the group. Read more about the scope of BCR-P and its interplay with data processing agreements here.

Other developments


AWS Europe Sovereign Cloud: The German Federal Office for Information Security (BSI) has announced its support for the US cloud provider Amazon Web Services in the design of security and sovereignty features for its new European Sovereign Cloud (ESC): an independent cloud infrastructure located entirely within the EU, whose operation will be technically and organisationally independent from the global AWS instance.

Later this year, the BSI will publish general sovereignty criteria for cloud computing solutions based on the new framework. These criteria will serve as a basis for assessing the degree of autonomy of cloud solutions and can also be used in procurement processes.

HIPAA Security Rule: In the US, for HIPAA-covered entities and business associates, the HIPAA Security Rule requires ensuring the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that the regulated entity creates, receives, maintains, or transmits. To that end, the US Department of Health and Human Services has published the latest recommendations on System Hardening and Protecting ePHI. The measures include: 

  • patching known vulnerabilities
  • removing or disabling unneeded software and services
  • enabling and configuring security measures that sometimes intersect with some of the technical safeguard standards and implementation specifications of the HIPAA Security Rule, such as access controls, encryption, audit controls, and authentication.

GDPR certifications and codes of conduct

France’s CNIL maps the deployment of GDPR compliance tools across Europe. Two maps list the certifications and codes of conduct approved by national supervisory authorities or by the European Data Protection Board since the entry into force of the GDPR. These instruments may operate at either the national or European level. Certification (Art. 42 of the GDPR) makes it possible to demonstrate that a product, service, or data processing activity meets data protection criteria set out in an approved referential. And a code of conduct (Art. 40 of the GDPR) translates the Regulation’s obligations into concrete, sector-specific rules, and becomes binding on its members. 

UK international transfers

The UK Information Commissioner published an updated guidance on international transfers of personal data, making it quicker for businesses to understand and comply with the transfer rules under the UK GDPR. It sets out a clear ‘three-step test’ for organisations to use to identify if they’re making restricted transfers. New content also provides clarity on areas where organisations have questions, such as roles and responsibilities, which reflects the complexity of multi-layered transfer scenarios.

Multi-device consent

The French regulator also published its recommendations (in French) on the collection of cross-device consent. For instance, when a user accesses a website or a mobile app, they express their choices about the use of cookies or other trackers on a device connected to their account. These choices are then automatically applied to all devices connected to that account. This includes, but is not limited to, their phone, tablet, computer or connected TV, as well as the browser or app they are using. Users must therefore be clearly informed that choices made on one logged-in device apply across all of them.

More from supervisory authorities

Remote job interviews: According to the Latvian regulator DVI, an employer may collect the content of a remote job interview using AI tools if an appropriate legal basis can be applied. Such data processing may be carried out based on the candidate’s consent or the legitimate interests of the company. Consent must be freely given, specific, unambiguous and informed. If the processing is carried out based on legitimate interests, a balancing test of the interests of both parties must be carried out before such processing is initiated.

Regardless of the chosen legal basis, the data controller is obliged to inform the candidate before the interview about the planned data processing during the interview, including the use of AI tools, the purposes of processing, the data retention period and the candidate’s rights. The candidate has the right to object, and such objections must be taken into account; in the event of potential harm, the processing must be stopped.

Cybersecurity guide: The Australian Cyber Security Centre published guidance with a checklist on managing cybersecurity risks of artificial intelligence for small businesses when adopting cloud-based AI technologies. Reportedly, more small businesses are using AI through applications, websites and enterprise systems hosted in the public cloud like OpenAI’s ChatGPT, Google Gemini, Anthropic’s Claude, and Microsoft Copilot. Before adopting AI tools, small businesses should understand the related risks and ways to mitigate them, including: 

  • data leaks and privacy breaches
  • reliability and manipulation of AI outputs
  • supply chain vulnerabilities.

Data subject rights in the event of a bankruptcy

The Norwegian data protection authority has imposed a fine on Timegrip AS. The case concerns a retail chain that went bankrupt, and the employees needed to document the hours they had worked. The company Timegrip had been the data processor for the retail chain until the bankruptcy, and stored this data. However, they would not provide the data to either the bankruptcy estate or the employees themselves. 

Timegrip argued that the company did not have the right to provide the complainant with a copy because a data processor can only process personal data on the basis of an instruction from the controller. Since the controller retail chain had gone bankrupt, Timegrip claimed that no one could give them such an instruction. At the same time, Timegrip refused access requests from 80 different individuals, despite the company being aware that they were in a vulnerable situation and dependent on the timesheets to document their salary claims. 

In addition, it was Timegrip that made decisions about essential aspects of the processing, such as what the data could be used for, the storage period and who could have access to the personal data. In other words, it was clear that it was Timegrip that exercised the real control over the personal data.


Google multimillion-dollar settlement over child data

In the US, a federal judge granted final approval for a 30 million dollar class action settlement against Google, after six years of litigation with parents claiming the tech giant violated children’s privacy by collecting data while they watched YouTube videos. Although Google doesn’t charge for access to YouTube, the company does use it as a revenue source. It collaborates with advertisers and the owners of popular YouTube channels to advertise on specific videos, with Google and the channel owners splitting the payments received from advertisers.

In other news 

Free mobile fine: The French CNIL issued two sanctions against the companies FREE MOBILE and FREE, imposing fines of 27 and 15 million euros, respectively, over the inadequacy of the measures taken to ensure the security of their subscribers’ data. In October 2024, an attacker managed to infiltrate the companies’ information systems and access personal data concerning 24 million subscriber contracts, including IBANs, when the people were customers of both companies. 

The investigation has shown that the authentication procedure for connecting to the VPN of both companies, used in particular for the remote work of the company’s employees, was not sufficiently robust. In addition, the measures deployed by the companies in order to detect abnormal behaviour on their information system were ineffective.

Major university data breach: In Australia, a cyberattack compromised the personal information of students from all Victorian government schools. An unauthorised external third party accessed a database containing information about current and past school student accounts, including student names, school-issued email addresses, and encrypted passwords. In the opinion of the Australian legal expert from Moores, who analysed the breach, certain factors tend to correlate with such incidents. These include:

  • adoption of new CRMs and platforms (including leaving administrator access open and having incorrect privacy settings that make online forms publicly searchable);
  • keeping old information which is no longer required;
  • a spike in emails sent to incorrect recipients on Fridays and in the lead-up to school holidays;
  • spreadsheets sent via email (instead of SharePoint, for example).

Business email compromise

Business Email Compromise (BEC) is currently one of the fastest-growing forms of digital fraud, according to the Dutch National Cybersecurity Centre. In BEC, criminals pose as trusted individuals within an organisation, often a director or manager, but also a colleague, supplier, or customer.

The criminals’ goals can vary, such as changing account numbers, obtaining login credentials, stealing sensitive information, or using compromised accounts for new phishing campaigns. The power of BEC lies not in its technical complexity but in exploiting the principles of social influence. BEC fraudsters cleverly utilise subtle social pressure, for example, by capitalising on scarcity by creating a sense of urgency, exploiting reciprocity by first building trust or asking for small favours, or relying on an authority figure. 

And finally 

AI prompting guide: IAB Europe has published its AI Prompting Guide. It provides practical, reusable techniques that can be applied immediately, including guidance on managing risks such as hallucinations, sensitive data exposure, bias, and prompt injection. Some of these risks can be addressed through careful prompting, review, and user judgment, while others require more structural safeguards such as validation, monitoring, and clear boundaries around how models are used.

For instance, sensitive data exposure occurs when confidential, personal, or proprietary information is included in prompts, or generated in outputs, inappropriately. This can involve personal data, commercial secrets, or information subject to legal or contractual restrictions. The mitigation strategy includes:

  • removing or anonymising sensitive information before including it in prompts 
  • limiting the amount of context shared to what is strictly necessary for the task 
  • following organisational guidance on approved tools and data handling, and 
  • applying access controls where models are integrated into workflows. 

For sensitive use cases, ensure outputs are reviewed before being stored, shared, or acted upon.
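As an added illustration of the first two mitigations listed above (removing or anonymising sensitive information, and limiting the context shared to what the task needs), the following Python routine pre-processes text before it is placed into a prompt. It is example code written for this digest, not part of the IAB Europe guide; the regular expressions are a minimal, constructed set rather than a complete personal-data detector, and the function names and the sample support-ticket lines are constructed for the illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed, deliberately small set of identifier patterns. Order matters:
# the IBAN pattern runs before the generic phone pattern so that the digit
# groups of an account number are not mistaken for a phone number.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "IBAN": re.compile(
        r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){2,7}(?:[ ]?[A-Z0-9]{1,4})?\b"
    ),
    "PHONE": re.compile(r"(?<!\w)\+?\d[\d ]{7,}\d(?!\w)"),
}


def redact(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace each matched identifier with a category placeholder.

    Returns the redacted text and a per-category count, so the caller can
    log *that* something was removed without logging *what* was removed.
    """
    counts: Dict[str, int] = {}
    for label, pattern in PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        counts[label] = n
    return text, counts


def limit_context(lines: List[str], max_lines: int) -> List[str]:
    """Data minimisation for prompts: keep only the most recent lines."""
    if max_lines <= 0:
        return []
    return lines[-max_lines:]


def build_prompt(task: str, context_lines: List[str],
                 max_lines: int = 3) -> Tuple[str, Dict[str, int]]:
    """Compose a prompt from a task and a trimmed, redacted context block."""
    kept = limit_context(context_lines, max_lines)
    redacted, counts = redact("\n".join(kept))
    return f"{task}\n\nContext:\n{redacted}", counts


# Constructed sample input: a support ticket as it might sit in a CRM.
SAMPLE_TICKET = [
    "Ticket 4711 opened by anna.muster@example.com",
    "Customer phone: +49 30 1234567",
    "Refund to IBAN DE89 3704 0044 0532 0130 00",
    "Issue: charged twice for the January invoice",
]

if __name__ == "__main__":
    prompt, counts = build_prompt("Summarise the customer's issue.",
                                  SAMPLE_TICKET, max_lines=4)
    print(prompt)
    print("redacted:", counts)
```

The redaction counts are what an organisation would keep in its audit trail; the original values never leave the pre-processing step. Regex-based scrubbing only catches the formats it was written for, which is why the guide's remaining mitigations (approved tools, access controls, and review of outputs) still apply.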

Data protection digest 18 Mar – 2 Apr 2025: 23andMe bankruptcy case, digital spring cleaning
https://techgdpr.com/blog/data-protection-digest-04042025-23andme-bankruptcy-case-digital-spring-cleaning/
Fri, 04 Apr 2025

23andMe genetic data

The 23andMe genetic company filed for bankruptcy in the US after struggling with weak demand for its ancestry testing kits and a 2023 data breach that damaged its reputation, Reuters reports. US officials had questioned what would happen to the genetic data collected by 23andMe, although the company’s privacy policies state that the data could be sold to other companies. 23andMe reassured customers that the bankruptcy process will not affect how it stores, manages, or protects customer data. 

Given the uncertainties about the future of the company, the amount of data it has, and the risks inherent in the use of these tests, the French CNIL presents the procedure to follow to have your data permanently deleted in your profile settings. Also, the purchase of a genetic test on the Internet by people residing in France is punishable by a fine of 3,750 euros. Similarly, carrying out a genetic test outside the medical and scientific fields is prohibited and punishable by a fine of 15,000 euros and one year in prison for people or companies offering these tests.

Digital spring cleaning in Germany

Digital documents and paper files containing personal data may only be retained for as long as necessary, reminds the Hamburg data protection authority. It recommends taking stock at least once a year of what is still stored and whether the data or files will be needed for longer. Professional data processors handle this automatically. Where no automated routines are in place, deletion must be done manually.

Plus, German companies and authorities should check whether their deletion routines already take into account the new statutory retention periods that apply from 2025. Specifically, federal lawmakers have lowered some retention periods (the Fourth Act to Reduce Bureaucracy), which means that the affected data must also be removed sooner. Changes have been made, among other things, to the German Commercial Code and the German Fiscal Code. Accounting paperwork, the most significant case group in practice, must now be kept for eight years rather than the prior ten before being destroyed. You can find more business document retention periods here.

BCRs approval

The procedure for approving Binding Corporate Rules for controllers and processors for intragroup transfers of EU personal data to non-EU countries is laid out in Art. 47, 63, 64 and 65 of the GDPR. As a result, BCRs are approved by the competent supervisory authority in the relevant jurisdiction under the consistency mechanism, in which the EDPB issues a non-binding opinion on the draft decision of the competent regulator. As the corporate groups applying for BCR approval may have entities in more than one Member State, this procedure involves all the concerned supervisory authorities in the countries from which the data transfers are to take place. To that end, the EDPB has just revised its approval process to shorten the time it takes for a BCR to be approved.

Privacy policy shortcomings


The Latvian data protection inspectorate DVI conducted a preventive inspection of the privacy policies published on the websites of thirty Latvian-registered merchants whose main activity is related to retail sales by mail order or in online stores. The content of the privacy policies was checked for compliance with the requirements of Art. 13 and 14 of the GDPR. At least some shortcomings were found in each inspected document.

The regulator assumes that it is initially more difficult to prepare such a document because there is not sufficient understanding of its necessity and content. At the same time, it reminds controllers that their responsibility for customers’ data is proven not by a written statement that it processes data appropriately but by clear implementation of the rules. Other shortcomings in the published policies were related to the failure to provide or incorrect provision of information, particularly the contact information of the supervisory authority, the rights of the data subject, information about processors and partners to whom the customer’s data has been transferred, but most often involving incorrectly specified purposes and lawful grounds for data processing. 

Data breach form

The Corporate Data Protection Association (Switzerland) has published a data breach report template. Data security breaches can trigger various reporting obligations under the Swiss Data Protection Act, the EU’s GDPR, the new Swiss Information Security Act, and the EU NIS2 Directive. The template is intended to contribute to the practical implementation of digital regulatory requirements and can be used freely by companies. The template is initially available in German. An English version is currently being developed.

More from supervisory authorities

Online stores security: The Lithuanian regulator VDAI meanwhile monitored the security measures for personal data processed by online stores and provided some recommendations: a) ensure control over the management of access rights; b) develop and implement effective data deletion; c) use advanced encryption (during transmission and storage); d) improve change management processes (e.g. implementation of new systems); e) regularly review and update your policies (using both the latest legal requirements and best practices).

Connected cars: Modern cars act as “chatterboxes on wheels”, collecting information on everything from your daily routines to biometric data. How does this affect the protection of your data? The Danish Datatilsynet advises you to check the privacy settings on your automobile carefully and to be cautious about sharing personal information:

  • Unclear consent (Many drivers are forced to accept terms of use that require the sharing of personal data to use the car’s features).
  • Data abuse (Data about your driving and location may end up with third-party companies or there is a risk that hackers will gain access).
  • Targeted marketing (Car manufacturers can share your data with companies without your full knowledge).
  • Negative impact (Worse insurance terms, warranty termination, shutdown of services).

Multi-factor authentication (MFA): The French CNIL publishes recommendations (in French) to support users and providers of multi-factor authentication solutions. In particular, it explains:

  • the conditions under which the use of MFA is appropriate for security needs;
  • compliance with the principles of the GDPR, including a legal basis, data minimisation, retention periods and the exercise of rights by the data subjects;
  • the determination of the qualification of the actors involved;
  • the choice of modalities (authentication factors: knowledge, possession, inherence) and their GDPR compliance, etc.


Honda privacy fine

The California Privacy Protection Agency (CPPA) has issued a decision that requires American Honda Motor Co. to change its business practices and pay a 632,500-dollar fine to resolve claims that the company violated the CCPA. The investigation arose from the Enforcement Division’s ongoing review of data privacy practices by connected vehicle manufacturers and related technologies. Honda violated Californians’ privacy rights by:

  • requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit;
  • using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way;
  • making it difficult for Californians to authorise other individuals or organisations to exercise their privacy rights; and
  • sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.

Human research samples

Finland’s Data Protection Commissioner has requested information from the University of Helsinki on how it has implemented the transfer of data related to human research samples to a Chinese company. The regulator is investigating whether the university protected personal data in the manner required by data protection legislation when the data was transferred to China. According to the University of Helsinki, it has purchased genetic analysis services from the Chinese genetic technology company BGI Group.

No adequacy decision has been made for China, and the European Commission has not yet examined the level of data protection in China (in connection with the Irish investigation into TikTok). At the moment, personal data can be transferred freely within the European Economic Area. Data can also be transferred directly to a country for which the Commission has made a so-called adequacy decision. These include the US, the UK, Japan and South Korea.

More enforcement decisions

Apple ATT sanction: The French Competition Authority fined Apple for abusing its dominant position through the implementation of the App Tracking Transparency (ATT) system. In its competitive analysis, the authority took into account the opinions issued by the data protection regulator CNIL. Since 2021, app publishers who want to track their users for advertising purposes across multiple apps or sites have been required to obtain explicit permission from the user through a partially standardized window designed by Apple.

The competition authority received complaints from several online advertising trade associations against Apple. The implementation of the agreement appeared to be neither necessary nor proportionate to Apple’s stated objective of protecting personal data due to the constraints weighing on publishers and users. The CNIL had previously considered that the ATT system could be adapted in order to allow actors to obtain valid consent within the meaning of the GDPR and to avoid, in particular, double solicitations.

Software provider fine: The UK’s ICO has fined Advanced Computer Software Group Ltd (Advanced) 3.07m pounds for security failings that put the personal information of 79,404 people at risk. Advanced provides IT and software services to organisations, including the NHS and other healthcare providers, and processes people’s personal information on behalf of these organisations. The fine relates to a ransomware incident in August 2022. Hackers accessed certain systems of Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication. The cyber attack was widely reported at the time, with reports of disruption to critical services and access to patient records.

Scientific research and data reuse

The EDPB has published a final study on the secondary use of personal data in the context of scientific research, which highlighted the lack of a uniform approach among Member States. The legislation analysed was not limited to the GDPR but included international agreements or documents containing data protection rules (such as Council of Europe Convention 108+), ethical standards (such as the World Medical Association’s Declaration of Helsinki) and EU sectoral legal frameworks (e.g. on clinical trials and biobanks).

AI cameras in shops

According to the CNIL, some tobacconists in France have deployed AI-based cameras to estimate the age of customers and avoid the sale of prohibited products to minors. In practice, these cameras scan the person’s face at the time of purchase to assess whether they are a minor or an adult and inform the merchant using a warning light (e.g. a green or red light). The use of these devices pursues a dual objective of public interest: protecting young people and the preservation of public health. However, the fact that this verification is carried out through algorithmic processing of automated image analysis is not trivial and may entail risks for the protection of personal data and the privacy of individuals.

In case you missed it 

US technology risks: The Netherlands’ House of Representatives approved a resolution on risk assessments and exit strategy for US tech corporations’ cloud services on March 18. According to the motion, all government cloud services that are now purchased from American suppliers must go through a risk assessment and, if required, have a written exit strategy that enables them to switch to Dutch or European providers. By the end of 2025, this procedure is expected to be finished.

Outdated IT systems and AI: According to the Guardian newspaper, the UK government’s goal to increase efficiency by integrating AI into every aspect of its operations runs the risk of being hampered by outdated technology, low-quality data, and a shortage of qualified personnel. The cross-party public accounts committee report revealed that over 20 government IT systems were classified as “legacy,” which means outdated and unsupported. A January official strategy for the technology, however, called for the government to “rapidly pilot” AI-powered services, claiming that doing so would boost productivity. 

Data protection digest 18 Dec – 2 Jan 2024: EDPB says too early to revise GDPR, cross-border enforcement challenge ahead
https://techgdpr.com/blog/data-protection-digest-04012024-edpb-says-too-early-to-revise-gdpr-cross-border-enforcement-challenge-ahead/
Thu, 04 Jan 2024

In this issue, you will find the main trends in data privacy that 2024 will inherit from last year. The main areas of concern include GDPR modernisation and cross-border enforcement, the fair use of AI, international data transfers, the balance between data security and the data-driven economy, as well as children’s privacy online.

Regulatory updates

5 years of the GDPR: The EDPB considers that the application of the GDPR in the first 5 and a half years has been successful. It is too early to revise the regulation, although several important challenges lie ahead, such as procedural rules relating to cross-border enforcement. The EDPB will keep on supporting the implementation of the GDPR in particular by SMEs, seeking greater clarity and uniformity of guidance and powers available. The existing tools in the GDPR have the potential to achieve this goal, provided that they are used in a sufficiently harmonised way. In addition, the supervisory authorities need sufficient resources to continue carrying out their tasks. 

“Cookie fatigue”: The EDPB also welcomed the voluntary business pledge initiative by the European Commission to simplify the management of cookies and personalised ads choices by consumers. It would ensure that users receive concrete information on how their data is processed, as well as on the consequences of accepting different types of cookies. Users would therefore have greater control over the processing of their data. However, the EDPB flagged that adherence to the cookie pledge principles by organisations does not equal compliance with the GDPR or ePrivacy Directive.

COPPA: The US Federal Trade Commission plans to strengthen children’s privacy rules to further limit companies’ ability to monetize children’s data. The new rule would require targeted ads to be off by default, limit push notifications, restrict surveillance in schools, limit data retention, and strengthen data security. COPPA rules require US websites and online services that collect information from children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information from these children (persistent identifiers, geolocation data, photos, videos, and audio).

UK BCRs

The UK Information Commissioner updated a guide on binding corporate rules for organisations managing data transfers between the UK and the EU. Organisations with an existing EU BCR can add the UK Addendum, thus creating a new UK BCR that covers UK-restricted transfers. The Addendum contains all relevant provisions of Art. 47 of the UK GDPR, meaning that your EU BCR will work in the UK. Finally, under the terms of the UK BCR Addendum, if your EU BCR is suspended, withdrawn or revoked, this also suspends, withdraws or revokes your UK BCR. This means that you must not transfer personal data under your UK BCR and must use another international transfer mechanism.

Log data access

An administrative court in Finland has published a decision regarding the right to inspect log data. An employee of the bank, who was also a customer of the bank, demanded to know the persons who had reviewed his customer information during the bank’s internal audit. The bank refused to disclose the identity of the employees because the log data resulting from viewing the data was the personal data of the employees in question. However, the bank did give the reason why customer data had been viewed. 

The person complained about the bank’s procedure to the data protection commissioner’s office. The regulator rejected the request and stated that the bank does not need to provide information about the identity of employees. The case ended up before the CJEU. The EU’s top court ruled that everyone has the right to know the times of and reasons for queries made to their data. However, there is no right to receive information about persons who processed the data under the authority of their employer and on the employer’s instructions.

Health data processing

Certain processing of health data is subject to preliminary formalities with the data protection authority. To facilitate the procedures of the bodies concerned and the compliance of their processing, the French regulator CNIL has published (in French) the reference standards to which they must refer.

Other official guidance

Sports archives: The storage of sports archives must comply with the regulations on the protection of personal data. Some personal data collected on athletes, federal officials or club presidents, such as results, awards, photographs and posters, may be of historical interest, which the players in the ecosystem (in particular institutions, clubs, sports federations and professional leagues) invoke to justify retaining the data without time limit. In practice, the purposes associated with the retention of this data are very numerous, and the retention periods will vary.

Also, depending on the status of the person who produced or received them, these records are either public or private. For example, the results of a sports competition organised by a delegated federation (e.g. the results of the French championships) constitute public archives. On the other hand, in the context of a gala, if a sports competition is organised by the same delegated federation, the documents produced constitute private archives (the gala does not fall within the scope of the public service missions assigned to the organising delegated federation).

Purchase data: The Finnish data protection authority considers that keeping purchase data for the entire duration of the customer relationship does not adhere to the data minimisation principle. In the related case concerning Kesko (a retail company), the detailed, product-specific purchase data of a loyalty system had been processed for various reasons, including business development and the targeting of marketing. The customers themselves had been able to see their purchase information for five years. Kesko was ordered to clearly define retention periods, clarify the purposes of the use of personal information, and delete or anonymize data that had been stored longer than necessary.

Cross-border enforcement

Joint controllership: The EDPB published the final decision of the Hungarian supervisory authority about an infringement of Art. 26 of the GDPR. The Slovak supervisory authority objected to processing carried out by a foundation as the presumed controller of two Hungarian-language websites. Certain recordings available on the foundation’s websites presumably feature children from a Slovak primary school performing and singing. The Hungarian regulator established that there was no arrangement between the foundation and the school within the meaning of Art. 26 (1) of the GDPR concerning joint processing and their respective responsibilities.

Sanctions

Illegal university telemarketing: In the US, the Federal Trade Commission has sued Grand Canyon University for deceptive advertising and illegal telemarketing. The agency says the university, its marketer, and its CEO deceptively advertised the cost and course requirements of its doctoral programs and made illegal calls to consumers. Prospective students were told that the total cost of “accelerated” doctoral programs was equal to the cost of just 20 courses.

In reality, the school requires that almost all doctoral students take additional “continuation courses” that add thousands of dollars in costs. The defendants also used abusive telemarketing calls to try to boost enrollment. The university advertised on websites and social media urging prospective students to submit their contact information on digital forms. Telemarketers then used the information to illegally contact people. 

AI facial recognition banned: Also in the US, Rite Aid will be prohibited from using facial recognition technology for surveillance purposes, to settle charges that the retailer failed to implement reasonable procedures and prevent harm to consumers in hundreds of stores. From 2012 to 2020, Rite Aid deployed AI-based facial recognition technology to identify customers who may have been engaged in shoplifting or other problematic behaviour. The complaint, however, charges that the company failed to take reasonable measures to prevent harm to consumers, who, as a result, were falsely accused of wrongdoing.

Deleted CCTV footage: The Greek data protection agency fined Alpha Bank for failing to satisfy the right of access of a customer, who had requested the recorded material from the branch’s video surveillance system. It emerged that the bank failed to deal with the complainant’s request promptly, with the result that the material was scheduled for deletion when the retention period expired. The authority found a violation of Art. 5 and Art. 12 of the GDPR.

Audit reports

Cyber security framework: The UK Information Commissioner has carried out a voluntary data protection audit of Lewisham and Greenwich NHS Trust. One area for improvement was the cyber security framework, which should be further embedded by integrating new cyber staff roles into the organisation and ensuring that staff with key cyber security responsibilities complete additional specialised training relevant to their responsibilities.

This should be supported by the security controls already in place, such as plans to implement multi-factor authentication to protect higher-risk or more sensitive personal data processing activities, and a regular programme of practical social engineering or phishing tests to ensure staff are familiar with such scams and know what action to take.

Cyber risks relating to third-party suppliers should be reviewed periodically to ensure the Trust has assurance that cyber security controls are in place and effective. Further to this, Data Protection Impact Assessments should identify cyber risks and mitigating controls. Additionally, Information Asset Owners should be actively involved in assessing the cyber risks and monitoring the effectiveness of the mitigating controls. 

Ongoing work to replace or decommission legacy devices that cannot receive security patches and phase out or update servers with unsupported operating systems should continue. All network devices should be able to receive security patches that address cyber vulnerabilities, and systems approaching the end of life should be removed or updated on time.

Data breaches

Car parking data stolen: Europe’s largest parking app operator has reported itself to information regulators in the EU and UK after hackers stole customer data. EasyPark Group, the owner of brands including RingGo and ParkMobile, said customer names, phone numbers, addresses, email addresses and parts of credit card numbers had been taken, but said parking data had not been compromised in the cyber-attack, the Guardian reports. The breach brings to light the centralisation of parking services, as physical meters and parking attendants are gradually replaced by websites and apps.

Data security

Children’s privacy: The Spanish data protection authority presented its age verification system. It consists of the principles that an age verification system must comply with, a technical note with project details, and practical videos that demonstrate how the system works on different devices and with several identity providers. The age verification systems currently used on the Internet, e.g. self-declaration or sharing credentials with the content provider, have shown clear risks: locating minors, lack of certainty about the declared age, exposure of the identity to multiple parties, and mass profiling.

PETs: Privacy-enhancing and preserving technologies generally refer to innovations that facilitate the processing and use of data in a way that preserves the privacy of individuals. While there is no unified definition denoting a technology as a PET, the Centre for Information Policy Leadership’s year-long study investigates and provides 24 case studies on its three main categories: 

  • cryptographic tools that allow certain data elements to remain hidden while in use; 
  • distributed analytics tools where data is processed at the source; and 
  • tools for pseudonymisation and anonymisation. 

Authentication: Logging in with a password is still one of the most commonly used forms of authentication. Depending on what you have to protect, this may also be enough, states the Dutch data protection authority. Yet logging in with a single factor remains unsafe. It is better to use multiple factors, such as a password combined with a code via SMS. Using biometric data, even if very reliable, demands extra protection and must therefore meet stricter security requirements. Another alternative is a digital token – the unique series of numbers is not generated from your characteristics but is stored on a chip in your access card. However, it would only work if it is and remains strictly personal. 

Big Data

TikTok Australia: The Australian Information Commissioner has launched an inquiry into the platform’s use of marketing pixels to track people’s online habits, The Guardian reports. This can include where they shop, how long they stay on websites and personal information, such as the email addresses and mobile phone numbers of non-TikTok users. The probe will determine whether TikTok is harvesting the data of Australians without their consent. The Chinese conglomerate ByteDance, which owns the video-sharing platform, has denied that it violated Australian privacy laws. New privacy legislation in response to a review of the Privacy Act is expected to land in the Australian parliament this year and will allow more inquiries like this.

Body-related data: Organisations building immersive technologies, from everyday consumer products like mobile devices and smart home systems to advanced hardware like extended reality headsets, often rely on large amounts of data about individuals’ bodies and behaviours, states the Future of Privacy Forum. It therefore offers detailed and illustrated instructions on how to document body-related data categories (raw voice recordings, facial geometry, fingerprints), handle complicated data practices (e.g. eye tracking), evaluate privacy and safety risks, and implement security best practices. Download the framework here.

Cookie deprecation: Google begins the next step toward phasing out third-party cookies in Chrome: testing Tracking Protection, a new feature that limits cross-site tracking by restricting website access to third-party cookies by default. The company will roll this out to 1% of Chrome users globally, a key milestone in its Privacy Sandbox initiative to phase out third-party cookies for everyone in the second half of 2024. Participants for Tracking Protection are selected randomly, and if you’re chosen, you’ll get notified when you open Chrome on either desktop or Android.


Data protection digest 17 June – 2 July 2023: rules on GDPR fines, controllers’ BCRs and ‘right to know’ (https://techgdpr.com/blog/data-protection-digest-04072023-rules-on-gdpr-fines-controllers-bcrs-and-right-to-know/, Tue, 04 Jul 2023)


TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

New rules on GDPR fines: New rules, issued by the EDPB, are now in effect for calculating fines for companies that violate the GDPR. All privacy supervisors in the EU will calculate the size of fines in the same way. The size and turnover of a company will play a major role. Companies can find in the guidelines which amount is used as a starting point for calculating the fine for a particular violation and the severity level for a company of their size. 

US State legislation: More states have joined the ranks of those in the US enacting privacy laws – Montana, Florida, and Texas. California, Virginia, Colorado, Utah, and Connecticut were the five states with consumer privacy laws in 2022, with all of them slated to go into effect in 2023. Early this year, Iowa, Indiana, and Tennessee passed their own privacy legislation that will take effect by 2025 or 2026. In many circumstances, the new legislation compels covered entities to recognize opt-out preferences for users and to include particular disclosures in the sale of sensitive personal data or biometric data.

Foreign Surveillance: The White House is putting pressure on to reauthorize an electronic surveillance law that allows the targeted monitoring of foreign individuals. The Foreign Intelligence Surveillance Act’s Section 702 is due to sunset at the end of the year. While the program is designed to acquire information on non-Americans residing outside the US, it also collects information on their conversations with US citizens. Curbing US state surveillance practices is also a cornerstone of the future EU-US Data Privacy Framework, which is now being considered by the EU Commission for adoption. 

Official guidance

Updated BCR-C: The EDPB approved the recommendations regarding Controller Binding Corporate Rules. All data controllers using BCRs must update the rules they use to comply with the new recommendations. They clarify, among other things, what should be included in the controller’s BCR rules, and what must be presented in the BCR application. The recommendations also include an updated standard application form for the BCRs. All users of the BCRs and those applying for approval under them must bring themselves into compliance either during the application process or as part of the annual update, depending on their situation. The EDPB is currently drafting recommendations on the BCRs for personal data processors as well.

Data subject complaints: Another form issued by the EDPB makes it easier for individuals to make complaints to data protection authorities in the EU and EEA. Its use is voluntary for data protection authorities, and they can modify the model to suit their national requirements. The form can be used in cases where a private person files a complaint, or where someone else files a complaint on their behalf (a legal representative or an entity acting for an individual).

Age assurance tech: The “Future of Privacy Forum” organisation publishes infographics on age assurance technology. The analysis outlines the three categories of age assurance, their risks and advantages: a) Age declaration (age gate, parental consent/vouching); b) Age estimation (facial characterisation and other algorithmic estimation methods based on browsing history, voice, gait, or data points/signals); c) Age verification (government, biometric or digital ID). Another report by the organisation looks at verifiable parental consent, a form of age declaration and a requirement of the Children’s Online Privacy Protection Act, and analyses new children’s privacy laws in various US states.

‘Gestiona’ tool: The Spanish data protection agency has launched a new version of its Gestiona tool, aimed especially at small public or private entities, which allows managing records of processing activities, carrying out risk management and, where appropriate, providing support for carrying out impact assessments. The tool now has a more intuitive design and incorporates the latest guidelines. The management is carried out in the user’s own browser, without data being transmitted to the regulator. The information can be stored in a file on the user’s computer and retrieved after each session.

PETs: The UK Information Commissioner’s Office issued guidance that discusses privacy-enhancing technologies in detail. The first part of the guidance is aimed at DPOs, (data protection officers) and those with specific data protection responsibilities in larger organisations. The second part is intended for a more technical audience, and for DPOs who want to understand more detail about the types of PETs that are currently available. It gives a brief introduction to eight types of PETs and explains their risks and benefits, with reference tables and case studies. 

Case Law

‘Right to know’: The CJEU stated that every person has the right to know the date of and the reasons for the consultation of their personal data. In the related case, an employee of a bank, who was also its client, had requested information about the persons who had reviewed his customer information in connection with an internal audit. The bank had refused to disclose the identity of the employees who performed the review but disclosed the reasons and other details. The CJEU states that a person has the right to receive a ‘copy’ of information about the inquiries, such as log data (e.g. it may show the frequency of the review). However, the data subject does not have the right to receive information about the identity of the reviewer acting under the authority of the data controller.
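Both this item and the Finnish “Log data access” item in the later digest above describe the same ruling: the data subject gets the times and reasons of each consultation, while the employee who carried it out stays behind the controller. The following added example (constructed for this page, not code from the CJEU, the bank or the regulator) shows how an access-log export for a data subject request can be shaped to match that split. The log format, customer and employee identifiers and the controller name are all constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ConsultationLogEntry:
    """One record of an employee viewing a customer's data (constructed format)."""
    timestamp: str      # ISO 8601, UTC
    customer_id: str    # the data subject whose record was consulted
    employee_id: str    # who performed the consultation; stays internal to the controller
    reason: str         # documented purpose of the consultation


# Constructed sample log, not real data.
SAMPLE_LOG = [
    ConsultationLogEntry("2023-03-02T09:14:00Z", "C-1001", "E-17", "internal audit"),
    ConsultationLogEntry("2023-02-10T15:40:00Z", "C-1001", "E-42", "customer service request"),
    ConsultationLogEntry("2023-03-02T09:20:00Z", "C-2002", "E-17", "internal audit"),
    ConsultationLogEntry("2023-03-05T11:02:00Z", "C-1001", "E-17", "internal audit"),
]


def subject_access_export(log, customer_id: str, controller_name: str) -> list:
    """Data-subject-facing 'copy' of the consultation log.

    Includes the date/time and the reason for each consultation, attributed to the
    controller (the bank) rather than to the individual employee, who acted under
    the controller's authority. The employee identifier is never copied out.
    """
    rows = [
        {"consulted_at": e.timestamp, "reason": e.reason, "consulted_by": controller_name}
        for e in log
        if e.customer_id == customer_id
    ]
    return sorted(rows, key=lambda r: r["consulted_at"])


def consultation_frequency(export: list) -> dict:
    """How often the record was consulted, per documented reason."""
    return dict(Counter(r["reason"] for r in export))


def internal_audit_view(log, customer_id: str) -> list:
    """The full record, employee identity included, for the controller's own audit function."""
    return [e for e in log if e.customer_id == customer_id]
```

Keeping the full entries for the internal audit view and deriving the subject-facing rows from them, rather than storing two logs, means the export cannot drift from the record that the controller would have to defend before a regulator.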

DPO’s conflict of interest: In a recent ruling (not yet published in full), the German Federal Labour Court (‘BAG’) has decided that the chair of a works council is not eligible to serve as DPO, the Ius Laboris Law blog reports. In the case in question, following GDPR requirements, an employer twice dismissed the works council chairman as DPO as a precautionary measure. Before deciding that the revocation of the appointment had been justified, the court had referred the question to the CJEU.

The CJEU ruled that the roles of works council chair and DPO could not be undertaken by the same individual without creating a conflict of interest. Because the works council decides the aims and means of processing personal data, (as required by applicable laws), the works council chair is unable to supervise data protection law compliance in a sufficiently independent manner. The court clearly left open the question of whether all members of the works council are barred from acting as DPO. However, the conflict of interest considerations may exist for them as well. 

Enforcement decisions

IAB Europe’s TCF update: Interactive Advertising Bureau Europe (the European-level association for the digital marketing and advertising ecosystem) launched an updated Transparency & Consent Framework in response to industry demand and the Belgian data protection authority’s action plan. Among the changes, the TCF includes revised purpose names and descriptions, new retention periods, the removal of the legitimate interest legal basis for advertising and content personalisation, the introduction of data categories used in conjunction with the purposes, and a more robust vendor compliance program. Participants will have until the end of the third quarter of 2023 to adopt it.

User profiling for direct marketing: The Swedish Privacy Protection Agency issued a sanction of approximately 1 million euros against Bonnier News, because the group profiled its customers and web visitors without their consent. The company, citing legitimate interest, collects information from several different sources for targeted advertising on the web and marketing via physical mail and telephone sales. The data includes information about purchases made in various companies in the group and surfing behaviour. In some cases, this information is also combined with other personal data bought in from outside, such as information about the customer’s gender, the household’s car ownership and postcode, as well as statistical information based on the individual’s area of residence such as stage of life, purchasing power and type of residence.

Facial recognition at stadiums: The Danish data protection authority reauthorized Brøndby football club’s use of facial recognition at stadiums for its matches. Brøndby will be able to use images from surveillance cameras to register individuals who violate the rules of order so that such persons can be apprehended when they subsequently try to access the stadium again. The club must ensure it observes the duty of disclosure when collecting the personal data of individuals concerned and provide information that access control is being carried out. The storage period for such data would be for 30 days or even longer. 

Personalised ads: Criteo, which specialises in “behavioural retargeting”, was fined 40 million euros in France for failing to verify an individual’s consent and the fulfilment of data subject rights. The company collects the browsing data of Internet users thanks to its cookie which is placed on their terminals when they visit certain e-commerce websites. The company determines which advertiser and which product would be most relevant to display to a particular user. Then, it participates in real-time bidding to display it. Additionally, when a person exercises their right to withdraw consent or deletion of their data, the process implemented by the company only stops the display of personalised advertisements to the user and does not delete the identifier assigned to the person or erase navigational history. 

E-mail service provider: The Finnish data protection authority has issued a notice to an e-mail service provider, as the company had not offered users the possibility to transfer their e-mail messages from the service as required by the GDPR. Users of the free version of the e-mail service could only export their messages manually, one at a time. By contrast, customers who paid for the service were offered tools that made it possible to export messages in bulk. As a rule, the data subject must receive their personal data in a structured, commonly used and machine-readable format, and the controller must not hinder or prevent the transfer of data (Art. 20 of the GDPR, “Right to data portability”).

Data security

Mobile device data: In an effort to assist organisations with deployment strategies, the US National Institute of Standards and Technology released a revised guide for managing the security of mobile devices in the enterprise. The publication provides a five-step enterprise mobile device deployment life cycle:

  • Identify Mobile Requirements, (Bring Your Own Device or Corporate-Owned and Personally-Enabled is selected).
  • Perform Risk Assessment, (performed on a regular basis).
  • Implement Enterprise Mobility Strategy, (management, policies, configurations, system testing, additional security).
  • Operate and Maintain, (control settings, periodic audits).
  • Dispose of and/or Reuse Devices. 

Big Tech

Draft Data Act: The Council and the Parliament reached an agreement on rules to access and use data collected in the EU across all economic sectors, where the data are generated through smart objects, machines, and devices. The Data Act will provide consumers more control over their data by strengthening portability rights, interoperability standards, and safeguards against unlawful data transfers by service providers. The Data Act takes into account current horizontal and sectorial laws including the GDPR. 

It has received criticism from a variety of sources, including by the crypto industry bodies on the wide classification of smart contracts as “computer programs.” Smart contracts might potentially be constructed to provide an access control mechanism, but this would undermine the technology’s basic functions. Concerns were expressed by software businesses about a clause requiring corporations to share data that might jeopardize trade secrets. Furthermore, some scientists are concerned that the Data Act would favor companies in its goal of expanding access rights to big data, and that publicly financed science will suffer as a result.

Metaverse: Finally, the EU Parliament issued a comprehensive analysis of the Metaverse. Commercial, industrial and military applications bring both opportunities and significant concerns for everyday life, health, work, and security, says the paper. The metaverse can be provided by public or private actors for single users or as a networking platform. It can mirror reality, create a simulation of an entirely new space and actors, or mix both. Forecasts indicate that we are experiencing a decade of the metaverse and that it will take 6 to 8 years to achieve its full potential. However, important elements of the metaverse such as digital ethics, digital twins, blockchain, generative AI, tokenization, or digital humans will start to have significant impact much earlier (within 1 to 3 years and 3 to 6 years). See the full report here.


Data protection & privacy digest 9 – 30 Nov 2022: Microsoft 365 non-compliance, Meta “data scraping” fine, Amazon Prime class action (https://techgdpr.com/blog/data-protection-digest-02122022-microsoft-365-non-compliance-meta-data-scraping-fine-amazon-prime-class-action/, Fri, 02 Dec 2022)


TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: Microsoft Office 365 cloud services, privacy complaints, lead supervisory authority, NIS2 Directive, Australia data breach penalties

The German Data Protection Conference negatively assessed the data processing agreements for Microsoft 365 cloud services, regarding the requirements of Art. 28 of the GDPR. The regulators came to the conclusion that “no data protection-compliant use of it is possible”. The assessment is based on the “Data Protection Addendum for Microsoft Products and Services”, including the current updated version. The central and recurring question of the series of talks with Microsoft was: in what cases it acts as the processor and in which as the controller. 

  • Microsoft does not fully disclose which processing takes place in detail, including subcontracting relationships.
  • Microsoft does not fully explain which processing takes place on behalf of the customer and which for its own purposes.

During the discussions with Microsoft, the working group was not able to achieve any significant improvements in the drafting of the contracts (e.g. client-specific and detailed terms). The regulators were also not able to identify additional protective measures that could make data export to the US lawful. Many of the services included in MS 365 require the company to access unencrypted, non-pseudonymized data. You can read the detailed assessment summary in German here.

The Stockholm Administrative Court held that the data protection authority must investigate complaints. This also applies if the authority opened a parallel ex officio investigation into a similar matter and at the same company. In 2019, a data subject filed a complaint in response to Spotify’s answer to an access request with the Austrian authority. The complaint was forwarded to Sweden as the lead supervisory authority for Spotify. After three years of inactivity, the data subject requested a formal decision. 

The EDPB is finalising updated guidelines on identifying a controller’s or processor’s lead supervisory authority. The rule is to determine the location of the controller’s main establishment or single establishment in the EU (if any), where decisions about the purposes and means of the processing of personal data are taken and where there is the power to have such decisions implemented. However, there can be situations where more than one lead supervisory authority can be identified, for instance where a multinational company decides to have separate decision-making centres, in different countries, for different processing activities. The most complicated might be so-called “borderline cases”, when, for example, decisions are taken exclusively outside of the EU/EEA.

The EU has approved the Directive on measures for a high common level of cybersecurity across the EU (NIS2 Directive). Member states will have 21 months from its entry into force to incorporate the provisions into their national law. The act will repeal the current directive, amending the rules on the security of network and information systems of critical public and private sectors. The new rules will also protect so-called “important sectors” such as postal services, waste management, chemicals, food, manufacturing of medical devices, electronics, machinery, motor vehicles and digital providers. All medium-sized and large companies in the selected sectors would fall under the legislation.

In parallel, the UK government is introducing a new mandatory reporting obligation on managed service providers to disclose cyber incidents, alongside minimum security requirements which could see fines of up to 17 million pounds. The announcement was made as the government published its response to a public consultation on amending the NIS Regulation after Brexit.

After several major data leaks in Australia, the Parliament has approved a draconian privacy penalty bill. Companies which fail to take adequate care of customer data will face much higher fines – from the current 2.22 million dollars penalty to whichever is the greater of:

  • 50 million dollars;
  • three times the value of any benefit obtained through the misuse of information; or
  • 30 per cent of a company’s adjusted turnover in the relevant period.

The bill also provides the Australian Information Commissioner with greater powers to resolve privacy breaches and quickly share information about data breaches to help protect customers. The higher penalties and new powers will come into effect the day after it receives Royal Assent ahead of an overhaul of the Privacy Act following a comprehensive review by the Attorney-General’s Department, currently being finalised.

Official guidance: EU-US data transfers, BCR-C, transfer risk assessment, trusted processors, Google Fonts, whistleblowing management

The Hamburg Data Protection Commissioner published its observations on the proposed EU-US Data Privacy Framework. The regulator advised that data transfer impact assessments must follow the CJEU ruling on lawful EU-US transfers until the proposed framework is finalised. At present, nothing decisive has changed in the legal situation in the USA. Joe Biden’s recent Executive Order provides for a transitional period of up to one year, which is how long the eighteen US intelligence services have to integrate the guarantees provided for in the legal act into their practical work. This applies in particular to the new requirement to restrict data access to what is reasonable. The same applies to the institutional guarantees created through a complaints body and a data protection court: these bodies are still being set up and will only be operational in several months’ time.

The UK Information Commissioner’s Office has updated its guidance on international data transfers, adding a new transfer risk assessment section and a TRA tool. The tool assigns an initial risk level to categories of data and flags transfers that significantly increase the risk of privacy or other human rights breaches. Earlier this year the UK adopted an International Data Transfer Agreement and Addendum that replaced the Standard Contractual Clauses for organisations transferring personal data outside the UK.

The EDPB has updated its recommendations on Binding Corporate Rules for controllers, (BCR-C). Existing BCR holders are asked to make the changes set out in the document. The GDPR expressly provides for such data transfer policies within a group of undertakings. BCR approval only covers transfers to third countries or international organisations, but groups may design their BCR to serve as their global data protection policy. The update also aligns the existing guidance with the CJEU’s Schrems II ruling, which invalidated the EU-US Privacy Shield.

The Baden-Wuerttemberg data protection commissioner has presented a Code of Conduct for data processors to create more legal certainty. By committing to the code, processors make clear to the outside world that they follow its guidelines and submit to monitoring by a body accredited by the regulator. Those interested can find the Trusted Data Processor code of conduct here.

Meanwhile, the Hessen data protection authority issued a warning about the use of Google Fonts. If fonts are embedded from Google's servers, the visitor's browser fetches them from Google when the page loads, so user data (at least the visitor's IP address) is transmitted to Google. Where personal data is transferred to a third country such as the US, the requirements for third-country transfers must be met; if they cannot be met, the transfer is inadmissible. The advisable approach is to host the fonts locally on your own web server. The same applies to other font providers.
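The check a site operator wants here is a list of every host the browser will contact on page load that is not their own. The Python below is an added example, not code from the Hessen authority or from TechGDPR: it parses the page's `<link>`, `<script>`, `<img>` and inline `<style>` references and reports the third-party hosts, marking the Google font CDNs. The sample HTML, the first-party host list and the font-CDN list are constructed for the illustration.

```python
"""List third-party hosts a page fetches on load (fonts included).

Added example, not code from the Hessen DPA or TechGDPR. SAMPLE_HTML,
FIRST_PARTY_HOSTS and KNOWN_FONT_HOSTS are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the site operator controls (assumed); anything else is a fetch the
# visitor's browser performs against somebody else's server.
FIRST_PARTY_HOSTS = {"example.org", "www.example.org"}

# Font CDNs typically embedded via <link> or CSS @import/url() (assumed list).
KNOWN_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

# Absolute URLs inside CSS: @import "…", @import url(…), url(…).
CSS_URL_RE = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?(https?://[^'")\s]+)""", re.I)


class ExternalAssetFinder(HTMLParser):
    """Collect absolute URLs from href/src attributes and inline <style> blocks."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._style_chunks = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for key in ("href", "src"):
            value = attrs.get(key)
            # Only absolute or protocol-relative URLs can point off-site.
            if value and value.lower().startswith(("http://", "https://", "//")):
                self.urls.append(value)

    def handle_data(self, data):
        if self._in_style:
            self._style_chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
            self.urls.extend(CSS_URL_RE.findall("".join(self._style_chunks)))
            self._style_chunks = []


def third_party_fetches(html, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return one finding per off-site URL: {url, host, font_cdn}."""
    finder = ExternalAssetFinder()
    finder.feed(html)
    finder.close()
    findings = []
    for url in finder.urls:
        host = urlsplit(url).netloc.lower()
        if not host or host in first_party_hosts:
            continue
        findings.append({"url": url, "host": host, "font_cdn": host in KNOWN_FONT_HOSTS})
    return findings


# Constructed page: two Google Fonts references, one @import, one first-party
# @font-face (fine), one third-party script.
SAMPLE_HTML = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link href="https://fonts.googleapis.com/css2?family=Roboto&display=swap" rel="stylesheet">
<link href="/static/site.css" rel="stylesheet">
<style>
@import url('https://fonts.googleapis.com/css?family=Lato');
@font-face { font-family: "Inter"; src: url("https://www.example.org/fonts/inter.woff2") format("woff2"); }
</style>
<script src="https://cdn.example.net/analytics.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in third_party_fetches(SAMPLE_HTML):
        print(("FONT  " if f["font_cdn"] else "OTHER ") + f["host"] + "  " + f["url"])
```

Every `fonts.googleapis.com` or `fonts.gstatic.com` line is a transfer the page triggers before the visitor can consent to anything; the fix is to copy the font files to your own server, reference them with an `@font-face` rule pointing at a first-party `url()`, and delete the `<link>` and `@import` lines, after which this scan returns no font CDN hosts.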

Who is the data controller when an internal whistleblower scheme is outsourced? An external supplier can handle whistleblower reports via a) direct contact, b) an IT platform, or c) a combination of both. With direct contact, the supplier has a degree of independence and decision-making power, so both parties act as data controllers, (unless the employer gives the supplier very strict instructions). For the operation, (hosting), of the IT platform, however, the supplier can be a processor, and a data processing agreement may be needed.

Enforcement actions: M&A customer data, retention periods, account ownership, consent forms, data brokers, consent layers, misleading and incomprehensible commercial prospecting

The Italian regulator Garante fined the Douglas perfume chain 1.4 million euros for keeping the data of millions of customers for many years. The company was formed in 2019 by merging three companies in the sector, and decided to keep the data of almost 3.3 million customers of the previous companies without requesting their consent. It will have to destroy data older than 10 years, delete or pseudonymise the more recent files, secure them properly, and inform the customers. It must also change the settings of the Douglas app so that the contents of the privacy information are clearly distinguished, and customers must be able to give free and specific consent for each activity, (the company’s own marketing, third-party marketing and profiling).

The French CNIL fined Discord Inc. 800,000 euros, also over retention periods and the security of personal data. This US “voice over IP” service offers instant messaging in which users can create servers with text, voice and video rooms. The company had no written data retention policy: 2.47 million accounts of French users had been inactive for more than three years. Discord’s password policy was weak, (six characters including letters and numbers sufficed), and when a user in a voice room closed the app window by clicking the “X” icon, the app only went into the background and the user stayed connected to the room.

The CNIL also fined EDF 600,000 euros over its commercial prospecting practices. The standard forms used to collect prospect data were supplied by a data broker. However, EDF could not give the CNIL the list of partners receiving the data, even though such a list must be made available to individuals when they give their consent. Finally, the measures EDF had in place with its data brokers to ensure consent was validly obtained were insufficient: at the time of the audits EDF neither checked the consent forms used nor conducted due diligence on the data brokers.

The Spanish AEPD fined online banking service Bankinter 80,000 euros for violating security obligations. The complainant had access to the data of a third party alongside their personal data, whilst accessing their monthly statement on Bankinter’s website. The incident occurred due to an error in managing the ownership of the accounts. The AEPD also fined BBVA 80,000 euros for violating the integrity and confidentiality principle: the claimant had requested a certificate of ownership for their account from the bank, however they received a copy of a third party contract. Moreover, it took BBVA too long to remove the link to the file, so the claimant could not access, download or view the document.

The Danish data protection authority Datatilsynet criticised JP/Politiken’s consent procedure. Visitors were given three options, (Necessary only, Customize Settings and Accept all). The “first layer” showed that JP/Politiken processed personal data for statistical and marketing purposes. In the “second layer”, reached by clicking Customize Settings, visitors could select their preferences per processing purpose. However, the regulator found that visitors who clicked Accept all were not informed about all processing purposes.

The Italian competition authority AGCM fined Enel Energia and partner agencies over 5 million euros for unfair commercial practices. Various complainants received misleading messages, delivered by automated calls and by call centre operators, intended to induce consumers to sign a contract with Enel Energia. In most cases the consumers had never given consent, and some had been contacted despite their telephone numbers being in the Do Not Call register.

The Italian Garante also issued a similar fine to the one above against Vodafone. In this case, a woman over 80 was offered a contract read out at a speed of 200 words per minute for 6 minutes in a so-called “vocal order”, (a contract concluded directly by telephone). The offer was judged incomprehensible even after repeated listening. The 500,000 euro fine imposed on Vodafone took into account the aggravating circumstance of other telemarketing violations committed in the previous three years.

Data security: public Wi-Fi, World Cup apps, M&A due diligence

Ahead of the festive season, the US NIST reminds consumers how to use public Wi-Fi networks securely. These are wireless local area networks open to the public that do not require a password. Many public Wi-Fi hotspots and access points provide no encryption, so traffic that lacks its own data-in-transit protection can be eavesdropped on by anyone in radio range. Employees use public Wi-Fi to work remotely from hotels, airports and coffee shops, and compromised information can lead to serious harm, financial loss or reputational damage for an organisation. To mitigate the threat, individuals and enterprises should use secure connections to websites and resources:

  • a virtual private network (VPN), so that all traffic to and from their applications is encrypted before it leaves the device;
  • websites served over Hypertext Transfer Protocol Secure (HTTPS), i.e. HTTP carried over Transport Layer Security.

Visitors to the World Cup in Qatar are asked to pay close attention to their digital security. Two apps are required to attend the festivities. They are advised to use a telephone that they do not use for anything else. No other personal data, such as telephone numbers, image or sound files should be stored on this device. After using the apps, the operating system and all content on the phone used should be completely deleted.

The Starwood/Marriott data security breach in Canada provides an important signal for parties to M&A transactions and for all organisations that handle personal information. After the two hotel chains merged Marriott delayed measures to improve the security of the Starwood networks as they were due to be decommissioned. Then Marriott discovered a breach of the Starwood network involving unauthorized access to approximately 339 million customer records. The regulator concluded that Marriott failed to perform an ongoing assessment of the security safeguards in breach of the PIPEDA requirement. Class action lawsuits also were commenced against Marriott in Canada and the US. 

Big Tech: Meta Ireland “data scraping”, Amazon Prime subscriptions, Voodoo gaming apps, Google location tracking

The Irish data protection commission concluded an inquiry into Meta Platforms Ireland, data controller of the “Facebook” social media network, imposing a 265 million euro fine and a range of corrective measures. The regulator opened the inquiry after media reports on the discovery of a collated dataset of Facebook personal data that had been made available on the internet. The inquiry examined and assessed the data security measures of the Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools, in a comprehensive process that included cooperation with all of the other data protection supervisory authorities in the EU.

A recent class action filed in Washington alleges that Amazon used dark patterns to make cancelling customers’ Prime subscriptions more difficult. Amazon’s deceptive cancellation interface effectively prevents Prime subscribers from ending their memberships, leads to further subscription fees, and allows the company to continue collecting, retaining, and using the personal data of misdirected subscribers.

The UK ICO published the Age Appropriate Design Code audit report for Voodoo mobile gaming apps. Among high priorities, Voodoo does not have an accurate understanding of the age demographics of the players, (users are asked to confirm that they are 16 or over via a self-declared age-gate). Younger users are not provided with age-appropriate prompts, information messages, or explanations. There has not been a documented assessment of serving a high volume of advertising at minors, and no consent options were provided.

Finally, Google agreed to a 391.5 million dollar settlement with most US states over misleading location tracking practices, the biggest of its kind. The confusion arose around the Location History setting and the extent to which users could limit Google’s location tracking by adjusting their account and device settings, CNN reports. Location data collected by Google could be used to target advertising and build profiles on internet users, or disclose highly sensitive information to law enforcement.

Weekly digest 25 July – 1 August 2022: UK publishes new data protection draft bill and updates BCRs
https://techgdpr.com/blog/weekly-digest-02082022-uk-publishes-new-data-protection-draft-bill-and-updates-bcrs/ (Tue, 02 Aug 2022)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: UK new data protection draft bill, rules to prevent child abuse online

A UK new data protection draft bill was published on a parliamentary website. This document is intended to update and simplify the UK’s data protection framework to reduce organisational burdens while maintaining high data protection standards. The bill was introduced to the House of Commons and given its first reading on 18 July. This stage is formal and takes place without any debate. MPs will next consider it at the second reading on 5 September. The main provisions of the bill include:

  • greater flexibility on how to comply with certain aspects of the data protection legislation (eg, relying on legitimate interest or amending the requirement for controllers to keep logs relating to processing);
  • improving the clarity of the framework, particularly for research organisations;
  • more certainty and stability for cross-border flows of personal data;
  • changes to the Privacy and Electronic Communications Regulations 2003, relating to the confidentiality of terminal equipment, (eg, cookie rules), unsolicited direct marketing communications, (eg, nuisance calls), and communications security (eg, network traffic and location data);
  • a framework for providing digital verification services in the UK to secure those services’ reliability and enable digital identities to be used with the same confidence as paper documents;
  • a wider application of provisions on information standards, extending to providers of IT, IT services or information processing services used, or intended for use, in connection with the provision of health or adult social care in England;
  • smart data schemes to allow for the secure sharing of customer data, (eg, held by a communications provider or financial services provider), upon the customer’s request, with authorised third-party providers;
  • use of personal data for law enforcement and national security purposes.

Meanwhile, the Irish government has approved the expansion of the Data Protection Commission, (DPC). The intention is to appoint two additional commissioners to support the evolving organisational structure, governance and business needs of the DPC. The appointments are to be made following the Data Protection Act 2018, which allows up to three commissioners to be appointed. The commission and its stakeholders, like the Irish Council for Civil Liberties, have regularly highlighted the increased working burden and investigative complexity. Ireland is a notable one-stop shop for the Big Tech companies headquartered in the EU. The DPC’s GDPR enforcement capacity, especially its cross-border aspects, has also been a point of debate in recent years across Europe. 

The EDPB and EDPS have adopted a joint position on the proposal for a regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse. The proposal lacks clarity on critical elements, such as the notions of “significant risk”. Furthermore, the entities in charge of applying those safeguards, starting with private operators and ending with administrative and/or judicial authorities, enjoy a very broad margin of appreciation, which leads to legal uncertainty on how to balance the rights at stake in each case. The EDPB and EDPS also believe scanning audio communications is particularly intrusive and must remain outside the scope of the obligations in the proposed regulation, both concerning voice messages and live communications. The regulators express doubts regarding the efficiency of blocking measures and consider that requiring providers of internet services to decrypt online communications to block those concerning CSAM would be disproportionate.

Official guidance: UK BCRs, use of biometric data, age verification online

The UK Information Commissioner’s Office, (ICO), has released updated guidance on GDPR-governed Binding Corporate Rules, (BCRs), with application forms and tables for data controllers and processors. The concept of BCRs as adequate safeguards for restricted transfers was developed under EU law and continues to be part of UK law under the UK GDPR, (specifically, Art. 47). BCRs are intended for multinational corporate groups, groups of undertakings or enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships. The guidance is intended to assist controllers preparing the UK BCR pack for approval: the application form, the binding instrument, and any supporting documents. EU and UK BCR requirements currently overlap substantially, so the ICO has simplified the UK BCR approval process for applicants.

The Spanish privacy regulator AEPD published a blog post, (in Spanish), on the use of biometric data from a data protection perspective. Biometric processing techniques collect and process people’s physical, behavioural, physiological or neural traits through devices or sensors, producing signatures or templates that enable the identification, monitoring or profiling of people. Some methods require the cooperation of the individual; others can capture biometric data remotely, without the individual’s cooperation or awareness. When demonstrating that the processing complies with the GDPR, it helps to classify biometric operations by:

  • the purpose of the biometric operation relative to the purpose of the processing,
  • the legal framework,
  • the scope of the processing,
  • qualified human intervention,
  • transparency,
  • free choice for the data subject,
  • adequacy, sustainability and necessity,
  • data minimisation,
  • the degree of user control,
  • implicit collateral effects of the biometric operation, (eg, proctoring), etc.

How should age verification be performed on a website? The French CNIL proposes some effective and privacy-friendly solutions. After analysing existing systems, the regulator recommends developing new ones. Age verification to protect young people is compatible with the GDPR, provided sufficient guarantees are in place to minimise privacy breaches and to prevent age checks from becoming an opportunity for publishers to collect additional data about visitors to their site. It is also necessary to prevent the data being captured by a third party for malicious uses, (biometric data breach, phishing, spoofing, blackmail).

Age can be verified through an automated credit card check or through facial analysis. However, these solutions must be operated by third parties with sufficient security and reliability to avoid data theft, and the additional risks they generate must be taken into account. Another solution is possible, says the CNIL, but presents specific technical difficulties or a lower maturity. In this case, a trusted third party is provided with reliable proof of age by an administration or a company that knows the Internet user and can certify their age. This proof is then transmitted by the trusted site, or by the user, to the site the user wants to access. The system recommended by the CNIL would provide triple protection of privacy:

  • the party providing the proof of age knows the user’s identity, but does not know which site is being visited;
  • the party transmitting the proof of age to the site may know the site or service consulted, but does not know the user’s identity;
  • the site or service subject to age verification knows that the user is of legal age and that a person is consulting it, but does not know their identity.
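The three-party exchange above is easiest to reason about as code, so here is an added example that is not from the CNIL or TechGDPR. The age provider signs a claim that names no site, a relay forwards it to the site without learning who the user is, and the site verifies the signature and learns only the age claim; each party keeps a log of what it saw so the three guarantees can be checked. The party names, the token format and the use of textbook RSA (no padding, keys generated on the fly) are assumptions for the illustration; the toy signature stands in for a real scheme and is not for production use.

```python
"""Double-blind proof-of-age exchange in the shape the CNIL describes.

Added example, not CNIL code. Textbook RSA below is a stand-in for a real
signature scheme (no padding, fresh small keys): illustration only.
"""
import hashlib
import json
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test, sufficient for a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def keygen(bits=512):
    """Toy RSA key pair: returns (public=(n, e), private=(n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def sign(priv, msg):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big")


class AgeProvider:
    """Knows the user (a bank or administration); the request names no site."""
    def __init__(self):
        self.pub, self._priv = keygen()
        self.seen = []

    def issue_proof(self, user_id, birth_year, current_year):
        self.seen.append({"user": user_id, "site": None})
        # The signed claim carries only the age statement and a nonce, no identity.
        claim = {"over_18": current_year - birth_year >= 18, "nonce": secrets.token_hex(8)}
        token = json.dumps(claim, sort_keys=True).encode()
        return token, sign(self._priv, token)


class Relay:
    """Transmits the proof: sees which site is consulted, never who the user is."""
    def __init__(self):
        self.seen = []

    def forward(self, site, token, sig):
        self.seen.append({"site": site.name, "user": None})
        return site.admit(token, sig)


class Site:
    """Verifies the provider's signature; learns only the over-18 claim."""
    def __init__(self, name, provider_pub):
        self.name, self.provider_pub, self.seen = name, provider_pub, []

    def admit(self, token, sig):
        if not verify(self.provider_pub, token, sig):
            return False                     # forged or altered claim
        claim = json.loads(token)
        self.seen.append({"user": None, "over_18": claim["over_18"]})
        return claim["over_18"] is True


def run_exchange(user_id, birth_year, current_year=2022, site_name="video.example"):
    """Wire the three parties together and return what each one saw (constructed data)."""
    provider, relay = AgeProvider(), Relay()
    site = Site(site_name, provider.pub)
    token, sig = provider.issue_proof(user_id, birth_year, current_year)
    admitted = relay.forward(site, token, sig)
    return {"admitted": admitted, "token": token, "sig": sig, "site": site,
            "provider_log": provider.seen, "relay_log": relay.seen, "site_log": site.seen}
```

Running `run_exchange("alice@example.org", 1990)` admits the user while the provider's log holds no site, the relay's log holds no user and the site's log holds neither; flipping `false` to `true` in a minor's token breaks the signature and the site refuses it. A real deployment would add an expiry and a one-time nonce check at the site so a proof cannot be replayed.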

Investigations and enforcement actions: vehicle rental, progressive health research, wrongful patient referral, passwords in plain text, cookie violations

The supervisory authorities, (SAs), of the Baltic States launched coordinated preventive supervision of personal data processing in the field of short-term vehicle rentals, the EDPB reports. The SAs agreed to supervise enterprises whose services are mainly aimed at natural persons (eg, electric scooters), primarily merchants whose principal place of business is in one of the Baltic States and who offer their services throughout the Baltics. Each SA may, at its own discretion, extend the supervision to enterprises that are active in only one Member State.

The EDPB has published criteria for selecting cases of strategic importance where there is a likely high risk to the rights and freedoms of natural persons. The degree of public debate and media attention is not a separate criterion, but data protection authorities can take these factors into account. A proposal may be made if it concerns:

  • a structural or recurring problem in several Member States;
  • a case related to the intersection of data protection with other legal fields;
  • a case that affects a large number of data subjects in several Member States;
  • a large number of complaints in several Member States; 
  • a fundamental issue falling within the scope of the EDPB strategy;
  • a case where the GDPR implies that high risk can be assumed, such as the processing of special categories of data, processing regarding vulnerable people such as minors, situations where a data protection impact assessment, (DPIA), is required, or situations where a DPIA is required based on the criteria for processing operations that are likely to result in high risk (as laid down in the EDPB Guidelines).

The Italian privacy regulator ‘Garante’ gave a favorable decision on the processing of data by a hospital aimed at the study of patients suffering from neoplastic, infectious, degenerative, and traumatic pathologies of the thoracic region. The project envisages the creation of a database and research activity in nine areas that will be the subject of further specific protocols and submitted to the competent ethics committees for each area. To give the green light, however, the authority asked the researchers to base the collection – and the subsequent processing of health data for medical research purposes – on “progressive stages” consent. 

Garante previously authorised the collection and storage of data in the “Torax” database on the basis of an initial consent given by patients when joining the study, provided that the hospital subsequently obtained specific consent from them. Garante also ruled on the data of deceased or no-longer-contactable patients, and on research projects that were better defined and approved by the territorially competent ethics committees. The authority took favourable note of the technical measures the hospital implemented to eliminate the risk of patient identification, deeming them suitable for anonymising the data processed. However, the hospital must periodically review and, where necessary, adjust these measures.

Meanwhile, the Polish supervisory authority UODO fined the University Clinical Center of the Medical University of Warsaw for failing to notify the UODO of a personal data breach and for failing to notify the data subject. A patient received a referral from a doctor to a specialist clinic containing another person’s personal data: name, surname, address, identification number, diagnosis and the purpose of the consultation. The controller confirmed that another patient’s data had been entered on the referral by mistake but, after analysing it, concluded that the referral referred to a person who did not exist. Although the controller classified the incident as a security incident, it judged that there was no significant effect on the rights and obligations of the data subject.

In the UODO’s view there was a personal data breach: disclosure of personal data to an unauthorised person, (another patient), as a result of an error by the doctor issuing the referral. The document contained only one mistake, in the affected patient’s favour; the rest of the data in the referral, eg, name, address and identification number, did apply to that patient. It therefore cannot be claimed that the event concerned a non-existent person. Despite the mistake in this person’s favour, they can easily be identified.

The Danish data protection authority criticised EG Digital Welfare ApS and issued it two orders. The Mediconnect IT system offered by EG is used by municipalities, regions and insurance companies to handle sensitive and confidential information about citizens, with EG acting as data processor. The case showed that passwords are stored in Mediconnect in plain text, opening up access to special categories of data that are protected only by username and password. The regulator ordered EG to store passwords only in irreversibly hashed form (the order speaks of “irreversible encryption”), and to ensure that login does not rely exclusively on a username and password, (eg, multi-factor login, certificates, tokens, or a PKI solution).
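Both orders map onto a small amount of code, so the following is an added example (not EG's Mediconnect code) of the plaintext store beside its hardened replacement: a salted, slow, one-way PBKDF2 hash that a database dump cannot be reversed from, a constant-time comparison, and an RFC 6238 time-based one-time password as the second factor so that a username and password alone no longer log anyone in. The usernames, passwords and TOTP secret are constructed test data, and the iteration count is an assumption taken from current OWASP guidance.

```python
"""Plaintext credential store beside the hardened form, plus a TOTP second factor.

Added example, not code from EG or Datatilsynet. All credentials below are
constructed test data.
"""
import hashlib
import hmac
import secrets
import time


class PlaintextStore:
    """What the regulator found: a database dump hands every password to the attacker."""
    def __init__(self):
        self.rows = {}

    def add(self, user, password):
        self.rows[user] = password

    def check(self, user, password):
        return self.rows.get(user) == password


PBKDF2_ITERATIONS = 600_000   # assumed: OWASP's 2023 figure for PBKDF2-HMAC-SHA256


class HashedStore:
    """Stores (salt, PBKDF2 digest); the password itself is never written anywhere."""
    def __init__(self):
        self.rows = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def add(self, user, password):
        salt = secrets.token_bytes(16)          # per-user salt defeats rainbow tables
        self.rows[user] = (salt, self._derive(password, salt))

    def check(self, user, password):
        row = self.rows.get(user)
        if row is None:
            self._derive(password, b"\0" * 16)  # same cost for unknown users (no timing oracle)
            return False
        salt, digest = row
        return hmac.compare_digest(self._derive(password, salt), digest)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP over HMAC-SHA1 (the scheme behind authenticator apps)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the current code and one step either side to absorb clock drift."""
    now = time.time() if at is None else at
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


def login(store, totp_secret, user, password, code, at=None):
    """Both factors must pass; the password check runs first so the TOTP is never a shortcut."""
    return store.check(user, password) and verify_totp(totp_secret, code, at)


# Constructed test data; the TOTP secret is the RFC 4226/6238 test vector key.
TOTP_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    weak, strong = PlaintextStore(), HashedStore()
    weak.add("alice", "hunter22")
    strong.add("alice", "hunter22")
    print("plaintext row:", weak.rows["alice"])
    print("hashed row:   ", strong.rows["alice"][1].hex())
    print("login ok:", login(strong, TOTP_SECRET, "alice", "hunter22", totp(TOTP_SECRET)))
```

The RFC test vectors let you check the TOTP code offline: with the secret above, `totp(TOTP_SECRET, at=59)` must be `287082`. A breach of `HashedStore` yields only salts and 600,000-iteration digests, which is the property the order's "irreversible" wording is after.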

Spain’s AEPD fined Vueling Airlines 30,000 euros for cookies violations. According to the complaint, when accessing Vueling’s website, users could not reject cookies or purchase tickets without accepting the sending of commercial communications and promotions. Vueling’s misuse of cookies on its website constituted a violation of Art. 22 of the country’s Information Society Services and Electronic Commerce legislation. The AEPD imposed on Vueling the above fine, which was subsequently reduced to 18,000 euros following Vueling’s admission of guilt and the voluntary payment of the fine.

Audits: an insurance company’s data processing

The UK ICO audited the data processing of Somerset Bridge Insurance Services Ltd with the company’s consent. The audit focused on direct marketing: the processes in place where an organisation markets to customers on its own database and/or obtained from third-party lists, including controls for management structures, policies and procedures, monitoring and reporting, training, fairness and transparency, lawful consent, accuracy and integrity of records, operations, and data subjects’ rights. The audit summary was as follows:

  • The company processes personal data from customers obtaining insurance quotes and policies. 
  • It collects personal data directly from its customers through its website, aggregator sites, or telephone calls.
  • It only relies on active opt-in consent for any form of marketing, including via email, phone, or SMS. 
  • It currently does not use soft opt-in. Electronic marketing is mainly through a monthly newsletter. Each email to the customer includes the option to unsubscribe.
  • It does not process special category data when processing data for marketing purposes. 
  • Automated marketing calls are not made. 
  • It does not buy in marketing lists from third parties. 

The ICO auditors reported a high level of assurance that the direct marketing activities conducted by the company were compliant with the UK GDPR, DPA 2018 and the Privacy and Electronic Communications Regulations. 

Data security: ransomware attacks

The EU cybersecurity agency ENISA stated that ransomware is one of the most devastating types of cybersecurity attack over the last decade and has grown to impact organisations of all sizes across the globe in the last year:

  • About 10 terabytes of data were stolen each month by ransomware threat actors; 58.2% of the stolen data included employees’ data.
  • At least 47 unique ransomware threat actors were found.
  • For 94.2% of incidents, it is unknown whether the company paid the ransom.
  • When negotiation fails, the attackers usually publish the data on their web pages. This happened in 37.88% of incidents.
  • The remaining 62.12% of companies either came to an agreement with the attackers or found another solution.

Several different ransomware business models emerged from the study: a) individual attackers; b) ransomware-as-a-service model; c) a data brokerage model; and d) a model aimed mostly at achieving notoriety. Thus the ENISA report recommends the following:

  • keep an updated backup of your business files & personal data;
  • keep this backup isolated from the network;
  • apply the 3-2-1 rule of backup: 3 copies, 2 different storage media, 1 copy offsite;
  • run security software designed to detect most ransomware in your endpoint devices;
  • restrict administrative privileges, etc.

Big Tech: Paramount Global, US tech in Russia, TikTok in US, Manchester City’s smart scarf

Paramount Global, owner of CBS, is facing a class action lawsuit alleging that the Hollywood giant tracked and collected CBS.com subscriber data and sold it to Facebook without users’ consent. Paramount is accused of violating the Video Privacy Protection Act, and Facebook has already acknowledged that it receives CBS.com subscriber data via the Facebook tracking pixel that Paramount uses.

Russia continues to tighten the regulatory screws on US tech firms, with fines imposed on Snapchat, WhatsApp, and Tinder for failing to store the data of their Russian users on local servers. Local data storage is a requirement since a 2019 law, although many western companies have fallen foul of it, and the number is growing.

China’s TikTok has paid a 92 million dollar settlement in a 2019 case brought in federal court in Illinois, alleging multiple data protection and privacy violations and the illegal collection of biometric data. As part of the deal, TikTok must restrict what it collects, disclose it in its privacy policy, and end the undisclosed sending of data overseas.

Tech incorporated in clothes gives you useful feedback on a range of things. Now Manchester City have made their fans a scarf that gives the club loads of information about the wearer’s match experience. An EmotiBit sensor can read blood pressure, heart rate, emotional arousal or stress levels. The club has partnered for the pilot stage with Cisco, tech and production company Unit9, and sports marketers Octagon UK, although Man City is being coy for the moment about just what personal data will be collected and shared and with whom.
