Data subject rights (DSRs) are not optional check boxes. They are legally enforceable rights granted to individuals whose personal data is processed. Businesses must respect data subject rights throughout all stages of AI development, deployment, and ongoing system management. The GDPR grants individuals several rights over their personal data. Let us focus on four of these here:

1. Right to be informed: As with other data protection frameworks, transparency is key under the GDPR. This right takes the form of a duty to inform prior to the processing taking place. Businesses must include information on how they collect, use, store, and share data, the purpose of processing, the legal basis, data retention periods, and who may receive the data. Privacy notices are the typical repositories for this information. They must be concise, accessible, and written in plain language.
2. Right of access: Data subjects can request access to the exact personal data a business holds about them. Businesses must provide information about processing activities, data categories, and any third parties with whom they share the data.
3. Right to rectification: Data subjects can request organizations to correct incorrect or incomplete data without delay. Businesses must respond promptly and update the data across systems and third-party processors where necessary.
4. Right to object, right to be forgotten and right to revoke consent: It allows individuals to exercise control. The European Data Protection Board (EDPB)  published a case digest on right to object and erasure. Data subjects must be able to object to the use of their data and request its erasure when it is no longer necessary, when they withdraw consent, or for purposes like direct marketing.

Incorporating data minimization in AI Systems

One of the most effective ways businesses can respect data subject rights is by adhering to the data protection principle of data minimization. This GDPR principle requires businesses to collect and process only the minimum personal data necessary to achieve their specific purpose. Avoid over-collecting data, use anonymized or synthetic data for training, and regularly review AI outputs to remove unnecessary personal information.

Implement transparent data practices

Transparency is central to building trust and achieving legal compliance. Always define the purpose of processing, specifically the training of AI models. If businesses rely on legitimate interest, they must show that they gave data subjects the chance to object; otherwise, they invalidate their legal basis.

Clearly inform existing customers in advance when using their data to train AI models, and provide opt-out options before processing begins. Transparency is key. 

When there’s no direct relationship with the individual (such as when using publicly available data or from data brokers), the GDPR requires information to be provided within one month of its collection GDPR Articles 14.  

In 2023, the Italian DPA temporarily banned OpenAI’s ChatGPT, citing a lack of transparency around how it used personal data for training. The DPA later required the company to implement clear privacy notices and provide users with ways to exercise their rights.

Respect the right to access 

Can data owners request access to training data? 

This becomes complicated with large language models, but under the GDPR, individuals have the right to know if and how their data is being used.

How to exercise that right? 

Under the GDPR, individuals have the right to know if and how their personal data is used, including data processed by AI systems. While this is straightforward for users with an existing relationship (who can submit data subject access requests via account settings or customer support), it’s more complicated when there’s no direct connection.

In such cases, organizations must ensure proactive transparency by clearly informing people through privacy policies and AI transparency reports. Failure to uphold this right contributes to loss of trust and accountability in AI use and development.

Develop clear processes for data deletion and rectification 

Can data be corrected or deleted after it has been used to train an AI model? 

While difficult, companies must explore the use of data architectures that allow tracing of personal data contributions. The GDPR (Recital 26) considers even pseudonymous data, like randomly generated user IDs, as personal data since organizations can technically link it back to a person, directly or indirectly.

To reduce data subject risk while improving compliance, companies could implement the following measures:

• Data encryption: Businesses should ensure proper security implementation, especially when handling sensitive personal information.
• Anonymization and pseudonymization: Where possible, anonymize or pseudonymize data before using it in AI models. Anonymization and pseudonymization protect personal data by reducing breach risks and limiting the impact on individuals in case of a data exposure.
• Access control: Implement strict access controls and monitoring to ensure only authorized personnel can access personal data. This prevents unauthorized exposure of sensitive information.

By embedding these practices into AI development pipelines, organizations can take meaningful steps toward compliance, trust-building, and ethical AI deployment.

Ensure security and privacy by design

Organizations should build user trust and meet regulations by embedding privacy from the start, not treating it as an afterthought. This is the core of the privacy by design principle under the GDPR.

Key steps include:

• Promoting user choice and control: Provide clear opt-out options before processing data—whether in email campaigns, mobile app popups, or web trackers.). Empower users with privacy dashboards that let them view, manage, and delete their personal data at any time.
• Secure data handling: Businesses must encrypt personal data used in AI training while transmitting and at rest. Implement strict access control mechanisms to ensure that only authorized personnel can interact with sensitive data.

Embedding privacy and security into system architecture from the outset not only ensures compliance, trust-building, and ethical AI deployment.

Maintain ongoing communication and feedback loops

Transparency shouldn’t stop at data collection. When introducing AI processing, update your privacy notices to reflect new processing activities, as required by the GDPR. Use layered notices to highlight AI-specific practices like model training, profiling or automated decision-making. Importantly, inform users before processing, not after. True consent means giving people a real choice. Building feedback loops as user input is essential for improving fairness, spotting issues, and building trust in your AI systems.

Conclusion

As AI continues to shape modern business, respecting data subject rights is not just a legal obligation; it’s a foundation for responsible innovation. By embedding privacy by design, adopting transparent data practices, and enabling user control, organizations can align AI development with GDPR principles and foster long-term trust. Data protection isn’t a compliance checkbox, it’s a strategic imperative for ethical and sustainable AI.

Feel free to reach out to us for any clarification of AI compliance needs.

The post Respecting Data Subject Rights in AI: A Practical Guide for Businesses appeared first on TechGDPR.

The Imperative for Ethical AI

The integration of AI into business operations brings forth unprecedented opportunities for innovation and efficiency. However, it also raises significant ethical and compliance challenges, from data privacy concerns to fairness and accountability issues. As pioneers in GDPR and privacy consulting, TechGDPR understands the criticality of addressing these challenges head-on. Our new services are tailored to empower organizations to leverage AI technologies while ensuring ethical integrity and regulatory compliance.

Why is TechGDPR best placed to support with AI Ethics & Compliance?

TechGDPR’s unique blend of experience in privacy consulting and AI governance positions us as your ideal partner in this journey. Our team, trained as AI Governance Professionals by the International Association of Privacy Professionals (IAPP) and recognized as Foundational Supporters of the IAPP’s AI Governance efforts, brings unparalleled expertise to the table. This background equips us with the skills to provide comprehensive support, from regulatory compliance assessments to the development of ethical AI frameworks.

Our AI Ethics & Compliance Services

Our AI Ethics & Compliance services are designed to meet the needs of businesses at the earlier stages of AI adoption, in particular for the users (“deployers” by the definition of the -draft- EU AI Act). In particular for companies using standard Generative AI, Large Language Models like ChatGPT, Google Gemeni, MidJourney or custom trained AI models to support with business functions. Our offerings include:

• AI Compliance Strategy Development: Crafting tailored strategies to navigate the regulatory landscape of AI.
• Ethical AI Frameworks: Establishing ethical guidelines to guide the development and deployment of AI systems.
• Risk Assessment and Mitigation: Identifying potential ethical and compliance risks and developing strategies to address them.
• Training and Education: Equipping your team with the knowledge to implement and manage AI responsibly.

If you are in the process of training your own model, or even developing or deploying your own algorithm, we can help. In particular ensuring solid Privacy by Design is utmost important to ensure no fatal mistakes from the data protection and privacy point of view, but also early synchronization with regulatory requirements under the AI act are essential.

Looking Ahead: AI Ethics and Compliance for companies using AI

As we launch these services, we invite you to join us in shaping a future where AI not only advances technological boundaries but does so with integrity and compliance at its core.

For more information on how we can support your AI initiatives, visit our newly launched page on Artificial Intelligence Ethics and Compliance.

The post Introducing TechGDPR’s AI Ethics & Compliance Services appeared first on TechGDPR.

Sign up to receive our fortnightly digest via email.

Legal processes

Digital Services Act: Online services will have new obligations when the application of the EU’s digital services regulation begins as of 17 February. The purpose of the new regulation is to reduce illegal content and increase the transparency of advertising and recommendation systems and the protection of minors. The internet giants have been already supervised and regulated directly by the European Commission since mid-2023, whereas Member States are responsible for the supervision of smaller platforms as of mid-February. 

EU adequacy decisions list: The European Commission successfully concluded its review of 11 existing adequacy decisions. Thus Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continue to benefit from adequate data protection safeguards. The Commission also monitors the latest arrangements that are in place with the UK, US, Japan and South Korea. 

Regulatory updates

Decentralised clinical trials: To support sponsors in the design of their decentralised clinical research projects, the French data protection regulator CNIL and its state partners are setting up a pilot phase, from January to June 2024. 20 projects will be selected and will receive targeted support. In 2022, the European Commission published the European recommendations on decentralised clinical trials in the wake of the COVID-19 pandemic.  Each application must include:

• a specific question mentioning the decentralised component and summarizing the problem encountered;
• a proposal for a complete scenario for the implementation of the decentralised element of the research project, a summary of the protocol and the information notice for future participants.

DPO evaluation: The EDPB identified areas of improvement to promote the role and recognition of data protection officers. In 2023, thousands of organisations, as well as DPOs were contacted across the EEA, covering a wide range of sectors, and more than 17,000 replies were received and analysed. The majority of the DPOs interrogated declare that they have the necessary skills and knowledge to do their work and receive regular training; they have clearly defined tasks in line with the GDPR and do not receive instructions on how to exercise their duties. They generally have sufficient resources to carry out their tasks and are, in most cases, involved in decisions relating to personal data.

However, the answers provided highlight the significant disparity in resources between the DPOs of large companies and those of small communities: the public officer often carries out his duties alone while the private delegate generally has a team.

Transfer Impact Assessment

A Transfer Impact Assessment must be undertaken by controllers or processors acting as data exporters, with the assistance of the importer, before transferring data from a European Economic Area country to a third country where such transfer is based on an Art. 46 of the GDPR transfer tool. Since the importer has a lot of information needed for this assessment, its cooperation is essential for the realisation of the TIA. To that end, the French data protection authority decided to give indications on how the analysis can be carried out by following the steps set out in EDPB’s recommendations. You can read the draft TIA guide, (in English), here. The consultation on it is open until 12 February. 

(If the country of destination is covered by an adequacy decision by the European Commission, the exporter is not subject to this obligation. The same applies if the transfer is carried out based on one of the derogations listed in Art. 49 of the GDPR).

Cookies and audience measurement

The Spanish data protection authority published a guide on the use of cookies for audience measurement, (in Spanish). The management of a website, or mobile application, by a publisher generally requires the use of traffic or performance statistics. The information processed through the use of cookies for this purpose can be managed directly by the publisher or by a provider who can provide a comparative audience measurement service. In that case, the provider would act as a data processor for one or more publishers. 

Cookies used to obtain traffic or performance statistics may be exempt from consent under certain conditions, (limited strictly to what is necessary for the provision of the service). On the contrary, to be exempt from consent, these cookies or similar technologies must not result in the data being compared with other processing operations or in the data being transmitted to third parties. In addition, they should not allow aggregate tracking of the navigation of the person who uses different applications or browsers, (as is the case with audience measurement offers available on the market).

Similarly, the Austrian data protection authority published a FAQ on cookies and data protection, (in German). In particular, it explains what are “technically necessary” cookies,  how to use industry standards or “cookie consent tools”, and finally how to identify the GDPR-governed roles and responsibilities of a data controller or a processor if cookies are set for your digital services.

More official guidance

Fitness trackers: Such apps and devices are usually connected to the Internet as well as other apps and devices of various kinds. This implies the exponential multiplication of sensitive data processed and shared and the possible risks related to IT security. According to the Italian data protection agency, when using these tools it is therefore always good to adopt some important precautions: 

• always read the information notice carefully, (who and how will process your data);
• minimise data collection, (disable features that are not essential, use a pseudonym, delete data);
• If the connection to other devices is not essential for the device or app to function, do not grant permission, (such as contacts in the address book, photos, agenda or microphone);
• safety first (complex and secure authentication, downloads via official digital services, periodic updates);
• If you don’t use it, turn it off, or uninstall it from your device, and 
• avoid the use of devices and apps by minors unless supervised by an adult. 

Generative AI: Meanwhile the UK Information Commissioner’s Office, (ICO), has launched a consultation series on generative Artificial Intelligence. Generative AI models are being used across the economy to create new content, from music to computer code. The first consultation examines when it is lawful to train generative AI models on personal data scraped from the web. The ICO is seeking views from a range of stakeholders, including developers and users of generative AI, legal advisors and consultants working in this area, civil society groups and other public bodies with an interest in generative AI. The first consultation is open until 1 March.

CJEU ruling

Controller’s (non) strict liability: In one of its recent decisions the CJEU held that a controller will be held liable for a breach committed by a processor intentionally or negligently if the processor was carrying out processing operations on its behalf. However, a processor may be held solely liable if the processor carried out the processing for:

• their purposes; or
• non-compliance with the framework of, or arrangements for, the processing as determined by the controller, or 
• in such a manner that it cannot reasonably be considered that the controller consented to such processing.

The case relates to the development of a COVID-19 mobile application, raising questions of joint controllership between the IT service provider and the Lithuanian Public Health Centre that ordered its creation but did not enter into a contract to proceed with its publication. The app was eventually made available on Google Play, and its privacy policy still referenced the public centre and the service provider as controllers. 

Unsolicited marketing

Food delivery spam: The UK Information Commissioner fined food delivery company HelloFresh 140,000 pounds for 79 million spam emails and 1 million spam texts over seven months. The marketing messages were sent based on an opt-in statement which did not make any reference to the sending of marketing via text. Whilst there was a reference to marketing via email, this was included in an age confirmation statement which was likely to unfairly incentivise customers to agree. Customers were also not given sufficient information that their data would continue to be used for marketing purposes for up to 24 months after cancelling their subscriptions.

“Do not call” register: The UK Commissioner also fined Poxell Ltd 150,000 pounds for making over 2.6 million unlawful marketing calls between March and July 2022. The company made dozens of calls to individuals with dementia and other serious illnesses offering home improvement solutions. The aggressive salesperson failed to identify themselves, allow their number to be displayed to the person receiving the call or provide a contact address or freephone number if asked. After receiving the initial investigation letter, it continued to make unsolicited direct marketing calls until its account was terminated by its communications service provider. 

Customer data deletion: The Danish data protection regulator imposed a fine of approx. 33,000 euros against the Royal Theater for not having laid down rules for deleting customer information for marketing use. The theatre stored information on approx. 520,000 customers and newsletter recipients for marketing purposes, without having set deletion deadlines or established fixed procedures or guidelines for deleting the information. The information was only deleted in cases where individual customers specifically requested deletion or revoked their consent to receive direct marketing. 

Data breaches

Inappropriate coding: The Danish data protection regulator also recommended a record fine of approx. 2 mln euros against Netcompany. As a data controller it had not implemented appropriate security measures in connection with the development of mit.dk. This system enabled users to read and respond to their digital correspondence from the authorities, while also being able to access their medical records and pay bills. Netcompany used inappropriate coding in the component that authenticated mit.dk. users. When mit.dk. was put into operation in March 2022, an error therefore occurred almost immediately when several users logged on and accessed other users’ sensitive information.

Password recycling: Finally, tech giant 23andMe, a DNA-testing company, blames its users for data breaches, Messenger.com reports. The recent October breach exposed the 23andMe accounts of about 6.9 million users. Customers received a letter from the corporation informing them that 23andMe was not responsible for the occurrence. Rather, the incident was a result of users’ failure to safeguard their account credentials: a key that allowed criminal actors to use 23andMe’s DNA Relative matching service was supplied by some customers who recycled passwords that were exposed in prior data breaches that targeted other websites. Due to the data breach, the corporation has been sued many times, with every claim citing inadequately secured customer information.

More enforcement decisions

Electronic payments: The French data protection regulator imposed a fine of 105,000 euros on NS CARDS France. The company publishes the neosurf.com website and the mobile app “Neosurf” which allows you to make online payments after registering for digital services. The company had set a ten-year retention period at the end of which user accounts were deactivated, but not deleted. The account data was therefore kept for an indefinite period. In addition, the ten-year retention period was applied to all user accounts, without sorting out the data to be kept, for example by certain consumer rights. Another failing was the user account password complexity rules were insufficiently robust, (eg, stored in plain text in the database and associated with the users’ email address and ID). 

The regulator also noted the deposit of Google Analytics cookies on the user’s terminal without their consent. NS CARDS France also used a reCAPTCHA mechanism, provided by Google, when creating the account and logging in to the website and mobile application. The collected data was transmitted to Google for analysis but the company did not provide any information to the user and did not obtain their prior consent.

Risk assessment failed: Meanwhile, the Dutch data protection authority imposed a fine of 150,000 euros on International Card Services (ICS). ICS failed to carry out a DPIA before the company started digitally identifying customers in the Netherlands in 2019. Furthermore, the personal information used for identification was sensitive. In addition to customers’ names, addresses, telephone numbers and e-mails, this included a photo that customers had to take of themselves and send via a mobile phone or webcam. ICS then used these photos to compare them with copies of customers’ IDs. 

Data security

Data breach types: The Danish data protection authority focuses on 10 typical breaches of personal data security and comes up with concrete proposals on how they can be avoided, (in Danish). This includes things like auto-complete which causes e-mails to be sent to the wrong recipients, broad access to data on network drives, unauthorised access to data due to poor design, coding errors and insufficient testing, failure to delete data using digital tools, loss/theft of portable devices with unencrypted data, disclosure of data stored in template and form solutions, and more.

My Health My Data: Washington State published a FAQ on the My Health My Data Act. It is the first privacy-focused law in the United States to protect personal health data collected and shared outside the state and under federal healthcare privacy regulations. This concerns information that can identify a consumer’s past, present, or future physical or mental health status. For example, information about the purchase of toilet paper or deodorant is not consumer health data, while an app that tracks someone’s digestion or perspiration is. Regulated entities or small businesses shall:

• publish a separate and distinct link to their consumer health data privacy policy on their homepage;
• secure valid authorisation from a customer to sell their data. 

Consumers have a right to withdraw consent and a right to have their data deleted. The act takes effect on 31 March for regulated entities. Small businesses have until the end of June to comply with new rules.

Big Data

Meta’s “Pay or okay” consent model: Privacy-advocacy group NOYB stated that Meta unlawfully ignores the users’ right to easily withdraw consent. The group has filed a new complaint with the Austrian data protection authority. According to Meta, the Facebook and Instagram service tries to abide by EU regulations requiring users to have the option of whether or not their data may be gathered and used for targeted advertising. Users who agree to be monitored receive a free service funded by advertising income. However, while one click is enough to consent to be tracked, users can only withdraw their consent by switching to a paid subscription, NOYB concludes.

The post Data protection digest 3 – 17 Jan 2024: digital services transparency and risk assessment in the focus of regulators appeared first on TechGDPR.

Regulatory updates

5 years of the GDPR: The EDPB considers that the application of the GDPR in the first 5 and a half years has been successful. It is too early to revise the regulation, although several important challenges lie ahead, such as procedural rules relating to cross-border enforcement. The EDPB will keep on supporting the implementation of the GDPR in particular by SMEs, seeking greater clarity and uniformity of guidance and powers available. The existing tools in the GDPR have the potential to achieve this goal, provided that they are used in a sufficiently harmonised way. In addition, the supervisory authorities need sufficient resources to continue carrying out their tasks. 

“Cookie fatigue”: The EDPB also welcomed the voluntary business pledge initiative by the European Commission to simplify the management of cookies and personalised ads choices by consumers. It would ensure that users receive concrete information on how their data is processed, as well as on the consequences of accepting different types of cookies. Users would therefore have greater control over the processing of their data. However, the EDPB flagged that adherence to the cookie pledge principles by organisations does not equal compliance with the GDPR or ePrivacy Directive.

COPPA: The US Federal Trade Commission plans to strengthen children’s privacy rules to further limit companies’ ability to monetize children’s data. The new rule would require targeted ads to be off by default, limit push notifications, restrict surveillance in schools, limit data retention, and strengthen data security. COPPA rules require US websites and online services that collect information from children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information from these children, (persistent identifiers, geolocation data, photos, videos, and audio). 

UK BCRs

The UK Information Commissioner updated a guide on the binding corporate rules for organisations managing data transfers between the UK and EU. Organisations with an existing EU BCR can add the UK Addendum thus creating a new UK BCR, to include UK-restricted transfers. It contains all relevant provisions of Art. 47 of the UK GDPR, meaning that your EU BCR will work in the UK. Finally, under the terms of the UK BCR Addendum, if your EU BCR is suspended, withdrawn or revoked, this also suspends, withdraws or revokes your UK BCR. This means that you must not transfer personal data under your UK BCR and you must use another international transfer mechanism.

Log data access

An administrative court in Finland has published a decision regarding the right to inspect log data. An employee of the bank, who was also a customer of the bank, demanded to know the persons who had reviewed his customer information during the bank’s internal audit. The bank refused to disclose the identity of the employees because the log data resulting from viewing the data was the personal data of the employees in question. However, the bank did give the reason why customer data had been viewed. 

The person complained about the bank’s procedure to the data protection commissioner’s office. The regulator rejected the request and stated that the bank does not need to provide information about the identity of employees. The case ended in the CJEU. The EU top court ruled that everyone has the right to know the times and reasons for queries made to their data. However, there is no right to receive information about persons who have processed information under the authority of their employer and by the employer’s instructions.

Health data processing

Certain processing of health data is subject to the performance of preliminary formalities with the data protection authority. To facilitate the procedures of the bodies concerned and the compliance of their processing, the French regulator CNIL has published, (in French), reference standards to which they must refer: 

• “soft law” and guide frameworks (eg, data retention periods,  processing of personal data for the management of pharmacies); and
• the repositories for processing subject to authorisation, (eg, creation of a health data warehouse, research requiring the collection of consent).

Other official guidance

Sports archives: The storage of sports archives must comply with the regulations on the protection of personal data. Some personal data collected on athletes, federal officials or club presidents, such as results, awards, photographs and posters, may be of historical interest, invoked by the players in the ecosystem, (in particular institutions, clubs, sports federations, professional leagues), to justify the retention of data without limitation in time. In practice, the purposes associated with the retention of this data are very numerous, and the retention periods will vary. 

Also, depending on the status of the person who produced or received them, these records are either public or private. For example, the results of a sports competition organised by a delegated federation, (eg, the results of the championships of France), constitute public archives. On the other hand, in the context of a gala, if a sports competition is organised by the same delegated federation, the documents produced constitute private archives (the gala does not fall within the scope of the public service missions assigned to the organising delegated federation).

Purchase data: The Finnish data protection authority considers that keeping purchase data for the entire duration of the customer relationship does not adhere to the data minimisation principle. In the related Kesko, (retail company), case, the purchase data of a loyalty system, detailed and product-specific, had been processed for various reasons including for business development, and targeting of marketing. The customers themselves had been able to see their purchase information for five years. Kesko was then ordered to clearly define retention periods, clarify the purposes of the use of personal information, and delete or anonymize data that had been stored longer than necessary. 

Cross-border enforcement

Joint controllership: The EDPB published the final decision of the Hungarian supervisory authority about infringement of Art. 26 of the GDPR. The Slovak supervisory authority objected to processing carried out by a foundation as the presumed controller of two Hungarian–language websites. Certain recordings available on the foundation’s websites presumably feature children performing and singing specifically from a Slovak primary school. The Hungarian regulator established that there was no arrangement between the foundation and the school within the meaning of Art. 26 (1) of the GDPR, concerning joint processing and their respective responsibilities.  

Sanctions

Illegal university telemarketing: In the US, the Federal Trade Commission has sued Grand Canyon University for deceptive advertising and illegal telemarketing. The agency says the university, its marketer, and its CEO deceptively advertised the cost and course requirements of its doctoral programs and made illegal calls to consumers. Prospective students were told that the total cost of “accelerated” doctoral programs was equal to the cost of just 20 courses.

In reality, the school requires that almost all doctoral students take additional “continuation courses” that add thousands of dollars in costs. The defendants also used abusive telemarketing calls to try to boost enrollment. The university advertised on websites and social media urging prospective students to submit their contact information on digital forms. Telemarketers then used the information to illegally contact people. 

AI facial recognition banned: Also in the US, Rite Aid will be prohibited from using facial recognition technology for surveillance purposes to settle charges that the retailer failed to implement reasonable procedures and prevent harm to consumers in hundreds of stores. From 2012 to 2020, Rite Aid deployed AI-based facial recognition technology to identify customers who may have been engaged in shoplifting or other problematic behaviour. The complaint, however, charges that the company failed to take reasonable measures to prevent harm to consumers, who, as a result, were falsely accused of wrongdoing. 

Deleted CCTV footage: The Greek data protection agency fined Alpha Bank for failure to satisfy the right of access of its customer, who exercised the right of access to the recorded material from the store’s video surveillance system. It emerged that the bank failed to deal with the complainant’s request promptly, resulting in the material being scheduled to be deleted when the retention period expired. The authority found a violation of Art. 12 and 5 of the GDPR.

Audit reports

Cyber security framework: The UK Information Commissioner has carried out a voluntary data protection audit of Lewisham and Greenwich NHS Trust. One of the areas of improvement found included a cyber security framework that should be further embedded, by integrating new cyber staff roles into the organisation, and ensuring staff with key cyber security responsibilities complete additional specialised training relevant to their responsibilities. 

This should be supported by continuing security controls in place, such as plans to implement multi-factor authentication to protect higher risk or more sensitive personal data processing activities, and a regular programme of practical social engineering or phishing tests to ensure staff are familiar with such scams and what action to take.

Cyber risks relating to third-party suppliers should be reviewed periodically to ensure the Trust has assurance that cyber security controls are in place and effective. Further to this, Data Protection Impact Assessments should identify cyber risks and mitigating controls. Additionally, Information Asset Owners should be actively involved in assessing the cyber risks and monitoring the effectiveness of the mitigating controls. 

Ongoing work to replace or decommission legacy devices that cannot receive security patches and phase out or update servers with unsupported operating systems should continue. All network devices should be able to receive security patches that address cyber vulnerabilities, and systems approaching the end of life should be removed or updated on time.

Data breaches

Car parking data stolen: Europe’s largest parking app operator has reported itself to information regulators in the EU and UK after hackers stole customer data. EasyPark Group, the owner of brands including RingGo and ParkMobile, said customer names, phone numbers, addresses, email addresses and parts of credit card numbers had been taken but said parking data had not been compromised in the cyber-attack, the Guardian reports. The breach brings to light the centralisation of parking services, as physical meters and parking attendants are gradually replaced by websites and apps. 

Data security

Children’s privacy: The Spanish data protection authority presented its age verification system. It consists of the principles that an age verification system must comply with, a technical note with project details and practical videos that demonstrate how the system works on different devices and using several identity providers. The risks of the age verification systems currently used on the Internet, eg self-declaration or sharing credentials with the content provider, have demonstrated clear risks of the location of minors, lack of certainty on the declared age, exposure of the identity to multiple participants, and mass profiling. 

PETs: Privacy-enhancing and preserving technologies generally refer to innovations that facilitate the processing and use of data in a way that preserves the privacy of individuals. While there is no unified definition denoting a technology as a PET, the Centre for Information Policy Leadership’s year-long study investigates and provides 24 case studies on its three main categories: 

• cryptographic tools that allow certain data elements to remain hidden while in use; 
• distributed analytics tools where data is processed at the source; and 
• tools for pseudonymisation and anonymisation. 

Authentication: Logging in with a password is still one of the most commonly used forms of authentication. Depending on what you have to protect, this may also be enough, states the Dutch data protection authority. Yet logging in with a single factor remains unsafe. It is better to use multiple factors, such as a password combined with a code via SMS. Using biometric data, even if very reliable, demands extra protection and must therefore meet stricter security requirements. Another alternative is a digital token – the unique series of numbers is not generated from your characteristics but is stored on a chip in your access card. However, it would only work if it is and remains strictly personal. 

Big Data

TikTok Australia: The Australian Information Commissioner has launched an inquiry into the platform’s use of marketing pixels to track people’s online habits, The Guardian reports. This can include where they shop, how long they stay on websites and personal information, such as email addresses and mobile phone numbers of non-TikTok users. The probe will determine whether TikTok is harvesting the data of Australians without their consent. Chinese conglomerate, ByteDance, which owns the video-sharing platform has denied it violated Australian privacy laws. New privacy legislation in response to a review of the Privacy Act is expected to land in the Australian parliament this year and will allow more inquiries like this.

Body-related data: Organisations building immersive technologies, from everyday consumer products like mobile devices and smart home systems to advanced hardware like extended reality headsets, often rely on large amounts of data about individuals’ bodies and behaviours, states the Future of Privacy Forum. Thus, it offers detailed and illustrated instructions, on how to document body-related data categories, (raw voice recording, facial geometry, fingerprints), handle complicated data practices, (eg, eye tracking), evaluate privacy and safety risks, and implement best security practices. Download the framework here. 

Cookie depreciation: Google begins the next step toward phasing out third-party cookies in Chrome: testing Tracking Protection, a new feature that limits cross-site tracking by restricting website access to third-party cookies by default. The company will roll this out to 1% of Chrome users globally, (a key milestone in their Privacy Sandbox initiative to phase out third-party cookies for everyone in the second half of 2024).  Participants for Tracking Protection are selected randomly — and if you’re chosen, you’ll get notified when you open Chrome on either desktop or Android.

The post Data protection digest 18 Dec – 2 Jan 2024: EDPB says too early to revise GDPR, cross-border enforcement challenge ahead appeared first on TechGDPR.

Official guidance

APIs methodology: The French data protection authority CNIL issued a methodology guide for the use of application programming interfaces for all actors in the data-sharing chain, (in the context of a legal obligation, scientific research, for commercial or non-commercial purposes, with or without access restrictions, etc). All categories of APIs are covered by the recommendations when they are used by organisations for the sharing of personal data. Three technical roles are introduced: a) the data holder, b) the API Manager, and c) the data re-user. However,  the roles defined in this APIs methodology guide do not in any way prejudge the legal responsibility of each of the organisations. This responsibility must be determined by a case-by-case analysis. Read the full guide in French here. 

Medico-social sector: The CNIL also published a “retention periods” reference framework for the most frequent processing operations in the social and medico-social sectors and a practical guide proposing a methodology for the professionals concerned, (in French). The guidance is intended for public and private bodies such as social life support services, residential establishments for dependent elderly people, and administrative and judicial services for the protection of adults and minors.

Streaming platforms: The most common processing by streaming platforms includes identity and contact information, billing details, behavioural data, and technical information, explains the Latvian regulator. These data may be necessary to perform the contract, and other legal obligations, or to improve the service. However, additional processing for marketing needs generally falls outside this list and requires the prior consent of the user. Each legal basis provides a different scope of the data subject’s rights. Individuals should be free to stop data processing based on their consent, and the withdrawal of consent should not affect their ability to receive the content.

Legal processes

EU Data Act adopted: On 27 November a new law was adopted on fair access to and use of data. This is one of the five pieces of legislation included in the European Data Strategy package. Among other things, the data regulation sets out measures that allow users, (B2C, B2B and B2G), of various devices to access the data they create, which is often only collected by manufacturers, and to share this data with third parties to provide various data-based services. In addition, the regulation allows public sector authorities to obtain data held by the private sector if needed in emergencies. The Data Act will apply in twenty months time, in mid-2025. 

UK data protection reform: The UK government says it has carefully prepared a set of changes to the domestic, (post-Brexit), data protection legislation in 2024. Among many things, it includes clarification that data controllers only need to conduct reasonable and proportionate searches in response to a data subject access request. Another example is new powers to require data from third parties, particularly banks and financial organisations, for fraud checks. The proposal also covers using biometric data, such as fingerprints, to strengthen national security. Find the full list of the latest amendments here. 

Automated decision-making: Meanwhile the California privacy protection agency released a draft rulebook on automated decision-making technologies. The proposed regulations would implement consumers’ right to opt out of, and access information about the technology, as provided for by the California Consumer Privacy Act. The agency expects to begin formal rulemaking next year. The decision-making processes in this case include decisions about employment, compensations; profiling an employee, contractor, applicant, or student; using facial-recognition technology or automated emotion assessment to analyse consumers’ behavior in public places, and more. 

Data subject rights

A copy of your data: this is a collection of personal data held by a controller in a viewable file or document. It should be understood that this is a collection of information, and not a simple copy of one or several physical documents. If you know that a controller, (natural or legal person, public institution or other body), has your data, you can request a copy. You must identify yourself by providing at least your first and last name, additional information the organisation requests, and, if possible, include the period and other details. The organisation will “extract” information from its documents, information systems and other places, and will collect it in one place so that it is valid for issuance. 

If you submit the request electronically, the organisation is obliged to issue a copy in an electronic usable form. On the other hand, if you need information in a different format, it should be indicated in the request. A copy of personal data can also be cut from an audio or video recording, explains the Latvian regulator. Possible reasons for refusal may be, for example, problems in identifying a person, the requester’s data is not or no longer at the disposal of the organisation, or a vaguely expressed personal request, such as “Show me all my data”. Likewise, data may not be released in cases where specific data is not to be released to investigative, financial institutions or other public administration bodies.

DP tools

OLIVIA: The Croatian data protection authority has presented a virtual teacher and assistant for compliance with the GDPR, (available in English), allowing entrepreneurs the opportunity to learn what their basic obligations are, test their knowledge and create basic documents (eg, self-assessment reports, information notices or cookie banner examples), which help to prove compliance. You can test the OLIVIA tool here.

Digital development: A similar tool for data protection has been issued by the Swedish data protection authority aiming at public actors working with innovation, digitisation and digital business development. The methodology is based on two overarching prerequisites:

• An organisation that is to innovate must take into account the data protection regulations on an ongoing basis during the innovation work.
• Continuous and structured cross-functional collaboration is required between the actors – lawyers, technicians and managers – that participate in the innovation work. The tool, (in Swedish only), is available here. 

Discussion papers

Health research: In Germany, medical research projects are often carried out in more than one federal state. Depending on the research location, different data protection requirements must be observed, according to the Data Protection Conference. Differences exist about the admissibility of data processing, (various legal bases), the definition of areas of protection, including patients, and relatives and permissible purposes of processing. Thus, the regulator is appealing to federal and state legislators to clarify the relevant data protection regulations and is ready to assist.

Legal bases for using AI: The Baden-Würtemberg data protection authority published a discussion paper, (in German), on the legal basis for data protection when using AI, and invited public comments. The legal bases mentioned in Art. 6 of the GDPR are generally available to use by businesses, with legitimate interest to be of particular importance, and contractual law suitable to a certain extent. Finally, the valid consent criteria could be particularly challenged due to the lack of transparency and traceability of complex AI systems. 

Mobility data: The Luxembourg data protection agency adopted an opinion on the creation of a Digital Mobility Observatory under the authority of the government. Its mission will be to provide the data necessary for the planning of infrastructure to fit the changing needs of the population and businesses. The regulator wonders whether the observatory can function without processing personal data, by carrying out mobility studies on anonymised data. 

The regulator also doubts that all the processing complies with the principles of necessity and proportionality. The observatory would have access to a series of personal data, such as place of residence, employment status, gender, household composition and income range held by various public administrations. Moreover, even private entities would be obliged to grant access to their data, such as mobile operators.

EU-US data transfers

Data Protection Review Court: The Biden administration formed the first panel of judges for a new court, mandated by the EU-US Data Privacy Framework. The Data Protection Review Court was created through a presidential Executive Order in 2022. The panel will examine claims brought by individuals in the EU who believe the US government is digitally surveilling them in violation of US laws. The attorney general-appointed special advocate will represent the claims. According to a Politico analysis, the judges have the authority to make binding and final rulings that the intelligence community must follow if they determine a violation. 

Enforcement decisions 

Non-retroactivity of DPAs: The Belgian data protection agency recently decided on the invalidity of retroactive data processing agreements. The case refers to a public authority and its processor for various infringements of the GDPR, including the lack of a timely signed data processing agreement. These agreements should be in place before any personal data processing activities commence. A clause confirming the retroactive application of the agreement after the application date of the GDPR would not substitute it, as it prejudices the rights of third parties, such as data subjects. Read the analysis by DLA Piper of the case here. 

Outdated TOMs: The Norwegian Labour and Welfare Service was fined approx. 1,7 mln euros for various infringements of information security in their IT systems over a long period. This includes a large number of staff working on cases from all over the country, within several service areas, and thus having wide access to highly sensitive data. Additionally, no systematic control of staff use of the IT systems had been established, and the use of the system was largely based “on trust”.

Waste disposal: The Dutch regulator imposed a fine of 30,000 euros on a municipality for keeping information about waste from individual households for much longer than necessary. The wheelie bins and tokens for the waste compartments have a chip with a number that is linked to a home address. But the ‘dumping data’ was kept for far too long. Bin data was kept for as long as they were in use and token data was stored for 5 years. That is much longer than necessary to check whether a household exceeds the permitted waste amount. The data retention periods are now shortened to 14 days. The municipality also finally sent information letters about the technology, (in use from 2018).

Compliance audits

Customer data: The UK Information Commissioner’s Office assessed the compliance of some major customer-facing employers in the country. Some of the good practice identified was in staff training and disciplinary measures, data minimisation and access controls, and customer complaint mechanisms. For example, Uber Eats allows couriers to only view limited delivery and customer data and the delivery address. If opting for a call, temporary phone numbers appear at both ends to avoid disclosing their actual phone numbers, while messages are sent within the app. After the trip ends or in case of cancellation, the courier loses retrospective access to that data. Read more positive examples here.  

Similarly, the Commissioner’s Office carried out a consensual audit of Fluent Mortgages Horwich, after a series of complaints from individuals about disclosures of personal data to third parties, and withholding of call recordings. The regulator stated the need for more specific training for those responsible for handling data subject requests and the performance of data protection impact assessments. Also, processing activities may not all be correctly identified. As a result, the company may not have identified a lawful basis for all of their processing. 

Data security

Data classification: The US NIST has released for public comment a draft internal report on data classification concepts and considerations for improving data protection. This publication describes a  lifecycle that focuses on the high-level phases important to data classification: identify, use, maintain, and dispose of. However, not all data lifecycle phases occur for every data asset. Also, how a data asset is represented can be described in three broad categories: structured, semi-structured, and unstructured. 

Once data classifications are assigned, the organisation needs to enforce the data protection requirements. These encompass all of the controls needed to protect each data asset. An example would be: to encrypt the data asset when at rest or in transit, use a data integrity mechanism to detect tampering, allow access by members of a particular group only, and retain the data asset for a fixed period from the date it was acquired. Read more in the original paper.

Catalogue of security measures: Meanwhile the Danish data protection authority published a list of security measures that companies and authorities can consider in various contexts, (in Danish). Many of the measures contain concrete examples based on the regulator’s experience, reported data breaches, the EDPB’s guidelines and applicable ISO standards. The catalogue has been created in close cooperation between lawyers and IT security consultants and can function as a reference paper. Many measures can be implemented as part of the privacy-enhancing functions that support data protection in IT systems. However, the final assessment of necessary measures is always made by the organisation based on a concrete risk evaluation. 

Big Data

Healthcare data for sale: In the US, the University of Iowa Hospitals & Clinics is in settlement negotiations with a woman who alleges the hospital shared confidential patient information with Facebook. It allegedly installed on its websites two sets of computer code that tracks the online activity of people. That information then could be shared with Facebook, linked to the individual account, and sold to marketers who can then target the individual with ads tailored to their medical issues. The lawsuit seeks class-action status to represent a broad array of patients.

Meanwhile, in the UK, four organisations are suing NHS England, arguing that it lacks the legal authority to establish the Federated Data Platform (FDP). NHS England caused a stir when it awarded the US espionage tech company Palantir a 330 million pound contract to create and run the FDP for seven years starting in the spring of next year. The platform consists of software that will make information sharing across health service trusts, integrated care systems and regional groupings of trusts much easier. It claims this will enhance patient care, and tackle the current 7.8m-strong total case backlog, The Guardian sums up.

The post Data protection digest 16 Nov – 1 Dec 2023: APIs methodology, customer data minimisation, and digital mobility observatory appeared first on TechGDPR.

Legal processes

Financial data: The EDPS discussed recommendations to encourage data sharing to extend the range of available financial services and products, while also giving people or organisations control over the processing of their financial data. Individuals and organisations, according to the proposals, would govern access to their financial data using dashboards offered by financial institutions. Individuals would be able to monitor, limit, or authorize access to their information. Users should be supplied with comprehensive, accurate, and unambiguous information about the financial service provider asking for access to their data. It should also disclose the type of product, payment, or service for which an individual’s data will be utilized, as well as the categories of data required.

Digital Services Act: The Digital Services Act took effect for large online operators serving in the EU on 25 August. 19 platforms and search engines with at least 45 million users must comply with stricter rules concerning data collection, privacy, disinformation, dark patterns, online hate speech and more. This includes a ban on targeted advertising of minors based on profiling, and a ban on targeted advertising using special categories of personal data, such as sexual orientation or religion. Online platforms will be required to redesign their systems and prove they have done so to the European Commission, (including publishing the risk assessments). Additionally, vetted researchers can access the data of those services to conduct analyses on systemic risks in the EU. Smaller platforms will be subject to the same regulation beginning in 2024. They will, however, be supervised by national agencies rather than Brussels. 

Cybersecurity and risk assessment in California: The California Privacy Protection Agency, (CPPA), has published its proposed Cybersecurity and Risk Assessment Audit Regulations. According to the CPPA, official regulation processes for cybersecurity audits, data protection risk assessments, and automated decision-making technologies have yet to begin. These versions are intended to promote board deliberations and public participation. They provide standards for service providers and contractors, assisting organisations in meeting audit compliance. The regulations state that every business that processes personal information that potentially poses a serious risk to customers’ security must conduct an audit, (annually). It also describes the components to be evaluated and the measures to be taken, as summarized by digitalpolicyalert.org. 

EU-US Data Privacy Framework: Almost all transmissions of personal data to US-based companies, if they have committed themselves to the certification mechanism, are covered by the EU-US Data Privacy Framework, explains the Bavarian state data protection commissioner  However, for the transfers of personal data collected in the context of an employment relationship, (‘HR data’), the US business must explicitly state it in its certification. Particular attention must also be paid to onward transfers, for example, if the US processor working for the EU data exporter transmits the personal data to a sub-processor in another third country. The US adequacy decision cannot apply in this situation. 

Official guidance

‘Freedom of Information’ and data protection: Guernsey’s data protection commissioner discusses Freedom of Information requests that caused some of the most extraordinary data breaches recently, (eg, when details of thousands of police and civilian personnel employed by the Police Service of Northern Ireland were released in error). Freedom of Information generally refers to the right of citizens to access information held by public authorities. In reality, this information will often include personal data about individuals, whether that is staff, citizens or other individuals that the public authorities are in contact with. The rights of all individuals must be considered before any disclosure. If you are a data controller, you must understand your legal obligations concerning data subjects’ rights and have appropriate policies and procedures to ensure they are dealt with properly.

Biometric data: Meanwhile the UK Commissioner’s Office is currently consulting on draft guidance on biometric data. This guidance explains how data protection law applies to organisations that use or are considering using biometric recognition systems or vendors of these systems. At a glance:

• You must take a data protection by design approach when using biometric data.
• You should do a data protection impact assessment before you use a biometric recognition system. This is because using special category biometric data is likely to result in a high risk.
• Explicit consent is likely to be the only valid condition for processing available to you to process special category biometric data.
• If you can’t identify a valid condition, you must not use special category biometric data.

Employees’ digital monitoring rules: Digital work tools can record large amounts of data about employees, and therefore monitoring of it is heavily restricted, states the Norwegian privacy regulator. In most cases, the employer does not have the right to monitor the employee’s use of work tools, including the use of the Internet, unless the purpose of the monitoring is to manage the company’s computer network to uncover or clarify security breaches, etc. At the same time, it can be difficult for employers to introduce such measures in particular cases, as many regulations control different aspects of the working environment, and may include trade union approval, transparency obligations, data protection implications, and information security.

Privacy by default: This means that products and services are designed to ensure that a person’s privacy is protected from the outset and that they do not need to take any additional steps to protect their data, explains the Latvian data protection regulator. This approach is designed to minimise possible violations in the process of data acquisition and usage, and unauthorized access and risks that could arise if personal data comes into the possession of a third party. This may include minimal necessary data collection, default settings of the user account, (in “private mode”), limited data retention, (followed by automatic anonymisation or deletion of user data if the account is inactive for a certain period), user control tools, (whether to allow the user profile to be found in search engines, etc), clear information notices, (including all third parties with whom the data may be shared), and security measures, (encryption, regular security audits).

Enforcement decisions

UI Path data leak: The Romanian data protection authority has fined learning platform Uipath SRL approx. 70,000 euros for massive data loss. It did not implement adequate technical and organisational measures to ensure that, by default, personal data cannot be accessed, without the intervention of a person(s), including the ability to ensure the ongoing confidentiality and resilience of processing systems and services, as well as a process for regularly testing, assessing and evaluating the effectiveness of implemented measures. This fact led to the unauthorised disclosure and access to personal data, (user name and surname, the unique identifier, e-mail address, the name of the company where the user was employed, the country and details of the level of knowledge obtained within the courses), of about 600,000 users of the Academy Platform, for about 10 days. This violation is likely to bring physical, material or moral harm to the data subjects, such as the loss of control over their data or the loss of data confidentiality. 

Misconfigured cloud storage: The UK Information Commissioner issued a reprimand to a recruitment company: the organisation misconfigured a storage container, with 12,000 records relating to 3,000 workers, to be publicly accessible without any requirement to authenticate.  The personal data consisted of a variety of different data sets, including names, addresses, dates of birth, passports, ID documents and national insurance numbers. The company has since committed to periodically audit the configuration of cloud services as part of a wider security assessment including access rights, appropriate identity and access controls,  event logging and security monitoring. 

Vklass data leak: The Swedish privacy regulator has been reprimanding the learning platform Vklass for not being able to detect abnormal user behaviour in its learning platform and to track what happened in the system. Multiple complainants alleged that an unauthorized person came across personal data about teachers and students from the learning platform. The reports come from municipal committees and private businesses that conduct school and educational activities. The incident probably occurred because a student wrote a script that automatically saved information from the learning platform in its database and the information was then published openly on a website, which is now closed. 

Edmodo and minors’ consent: Meanwhile in the US, the Federal Trade Commission obtained an order against education technology provider Edmodo for collecting personal data from children without obtaining their parent’s consent and using that data for advertising, in violation of the Children’s Online Privacy Protection Act Rule, (COPPA), and for unlawfully outsourcing its COPPA compliance responsibilities to schools. Among many orders, the provider is obliged to identify the account in question and delete or destroy certain data, (from students under 13 years of age), periodically provide compliance reports to the Commission, permanently refrain from collecting more personal information than reasonably necessary for the child to participate in any activity offered on the online platform, etc.

Data security

High-risk systems: For some so-called “critical processing” IT systems, a data breach would create particularly high risks for people. As a result, they require an adequate level of security. To best support the professionals concerned, the French regulator CNIL submits a recommendation for public consultation, (in French). It specifically targets so-called “critical” treatments, defined by the following two cumulative criteria: a) the processing is large-scale within the meaning of the GDPR, and b) a personal data breach could have very significant consequences either for the data subjects, for state security or society as a whole. 

This includes customer databases and other processing that bring together a large part of the population, such as in the energy, transport, banking or large-scale dematerialised public services, health treatments, etc. Risk scenarios may include attacks by organised criminal organisations or “supply chain attacks”, likely to take place over a long period; the compromise of third-party service providers responsible for IT development, maintenance or support operations; the exploitation of unknown vulnerabilities of software or hardware components, the compromise of persons authorised to access the processing. 

Email security guidance: Guidance by the UK Information Commissioner explains what organisations should, and could do to comply with email security, including several case studies and a checklist. Even if email content doesn’t have anything sensitive in it, showing which people receive an email could disclose sensitive or confidential information about them. In brief: 

• You must assess what technical and organisational security measures are appropriate to protect personal information when sending bulk emails.
• You should train staff about security measures when sending bulk communications.
• You should include in your assessment consideration of whether using secure methods, such as bulk email services or mail merge services, is more appropriate, rather than just relying on a process that uses Blind Carbon Copy.
• If you are only sending an email to a small number of recipients, you could consider sending each one separately, rather than one bulk email. 

Big Tech

Open AI for organisations: Open AI offers its most powerful version of ChatGPT to enterprises. It has longer context windows for processing longer inputs, advanced data analysis capabilities, customization options and more. According to the company, 80 per cent of Fortune 500 companies, (largest US corporations), have registered ChatGPT accounts, as determined by accounts associated with corporate email domains. Businesses have expressed concerns about privacy and security, fearing that their data may be used to train ChatGPT and that the application could mistakenly reveal sensitive consumer information to AI models. According to OpenAI, ChatGPT Enterprise users will have complete rights and ownership over their data, which will not be used for algorithm training. 

‘Algorithmic disgorgement’: At the same time, the US Federal Trade Commission reminds companies of certain obligations when using Generative AI. When offering a generative AI product, companies need to inform customers whether and the extent to which AI training data includes copyrighted or otherwise protected material. Companies should not try to “fool people” into thinking that AI-generated works were created by humans. Companies must ensure that customers understand the material terms and conditions associated with digital products. The regulator also noted that unilaterally changing terms or undermining reasonable ownership expectations can be problematic, etc. Finally, in its enforcement of data protection regulations, the Commission has lately begun to compel “algorithmic disgorgement” – the destruction of not just the illegally obtained data itself, but also artificial intelligence models and algorithms constructed using such data.

The post Data protection digest 15 – 31 August 2023: financial data processing, misconducted learning platforms, and algorithmic disgorgement appeared first on TechGDPR.

Due to their age and general level of maturity and education, children are considered to be vulnerable and granted special rights in the eyes of the majority of jurisdictions. This is internationally recognised through, for example, the United Nations’ Convention on the Rights of the Child. This vulnerability is considered across different areas of legislation, including data protection, leading to specific provisions being included in the GDPR, such as Art. 8, laying the conditions for information society services to process children’s data.

Art. 8 GDPR’s requirements and the age of digital consent

Art. 8 of the GDPR is the only article that regulates the processing of children’s personal data specifically. It provides that the processing of personal data of children is lawful when the child is at least 16 years old (age of digital consent), or, if below that age, only where consent has been given by the holder of parental responsibility for said child. The GDPR also allows for the individual member state to independently legislate on whether the age limit can be lower than 16, so long as it is no lower than 13. Countries such as Germany and the Netherlands have opted to stick to the standard already established by the GDPR, while others, including Belgium and the UK prior to its departure from the EU, have lowered the threshold to the lowest possible age of 13. Notably, the UK’s current data protection provision still maintains that the age of digital consent is 13.

With this provision, the inevitable consequence is to first and foremost ensure that the age of a data subject is appropriately verified, in order to assess whether these rules apply and take the appropriate steps. However, recent cases and studies have shown that it is inherently difficult to gain consent of a parent or guardian, as there are no appropriate mechanisms in place to ensure that children are being truthful about their age.

Growing concerns about the processing of children’s data

One of the main issues that information society services face in regards to the processing of children’s data, is that these services are not aware that many of the users are actually under the age of digital consent. So far, the majority of these platforms have been relying on relatively lax forms of self declaration, meaning that the platforms offer services on the legal assumption that the user is responsible for declaring their age truthfully, which leads to users easily lying about their age to gain access to platforms where no extra assurance is required. 

UK’s Ofcom research has shown that for platforms such as TikTok and Facebook, which only required users to indicate their date of birth, the vast majority simply indicated a date of birth that would indicate that the user is older than they actually are. The main issue with this is that this may set up young users to be exposed to content that is not safe for their age, and also expose them to unlawful collection of their personal data from these platforms. 

It is therefore unsurprising that Meta and TikTok have been the two biggest companies being fined for violations in regards to misuse of children’s data by the Irish and UK’s data protection authorities respectively. In fact, the UK’s ICO noted that TikTok had been aware of the presence of under 13s in the platform but it had not taken the right steps to remove them. 

It becomes clear that the development and implementation of more stringent age assurance techniques is necessary to ensure that personal data of children is only processed in accordance with GDPR standards. Whilst the EU is yet to come up with specific guidelines in regards to this matter, the UK has published the Children’s Code, to be applied to online services likely to be accessed by children as a code of practice.

Age assurance mechanisms

Amongst 15 other standards that the Code implements, there is the need to ensure that the product and its features are age-appropriate based on the ages of the individual users. To be able to do so, the code requires that the age of users is established with the appropriate level of certainty, based on the risk level of the processing and taking into account the best interest of the child. Therefore, it is also crucial under the code, to carry out a Data Protection Impact Assessment (DPIA) prior to the processing of children’s data, to evaluate said risk level.

The code suggests some additional age assurance mechanisms that information society services may put in place, and the UK’s children’s rights foundation 5Rights has identified additional ones and its possible use cases, advantages and risks. Some of these include: 

• Hard Identifiers, such as sharing one’s ID or Passport or other identifying information. Those are considered to provide a high level of assurance, but raise concerns in regards to data minimisation and might otherwise lead to a disproportionate loss of privacy. Organizations are generally advised to implement appropriate storage limitation periods for those, limited to what is needed to verify an individual’s age once, making it tricky to demonstrate having checked that information, for compliance. Youtube and Onlyfans are examples of ISS that makes use of this mechanism to give access to age-restricted content.
• Biometric data relies on the use of artificial intelligence to scan for age-identifiers on a person’s face, natural language processing or behavioral patterns. It is more commonly used through facial recognition. However, it presents a high degree of risk due to the use of special categories of data, risk of discrimination by biased artificial intelligence and the effective profiling that takes place. Whilst it does provide a high level of assurance, it also requires a very stringent mechanism in place in order to ensure data is processed safely. GoBubble is a social network site made for children in schools that has been using this kind of age assurance technology, by requesting users to send a selfie upon sign up. Meta is also currently in the process of testing this method of age assurance, by working with Yoti, one of the leading age assurance technology developers.

• Capacity testing allows services to estimate a user’s age through an assessment of their capacity. For example, through a puzzle, language test or a task that might give an indication of their age or age range. Whilst this is a safe and engaging option for children, and does not require the collection of personal data, it might not be as efficient at determining the specific age of a user. The Chinese app developer BabyBus uses this type of methodology in its app, by providing a test where users are asked to recognise traditional Chinese characters for numbers.

More examples and use cases of age assurance mechanisms are provided in the 5Rights report. 

Therefore, although it may be difficult to strike a balance between appropriately verifying users’ age prior to sign up, and avoiding over-intrusive measures to do so, it is apparent that solely relying on the user being truthful about their age is no longer sufficient for the majority of platforms, especially when processing vast amounts of personal data, sensitive data or use personal data for targeted advertising. With the growing number of very young children accessing the internet, it is important to ensure that they are protected, their fundamental rights respected, and relevant data protection provisions are fulfilled. In recent years, large steps have been made in the development of alternative secure identity and age verification technologies. The tools are therefore available for organizations to ensure that their GDPR requirements are also met in this respect. 

TechGDPR is a consultancy based in Berlin offering GDPR compliance assessments, DPO-as-a-service retainers and hourly consulting. TechGDPR consultants help assess the vendors you wish to purchase your solutions from, navigate the complexity of international data transfers as well as guide you through the most compliant roll-out of the solutions you have purchased. TechGDPR routinely trains product development, HR, marketing, sales and procurement teams in understanding data protection requirements.  It offers an online training course for software developers, system engineers and product owners.

The post Processing children’s data and implementing age assurance mechanisms appeared first on TechGDPR.