AI Act Archives - TechGDPR
https://techgdpr.com/blog/tag/ai-act/

Data protection digest 3-17 July 2025: AI-generated voice and visuals’ potential to violate people’s rights and freedoms
https://techgdpr.com/blog/data-protection-digest-17072025-ai-generated-voice-and-visuals-potential-to-violate-peoples-rights-and-freedoms/
Thu, 17 Jul 2025 14:29:25 +0000

A recent Guardian article caused a stir when it reported that an AI-generated band had reached one million plays on Spotify within a couple of weeks. Only after releasing two albums did the group, called “The Velvet Sundown”, admit that its music, images and backstory were created by AI. The story has triggered a debate on authenticity and on the absence of any legal obligation to label music by AI-generated artists so that consumers can make informed choices.

For data protection professionals, the story opens an even broader discussion: what risks do voice and image generation technologies pose to the rights and freedoms of individuals?

AI-generated speech and images

In its recent opinion, the Latvian data protection regulator DVI presumed that, when an image is created with the help of AI from scratch (eg, by entering the keywords “children playing”), no personal data is processed, as the image does not refer to a specific real person. However, there are many cases where the image is created from a photograph or a visual description of a specific person. If such an image is later associated with an identifiable person, its generation and publication may amount to processing of personal data. Although synthetic images can raise doubts about the veracity of the content, the regulator notes that AI-generated visual material still allows the necessary information to be conveyed to the audience while respecting people’s privacy (eg, in fundraising campaigns for children in distress).

Similarly, voice generation technology is taking over our everyday lives. The Liechtenstein data protection commissioner, in a recent interview, reminds us that cloned voices can be deceptively similar to genuine ones and can therefore easily be used to mislead third parties, for example in fraudulent calls or fake audio recordings of politicians, celebrities or even colleagues. Anyone who makes their voice publicly available or works with language professionally is providing potentially valuable training material for AI systems. It is therefore recommended to provide clear copyright notices and, where necessary, to regulate use by third parties contractually. General or tacit consent to processing is not sufficient; explicit, informed consent is required. The data controller may also be obliged to conduct a data protection impact assessment (DPIA) if the processing is expected to pose a high risk to the rights and freedoms of natural persons.


EU AI Code of Practice

The European Commission published the final version of the General-Purpose Artificial Intelligence Code of Practice. The document helps industry comply with the AI Act legal obligations on safety, transparency and copyright of general-purpose AI models. The code was published on July 10, 2025. In the following weeks, Member States and the Commission will assess its adequacy. Additionally, the code will be complemented by Commission guidelines on key concepts related to general-purpose AI models, to be published later in the month. More information on the code is available in this dedicated Q&A.

US child privacy updates

On 1 July, Connecticut’s Act concerning Social Media Platforms and Online Services, Products and Features entered into force. According to a digitalpolicyalert.org analysis, the act expands the Connecticut Data Privacy Act, defining “heightened risk of harm to minors” to include risks such as anxiety disorders, compulsive use, physical violence, harassment, sexual exploitation, unlawful distribution of restricted substances, and unlawful gambling. The act requires owners of social media platforms to incorporate an online safety methodology by 1 January 2026. Data controllers must use reasonable care to avoid such risks, conduct data protection assessments, and implement mitigation plans. Processing of minors’ personal data for targeted advertising, sales, or profiling is prohibited, and collection of precise geolocation data requires safeguards. Impact assessments are mandated for profiling-based services, detailing purpose, risks, data categories, and transparency measures.

In parallel, Oregon will begin to regulate the use of minors’ information and sale of users’ location data (regardless of age) with an update to its Oregon Consumer Privacy Act. These revisions will go into effect January 1, 2026. As amended, those subject to the law will not be able to profile or serve targeted advertising to anyone under 16. And Maryland will impose a similar prohibition on the same date, but for information of those under 18, eyeonprivacy.com law blog reports.

Anonymisation

The Asia Pacific Privacy Authorities (APPA) have published an overview of basic anonymisation concepts and practical steps that can be put in place to enable organisations to kickstart their anonymisation journey. Proper anonymisation requires both good knowledge of the data context and competency with the technicalities of anonymisation. Where the data controller does not have the necessary level of skills, they should consider engaging an expert to perform the anonymisation.

It is also recommended to refer to the ISO standard titled ‘Information Security, Cybersecurity and Privacy Protection – Privacy Enhancing Data De-identification Framework’ (ISO/IEC 27559:2022). This standard recognises that anonymisation involves not only the data itself but also the context in which data is shared and used, as well as the governance practices in place.  

Audience consent exemption

The management of a website or mobile application generally requires traffic or performance statistics, which are often essential for providing the service. Cookies placed for this purpose may be exempt from consent under certain conditions, states the French CNIL. To remain within what is strictly necessary for the provision of the service, and thus be exempt from consent, these trackers must:

  • be used for a purpose strictly limited to the sole measurement of the audience of the site or application (performance measurement, detection of navigation problems, optimisation of technical performance or its ergonomics, estimation of the power of the servers required, analysis of the content consulted);
  • be used to produce anonymous statistical data only.

Conversely, to be exempt from consent, these trackers must not:

  • lead to data being cross-referenced with other processing operations or to non-anonymous data being transmitted to third parties;
  • allow tracking of the individual’s browsing experience using different applications or browsing different websites. Any solution using the same identifier across multiple sites (for example, via cookies placed on a third-party domain loaded by multiple sites) to cross-reference, split, or measure a unified content reach rate is excluded.
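The two exclusion conditions above (no cross-referencing with other processing, no identifier shared across sites) are the ones an auditor can actually check from the outside, by recording the cookies each site sets and comparing them across sites. The following is an added example, not CNIL’s tooling or any vendor’s code: it takes constructed cookie observations from two first-party sites, flags measurement cookies set on a domain other than the visited site’s own, and flags any identifier (same domain, name and value) that turns up on more than one site. The `registrable_domain` helper is deliberately simplified to the last two DNS labels; real tooling should use the Public Suffix List.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CookieObservation:
    site: str    # host of the first-party page that was loaded
    name: str    # cookie name
    domain: str  # Domain attribute the cookie was set for
    value: str   # cookie value (the identifier, if it is one)


def registrable_domain(host: str) -> str:
    """Simplification used by this example only: the last two DNS labels.
    Production tooling should consult the Public Suffix List instead."""
    labels = host.strip().lstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def audit_audience_cookies(observations):
    """Return findings that would take a tracker outside the consent exemption."""
    findings = []

    # Rule 1: a measurement cookie must be set on the visited site's own domain.
    for obs in observations:
        if registrable_domain(obs.domain) != registrable_domain(obs.site):
            findings.append(("third_party_domain", obs.site, obs.name, obs.domain))

    # Rule 2: the same (domain, name, value) observed on different first-party
    # sites is a shared identifier that links a user's browsing across them.
    sites_by_identifier = defaultdict(set)
    for obs in observations:
        key = (registrable_domain(obs.domain), obs.name, obs.value)
        sites_by_identifier[key].add(registrable_domain(obs.site))
    for (domain, name, _value), sites in sites_by_identifier.items():
        if len(sites) > 1:
            findings.append(("cross_site_identifier", tuple(sorted(sites)), name, domain))

    return findings


# Constructed sample (not real captures): two first-party sites, each setting its
# own first-party statistics cookie and each loading the same third-party tag.
SAMPLE = [
    CookieObservation("news.example", "_stat", "news.example", "s-7f3a"),
    CookieObservation("news.example", "uid", ".tracker.test", "u-123456"),
    CookieObservation("shop.example", "_stat", "shop.example", "s-91c0"),
    CookieObservation("shop.example", "uid", ".tracker.test", "u-123456"),
]


def run_sample():
    return audit_audience_cookies(SAMPLE)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample, the two `_stat` cookies pass both rules, while the `uid` cookie is reported twice as third-party and once as a cross-site identifier linking news.example and shop.example. Note that a first-party cookie domain alone does not prove compliance: a value that is later sent to a third party or joined with other datasets fails the first exclusion condition, and that cannot be seen from the cookie jar.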

AI system data quality

The Federal Office for Information Security in Germany presented a methodological guide called QUAIDAL (in German), aimed primarily at providers of high-risk AI systems, for which the AI Act defines detailed requirements regarding documentation, data management, and continuous quality assurance. The modular design of the guideline allows project managers and development teams to select appropriate measures to ensure data quality at an early stage and systematically demonstrate their implementation. Furthermore, this modular concept can be flexibly expanded in the future to accommodate new technological developments. 

More from supervisory authorities

Emotion recognition: The Dutch data protection regulator AP notes that organisations are increasingly using AI to recognise emotions in people: the voice can be used to analyse your emotional state during a customer service conversation; your smartwatch measures your stress; or a chatbot that recognises your emotions can therefore respond more empathetically.


However, emotion recognition is based on controversial assumptions about emotions and their measurability. It is not always clear how AI systems recognise emotions, nor whether the results are reliable. People are also not always aware that emotion recognition is being used, nor of the data it relies on. Finally, in education and the workplace, the use of AI systems for emotion recognition is already prohibited under the EU AI Act.

LLMs and data subject rights: The German Federal Data Protection Commissioner has launched a consultation, running until 10 August, on processing personal data in large language models in a way that complies with data protection law. The main topics are the limits of anonymisation, the memorisation of personal information, the risk of data extraction, and the protection of GDPR data subject rights in AI systems. According to a digitalpolicyalert.org summary, the results are intended to support compliant methods for handling personal data memorised by AI models.

EU minors’ data: The European Commission has published guidelines on the protection of minors under the Digital Services Act. The guidelines aim to ensure a safe online experience for children and young people on online platforms accessible to minors (excluding micro and small enterprises). They suggest measures such as setting minors’ accounts to private by default, so that their personal information, data and social media content are hidden from people they are not connected with, reducing the risk of unsolicited contact by strangers; effective age assurance methods; preventing the downloading or screenshotting of minors’ content; improved moderation and reporting tools; and much more.


Data-driven pricing

The Future of Privacy Forum reports that US state lawmakers (eg, through a new New York bill) are seeking to regulate various pricing strategies that fall under the umbrella of “data-driven pricing” (often algorithm-based): practices that process user data to continuously inform decisions about the prices and products offered to consumers. They fall into one of the following categories:

  • Reward or loyalty program: A company offers a discount, reward, or other incentive to repeat customers who sign up for the program. 
  • Dynamic pricing: Rapidly changing the price of a particular product or service based on real-time analysis of market conditions and consumer behavior.
  • Consumer segmentation or profiling: A profile is created for a customer based on their personal data, including behavior and/or characteristics, and they are placed within a particular audience segment. 
  • Search or product ranking: Altering the order in which search results or products appear, to give more prominence to certain results, based on general consumer data or specific customer behavioral data. 

Age-verification in shops

The French CNIL also considers that the use of “augmented” cameras to estimate the age of customers of tobacco shops in order to control the sale of prohibited products to minors is neither necessary nor proportionate. Currently deployed devices are enabled by default and scan the faces of all people in their field of vision. They then indicate, by a green or red light, whether or not the estimated age of the people exceeds a predetermined age (18 years old, 21 years old or other). The law requires tobacconists to check that their customers are of legal age before selling tobacco or alcohol. However, these devices can only estimate the age of people, without certainty, and they carry a risk of error, like any artificial intelligence system. 

To fulfil their age control obligations, tobacconists must therefore resort to other solutions, such as verification of an identity document or any official document containing the person’s date of birth.

Prohibited AI practices facing privacy enforcement

The Spanish privacy regulator AEPD stated that it can already act against prohibited AI systems that process personal data, independently of the AI Act’s phased entry into application. A further set of the AI Act’s provisions applies from 2 August 2025, even though the Spanish draft AI law has not yet been approved and the AEPD has not yet been formally designated as a market surveillance authority. The agency’s status as the competent authority for personal data protection, however, is unchanged. Therefore, although this is not a direct application of the AI Act, the regulator may supervise and act against processing of personal data carried out using prohibited systems.

In other news

Insurance agency data leak: The personal data protection agency in Croatia has imposed eight new administrative fines totalling 350,500 euros. In particular, following an anonymous report that the personal data of more than a million vehicle owners had been “leaked” from the state register, the regulator conducted supervisory procedures at several related entities: the Croatian Insurance Bureau, the Croatian Vehicle Center, the Ministry of the Interior of the Republic of Croatia, and other legal entities associated with the incident.

It was established that the leaked data submitted to the regulator on a USB stick (vehicle owner data, vehicle data, insurance data and data on discounts (bonuses/minimums)) matched the database of the Croatian Insurance Bureau. As the data controller, the Bureau had not taken appropriate organisational and technical measures to protect the personal data of the data subjects, and had not separately prescribed maximum retention periods for the personal data contained in the register.

Biometric identification fine: The Spanish AEPD fined sports centre operator SIDECU 160,000 euros for infringements including unlawful biometric data processing; the amount was eventually lowered to 96,000 euros, according to Data Guidance. SIDECU used facial recognition as the only way to enter its sports facilities, without offering any alternative, which violated GDPR Art. 9. In violation of Art. 13, it also failed to properly inform members about the processing, and it did not conduct the data protection impact assessment required by Art. 35. SIDECU was given ten working days to halt the processing.

Political party fine

The Romanian data protection regulator fined the Alliance for the Unity of Romanians Party, AUR (a right-wing populist political party in Romania and Moldova), approximately 25,000 euros following a data leak. One of the notified security breaches concerned the aur.mobi application used and managed by the party, whose vulnerability was exploited by a third party by accessing the application’s source code. Due to a configuration error, at the time of the incident the following categories of personal data of its users (supporters/members, ie individuals who provided personal data in the controller’s application) could be viewed within the application:

  • first and last name, 
  • telephone number, e-mail address, residence address, personal id number, 
  • date of birth, nationality, citizenship, gender, religion, 
  • profession, occupation, field of activity, experience in other fields, studies (institution, specialisation, start and end dates), 
  • political experience (party, position, start date, end date), 
  • administrative experience (institution, position, start date, end date), 
  • foreign languages spoken (language, level).

The investigation found that personal data were processed by the controller for the purpose of informing data subjects about an AUR campaign and for statistical purposes, and that the processed data are not adequate, relevant and limited to what is necessary in relation to the declared purposes.

DPO’s conflict of interest

In Estonia, a county court overturned the decision of the Data Protection Inspectorate, which imposed a fine of 85,000 euros on Asper Biogene for violating data protection requirements. The inspectorate accused Asper of two significant violations in the misdemeanor proceedings. Firstly, the company appointed a sole board member as a data protection specialist, who lacked both the necessary independence and competence to perform this role.  Secondly, Asper Biogene had not implemented sufficient security measures, which allowed unauthorized persons to access the company’s database during a cyber attack in 2023. A large volume of data was downloaded, including special categories. 

The county court agreed that a member of the board, who manages the company’s activities and decides on the purposes and means of data processing, cannot at the same time independently perform the duties of a data protection specialist. However, the court found that the violation was committed through negligence and took into account the fact that the company had later appointed a competent specialist and implemented additional security measures. The court decided that the fault of the person subject to the proceedings was minor and that there was no public interest in the proceedings. The regulator does not agree with these findings and is preparing an appeal.

In case you missed it 

Swimming pool surveillance: It is the height of summer, and concerns about theft, break-ins and swimming accidents are increasing. Facilities are therefore increasingly turning to video surveillance and AI. However, not everything that is technically possible is compatible with data protection, explains the North Rhine-Westphalia data protection regulator.

For example, burglaries at swimming pools regularly occur outside business hours, so recording must be limited to those times. To prevent unauthorised access during normal business hours, only the entrance area or access barrier may be recorded. Locker break-ins are also frequent; in these cases, video surveillance may be permitted in a limited capacity, but changing areas must never be included. Areas subject to video surveillance should be specially marked, for example by colour-coded flooring.

At the same time, operators are increasingly turning to artificial intelligence to prevent swimming accidents. However, their use should not replace existing supervisory measures, but can at best complement them, because AI systems still have a significant error rate.

Traveling with data privacy in mind: Online activity onboard trains requires a few simple precautions to travel with peace of mind, states the French CNIL. A password written on a piece of paper stuck to your computer, a screen visible to other passengers or an unlocked computer when you leave your seat are small seemingly innocuous mistakes that can expose your personal data, your private and professional life and compromise the security of your devices. The essential safeguards can include:

  • Always lock your devices when you’re away.
  • Reduce the visibility of your screen to other passengers and use a privacy filter.
  • Take care when using public Wi-Fi.
  • Do not save your credentials or other data in the browser.
  • Protect your passwords with dedicated tools.
  • Stay vigilant against phishing attempts, etc.

Data protection digest 3 – 17 Apr 2025: Meta AI training restarts in Europe, virtual assistants vs data privacy
https://techgdpr.com/blog/data-protection-digest-18042025-meta-ai-training-restarts-in-europe-virtual-assistants-vs-data-privacy/
Fri, 18 Apr 2025 07:59:21 +0000

Meta AI training in EEA

According to the Norwegian regulator Datatilsynet, Meta will start training its AI service on photos, posts and comments from Facebook and Instagram users in the EEA at the end of May 2025. The purpose of the training is to develop and improve Meta’s generative AI services, based on users’ content and interactions with Meta’s AI services. The training will only include content that is published publicly. Furthermore, Meta will only use photos and posts published by users over the age of 18 to train the AI model. The training includes both historical and future information that is shared publicly. If you do not want your posts and photos to be used to develop Meta’s AI, you can object. If you have both a Facebook and an Instagram account, or multiple accounts, the objection applies to all accounts that are added to the same ‘Account Center’. You do not need to justify your objection. Meta has stated that it accepts all objections.


GDPR supervision in Germany to be eased?

According to a DLA Piper analysis, the future German government plans to centralise the country’s data protection supervisory authority structure and to ease the regulatory burden for small and medium-sized companies. Responsibilities and competencies for the private sector in all 16 states are to be bundled into the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

Therefore, there would be no need to report data security breaches to multiple state supervisory authorities where impacted data subjects reside, and data controllers and processors would only need to collaborate with one national supervisory authority. The German plan coincides with the recent announcement of the Commission’s plans to amend or simplify some obligations for small and medium-sized companies, among others, under the GDPR. 

More legal updates

Cloud computing and data sharing in the EU: Before the Data Act starts to apply on 12 September 2025, the Commission is providing guidelines on non-binding Model Contractual Terms (MCTs) for data sharing and Standard Contractual Clauses (SCCs) for cloud computing contracts. These B2B models are intended to help, in particular, small and medium-sized companies and other organisations that may lack the resources to draft and negotiate fair contractual clauses. The Commission also seeks feedback on the preparatory work for the Cloud and AI Development Act and the single EU-wide cloud policy for public administrations and public procurement. It would like to gather stakeholders’ views on the EU’s capacity in cloud and edge computing infrastructure, especially in light of increasing data volumes and demand for computing resources, both fuelled by the rise of compute-intensive AI services. Submissions are open from 9 April to 4 June.

EU cybersecurity: To strengthen the EU’s resilience against rising cyber threats, the Commission seeks input to evaluate and revise the 2019 Cybersecurity Act. This initiative reflects the Commission’s ongoing commitment to simplifying the rules and facilitate their implementation. Interested parties, including Member State competent authorities, cybersecurity authorities, industry and trade associations, researchers and academia, consumer organisations, and citizens, are invited to give their views on the Have Your Say portal until 20 June. In parallel, the Commission seeks contributions to enhance cybersecurity for hospitals and healthcare providers, as well as for the implementation of the European Digital Health Space, following the publication of the Action Plan in January. This includes citizens, healthcare professionals, healthcare authorities, patients, compliance and data privacy professionals, cybersecurity professionals, organisations, and academia, among others, to share their views. The deadline for contributions is 30 June.

EDPB on blockchain technology

The EDPB has adopted long-awaited guidelines on the processing of personal data through blockchain technologies. A blockchain is a distributed digital ledger that can confirm transactions and establish who owns a digital asset (such as cryptocurrency) at any given time. Blockchains can also support the secure handling and transfer of data, ensuring its integrity and traceability. Depending on the purpose of the processing for which blockchain technology is used, different categories of personal data may be processed.

The guidelines highlight, among other things, the need for Data Protection by Design and by Default and for adequate organisational and technical measures. As a general rule, storing personal data on a blockchain should be avoided where this conflicts with the GDPR (eg, with the data subject’s rights to rectification and erasure, which an append-only ledger cannot honour). The guidelines provide examples of different techniques for data minimisation and for handling and storing personal data.

Consent management

The Consent Management Ordinance in Germany comes into effect. Effective from April 1, it regulates obligations for trusted consent management service providers. It mandates certain recognised services to store user settings and allows voluntary integration by digital service providers. In addition, it protects data portability rights of users and restricts consent management services from processing personal data beyond the purpose for which it was originally collected and stored. 

Data breach statistics

The Estonian data protection regulator estimates that in the first quarter of 2025 the number of breach reports increased by 48% compared to the same period in 2024. In January, February and March, organisations notified the agency of a total of 65 data breaches; in 30 cases, the breach involved the public sector or an agency it manages. The most common causes since the start of the year are negligence and human error, technical errors in information systems, and unlawful access to personal data caused by cyberattacks. In particular:

  • There were cases where employees abused the access rights granted to them to perform their duties. Personal data was looked up both out of curiosity and in order to distribute it on social networks or leak it to the press.
  • An employee who left an educational institution, being the sole administrator of the school’s Facebook group, refused to transfer the group’s administration rights to the school. He changed the group’s name and smeared his former employer there.
  • A popular e-learning environment used in schools was targeted by a cyberattack in which the attacker, likely using credentials obtained from earlier, unrelated data leaks, attempted to hijack the accounts of the environment’s users. Use of multi-factor authentication was not required in the environment.

More from supervisory authorities

AI Privacy Risks and Mitigation: To help developers and users of large language model-based systems handle privacy issues, the EDPB provides a new practical guide. The paper offers organisational and technical measures to maintain data protection following GDPR Art. 25 – Data protection by design and by default, and Art. 32 – Security of processing. The guideline, however, is not meant to replace a Data Protection Impact Assessment (DPIA), following GDPR Art. 35. Instead, by addressing privacy issues unique to LLM systems, it enhances the DPIA process. 

Mobile apps: The French CNIL published a modified version of its recommendations to better protect privacy in mobile applications, adopted in 2024, (in French). It is aimed at professionals working in the mobile application sector in the role of data controllers and processors, namely: a) app publishers; b) app developers; c) software development kit (SDK) providers; d) operating system providers; e) app store providers. This recommendation covers all types of applications, which can be: 

  • “native” (developed in the programming language specific to the operating system on which they run);
  • “hybrid” (developed with languages and technologies from web programming, then packaged into an application using specific tools);
  • “progressive web apps” (PWA) (dynamic web pages presented to the user in the form of apps).

AI public sandbox:  The CNIL has also published the results of its “sandbox” personalised support programme for players who wish to be advised on how to deploy an innovative project: 

  • France Travail’s tool, (French unemployment agency), helps its advisors to offer a personalised training course adapted to the needs of job seekers. 
  • Nantes Metropole’s Ekonom’IA project: raising awareness among residents about their water consumption levels through an AI program; and 
  • The RATP’s, (Paris transport operation company), PRIV-IA project: studying algorithmic processing of images from new video capture technologies (so-called Time-of-flight cameras). 

Emotion recognition under the AI Act


A recent analysis by DLA Piper examines two real-world uses of emotion analysis in AI-supported work environments to highlight the effects of the recently adopted EU AI Act. The first case study applies emotion analysis to sales conversations: the global company’s US-based chief revenue officer wants to roll out software that would give staff worldwide consistent sales training by comparing the calls of top performers with those of the lowest performers.

In the second case study, a busy consulting business wants to use a remote application and onboarding process to broaden its pool of candidates to include people who want to apply for wholly remote positions. The company is eager to implement software that enables interview scheduling through a platform with cutting-edge AI-powered capabilities. One element of the system analyses applicants’ speech tones, facial expressions, and other non-verbal indicators.


In other news

Brute force attack: The UK’s Information Commissioner’s Office has fined DPP Law 60,000 pounds following a cyber-attack that resulted in highly sensitive and confidential personal information being published on the dark web. The brute force attempts targeted an administrator account for a legacy case management system that was only sporadically exposed online. At the time of the incident, DPP enforced multi-factor authentication for VPN connections to its network, but the administrator account did not have MFA because it was treated as a service account.
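The DPP incident above and the Estonian e-learning case in the previous digest section are the two login-attack patterns a detection engineer should be able to tell apart: brute force (many failures against one account from one source) and credential stuffing (one or two failures each against many accounts from one source, with the occasional success when a reused password matches). The following is an added example, not code from the ICO, DPP or any product: it runs both detections over constructed log lines in a hypothetical `ip=… user=… result=…` format, flags a success that follows a burst of failures for the same account, and ranks alerts against an account inventory so that hits on accounts exempted from MFA (the DPP failure mode) come out on top. Thresholds and window are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not a real product's format):
#   <ISO-8601 UTC timestamp> ip=<addr> user=<name> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(lines):
    """Parse lines into (timestamp, ip, user, result) tuples, oldest first.
    Lines that do not match the format are skipped rather than crashing the run."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["result"]))
    events.sort()
    return events


def detect_attacks(events, window=timedelta(minutes=10),
                   bf_threshold=5, stuffing_threshold=5, success_threshold=3):
    """Return sorted (kind, ip, user) alerts. user is "*" when no single account is targeted."""
    alerts = set()
    fails_by_ip = defaultdict(list)        # ip -> [(ts, user)]
    fails_by_ip_user = defaultdict(list)   # (ip, user) -> [ts]

    for ts, ip, user, result in events:    # events are time-ordered
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
            fails_by_ip_user[(ip, user)].append(ts)
        else:
            # A success right after repeated failures for the same account is the
            # signature of a guessed or stuffed password, not a typo.
            recent = [t for t in fails_by_ip_user[(ip, user)] if ts - t <= window]
            if len(recent) >= success_threshold:
                alerts.add(("success_after_failures", ip, user))

    for ip, items in fails_by_ip.items():
        start = 0
        for end in range(len(items)):
            # Slide the window so items[start:end+1] all fall within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in items[start:end + 1]:
                per_user[user] += 1
            for user, n in per_user.items():
                if n >= bf_threshold:                # many failures, one account
                    alerts.add(("brute_force", ip, user))
            if len(per_user) >= stuffing_threshold:  # few failures, many accounts
                alerts.add(("credential_stuffing", ip, "*"))

    return sorted(alerts)


def prioritise(alerts, accounts):
    """accounts: user -> {"mfa": bool}. Alerts on accounts without MFA, and stuffing
    alerts (where the target set is unknown), are the ones to act on first."""
    return [a for a in alerts
            if a[2] == "*" or not accounts.get(a[2], {}).get("mfa", False)]


# Constructed sample log (TEST-NET addresses, no real systems).
SAMPLE_LOG = [
    # brute force against a legacy admin account: six failures, then a success
    *[f"2025-03-02T10:00:0{i}Z ip=203.0.113.5 user=admin result=FAIL" for i in range(1, 7)],
    "2025-03-02T10:00:07Z ip=203.0.113.5 user=admin result=OK",
    # credential stuffing: one failure each against five users, one reused password works
    *[f"2025-03-02T11:00:0{i}Z ip=198.51.100.7 user=user{i} result=FAIL" for i in range(1, 6)],
    "2025-03-02T11:00:06Z ip=198.51.100.7 user=user3 result=OK",
    # brute force against an account that does have MFA
    *[f"2025-03-02T13:00:0{i}Z ip=192.0.2.10 user=bob result=FAIL" for i in range(1, 6)],
    # benign: a user mistyping twice, then succeeding
    "2025-03-02T12:00:01Z ip=192.0.2.9 user=alice result=FAIL",
    "2025-03-02T12:00:02Z ip=192.0.2.9 user=alice result=FAIL",
    "2025-03-02T12:00:03Z ip=192.0.2.9 user=alice result=OK",
    "garbage line that does not parse",
]

ACCOUNTS = {
    "admin": {"mfa": False},   # service-style admin account exempted from MFA
    "alice": {"mfa": True},
    "bob": {"mfa": True},
    "user3": {"mfa": True},
}


def run_sample():
    alerts = detect_attacks(parse_auth_log(SAMPLE_LOG))
    return alerts, prioritise(alerts, ACCOUNTS)


if __name__ == "__main__":
    alerts, high = run_sample()
    for a in alerts:
        print(("HIGH " if a in high else "     ") + str(a))
```

On the sample, the admin account produces both a brute-force alert and a success-after-failures alert and is ranked high because it lacks MFA; the stuffing source is ranked high because which accounts it will eventually hit is unknown; the brute-force attempt against bob is still reported but ranked lower because MFA would stop a guessed password. The design point is that the log-based detection and the inventory check are separate inputs: a weak MFA policy on "service" accounts is only visible from the inventory, which is exactly the gap in the DPP case.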

Search services: Sweden’s IMY has received a large number of complaints against search services that publish personal data about the population of Sweden. Many of these complaints concern search services that publish information about violations of the law, such as criminal convictions. IMY is now initiating inspections of two of these search services, Lexbase.se and krimfup.se. In a legal opinion from 2024, IMY concluded that it is competent to review search services that hold a so-called certificate of publication. The Swedish Supreme Court also recently ruled that releasing large numbers of criminal convictions online is not compatible with EU law.

Unwanted insurance: The Romanian data protection authority fined the controller Banca Transilvania SA the equivalent of 5,000 euros. The complainant, a natural person, claimed that their data had been processed without consent under an insurance policy arranged by Banca Transilvania. It was found that, although the complainant had terminated his real-estate loan contract, he was erroneously issued a new natural-disaster insurance policy ancillary to the terminated loan contract.

Employee email accounts

The Maltese regulator IDPC published a set of FAQs on the management of employee email accounts once an employee leaves an organisation. While employers have a legitimate interest to maintain business continuity following an employee’s departure from the organisation, the employer’s operational concerns must be balanced against the data protection rights of outgoing employees and any other individuals involved, as set out in the GDPR. This includes handling work email accounts in a manner that is proportionate, transparent, and respects the confidentiality of any personal correspondence that may be in the account. The most common real life cases include:

  • Can an employer set up automatic email forwarding following an employee’s departure?
  • Can an employer set up an automatic reply message following an employee’s departure?
  • As an employer, what are some general practical steps I can take to manage employee email accounts in a manner that complies with the GDPR?

In case you missed it

AI assistants: Privacy International questions whether we can trust the developers of AI assistants to protect our privacy and security. AI assistants need access to apps, data and device services to deliver on their promise of acting as agents that do work for us. This is a significant change from existing apps, which ask for narrow permissions tied to one function: the messaging app Signal asks for access to your contacts to identify people with a Signal account you haven’t talked to, and a navigation app needs your phone’s location services and hardware to guide you.

What makes an AI assistant different from apps is the level of access it constantly requires in order to function. Prioritising automation as one of the main goals and features of AI assistants means that developers will be tempted to allow processing of your data with the lowest amount of friction possible.

Opt out from Tesla processing your data: Lastly, a piece from The Guardian examines how Tesla owners can safeguard their data and privacy. Any connected car must track and gather a lot of information about you in order to provide its capabilities, and a detailed picture of your life and movements can be assembled from these data, sent via GPS trackers, sensors and other devices. The Guardian studied Tesla’s privacy policy, talked to privacy experts, and even asked the company’s AI chatbot how to share as little data as possible with Tesla. There are some privacy measures you can and, in many situations, ought to take if you own a Tesla. However, adjusting these settings so that you share the least possible amount of data with Tesla will shut off access to many of your car’s functions.

The post Data protection digest 3 – 17 Apr 2025: Meta AI training restarts in Europe, virtual assistants vs data privacy appeared first on TechGDPR.

Strategic Compliance in the EU: Balancing Competition, GDPR and AI Regulation https://techgdpr.com/blog/strategic-compliance-in-the-eu-balancing-competition-gdpr-and-ai-regulation/ Tue, 03 Oct 2023 10:49:12 +0000 https://s8.tgin.eu/?p=6859

AI is no longer confined to tech gossip or futuristic movies. The fierce competition within the tech industry for AI continues to intensify. China and North America are poised to draw the largest economic gains from AI, with a projected boost of 26% and 14.5% to their respective GDPs by 2030, amounting to a combined total of $10.7 trillion. Europe, as one of the major competitors in the field, must keep pace with China and the USA by allocating its resources to the development of new AI technologies. The European Union (EU) therefore faces a difficult balancing act: maintaining its competitiveness while protecting the fundamental rights of its citizens.

The Economic Impact of AI

BITKOM, Germany’s digital association, conducted a survey revealing a significant finding: approximately half of all companies surveyed in the EU have already abandoned new, innovative projects. This is due to ambiguities in the interpretation of the GDPR. Fear of potential penalties and legal ramifications could further discourage companies from investing in new AI technologies.

The new AI Act, which is still on the EU’s legislative agenda, will largely determine the competitiveness of the AI industry and holds the power to shape the EU’s AI industry for the next decade. However, an unprecedented challenge for the EU’s fast-paced tech industry is the patchwork of member state laws and regulations that hampers innovation. EU citizens’ privacy concerns are another important topic that directly bears on AI innovation. The EU’s new AI Act envisions an AI regulatory sandbox to establish a sustainable competitive environment for AI technologies while safeguarding citizens’ fundamental rights.

High-risk AI systems are defined in Article 6(1) of the draft Act as systems meeting both of the following conditions: “The AI system is intended to be used as a safety component of a product, or is itself a product, covered by Union harmonization legislation” and “the product whose safety component is the AI system, or the AI system itself as a product, is required to undergo a third-party AI conformity assessment with a view to the placing on the market or putting into service of that product pursuant to Union harmonization legislation.”

AI regulatory sandboxes make it easier for innovators to conduct experiments with high-risk AI systems and test their products with fewer legal procedures. AI regulatory sandboxes also offer legal flexibility, but not absolute immunity.

Looking across all types of AI failures, privacy violations are the most frequent problem. High-risk AI systems have the potential to inflict greater harm on the fundamental rights of citizens.

Figure: Incidence of AI failure models. Source: Floridi, L. et al. (2022) ‘Capai – A procedure for conducting conformity assessment of AI systems in line with the EU Artificial Intelligence Act’. (1)

The Role of the EU in AI Regulation

To effectively address the legal implications arising from AI failures, special attention needs to be given to the rules that shape the direction of the regulatory sandbox. These rules include: processing data for public interest, monitoring performance, risk mitigation, secure data environment, data transmission restriction, data subject impact reduction, technical documentation, record-keeping, and transparency for experimenters. These rules, designed to protect the privacy of data subjects, are in line with the General Data Protection Regulation (EU) 2016/679 (GDPR).

Article 54(1)(c) of the AI Act requires effective monitoring mechanisms to identify risks to data subjects’ fundamental rights during sandbox experimentation. If an issue arises that infringes the privacy of data subjects, the risks must be mitigated and, if necessary, the processing halted altogether. Organisations must keep records of the decisions and efforts made to halt data processing so that they can demonstrate compliance. Each high-risk AI experiment differs by nature, so a case-by-case examination is necessary; the balancing test between the participants’ privacy interests and the experimenter’s interests cannot practically be settled in advance for every experiment. The recommended best practice, which is also a GDPR Article 25 privacy-by-design requirement, is therefore to involve privacy experts in designing the experiments.

Regulatory Sandbox for AI

AI regulatory sandboxes are defined in Article 53(1) of the new AI Act as: “a controlled environment that facilitates the development, testing and validation of innovative AI systems for a limited time before their placement on the market or putting into service pursuant to a specific plan.”

For the experiments being conducted, participants in the AI regulatory sandbox remain liable, and as stated in Article 53(2) of the AI Act, “Member States shall ensure that national data protection authorities and other national authorities are associated with the operation of the AI regulatory sandbox.” Additionally, the corrective powers of the competent supervisory authorities in relation to the data subject rights shall remain unaffected.

The AI Act also introduces practices specifically designed for high-risk AI systems, such as implementing quality management systems, maintaining technical documentation and establishing post-market monitoring plans. The overarching goal is that these practices address privacy concerns in a consistent way so as to protect fundamental rights. As stated in the ICO’s “Regulatory Sandbox Final Report,” practices such as using synthetic data for innovation can also help to reduce the risk to privacy. However, synthetic data is still generated from real data and must be analysed carefully.

The use of personal data for high-risk AI systems is challenging, but necessary in some cases, such as public health and safety. AI regulatory sandboxes facilitate this possibility, particularly when it serves the public interest in these matters. Nevertheless, supervisory authorities have the authority to halt the experiments if they deem it necessary. The new guidelines from the data protection supervisory authorities and the future cooperation of the European Artificial Intelligence Board are expected to reveal how the AI industry will be shaped within the EU’s Single Data Market policy.

(1) Floridi, L. et al. (2022) ‘Capai – A procedure for conducting conformity assessment of AI systems in line with the EU Artificial Intelligence Act’, SSRN Electronic Journal, p. 57

The post Strategic Compliance in the EU: Balancing Competition, GDPR and AI Regulation appeared first on TechGDPR.

Data protection & privacy digest 18 Apr – 2 May 2023: draft AI legislation finalised, and employers’ compliance in focus https://techgdpr.com/blog/data-protection-digest-03052023-draft-ai-legislation-finalised-and-employers-compliance-in-focus/ Wed, 03 May 2023 07:33:26 +0000 https://s8.tgin.eu/?p=6604

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

Draft AI Act: The long-discussed AI legislation is expected to go through the full European parliamentary vote in mid-June. Reportedly MEPs, after two years of discussions with stakeholders, have finally reached a common political position. However, it will take a few years for it to be enforced: the EU interinstitutional ‘trilogue’ that comes after parliamentary approval may take a while. 

The most rigorous regulations will apply to high-risk systems, such as those used for biometric identification, critical infrastructure management, or by large online platforms and search engines where they create threats to individuals’ health, safety or fundamental rights. The framework includes testing, proper documentation, data quality and human oversight. Extra safeguards are promised when such systems are intended to process special categories of personal data, with priority instead given to synthetic, anonymised, pseudonymised or encrypted data.

MEPs also support the idea to put stricter data governance obligations on foundation models, (like ChatGPT), distinguishing them from general-purpose AI. 

MiCA: Meanwhile the Parliament endorsed the EU rules to trace crypto-asset transfers and prevent money laundering, as well as common rules on supervision and customer protection. The “travel rule”, already used in traditional finance, will in the future cover transfers of crypto assets. Information on the source of the asset and its beneficiary will have to follow the transaction and be stored on both sides of the transfer. The rules will not apply to person-to-person transfers conducted without a provider or among providers acting on their own behalf. The end of 2024 or early 2025 will see the full implementation of the framework. 

America’s innovative tech: Existing legal authorities apply to the use of automated systems and innovative new technologies just as they apply to other practices, states the US Justice Department together with its federal partners. The US Constitution and federal statutes prohibit discrimination across many facets of life, including education, criminal justice, housing, lending, and voting. It is illegal for an employer to discriminate against an applicant or employee due to their race, religion, gender, age, pregnancy, disability, or genetic information. Firms can also be required to destroy algorithms or other work products that were trained on illegally collected data.

Case law

Apartment surveillance: The Estonian supreme court explained the possibility of installing surveillance cameras in an apartment building if some owners do not agree. In the given case, drug gang activity in the building was spotted, but one owner contested the cooperative’s decision to install the cameras as an intrusion into his privacy and the risk of monitoring. As CCTV processes personal data, a legal basis is necessary according to the GDPR. If an agreement between the owners cannot be reached, it can be done by a majority vote. In this case, there must be a legitimate interest, which outweighs the interests or fundamental rights of the apartment owners, (eg, a security threat – in the given case).

However, the court stated, if the installation of cameras is decided by a majority vote at the general meeting, then all apartment owners must be given the opportunity to familiarize themselves with the planned conditions, including a privacy notice for the use of cameras before the meeting. In case of violation of this requirement, the decision of the general meeting would be null and void.

Official guidance

SMEs guide: An organisation not only has to process personal data according to the GDPR, but it also needs to be able to demonstrate its compliance. For this purpose, the EDPB published its Guide for SMEs. It applies whenever you process personal data about your staff, consumers, and business partners. Transparency, data minimisation, respect for individual rights and good security practices are basic precautions for both data controllers and processors. The guide contains visual tools and other practical materials. In addition, it contains an overview of handy materials developed for SMEs by the national data protection authorities.

Employer’s guide: The Irish data protection regulator meanwhile published Data Protection in the Workplace instructions. Employers collect and process significant amounts of personal data on prospective, current and former employees. Although not all organisations are required to have a data protection officer, organisations might still find it useful to designate an individual to oversee recruitment data processing. The guide includes explanations and examples of appropriate legal bases, storage periods, fulfilment of data subject requests, employee monitoring technologies, email status, and much more.

Employees’ photos: The Slovenian data protection agency published its opinion regarding the revocation of consent for the publication of employees’ photos on the employer’s social networks. The processing of the employee’s personal data based on their personal consent is permissible only in exceptional cases, due to the obviously unequal position of the employer and the employee. 

Nonetheless, if the circumstances of the employment relationship do not require the production, publication and continued storage of a photograph, the employer should obtain consent (and provide all the information required by Art. 13 of the GDPR). In that case, the fact that the photos have been made public has no effect on the possibility of revoking consent to their publication, and a refusal or silence from the employer gives rise to the possibility of lodging a complaint with the data protection authority.

RoPA: A fresh new guide on records of processing activities with some practical examples was issued by the Irish data protection agency. The RoPA should not just be a ‘catch all’ document that refers to other documents; all processing activities should be recorded in sufficient detail, it states. An external reader or an auditor needs to be able to fully comprehend the document. Smaller organisations may not be required to maintain a full RoPA due to their size. However, most organisations will need to record processing activities such as HR and payroll functions. It may be that a simple spreadsheet is sufficient. For more complex organisations, the data controller may opt to use a relational database or one of the RoPA tools available from third-party data protection service providers. 

Online training: During the planning stage of a seminar, explains the Latvian data protection regulator, best practice means writing down and evaluating what kind of data about the event’s visitors is intended to be processed, and for what purposes. Beyond registration data, this can include the participant’s technical data from a device and broadcast and recording of the seminar. The next questions should be what is the applicable legal basis, the types of personal data, and the storage periods necessary to achieve the goal. 

In the case of other (joint) controllers, or processors involved, they must agree among themselves, determine the specific responsibilities and inform the workshop participants. The organizer(s) can include such information in the general privacy policy or develop it separately for each individual seminar. The information must be provided in a concise, transparent, understandable and easily accessible way, (it is considered good practice to have the privacy policy no more than two clicks away from the website’s front page). 

Enforcement decisions

ChatGPT: The temporary ban against OpenAI and its ChatGPT has been lifted by the Italian data protection authority. The platform has introduced the required opt-out from the processing of users’ data before the AI chatbot is used. A number of other European regulators are also moving into action: the French data protection authority has announced an investigation of complaints it received, and the German regulators want to know whether a data protection impact assessment has been conducted. At the same time, Ireland’s regulator advises against rushing into ChatGPT prohibitions that “really aren’t going to stand up”, stressing that it is necessary first to understand a bit more about the technology.

Record number of cases: The Spanish data protection agency published its 2022 report. 15,128 claims were filed, which represents an increase of 9% compared to 2021 and 47% compared to 2020. This figure rises to 15,822 including cross-border cases from other European authorities and the cases in which the agency acts on its own initiative. The areas of activity with the highest amount of fines imposed have been Internet services, advertising, labour matters, personal data breaches, fraudulent contracting and telecommunications. The main way of resolving claims involves their transfer to the data controller, obtaining a satisfactory response for the citizen in an average of less than 3 months, states the report.

Employee’s dismissal: The Danish data protection authority criticised an employer who informed the entire workplace that an employee had been dismissed due to, among other things, cooperation difficulties. The employer’s briefing emails went further than was necessary for the purpose, namely to inform the relevant persons about the departure. The employer stated that the reason for the departure was made public to avoid rumours. However, the Danish regulator found that consideration for the departing employee weighed more heavily.

Security clearance: The Danish authority also decided against a former security guard who complained that his employer, Securitas, had passed on information about him to the intelligence services in connection with a security clearance without obtaining his consent. Securitas maintained that all on-call employees are informed of the security clearance requirement and that the complainant had completed an employment form containing a declaration of consent; his application for security approval would have been rejected had he not completed, signed and consented to it.

Dark patterns: In Italy, a company that offers digital marketing services was found guilty of having illegally processed personal data. It emerged that in some of the portals owned by the company, “dark patterns” were used which, through suitably created graphical interfaces and other potentially misleading methods, enticed the user to give their consent to the processing of data for marketing purposes and to the communication of data to third parties. In addition, an invitation to click on a link that led to another site to download an e-book had the user’s profile data already recognized and the consent already selected. 

Security evidence logs: For a careless response to a data access request, the Spanish data protection authority fined Securitas Direct España 50,000 euros, according to DataGuidance. The complainant exercised their right of access after their holiday home, which was covered by a security service contract, was burgled. Securitas Direct did not provide the data logs from the alarm system, and those that were sent to the complainant were incomplete, out of chronological order and missing the decryption keys. The logs produced by the alarm system installed in the complainant’s home, the regulator stated, are personal data and are thus subject to the right of access.

Data security

Consumers’ personal data: New York’s Attorney General released a guide to help businesses adopt effective data security measures to better protect personal information. The guide offers a series of recommendations intended to help companies prevent breaches and secure their data, including:

  • maintaining controls for secure authentication,
  • encrypting sensitive customer information,
  • ensuring your service providers use reasonable security measures,
  • knowing where you keep consumer information,
  • guarding against automated attacks, and
  • notifying consumers quickly and accurately of a data breach, etc.

Cybersecurity of AI: The European Union Agency for Cybersecurity published an assessment of standards for the cybersecurity of AI and issued recommendations to support the implementation of upcoming AI legislation. AI mainly includes machine learning resorting to methods such as deep learning, logic, and knowledge-based and statistical approaches. However, the exact scope of an AI system is constantly evolving both in the legislative debate on the draft AI Act, as well in the scientific and standardisation communities. 

The assessment is based on the observation concerning the software layer of AI. It follows that what is applicable to software could be applicable to AI. However, it does not mean the work ends here. Other aspects still need to be considered, such as a system-specific analysis to cater for security requirements deriving from the domain of application, and standards to cover aspects specific to AI, such as the traceability of data and testing procedures. Meanwhile, some key recommendations include:

  • establishing a standardised AI terminology for cybersecurity;
  • developing technical guidance on how existing standards related to the cybersecurity of software should be applied to AI;
  • reflecting on the inherent features of machine learning in AI;
  • considering risk mitigation by associating software components with AI, reliable metrics and testing procedures;
  • promoting cooperation and coordination across standards organisations’ technical committees.

Big Tech

VLOPs: The first designations of ‘Very Large Online Platforms and Online Search Engines’ under the Digital Services Act, (and the Digital Markets Act), were made public by the European Commission. As each of the 19 designated entities reaches at least 45 million monthly active users, they will be subject to additional regulatory requirements: user rights offerings, targeted advertising opt-outs, restrictions on sensitive data and profiling of minors, as well as improved transparency and risk assessment measures. Within four months of notification, the platforms will have to redesign their services, including their interfaces, recommender systems, and terms and conditions.

Salesforce Community leaks: A large number of businesses, including banks and healthcare providers, are leaking information from their open Salesforce Community websites, a KrebsOnSecurity analysis has discovered. Customers can access a Salesforce Community website in two different ways: through authenticated access, (which requires logging in), and through guest user access, (which doesn’t). It appears that Salesforce administrators may inadvertently give guest users access to internal resources, (payroll, loan amounts, bank account information combined with other data), which could allow unauthorised users to gain access to a company’s confidential information and result in data leaks. The practical check is the same as for any anonymous-access role: review what the guest profile can read object by object, rather than assuming an unauthenticated user sees only the public pages.

The post Data protection & privacy digest 18 Apr – 2 May 2023: draft AI legislation finalised, and employers’ compliance in focus appeared first on TechGDPR.

Weekly digest 30 May – 6 June 2022: secure multiparty computation, public procurement, voiceprints & privacy https://techgdpr.com/blog/weekly-digest-07062022-secure-multiparty-computation-public-procurement-risk-analysis/ Tue, 07 Jun 2022 09:02:15 +0000 https://s8.tgin.eu/?p=5770

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: secure multiparty computation, public procurement, risk analysis, DPIAs

The Spanish privacy regulator AEPD has published a tech-savvy blog post on Privacy by Design: Secure Multiparty Computation. It is possible to create federated data spaces that avoid communicating data to, and exposing it to, third parties while still giving multiple stakeholders access to the information they need, optimising networks and processes and allowing controlled data-reuse policies to be implemented. All this is independent of the additional data protection measures by design and by default that can be added, together with a governance model, to guarantee rights in the source data.

One such enabling technology is Secure Multiparty Computation (SMPC). In the additive secret sharing variant the AEPD describes, each party splits its secret value into random-looking shares and distributes them, so that no recipient can reconstruct the original from the shares it holds, yet the parties can still jointly compute an agreed result (a sum or an average, say) over everyone’s inputs. For example, three companies may wish to collaborate on a study of the sector they belong to and jointly benefit from the results, even though legal, strategic and technical constraints prevent them from simply pooling their raw data.
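The three-company scenario above, worked through as an added example (this is illustrative code, not the AEPD’s, and the revenue figures are constructed): each company splits its figure into additive shares modulo a large prime, sends one share to each peer, and every peer publishes only the sum of the shares it received. The partial sums reconstruct the sector total, while each individual share and each partial sum is a uniformly random field element that says nothing about any one company’s figure. The caveat a practitioner should keep in mind is built into the docstring: the protocol hides inputs, not the output, so n-1 colluding parties can still subtract their own figures from the total.

```python
import secrets

# Assumption for this example: inputs are non-negative integers below P.
# P is a large prime so shares live in a finite field and wrap-around
# cannot leak an input's magnitude.
P = 2**61 - 1


def share(value, n):
    """Split `value` into n additive shares modulo P.

    The first n-1 shares are uniformly random and the last is chosen so that
    all n sum to `value`. Any n-1 of them are therefore uniformly random on
    their own and reveal nothing about `value`.
    """
    if not 0 <= value < P:
        raise ValueError("input must be an integer in [0, P)")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares):
    """Recover a secret from the full set of its additive shares."""
    return sum(shares) % P


def secure_sum(inputs):
    """Simulate the n-party secure-sum protocol in one process.

    Party i splits its input into n shares and sends share j to party j.
    Party j adds the n shares it received into one partial sum. Publishing
    the n partial sums lets everybody reconstruct the total; each partial
    sum is itself a uniformly random field element, so no party learns
    anything about another's input beyond what the total implies (n-1
    colluding parties can of course subtract their own inputs from it).

    Returns (total, views) where views[j] lists the shares party j received,
    so a reader can inspect exactly what each party saw.
    """
    n = len(inputs)
    matrix = [share(x, n) for x in inputs]   # matrix[i][j]: party i's share for party j
    views = [[matrix[i][j] for i in range(n)] for j in range(n)]
    partial_sums = [sum(view) % P for view in views]
    return reconstruct(partial_sums), views


def secure_mean(inputs):
    """Sector-average query: the total is computed securely, then divided by
    the (public) number of participants."""
    total, _ = secure_sum(inputs)
    return total / len(inputs)


if __name__ == "__main__":
    # Constructed sample: three companies' annual figures they will not disclose.
    revenues = [1_250_000, 830_000, 2_100_000]
    total, views = secure_sum(revenues)
    print("joint total:", total)
    print("sector mean:", secure_mean(revenues))
    for j, view in enumerate(views):
        print(f"party {j} received shares {view}")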

In order to help the professionals concerned identify their responsibilities in different contexts of public procurement, the French regulator CNIL clarifies, (in French), the elements to be taken into account and the legal consequences that follow from the qualification of “(joint) controller” and “subcontractor” (the French term for processor under the GDPR). Administrations often entrust another body, (an economic operator), with meeting needs in terms of works, supplies or services, for example the management of extracurricular services, water, transport or parking. To perform these public contracts the operator must collect and use personal data, which may concern staff or users of the public service, and this processing must comply with the GDPR. The designation of actors as “controller”, “subcontractor” or “joint controller” must occur as early as possible and be based on factual elements and each contractual context. This establishes who will have to guarantee compliance with the main principles of the GDPR, in particular:

  • the existence of an explicit and legitimate objective, (purpose), for each use of data;
  • collection of relevant and non-excessive data;
  • data security;
  • a limited data retention period;
  • proper consideration of people’s rights.

Dealing with risks. The Bavarian data protection commissioner explains how this works in data protection law. A new guide, (in German), helps to detect and manage risks in the processing of personal data even more easily. The paper attaches particular importance to the idea of ​​scaling: risk analyses do not always have to be complex. Depending on the occasion, different “expansion stages” are possible. This is illustrated using several case  studies. The new orientation guide and an information package, (with a set of forms that guide the implementation of risk analyses and are intended to support proper documentation), can be downloaded free of charge from here and here.

The Latvian data protection authority DVI also explains how to conduct a Data Protection Impact Assessment. A DPIA is the process by which a data controller inventories, analyses and assesses the possible consequences, (in terms of severity and likelihood), of the risks that processing poses to individuals’ rights and freedoms. Carrying out a DPIA is not a one-off exercise but a set of assessments of data processing that need to be repeated regularly. Organisations should not assume that data processing stays constant even when no changes are made, since external factors also pose risks to ongoing processing. They should consider, for example, the following aspects:

  • internal processes and planned activities with personal data;
  • how the internal exchange of data takes place and whether the current exchange mechanisms are considered secure;
  • the location of the data and access to how the data is transferred – on a computer, in folders, physically, etc.;
  • employees’ knowledge of how to handle personal data in compliance with data protection requirements;
  • internal documentation;
  • whether data protection system rules have been developed, taking into account possible risks, (eg, unauthorized access, deletion, etc.).

The following questions will also help to assess the above aspects of processing:

  • Does the protection of the organisation’s data system correspond to the risk posed by the data processed in it?
  • Are personal data processed and grouped with appropriate care, taking into account potential risks and high-risk processing?
  • What devices are connected to the local network, (do the devices themselves and their connections pose a security risk)?
  • What software is used in the organization’s information systems?
  • Are computers equipped with security systems and passwords?
  • Is employees’ access to processed personal data recorded?
  • What more could be done to achieve higher security standards?

Legal processes: no united position on the AI Act, UK data protection reform

Members of the European Parliament have submitted hundreds of amendments to the upcoming AI Act, setting the tone for future discussions, according to the Euractiv news website. Reportedly, one of the most controversial topics is the definition of artificial intelligence itself. Another hot issue is the burden of obligations, not excluding data protection issues, for AI creators, introducing different requirements for new, former, and original providers of AI technology. At the same time Green MEPs made major proposals on prohibited practices, extending this category to biometric categorisation, emotion recognition, and any automated monitoring of human behaviour. Finally, conservative lawmakers want to exclude systems designed to assess creditworthiness from the high-risk list. Read more about the opposing proposals for the AI act from the EP’s left and right political groups in the original publication.

In a pre-emptive strike ahead of the publication of the Data Protection Reform Bill in the UK, Privacy International publishes its response here. It states that the right to privacy and data protection is linked to some of the most important political and existential questions of our time. At the core of the proposal is the suggestion that data protection is a burden on companies. It appears to be driven by the commercial interests of a few companies who may benefit from weaker rights protection, the result being the proposed loss of many important protections for people. The PI report looks at such privacy issues as:

  • How can exploitation of the vulnerable be prevented?
  • How does the UK treat immigrants who bring key skills and prosperity to the country?
  • What safeguards are there against potential corruption of the democratic process by new technologies and their use by political parties and third parties?

In PI’s opinion, the UK proposal is a backward step. For example, innovation, (eg, in AI), relies on people sharing data; in order for people to share their personal information, they need to feel confident about doing so.

Investigations and enforcement actions: public bodies and IT incidents, unauthorized access, absence of legal purpose, DPOs, insufficient testing of software updates

The French regulator CNIL issued notice to twenty-two municipalities to appoint a data protection officer. The GDPR makes the appointment of a data protection officer mandatory in certain cases, in particular when the processing of personal data is carried out by a public authority or a public body, (Art. 37 of the GDPR). This obligation, therefore, concerns all local authorities, regardless of their size. In the case of local authorities, the delegate can be an internal agent or subcontractor shared between several municipalities. The 22 municipalities, in metropolitan France and overseas, have a period of 4 months to comply by appointing a data protection officer, under the conditions set by the GDPR, (expertise, independence, sufficient resources, etc.). If they do not comply with the formal notice, the CNIL may use its powers to pronounce sanctions – which can include fines and public reprimand.

The data protection officer, explains CNIL, plays an essential role in the compliance of data processing implemented by public authorities. They are the main point of contact for agents and citizens on all subjects relating to data protection: a) internally, they answer all questions regarding data protection and ensure that staff are familiar with the GDPR “first steps”, (in the event of a computer attack, design of a new digital project, etc.), b) with regard to stakeholders, they oversee the organization of the processing of requests to exercise rights and any requests for clarification from the CNIL in the event of an audit.

Meanwhile the Italian privacy regulator ‘Garante’ fined Inail, (a financially independent public body which manages compulsory insurance against accidents at work and occupational diseases on behalf of the state), 50,000 euros. An investigation revealed that at least three IT incidents resulted in unauthorized access to the data of some workers, in particular details on health and injuries suffered. The application “Workers Virtual Desk” managed by the authority allowed some users to accidentally consult the accident and occupational disease files of other workers. In one case, however, the incident occurred following the execution of an outdated version of the “Workers Virtual Desk”, due to human error.

‘Garante’ emphasized that a body with such significant institutional skills, which processes particularly delicate data, including that of vulnerable data subjects, is required to adopt, in line with the principle of accountability required by the GDPR, technical and organizational standards that ensure the confidentiality of the data processed on a permanent basis, as well as the integrity of the related systems and services. The regulator’s judgement took into account the full cooperation offered by the public administration during the investigation and the small number of people involved in the identified data breaches.

In Norway the regulator Datatilsynet notified NAV, (Norwegian Labour and Welfare Administration), of a fine of approx. 495,000 euros for making CVs available on the service arbeidplassen.no without legal purpose. In order to receive services and benefits, job seekers have had to provide a considerable amount of information, including a CV. NAV has also set as a condition that the CV must be made available to employers on arbeidplassen.no, a condition NAV itself discovered that it has no authority to impose. NAV took immediate action, closing employers’ access to jobseekers’ CVs and notifying those affected.

Denmark’s data protection authority expressed serious criticism of the University of Southern Denmark’s insufficient testing of software updates. The university uses an HR system where employees can be assigned a grade to access applications. In connection with a software update, however, the system’s rights management was reset, which meant that all employees had access to the applications. This gave 7011 employees potential access to applications from a total of 417 applicants. Out of these, only some 400 employees had a conditional need to be able to access personal information in the HR system. Furthermore, the university did not keep a log of access to the applicants’ material and therefore could not identify what had been accessed.

Big Tech: voice recognition systems, UK’s Labour party lost database, the end of Google Assistant

According to Wired, voice recognition systems, such as Siri and Alexa, are becoming better at understanding people through their voices. Machines can learn a lot more: inferring your age, gender, ethnicity, socio-economic status, and health conditions. Researchers have even been able to generate images of faces based on the information contained in individuals’ voice data, says the publication. And as the market grows, privacy-focused researchers are increasingly searching for ways to protect people from having their voice data used against them:

  • Simple voice-changing hardware allows anyone to quickly change the sound of their voice.
  • More advanced speech-to-text-to-speech systems can transcribe what you’re saying and then reverse the process and say it in a new voice.
  • Distributed and federated learning—where your data doesn’t leave your device but machine learning models still learn to recognize speech by sharing their training with a bigger system.
  • Encrypted infrastructure to protect people’s voices from snooping, and
  • Voice anonymisation, (eg, altering the pitch, replacing segments of speech with information from other voices, and synthesizing the final output).

Britain’s Labour party is facing several class-action suits for failing to inform members after its database, hosted by a third party, was hacked with ransomware in 2021. The third party in question, the digital agency Tangent, was responsible for handling party membership data, and was reportedly targeted by an unknown ransomware gang that held the information hostage. Tangent refused to pay the ransom, leading the hackers to corrupt the database, rendering it inaccessible: “Labour claims that its own systems have not been affected by the breach, although its membership webpage has been down since it happened and, as a result, the party doesn’t have a complete or up-to-date membership list beyond December 2021”, according to the Byline Times newspaper.

Google wants to end location reminder capabilities on mobile and smart devices that use Google Assistant, Gizmodo and IAPP News report. The feature reminds users to do tasks when they arrive at specific locations. In just one example an investigation by Canada’s privacy regulator showed that people who downloaded the app for a popular coffee chain had their movements tracked every few minutes, even when the app wasn’t in use. Investigators said the app collected info to infer where users lived, worked, and traveled. The tech giant points to its privacy policy to claim it only collects data based on users’ settings, and that the app will only collect data when the app is active. However, third party apps can also share private information with Google when going through Google Assistant, based on user settings, says Gizmodo.

The post Weekly digest 30 May – 6 June 2022:  secure multiparty computation, public procurement, voiceprints & privacy appeared first on TechGDPR.

Weekly digest April 18 – 24, 2022: business and human rights in the activities of tech companies https://techgdpr.com/blog/weekly-digest-26042022-business-and-human-rights-in-the-activities-of-tech-companies/ Tue, 26 Apr 2022 06:38:16 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: business and human rights in the activities of tech companies, relaxed covid measures, regulators’ annual analytics

Privacy International, (PI), submitted its input to the forthcoming report by the UN High Commissioner for Human Rights, on the practical application of the UN Guiding Principles on Business and Human Rights to the activities of technology companies. In summary, the PI report highlights the systemic lack of accountability of this industry, national authorities’ slow or nonexistent enforcement of privacy laws against its exploitative practices, and its relations with governments. Among many things, it:

  • asserts the need for tech companies to provide transparency over their technologies and to make their algorithms auditable, and for states to mandate such transparency when these technologies are used to deliver public functions;
  • reasserts that contracts between public authorities and tech companies must point to redress mechanisms for complaints handling and enforcement of sanctions for abuses or violations of human rights;
  • calls for public authorities to conduct individual human rights risk and impact assessments, as well as data protection impact assessments, during any surveillance technology procurement process, in addition to companies conducting human rights due diligence, on any prospective state client’s end-use of their technology;
  • asserts that public authorities should not systematically use surveillance and data processing systems deployed for private purposes and/or data derived from these systems, etc.

As COVID-19 measures relaxed across the UK, the ICO has set out some key things organisations need to consider around the use of personal information. You should check government guidance for where you live. Guidance varies between England, Northern Ireland, Scotland, and Wales. In general, organisations should ask themselves a few questions: a) How will still collecting extra personal information help keep our workplace safe? b) Do we still need the information previously collected? c) Could we achieve our desired result without collecting personal information? Also, data protection is one of a number of factors to consider when thinking about collecting this information. Organisations should also take into account:

  • employment law and your contracts with employees,
  • health and safety requirements, and
  • equalities and human rights, including privacy rights.

For further information, the ICO had previously outlined some practical methods for destroying documents and published guidance on storage limitation.

Meanwhile, the EDPS published its analytical annual report 2021. It highlights the EDPS’ achievements regarding EU institutions’ compliance with the data protection framework. The report also underscores the EDPS’ increasing role in advocating for the respect of privacy and data protection in EU legislation. The EDPS increased the use of its corrective powers, (eg, the decision to order Europol to delete datasets with no established links to criminal activity). This year was also unprecedented in terms of EDPS advice given to the EU legislator, (with 88 opinions, including formal comments, issued in 2021, compared to 27 in 2020). The EDPS also continued its active participation in the EDPB’s work, and furthered its work on raising awareness about personal data breaches to assist EU institutions in preventing and handling them. You can consult the full report here.

For those who can read Hungarian, the country’s data protection regulator NAIH similarly prepared its annual activities wrap-up for 2021. It looks at a) the authority’s experience over the first ten years, b) statistical characteristics of cases, c) data protection officers’ tutorials, d) law enforcement, national defence, and national security data-related procedures, e) important court decisions, f) data protection issues in business secrets, g) minors’ data protection, and much more.

Legal processes and redress: lawful data scraping, law firm nonliability for data breach

A decision in the US Ninth Circuit Court of Appeals offers an insight into the conflicting positions between Europe and America on data protection and offers relief for data scrapers who feared a shutdown of their industry. A case pitting business networker LinkedIn against hiQ Labs, a “people analytics” company, sought to prevent the latter from taking data from LinkedIn for its own business purposes. It was successfully argued that the information was publicly available, so no criminal act had taken place. Another point raised was that finding in LinkedIn’s favour would mean big tech companies would have a monopoly on ‘big data’ in the future. It may mean problems ahead for key articles of the GDPR, as privacy policy, competition and criminal law are all pulling in different directions.

A federal jury in Kansas City cleared a law firm, (Warden Grier), of liability to one of its clients, (Hiscox Insurance), after suffering a data breach, Hogan Lovells blog reports. The plaintiff claimed that the defendant failed to meet its standard of care by not sufficiently analyzing its breached server, leaving the plaintiff responsible for approximately 1.3 mln dollars in data analysis and related legal bills. Warden Grier’s counsel argued to the jury that Hiscox was confusing the roles of “service providers” and “data owners.” Here, Warden Grier argued it was a “service provider” under applicable data breach laws and industry norms, and thus its role was to provide Hiscox with access to impact data, which it had done. Read the full article here.

Data breaches: the leak of health data

The French regulator CNIL issued a 1.5 mln euros fine against the company DEDALUS BIOLOGY. A massive data leak concerning nearly 500,000 people was revealed publicly. The surname, first name, social security number, name of the prescribing doctor, date of the examination but also and above all medical information, (HIV, cancers, genetic diseases, pregnancies, drug treatments followed by the patient, or even genetic data), of these people has thus been disseminated on the internet. In its decision the CNIL stated:

  • As part of the migration from software to another tool, requested by two laboratories using the services of DEDALUS BIOLOGY, the latter extracted a larger volume of data than required.
  • The company has therefore processed data beyond the instructions given by the data controllers.

Many technical and organisational shortcomings in terms of security were upheld against the company in the context of the operations of migrating the software:

  • lack of specific procedure for data migration operations;
  • lack of encryption of personal data stored on the problematic server;
  • absence of automatic deletion of data after migration to the other software;
  • lack of authentication required from the Internet to access the public area of the server;
  • use of user accounts shared between several employees on the private zone of the server;
  • absence of supervision procedure and security alert escalation on the server.

The full decision in French can be read here.

Crypto-asset industry: EU crypto firms appeal against new draft rules

According to Reuters, more than 40 crypto business leaders have asked the EU not to require crypto firms to disclose transaction details and to dial down attempts to bring to heel rapidly growing decentralized finance platforms, (the above draft legislation was explained in one of our previous digests). In a letter sent to EU finance ministers, crypto businesses asked policymakers to ensure their regulations did not go beyond rules already in place under the global Financial Action Task Force, which sets standards for combating money laundering. In their opinion, this would reduce crypto holders’ privacy and safety. In addition, the letter also asked that the EU exclude decentralized projects, which include decentralised finance, (DeFi), from the requirements to register as legal entities. It also said that certain decentralized “stablecoins” should not be subject to the wider MiCA regulation.

Artificial Intelligence: ISO new guide and EP recommendations on AI Act

The ISO published guidance for members of the governing body of an organisation to enable and govern the use of Artificial Intelligence, in order to ensure its effective, efficient, and acceptable use. The document also provides guidance to a wider community, including executive managers; external businesses or technical specialists, such as legal or accounting specialists, retail or industrial associations, professional bodies; public authorities and policymakers; internal and external service providers (including consultants); assessors and auditors. The guide is applicable:

  • to the governance of current and future uses of AI as well as the implications of such use for the organization itself;
  • to any organisation, including public and private companies, government entities, and not-for-profit organizations;
  • to an organisation of any size irrespective of their dependence on data or information technologies.

Similarly, the European Parliament’s Committee on the Internal Market and Consumer Protection, and Committee on Civil Liberties, Justice and Home Affairs released a joint report with their recommendations for the proposed Artificial Intelligence Act. Proposed amendments from the committee include a ban on predictive policing, a public AI technology registration requirement and further alignment with the GDPR, IAPP News reports. Advocacy group ‘Access Now’ has already examined the recommendations from the committees. According to them, the draft report contains significant improvements for the protection of fundamental rights. These include the rights of people affected by AI systems to lodge a complaint or seek judicial remedies, for public authorities to register their use of high-risk AI systems in a public database, and numerous improvements to procedures and enforcement. At the same time, the recommendations “have missed an important opportunity to protect people’s rights by completely banning remote biometric identification in publicly accessible spaces.”

Big Tech: GPS data, Google’s “Deny All button”, Pegasus spyware, new Microsoft Purview

Data Broker Otonomo is facing a California class-action lawsuit for allegedly collecting and selling GPS data secretly from 50 mln vehicle owners worldwide, IAPP News reports. The company, originally founded in Israel, claims it has systems to protect customer privacy, but investigative journalists in 2021 discovered Otonomo data could reveal customers’ home addresses, where they worked, and where they drove to. At that time legal opinion was the company could face problems down the road. The company has deals with several car manufacturers to include their systems onboard, but the lead plaintiff says he was never informed of this nor was his consent sought.

Beginning with YouTube France, but due to be rolled out across Google Europe-wide, the giant search engine is updating its cookie consent banner, which a few months ago was hit with a hefty 150 million-euro fine by French data regulator the CNIL. The familiar ‘Accept All’ and ‘Customise’ buttons will be joined by a ‘Deny all’ button disabling cookies altogether. Multiple clicks over several pages were previously needed to opt-out of tracking, in violation of the principle that opting out should be as simple for users as opting in.

More high-profile scrutiny of NSO group’s Pegasus spyware is on the way, as the European Parliament launched an inquiry committee into the Israeli company’s potential use of the software on EU member states’ governments, or its use by those governments. Pegasus software was last week reportedly discovered on UK government computer networks, infecting files even within the Prime Minister’s office, and in Spain, it was found infecting pro-Catalonian independence networks.

Microsoft has bundled its Azure Purview and Microsoft 365 Compliance data governance and risk management services into a new package with enhanced and new features to beef up data security and privacy. Christened Microsoft Purview, the new platform should simplify life for administrators, and the integration of functions allows for new capabilities Microsoft says it will extend with time. A key feature will allow admins to apply sensitivity labels to data consistently, across platforms and data types. Labels will now travel with data and be recognised by all services it extends to, says Microsoft.

Weekly digest March 7 – 13, 2022: can employees secretly record workplace conversations? https://techgdpr.com/blog/weekly-digest-14032022-can-employees-secretly-record-workplace-conversations/ Mon, 14 Mar 2022 11:44:10 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: workplace conversations, use of the cloud

The Latvian data protection authority suggested when an employee could secretly record a conversation in the workplace to protect their interests, IAPP News reports. The regulator concluded that employees can secretly audio record their employer if it is the only way to collect evidence of illegality, (eg, mobbing, bossing, illegal activities at the workplace). However, some data protection regulations are applicable because a person’s recorded voice still constitutes personal data. It suggests:

  • submit recordings as evidence to the State Labour Inspectorate, the police, or a court;
  • avoid publishing it to social networks or otherwise making a voice recording publicly available, including distribution within a team;
  • when audio is transferred to law enforcement, the recording cannot be excessive; unrelated segments must be deleted;
  • the information disclosed in a secret recording must also outweigh an individual’s right to data protection.

The Danish data protection authority Datatilsynet has published guidance on the use of the Cloud, (available in English). The guide contains 14 practical examples with explanations. It is targeted primarily at organizations, (data controllers), that would like to start using one or more cloud service(s) and attempts to address the relevant elements of data protection law. However, many of the issues addressed in this guidance apply equally to most other IT service delivery models. A large number of cloud services are usually provided as standardized services where each organization as a customer has limited possibilities to tailor the service in question. Parts of the guide are therefore simultaneously addressed to cloud service providers, (CSP), who can learn more about how they can provide their services in accordance with data protection law. The main steps for data protection when using cloud services include: a) know your services, (data protection and security risk assessments), b) know your supplier, (screening, data processing agreements), and c) audit the CSP and sub-processors.

The guide also evaluates transfers to third countries. In this context, companies should be aware that if their European CSP as a processor complies with a request from law enforcement authorities in a third country, it is considered a personal data breach on the part of the controller, as an unauthorized disclosure of personal data to the concerned law enforcement authority will have occurred. However, this question of an appropriate level of security of processing is limited only to cases where the use of the CSP does not otherwise involve any intended transfers of personal data to third countries, including in relation to the provider’s servicing of its infrastructure, the provider’s provision of support of your cloud service, the provider’s access to its infrastructure for the purposes of capacity planning, etc.

Legal processes and redress: EU sanctions & whistleblowing, employee’s image rights, rules on AI

The European Commission launched a whistleblower tool to facilitate reporting of possible sanctions violations. This is a secure online platform, which whistleblowers from around the world can use to anonymously report EU sanctions violations. This information can relate to:

  • facts concerning sanctions violations, their circumstances, and the individuals, companies, and third countries involved,
  • facts that are not publicly known but are known to you and can cover past, ongoing, or planned sanctions violations, as well as attempts to circumvent EU sanctions.

The EU has more than 40 sanctions regimes in place and their effectiveness relies on their proper implementation and enforcement regarding:

  • arms embargoes,
  • restrictions on admission, (travel bans),
  • asset freezes,
  • other economic measures such as restrictions on imports and exports.

The Commission is committed to protecting the identity of whistleblowers who take personal risks to report sanctions violations. If it considers that the whistleblower information it received is credible, it will share the anonymized report and any additional information gathered during the internal inquiry into the case with the national competent authorities in the relevant Member State(s). Access to the whistleblower tool is available here.

An employee can obtain damages simply because the employer delayed removing, upon request, a group photo including him from the company’s website, L&EGlobal blog post reports. In its recent decision, the French Court of Cassation ruled that “the mere fact that an employee’s image rights have been infringed when he or she objects to the publication of his or her image gives rise to a right to compensation, without the employee having to prove any prejudice.” Other findings of the case were:

  • every citizen, every employee, has a right to the protection of his or her image, (Art. 9 of the French Civil Code);
  • the employee’s agreement must be obtained before any photo-taking, reproduction, or use, whatever the final medium of this image, (intranet, company newspaper, internet site, promotional video, etc.);
  • the agreement must be in writing and as precise as possible, indicating the purpose, the medium used, and its duration;
  • the employee’s silence does not constitute tacit consent.

The Irish Council for Civil Liberties, the ICCL, informed the European Commission and co-legislators of two errors in the proposal for harmonized rules on Artificial Intelligence in the EU, Data Guidance reports. In particular:

  • A technically inaccurate reference to “validation and testing data sets” accidentally puts most machine learning techniques out of scope, (eg, important AI techniques such as unsupervised and reinforcement learning do not rely on validation and testing data sets).
  • The text incorrectly relies on accuracy metrics, which cannot on their own yield adequate reporting about AI systems’ performance, (eg, AI systems based on unsupervised learning and reinforcement learning use other performance metrics, not accuracy. One of the performance metrics used in reinforcement learning is its reliability).

The two errors are unintended and can easily be corrected. However failing to correct these errors will put health, safety, and fundamental rights at risk, (eg, for cancer diagnosis, it is important that the AI system has fewer false negatives than false positives, as false negatives can be fatal while false positives cause inconvenience). The technical errors are available here, and the AI Act proposal is here.

Investigations and enforcement actions: ex-employees unauthorized access, Clearview AI ban in Italy, video surveillance footage on social media

The EDPB continues to analyze some important recent data breaches within the EU at the request of national regulators. This week it looked at the ‘Santander Bank Polska’ case and levied an administrative fine of 120,000 euros. The controller reported a data breach when it was established that a former employee of the bank, despite the termination of their employment contract, had unauthorized access to the controller’s profile, (on the Electronic Services Platform of the Social Insurance Institution), containing the bank employees’ data. The Polish regulator concluded that a breach of data confidentiality occurred, which simultaneously involved a high risk to the rights or freedoms of the data subjects. Here are some findings from the case:

  • The bank posted a message on the internal communication platform, but it was general and did not refer to a specific case.
  • It was addressed only to those employed at the time of notification, which could leave many data subjects unaware. 
  • There was a high risk to the rights or freedoms of the data subjects and the controller should have communicated the incident to them, (all employees of the bank who were employed during the period when the former employee of the controller had unauthorized access to the data on the platform).

Meanwhile, the Italian supervisory authority ‘Garante’ imposed a fine amounting to 20 mln euros on Clearview AI Inc for multiple violations of the GDPR. The regulator launched its own proceedings following press reports in connection with facial recognition products which were offered by Clearview AI. Moreover, in 2021 ‘Garante’ received complaints and alerts from organizations that are active in the field of protecting the privacy and the fundamental rights of individuals against Clearview. The personal data held by the company, including biometric and geolocation information, was processed unlawfully without an appropriate legal basis. The company also infringed several fundamental principles of the GDPR, such as transparency, purpose limitation, and storage limitation. 

‘Garante’ imposed a ban on further collection and processing, ordered the erasure of the data, including biometric data, processed by Clearview’s facial recognition system with regard to persons in the Italian territory, and ordered the designation of a representative in the EU. It’s the strongest enforcement yet from a European privacy regulator, following prohibition decisions by the UK’s ICO and France’s CNIL last year. However, whether Italy will be able to collect the penalty from Clearview, a US-based entity, is one rather salient question, TechCrunch analysis suggests.

The Croatian supervisory authority AZOP fined a retail chain company 90,000 euros for failure to take appropriate technical and organizational measures (TOMs) for the processing of personal data, Data Guidance reports. AZOP received a report on alleged violations of personal data from the company, stating that employees of the company, without authorization and contrary to internal acts and instructions, recorded video surveillance footage with their mobile devices and published it on social networks and in the media. AZOP found that:

  • the company did not take adequate actions to prevent its employees from taking video surveillance images using their mobile devices;
  • the company took certain organizational measures, such as employee education and adoption of internal acts, but did not take appropriate technical security measures that could reduce the risk of a similar violation, neither before nor after an incident;
  • the company did not regularly monitor the implementation of TOMs aimed at ensuring the confidentiality, integrity, and availability of personal data;
  • the company failed to regularly test, evaluate, and determine the effectiveness of TOMs to ensure the security of video surveillance.

Big Tech: TikTok child privacy class action, cybersecurity firms booming, Twitter Tor version

A class-action lawsuit against TikTok originally initiated by a 12-year-old girl has been granted permission to proceed by the UK High Court. At its heart is the claim that the Chinese social networking giant processes children’s personal data unlawfully. The suit seeks damages in the name of millions of children, potentially exposing TikTok to billions in fines. TikTok contests the case and insists it has high security standards across its platform.

With software security expected to be a booming market, more than doubling in value to 350 billion dollars by 2026, Alphabet Inc’s Google has snapped up Mandiant Inc. for 5.4 billion dollars. The cybersecurity firm has become a reference for companies investigating cyberattacks, and Microsoft was also in the running to buy the company. Analysts say all the big cloud firms will be looking to buy cybersecurity companies, as cyberattacks have spiked with home working, with the Russia-Ukraine war also driving the market for security software.

In what has been described as a tectonic shift at Twitter, the company is launching a Tor onion version of its site, with the clear aim of ensuring privacy and avoiding censorship. Software engineer Alec Muffett said, “It’s a commitment from the platform to dealing with people who use Tor in an equitable fashion.” The Tor network will now also feature as a supported browser on Twitter. Unlike simply reaching the regular Twitter site through Tor, the new onion service is designed specifically for Tor users and adds layers of protection.

The post Weekly digest March 7 – 13, 2022: can employees secretly record workplace conversations? appeared first on TechGDPR.
