APIs Archives - TechGDPR
https://techgdpr.com/blog/tag/apis/

Data protection digest 16 Nov – 1 Dec 2023: APIs methodology, customer data minimisation, and digital mobility observatory
https://techgdpr.com/blog/data-protection-digest-04122023-apis-methodology-customer-data-minimisation-and-digital-mobility-observatory/
Mon, 04 Dec 2023 12:22:54 +0000

The post Data protection digest 16 Nov – 1 Dec 2023: APIs methodology, customer data minimisation, and digital mobility observatory appeared first on TechGDPR.

In this issue, you will find data protection solutions for complex data-sharing projects for both public and private actors, such as the latest APIs methodology, as well as a variety of official guidance on how to comply with GDPR requirements when it comes to innovation, research, digitisation and digital business development.

Official guidance

APIs methodology: The French data protection authority CNIL issued a methodology guide for the use of application programming interfaces for all actors in the data-sharing chain, (in the context of a legal obligation, scientific research, for commercial or non-commercial purposes, with or without access restrictions, etc). All categories of APIs are covered by the recommendations when they are used by organisations for the sharing of personal data. Three technical roles are introduced: a) the data holder, b) the API manager, and c) the data re-user. However, the roles defined in this APIs methodology guide do not in any way prejudge the legal responsibility of each of the organisations. This responsibility must be determined by a case-by-case analysis. Read the full guide in French here.

Medico-social sector: The CNIL also published a “retention periods” reference framework for the most frequent processing operations in the social and medico-social sectors and a practical guide proposing a methodology for the professionals concerned, (in French). The guidance is intended for public and private bodies such as social life support services, residential establishments for dependent elderly people, and administrative and judicial services for the protection of adults and minors.

Streaming platforms: The most common processing by streaming platforms includes identity and contact information, billing details, behavioural data, and technical information, explains the Latvian regulator. These data may be necessary to perform the contract, and other legal obligations, or to improve the service. However, additional processing for marketing needs generally falls outside this list and requires the prior consent of the user. Each legal basis provides a different scope of the data subject’s rights. Individuals should be free to stop data processing based on their consent, and the withdrawal of consent should not affect their ability to receive the content.

Legal processes

EU Data Act adopted: On 27 November a new law was adopted on fair access to and use of data. This is one of the five pieces of legislation included in the European Data Strategy package. Among other things, the data regulation sets out measures that allow users, (B2C, B2B and B2G), of various devices to access the data they create, which is often only collected by manufacturers, and to share this data with third parties to provide various data-based services. In addition, the regulation allows public sector authorities to obtain data held by the private sector if needed in emergencies. The Data Act will apply in twenty months' time, in mid-2025.

UK data protection reform: The UK government says it has carefully prepared a set of changes to the domestic, (post-Brexit), data protection legislation in 2024. Among many things, it includes clarification that data controllers only need to conduct reasonable and proportionate searches in response to a data subject access request. Another example is new powers to require data from third parties, particularly banks and financial organisations, for fraud checks. The proposal also covers using biometric data, such as fingerprints, to strengthen national security. Find the full list of the latest amendments here.

Automated decision-making: Meanwhile the California privacy protection agency released a draft rulebook on automated decision-making technologies. The proposed regulations would implement consumers' right to opt out of, and access information about, the technology, as provided for by the California Consumer Privacy Act. The agency expects to begin formal rulemaking next year. The decision-making processes in this case include decisions about employment and compensation; profiling an employee, contractor, applicant, or student; using facial-recognition technology or automated emotion assessment to analyse consumers' behaviour in public places, and more.

Data subject rights

A copy of your data: this is a collection of personal data held by a controller in a viewable file or document. It should be understood that this is a collection of information, and not a simple copy of one or several physical documents. If you know that a controller, (natural or legal person, public institution or other body), has your data, you can request a copy. You must identify yourself by providing at least your first and last name, additional information the organisation requests, and, if possible, include the period and other details. The organisation will "extract" information from its documents, information systems and other places, and will collect it in one place so that it is ready for issue.

If you submit the request electronically, the organisation is obliged to issue a copy in an electronic usable form. On the other hand, if you need information in a different format, it should be indicated in the request. A copy of personal data can also be cut from an audio or video recording, explains the Latvian regulator. Possible reasons for refusal may be, for example, problems in identifying a person, the requester's data is not or no longer at the disposal of the organisation, or a vaguely expressed personal request, such as "Show me all my data". Likewise, data may not be released in cases where specific data is not to be released to investigative bodies, financial institutions or other public administration bodies.

DP tools

OLIVIA: The Croatian data protection authority has presented a virtual teacher and assistant for compliance with the GDPR, (available in English), allowing entrepreneurs the opportunity to learn what their basic obligations are, test their knowledge and create basic documents (eg, self-assessment reports, information notices or cookie banner examples), which help to prove compliance. You can test the OLIVIA tool here.

Digital development: A similar tool for data protection has been issued by the Swedish data protection authority aiming at public actors working with innovation, digitisation and digital business development. The methodology is based on two overarching prerequisites:

  • An organisation that is to innovate must take into account the data protection regulations on an ongoing basis during the innovation work.
  • Continuous and structured cross-functional collaboration is required between the actors – lawyers, technicians and managers – that participate in the innovation work.

The tool, (in Swedish only), is available here.

Discussion papers

Health research: In Germany, medical research projects are often carried out in more than one federal state. Depending on the research location, different data protection requirements must be observed, according to the Data Protection Conference. Differences exist concerning the admissibility of data processing, (various legal bases), the definition of areas of protection, including patients and relatives, and the permissible purposes of processing. Thus, the regulator is appealing to federal and state legislators to clarify the relevant data protection regulations and is ready to assist.

Legal bases for using AI: The Baden-Württemberg data protection authority published a discussion paper, (in German), on the legal basis for data protection when using AI, and invited public comments. The legal bases mentioned in Art. 6 of the GDPR are generally available to businesses, with legitimate interest being of particular importance, and contract suitable to a certain extent. Finally, the criteria for valid consent could be particularly challenged due to the lack of transparency and traceability of complex AI systems.

Mobility data: The Luxembourg data protection agency adopted an opinion on the creation of a Digital Mobility Observatory under the authority of the government. Its mission will be to provide the data necessary for the planning of infrastructure to fit the changing needs of the population and businesses. The regulator wonders whether the observatory can function without processing personal data, by carrying out mobility studies on anonymised data.

The regulator also doubts that all the processing complies with the principles of necessity and proportionality. The observatory would have access to a series of personal data, such as place of residence, employment status, gender, household composition and income range held by various public administrations. Moreover, even private entities, such as mobile operators, would be obliged to grant access to their data.

EU-US data transfers

Data Protection Review Court: The Biden administration formed the first panel of judges for a new court, mandated by the EU-US Data Privacy Framework. The Data Protection Review Court was created through a presidential Executive Order in 2022. The panel will examine claims brought by individuals in the EU who believe the US government is digitally surveilling them in violation of US laws. The attorney general-appointed special advocate will represent the claims. According to a Politico analysis, the judges have the authority to make binding and final rulings that the intelligence community must follow if they determine a violation.

Enforcement decisions

Non-retroactivity of DPAs: The Belgian data protection agency recently decided on the invalidity of retroactive data processing agreements. The case refers to a public authority and its processor for various infringements of the GDPR, including the lack of a timely signed data processing agreement. These agreements should be in place before any personal data processing activities commence. A clause confirming the retroactive application of the agreement after the application date of the GDPR would not substitute for it, as it prejudices the rights of third parties, such as data subjects. Read the analysis by DLA Piper of the case here.

Outdated TOMs: The Norwegian Labour and Welfare Service was fined approximately 1.7 million euros for various infringements of information security in their IT systems over a long period. This includes a large number of staff working on cases from all over the country, within several service areas, and thus having wide access to highly sensitive data. Additionally, no systematic control of staff use of the IT systems had been established, and the use of the system was largely based "on trust".

Waste disposal: The Dutch regulator imposed a fine of 30,000 euros on a municipality for keeping information about waste from individual households for much longer than necessary. The wheelie bins and tokens for the waste compartments have a chip with a number that is linked to a home address. But the ‘dumping data’ was kept for far too long. Bin data was kept for as long as they were in use and token data was stored for 5 years. That is much longer than necessary to check whether a household exceeds the permitted waste amount. The data retention periods are now shortened to 14 days. The municipality also finally sent information letters about the technology, (in use from 2018).

Compliance audits

Customer data: The UK Information Commissioner's Office assessed the compliance of some major customer-facing employers in the country. Some of the good practice identified was in staff training and disciplinary measures, data minimisation and access controls, and customer complaint mechanisms. For example, Uber Eats allows couriers to view only limited delivery and customer data and the delivery address. If opting for a call, temporary phone numbers appear at both ends to avoid disclosing the actual phone numbers, while messages are sent within the app. After the trip ends or in case of cancellation, the courier loses retrospective access to that data. Read more positive examples here.

Similarly, the Commissioner's Office carried out a consensual audit of Fluent Mortgages Horwich, after a series of complaints from individuals about disclosures of personal data to third parties, and withholding of call recordings. The regulator stated the need for more specific training for those responsible for handling data subject requests and the performance of data protection impact assessments. Also, processing activities may not all be correctly identified. As a result, the company may not have identified a lawful basis for all of their processing.

Data security

Data classification: The US NIST has released for public comment a draft internal report on data classification concepts and considerations for improving data protection. This publication describes a lifecycle that focuses on the high-level phases important to data classification: identify, use, maintain, and dispose of. However, not all data lifecycle phases occur for every data asset. Also, how a data asset is represented can be described in three broad categories: structured, semi-structured, and unstructured.

Once data classifications are assigned, the organisation needs to enforce the data protection requirements. These encompass all of the controls needed to protect each data asset. An example would be: to encrypt the data asset when at rest or in transit, use a data integrity mechanism to detect tampering, allow access by members of a particular group only, and retain the data asset for a fixed period from the date it was acquired. Read more in the original paper.

Catalogue of security measures: Meanwhile the Danish data protection authority published a list of security measures that companies and authorities can consider in various contexts, (in Danish). Many of the measures contain concrete examples based on the regulator's experience, reported data breaches, the EDPB's guidelines and applicable ISO standards. The catalogue has been created in close cooperation between lawyers and IT security consultants and can function as a reference paper. Many measures can be implemented as part of the privacy-enhancing functions that support data protection in IT systems. However, the final assessment of necessary measures is always made by the organisation based on a concrete risk evaluation.

Big Data

Healthcare data for sale: In the US, the University of Iowa Hospitals & Clinics is in settlement negotiations with a woman who alleges the hospital shared confidential patient information with Facebook. It allegedly installed on its websites two sets of computer code that track the online activity of people. That information then could be shared with Facebook, linked to the individual account, and sold to marketers who can then target the individual with ads tailored to their medical issues. The lawsuit seeks class-action status to represent a broad array of patients.

Meanwhile, in the UK, four organisations are suing NHS England, arguing that it lacks the legal authority to establish the Federated Data Platform (FDP). NHS England caused a stir when it awarded the US espionage tech company Palantir a 330 million pound contract to create and run the FDP for seven years starting in the spring of next year. The platform consists of software that will make information sharing across health service trusts, integrated care systems and regional groupings of trusts much easier. It claims this will enhance patient care, and tackle the current 7.8m-strong total case backlog, The Guardian sums up.

Data protection digest 3 – 16 July 2023: can the new EU-US data privacy framework respect the GDPR to the letter?
https://techgdpr.com/blog/data-protection-digest-17072023-can-the-new-eu-us-data-privacy-framework-respect-the-gdpr-to-the-letter/
Mon, 17 Jul 2023 08:26:07 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

EU-US Data Privacy Framework

Effective Immediately: On 10 July, the European Commission’s decision on the adequacy of the level of data protection in the US within the new data privacy framework entered into force. If an American-based business is on the approved list, you can transfer personal data to it as if it were a European (EEA) business. You still have to follow the other rules in the GDPR, for example having a legal basis for processing or a data processing agreement to share personal data with others.

Self-certification: The new data privacy framework enables US organisations to make self-certification submissions and, as applicable, submissions under the UK and/or Swiss extensions, and enables participating organisations to make their annual re-certification submissions, (organisations self-certified under the invalidated Privacy Shield framework must comply with the updated principles, but they do not need to make a separate submission).

Transfer Impact Assessment: Data transfers to the US by the use of EU standard contractual clauses or binding corporate rules are still possible, provided that a Transfer Impact Assessment is made. In this case, state security services' ability to access and use transferred personal data is limited and recognised in the Commission's adequacy decision.

Redress mechanism: The new framework gives European residents a legal remedy and allows them rectification of data collected in an illegal manner. In practice, reportedly, data subjects can file a data breach notification with their national data protection authority, which will be transmitted to the US. The national authority will ensure that the person concerned receives information related to the procedure and the final decision, (either that no breach of US law has been identified or that a breach has been identified and that it has been remedied.) Individuals also will be able to appeal a complaint if needed.

Criticism: Although the new data privacy framework marks a significant step forward, it was criticised by the EDPB and the Parliament as not sufficiently addressing the temporary bulk collection, retention, and dissemination of data by the US intelligence services, the scope of exemptions, the onward transfers, the exercisability of the data subject rights, and the practical functioning of the redress mechanism. Privacy advocacy group NOYB is also ready to newly challenge the framework in court by the end of 2023 or the beginning of 2024.

Legal processes and redress

Procedural rules: The European Commission proposes a new law to streamline cooperation between data protection authorities when enforcing the GDPR in cross-border cases. For example, it will introduce an obligation for the lead Data Protection Authority to send a 'summary of key issues' to their counterparts concerned, identifying the main elements of the investigation and its views on the case. For individuals, the new rules will clarify what they need to submit when making a complaint and ensure that they are appropriately involved in the process. And for businesses, it will clarify their due process rights when a DPA investigates a potential breach of the GDPR. The new law also recognises the importance and the legality of amicable settlement of complaint-based cases.

"Stop", "revoke", "end", and "opt-out": The US Federal Communications Commission proposed guidelines that would allow customers to cancel consent to calls and text messages sent using automated technology "in any reasonable way", allaboutadvertisinglaw.com reports. This includes texts such as "stop," "revoke," "end," and "opt-out." Callers and texters would be unable to limit the ways in which customers might cancel consent. Consumers can revoke via text, voicemail, or email to any phone number or email address where they would expect to contact the sender. A request must be fulfilled within 24 hours of being received. The government is also investigating and soliciting feedback on the present exemptions.

CCPA/CPRA: Businesses that planned to comply with the amended California Consumer Privacy Act this month will now have until spring 2024. After the California Chamber of Commerce demanded that businesses have one year from the adoption of final regulations before enforcement could begin, a state court judge made a last-minute decision to postpone enforcement.

Minors' safety online: On 28 June, the Louisiana Secure Online Child Interaction and Age Limitation Act was signed by the Governor. Notably, the act will require social media companies to withhold certain functions from accounts held by Louisiana residents who are minors, including prohibiting direct messaging with unfamiliar accounts and not displaying advertising and suggested groups, products, posts, services or users to the minor. Further, accounts held by minors will not show up in search results of other accounts unless they were already linked through "friending".

Official guidance

APIs: The French privacy regulator CNIL published technical recommendations on data sharing by Application Programming Interfaces, (in French). All types of sharing of personal data by API, whether open or restricted, and all types of organisations, public or private, are covered by these recommendations. Three categories of actors in API data sharing are defined: data holders, API managers and data reusers. Recommendations are given to each category to guide them towards measures to achieve the desired level of security, but also measures likely to facilitate compliance with data protection principles, (exercise of rights, information obligation). However, it is up to organisations to evaluate their level of risk and apply the appropriate measures.

Google Search: The Danish data protection authority has recently published an advisory on how to have a search result about you deleted from a search engine, (eg, Google or Bing). If you wish to have a search result removed, you must first contact the search engine. This is done most easily through the complaint form. You must specify exactly which search result is in question and why you want the search result in question removed. A number of grounds for the right to erasure are laid down in Art. 17 of the GDPR. If the search engine does not want to remove the search result in question, you still have the option of complaining to the data protection authority, which then assesses whether it is appropriate to investigate the matter.

Research projects: The Danish data protection authority also published new guidance on GDPR-governed role allocation in research projects, (in Danish). It mainly consists of numerous examples of data controllers, data processors and joint data controllers that can arise in practice. In many cases, legal and professional obligations as well as professional standards could mean that the actor in question is prevented from being able to follow a detailed instruction from a business partner. For example, doctors who test a new surgical method as part of a research project will continue to be bound by their medical oath and are obliged to carry out the surgery in the most responsible manner, possibly without providing information or following an instruction that is relevant and necessary according to the trial protocol. Similarly, a laboratory remains subject to professional standards for the analysis of, for example, blood samples. Read the full instructions here.

Lessons learned from reprimands: Looking back at the reprimands issued by the UK Information Commissioner's Office in the past three months, here are three brief lessons for organisations across the public and private sectors to improve their data protection practices:

  • Avoid inappropriate disclosure of personal information by having policies in place and training your staff, (redacting documents properly, correct disposal, avoiding accidental on-screen display of personal information).
  • Respond to information access requests on time, (organisations must respond within one month of receipt of the request. However, this could be extended by up to two months if the request is complex).
  • Deployment of any new apps should take a Data Protection by Design and Default approach from the very start.

Case law

Meta and consent: The CJEU decided that competition authorities can rule on undertakings' GDPR compliance. In the test case, the German cartel office in 2019 ordered Meta to stop collecting users' data without their consent, calling the practice an abuse of market power. According to Art. 6 of the GDPR, there are six legal bases for processing personal data, one of which is consent, but Meta decided to use only the other five legal bases. The need for the performance of the contract with the user may justify the practice only if the processing is objectively indispensable. The CJEU expressed doubts as to whether personalised content and use of the Meta group's own services, like Meta Pixel, fulfil this criterion. For companies to be able to use the 'consent' lawful processing condition they need to demonstrate that a person has 'freely given' that consent. This may be difficult to prove when a company such as Meta holds a dominant position in the market, as people have less choice over what platform they can use.

Big Tech

Google’s Privacy Sandbox: Since 2021, different features have been tested as part of Chrome Beta’s Origin Trials. As a result of these tests, and starting 13 March, some of the users of the standard version of Chrome were asked to enable three new targeting and ad measurement tools – the Privacy Sandbox. As part of the Chrome browser, it consists of a set of Google interfaces, (APIs), accessible by site publishers. These interfaces allow the continuation of targeted advertising, avoiding the technical constraints that could emerge with the end of third-party cookies. Google Chrome users included in the experimental phase are randomly selected and are informed by a specific screen when their browser is launched, asking for their consent to participate. A refusal will not affect navigation: it is still possible for users who have agreed to activate these features to reconsider their choice within the Chrome settings in the “Privacy and Security” tab and then “Privacy Sandbox”.
