Automated individual decision-making Archives - TechGDPR
https://techgdpr.com/blog/tag/automated-individual-decision-making/

Data protection digest 18 Jul – 1 Aug 2025: DPO as a value creator and return on investment for companies
https://techgdpr.com/blog/data-protection-digest-4082025-dpo-as-a-value-creator-and-return-on-investment-for-companies/
Published Mon, 04 Aug 2025

The DPO as a value for a company

The French data protection regulator CNIL has studied the economic benefits of the presence of a Data Protection Officer within companies. Statistical analysis shows that it is often profitable, especially for companies taking a positive approach to GDPR compliance. The two most represented sectors were research, IT and consulting, and banking, insurance and mutual insurance companies. There are different types of benefits related to the DPO function – leverage to win calls for tenders, avoidance of sanctions, avoidance of data leaks and rationalisation of data management. Here are some examples:

  • The DPO is the point of contact for the supervisory authority and the persons whose data is processed. As such, they can take charge of organising the processing of people’s requests to exercise their rights so that a complete response is provided within the set deadlines.
  • The DPO contributes to a better knowledge of the company’s information assets. In doing so, their action helps to facilitate the use of data by centralising information and avoiding duplicates or data silos. This makes it easier for teams to access relevant data, which improves the efficiency of internal processes and decision-making.
  • A DPO ensures the main GDPR principles of purpose limitation, data minimisation, and limitation of retention, which leads to operational savings in terms of storage space (as well as fewer entry points for cybercriminals).
  • Finally, DPOs advise companies on the security measures to be put in place and participate in privacy impact assessments. They can carry out checks and audits and alert managers when security flaws are found.

There is also a return on investment in the sense that DPOs who have more time to dedicate to their function have better conditions to ensure the company’s compliance, which reduces the likelihood of being sanctioned. However, these benefits are not received by all companies with DPOs. They are better realised by large companies and by those that are most invested in GDPR compliance and consider compliance as a lever and less as a constraint. The adoption of certain good practices can make it possible to generate economic gains for the DPO function: 

  • Involve DPOs in certain executive committee meetings so they can articulate compliance with the company’s overall strategy.
  • Integrate GDPR compliance with the CSR strategy and the ISS strategy to promote consistent planning and operations.
  • Try to quantify the economic benefits linked to the role of the DPO in the company, informally or through internal consultations.
  • Increase other business lines’ understanding of the importance of compliance concerns in the organisation’s strategy, acknowledge the DPO as a value creator, and coordinate their efforts with those of other departments.

EU-UK data transfers

According to a draft document released by the European Commission on 22 July, the UK maintains an adequate level of protection for EU-UK data transfers under the new Data Use and Access Act 2025 (DUAA), aligning with the EU GDPR and the Law Enforcement Directive. While the scope of the DUAA, which amends the UK GDPR and the DPA 2018, goes well beyond the protection of personal data, it provides for limited changes to several aspects of the data protection regime:

a) the rules on data processing for purposes of scientific research, b) the legal bases for data processing, c) the rules relating to the purpose limitation principle, and d) the conditions for automated decision-making. In addition, the DUAA makes amendments to the governance structure of the ICO. Once implemented, these measures will replace the ICO with a new entity, the Information Commission. The role and functions of the regulator will remain unchanged in the UK. The Act also introduces new enforcement powers for the regulator.

More legal updates

UK children’s data: On 25 July, the Protection of Children Code of Practice for regulated search services came into force, as required under the Online Safety Act 2023. The code imposes specific duties on search service providers to implement measures addressing content that is harmful to children, including requirements for governance and accountability arrangements, search moderation systems, content reporting mechanisms, complaints procedures, user support functionalities, and publicly available safety statements, digitalpolicyalert.org reports. 

EU AI Act provisions: Provisions of the EU AI Act on general-purpose AI models entered into force on 2 August. These mean clearer information about how AI models are trained, better enforcement of copyright protections and more responsible AI development. The Commission has also confirmed that the GPAI Code of Practice, developed by independent experts, is an adequate voluntary tool for providers of GPAI models. Providers who sign and adhere to the Code will benefit from a reduced regulatory burden and increased legal certainty. Providers must comply with transparency and copyright obligations when placing GPAI models on the EU market. Models already on the market must ensure compliance by 2 August 2027.

AI Act implementation in Germany: EU member states were required to designate competent market surveillance authorities to oversee the AI Act by 2 August. This deadline has been missed by Germany, according to the Hamburg Data Protection Commissioner HmbBfDI. The regulator is therefore appealing to the federal government to promptly designate the AI market surveillance authorities stipulated by the AI Regulation, which, at least in some areas, also include the data protection supervisory authorities. Due to the delay, companies and authorities now lack a reliable contact person for questions about the AI regulation. This is also a disadvantage for Germany as a centre of AI innovation.

Web filtering


A web filtering gateway, often referred to as a web proxy, is a device or service used to control and monitor internet access by filtering web content according to predefined policies. Its main role is to block access to certain websites or categories of content for security and compliance reasons.

Web filtering gateways can help organisations meet their data security obligations (Art. 32 of the GDPR). However, they rely on data processing that must itself comply with the GDPR. To that end, the French data protection regulator CNIL opened to public consultation a draft guideline (in French) to promote cybersecurity solutions of this kind that comply with the GDPR, both in their use and in their design. The draft document targets data controllers who, as employers, deploy a web filtering gateway (URL filtering and detection and blocking of malicious payloads) to secure internet browsing on their information system. This applies to the browsing of employees, agents, service providers or external visitors. It does not deal with the use of web filtering gateways by data controllers providing internet access via public Wi-Fi, as is the case with retailers, media libraries or other public or private organisations.

More from supervisory authorities

Human intervention in automated decisions: The Dutch data protection authority AP has developed guidelines for meaningful human intervention in algorithmic decision-making for organisations (in Dutch only). Art. 22 of the GDPR prohibits a decision based solely on automated processing that produces legal effects for data subjects or similarly significantly affects them. For example, if an employee is hindered, or a credit application is assessed under time pressure or with an unclear automated system, this can affect the outcome of the decision. The recommendations have been written as practically as possible to best address the questions organisations have.

Profiling online: The UK ICO prepared a draft of guidelines on Profiling Tools for Online Safety. This guidance applies to any organisations that carry out profiling, as defined in the UK GDPR, as part of their trust and safety processes. It is aimed at user-to-user services that are using, or considering using, profiling to meet their obligations under the Online Safety Act 2023. But it also applies to any organisations using, or considering using, these tools for broader trust and safety reasons. 

However, due to the Data Use and Access Act (DUAA) coming into law on 19 June 2025, this guidance is under review and may be subject to change. 

Data to train AI models

The European Commission presents a template for General-Purpose AI model providers to summarise the data used to train their model (under Art. 53 of the EU AI Act). General-purpose AI models are trained with large quantities of data, but there is only limited information available regarding the origin of this data. The public summary will provide a comprehensive overview of the data used to train a model, list the main data collections and explain other sources used. The template will also help parties with legitimate interests, such as copyright holders, to exercise their rights under Union law, to test particularly powerful models with systemic risk for vulnerabilities and risks, to report serious security incidents, etc.

The template is part of a broader initiative linked to the EU-wide rules for general-purpose AI models kicking in on 2 August 2025. It complements the guidelines on the scope of the rules for general-purpose AI models, published on 18 July, and the General-Purpose AI Code of Practice released on 10 July. Also, France’s CNIL offers a guide on how model makers can best ensure their systems comply (in French). It also suggests solutions for companies to avoid using personal data when training their models.

Public disclosure of personal data


The UK ICO released guidelines for public bodies managing Freedom of Information requests and organisations answering Subject Access Requests, which can involve a lot of personal data. The guidance includes simple checklists and how-to videos, covering topics such as:

  • Deciding on an appropriate format for disclosure to the public
  • Finding various types of hidden personal information, including hidden rows, columns and worksheets, metadata and active filters
  • Converting documents to simpler formats to reveal hidden data
  • Avoiding ineffective techniques for keeping information secure
  • Using software tools designed to help identify hidden personal information (such as Microsoft Document Inspector)
  • Reviewing the circumstances of a breach to prevent a recurrence
  • Removing and redacting personal information effectively

Data protection complaints increase

In the first half of 2025, significantly more people complained to the Lower Saxony State Commissioner for Data Protection about possible data protection violations than in the same period of the previous year. The authority recorded 1,689 data protection complaints from January to June 2025, compared to 1,186 in the same period of the previous year. This represents a sharp increase of approximately 42 per cent. The authority also noted significant increases in complaints from the health, social services, and municipal sectors, as well as from the real estate industry, credit reporting agencies, and the financial sector. One reason for the high number of data breaches and complaints is the increasing digitalisation of business and administration: as more personal data flows, the risk of data protection violations also increases.

Similarly, the Lithuanian regulator VDAI found that in the first half of 2025 most data breaches occurred due to human error, as well as due to actions that normally applied technical and organisational measures cannot protect against, and other reasons (IT system errors, improperly performed programming work, etc.). It also found that a third of data security breaches occurred due to cyber incidents (data encryption and ransomware attacks, unauthorised access to IT systems, social engineering attacks, attacks on login data and brute force attacks, SQL injection and system disruption).

In other news

Temporary password fine: In Croatia, the personal data protection agency imposed an administrative fine of 320,000 euros on HEP-Toplinarstvo (an electric utility company). The agency received a report from a respondent that, when requesting a change of a forgotten password on the HEP District Heating “My Account” portal, the user was sent a temporary password by e-mail which was in fact the last password set by the user. In addition, the passwords of all users of the “My Account” portal (almost 16,000 of them) were stored in the controller’s database in readable form. This meant that the controller knowingly chose a solution that lacked basic data security measures, such as generating a genuinely temporary password or using encryption, did not take into account the risks to the security of personal data, and did not conduct an assessment of the risks of processing users’ data.
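The two failings the Croatian regulator describes, passwords kept in readable form and a "temporary password" that was really the stored password, map onto a small amount of code. The following is an added example written for this digest, not code from HEP-Toplinarstvo or the regulator: it shows the faulty pattern next to a version that stores only salted PBKDF2 hashes and issues a random, single-use, time-limited reset token instead of revealing anything stored. Class and function names, the 15-minute token lifetime and the iteration count are assumptions.

```python
"""Added example: password storage and forgotten-password flow.
Not code from the controller or the regulator; all names are assumptions."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000      # assumed work factor for PBKDF2-HMAC-SHA256
TOKEN_TTL_SECONDS = 15 * 60      # assumed lifetime of a reset token


class PlaintextStore:
    """The pattern described in the case: readable passwords, and the
    'temporary password' is just the stored one, so anyone with database
    or mailbox access learns the user's real secret."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.users[user] = password

    def forgot_password(self, user: str) -> str:
        return self.users[user]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class HashedStore:
    """Hardened version: only hashes are stored, and a forgotten password is
    handled with a random single-use token rather than any stored secret."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.users: Dict[str, str] = {}
        # sha256(token) -> (user, expiry); the raw token is never persisted
        self.reset_tokens: Dict[str, Tuple[str, float]] = {}
        self.now = now

    def register(self, user: str, password: str) -> None:
        self.users[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        return user in self.users and verify_password(password, self.users[user])

    def forgot_password(self, user: str) -> str:
        """Issue a reset token to be sent to the user out of band (e.g. by e-mail)."""
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (user, self.now() + TOKEN_TTL_SECONDS)
        return token

    def reset_password(self, token: str, new_password: str) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)   # pop: a token works once
        if entry is None:
            return False
        user, expiry = entry
        if self.now() > expiry:
            return False
        self.users[user] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = HashedStore()
    store.register("alice", "correct horse battery staple")
    token = store.forgot_password("alice")
    print("stored record:", store.users["alice"][:40], "...")
    print("reset accepted:", store.reset_password(token, "new passphrase"))
    print("old token reusable:", store.reset_password(token, "again"))
```

With `HashedStore` a database dump yields only salted hashes, and the e-mail a user receives contains a token that is useless after one use or fifteen minutes, which is the difference between the controller's solution and the "basic data security measures" the decision refers to.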

McDonald’s fine: The Polish UODO has fined McDonald’s Polska approximately 3.9 million euros after a personal data breach. A file shared in a public directory contained data on the employees of McDonald’s and its franchisees: first and last names, passport numbers, McDonald’s restaurant number, work start date and time, work end date and time, number of hours worked, position, days off, type of day, and type of work.

McDonald’s entrusted the processing of personal data of its restaurant chain’s employees to an external company to manage work schedules. The controller did not have the authority to manage the resources and configuration of the IT system containing the employee schedule module. Only the processor had such authority. At the same time, the provisions of the personal data processing agreement, particularly those related to audits and inspections, were not implemented. The controller failed to exercise proper oversight over the entrusted personal data.

In case you missed it 

Agentic AI: The move to AI assistants and agents risks a sea change in privacy and security, states Privacy International. These services’ usefulness increases with the quantity and quality of the data they have access to, and the temptation will be to lower the friction of data controls to allow the processing of personal data. In one example, ChatGPT’s agent uses ‘connectors’ to interface with third-party applications, such as cloud data stores, calendars, email accounts, etc.

This allows ChatGPT’s agent to search data on those services, conduct deeper analysis, and sync data. This seems analogous to Anthropic’s ‘Model Context Protocol’, which provides context data from applications to LLMs. Consequently, Privacy International is worried that:

  • the AI tools would generate new datasets on you that create new risks
  • could access and share your data at unprecedented levels, and
  • will store this data beyond your reach, across their services and in the cloud.

Bias in AI systems: The Federal Office for Information Security in Germany issued a white paper on Bias in Artificial Intelligence (in German). The term “bias” describes the unequal treatment of individuals or organisations that results from an AI system, which can have various causes. The document outlines bias identification and mitigation as a continuous process. It describes 11 different forms of bias, such as historical bias and automation bias, along with 13 mitigation strategies ranging from pre-processing to post-processing methods, and it highlights bias as a cybersecurity issue that compromises availability, confidentiality, and integrity.

Data protection digest 18 Jan – 2 Feb 2024: social media industry grilled over child safety and mental health
https://techgdpr.com/blog/data-protection-digest-05022024-social-media-giants-grilled-over-child-safety/
Published Mon, 05 Feb 2024

Child safety online was the subject of a sometimes heated US Congressional hearing, forcing CEOs of the biggest American social media giants to apologise to parents of victims. While legislators are struggling to find a legal solution to the crisis, police are finding evidence of children as young as seven being at risk of harm.


Children at risk

Last week, the CEOs of Meta, X, TikTok, Snap and Discord were questioned before the US Congress over alleged harms to young users on their platforms – access to drugs and subsequent overdoses, harassment, grooming and trafficking exploitation, leading in some cases to death. Legislators stated that the industry, through its constant pursuit of engagement and profit, failed to adequately invest in trust and child safety. Executives highlighted controls and tools they have introduced to mitigate harm. 

US legislators are pushing forward legal solutions to the existing crisis through the debated Kids Online Safety Act and anti-CSAM legislation, as well as changes to the COPPA rule. Meanwhile in neighbouring Canada, (British Columbia province), some of the measures have just been enforced.

In the EU, a draft Parliament position was adopted by the LIBE Committee at the end of last year, now awaiting further enforcement. The privacy regulators meanwhile warn about present risks to children and their personal information online. For instance, the Guernsey data protection authority recently identified a local Snapchat group that includes children as young as seven, possibly encouraging them to share explicit images of themselves. The police now advise parents:

  • to have conversations with their children regarding the reputational and long-term risks associated with sharing personal information via such networks, and 
  • ensure children are not using social networks or apps if they’re under the authorised age for those networks/apps, (13 for Snapchat). 

In the UK, the Information Commissioner’s Office also created a toolkit of free resources to promote responsible data sharing to safeguard children and renewed its age assurance opinion, an important part of its world-leading Children’s code, reflecting developments over the past two years. A similar age-assurance design code was passed into law in California in 2022.

Legal updates

Draft AI Act: The draft legislation received a unanimous endorsement from all 27 European Union member states. Negotiations over the shape of the law concluded last December, with the main focus on safeguards for foundation models and the use of facial recognition software. According to Euractiv analysis, the primary opponent of the political agreement was France, which, together with Germany and Italy, asked for a lighter regulatory regime for the powerful AI models that support general-purpose AI systems (to protect domestic start-ups). Nonetheless, the Parliament insisted on the need for strict guidelines for these models. In April, Parliament will hold its final vote on the law.

German employee data protection: DLA Piper’s legal analysis looks at the data protection provisions relating to employees and other workers in Germany. Currently, the area is largely determined by case law, and national legislators are very cautious about using Art. 88 of the GDPR, which allows the adoption of provisions that specify data protection requirements in the employment context. Even more problematic, the relevant provisions of the Federal Data Protection Act (BDSG), after being clarified by the CJEU last year, did not meet the conditions set out in the GDPR. Read more on the envisaged Single Employee Data Protection Act in Germany in the original analysis.

Automated decisions

The Isle of Man data protection commissioner reminds the public of Art. 22 of the GDPR, which provides individuals with the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Such methods may be used only: a) with the explicit consent of the individual; b) if necessary for entering into, or performing, a contract between the individual and the data controller; or c) if authorised by law. The controller must also have safeguards in place to allow individuals to obtain human intervention regarding the decision, to contest it in certain cases, or to express their point of view.

AI checklist

The Bavarian data protection authority for the private sector published a draft ‘Data Protection and AI’ checklist (in German). In addition to a legal basis for the creation of AI models and the operation/use of AI applications, the rights of those affected and other compliance requirements of the GDPR must also be implemented. The data protection risk model must be documented and regularly checked to ensure that it is up-to-date and complete. If necessary, the test points (see them here) can be checked as part of the control activities by the data protection officer.

Software for schools


The Danish supervisory authority has investigated the use of Google Workspace in Danish schools in 53 municipalities. The report considers that the municipalities have had no reason to forward student data to Google for the development and measurement of services, ChromeOS and the Chrome browser. The data protection authority also reminds the municipalities that they should have found out how Google processes the transmitted personal data before implementing the tools. Municipalities now have to bring the processing in line with the rules:

  • Municipalities should no longer pass on personal data to Google for these purposes. This will likely require Google to develop a technical option for the data streams in question to be intercepted.
  • Google must itself refrain from processing the information for these purposes.
  • The Danish Parliament provides a sufficiently clear legal basis for disclosure for these purposes.

A similar investigation on the use of Google’s teaching platform in schools was conducted in Finland in 2021. The decision does not prohibit the use of the educational platform but states that a legal basis must be defined for the processing of students’ data in Google services.

Purpose limitation

How to comply with the principle of purpose limitation? The Latvian data protection authority explains that when your data is transferred to someone else, it is usually done with the confidence that the data will be used for a specific purpose that is clearly understood by you. The principle of purpose limitation is closely related to other principles established in the GDPR, such as the principle of transparency, because only by knowing the specific purpose of data processing can a person understand what to expect within the scope of their data processing. 

Likewise, determining the exact purpose is related to the principles of data minimisation and storage limitation, because the purpose determines how much data is needed to achieve it and how long that data needs to be stored. There is also a connection with the principle of lawfulness, because an appropriate legal basis can only be established for data that is planned to be used for a clearly defined purpose. Before processing for a different purpose, the controller must first assess whether this purpose is compatible with the initial processing, including the following aspects:

  • the connection between the purposes;
  • the context in which data has been collected;
  • nature of data;
  • the consequences that further processing would have for the data subject;
  • the existence of adequate safeguards in both initial and intended subsequent processing operations.


EDPB documentation

The EDPB published a One-Stop-Shop case digest on Security of Processing and Data Breach Notification. The relevant decisions were initially filtered using Art. 32 of the GDPR, (security of processing), as the main legal reference. This article establishes an obligation for both data controllers and data processors to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The analysis of decisions will provide insights into how regulators interpret these obligations in concrete situations, such as how to protect organisations against hacking, how to ensure meaningful and robust encryption, how to build strong passwords, etc. 

The EDPB has launched a website auditing tool that can be used to help analyse whether websites are compliant with the law. It can be used by both legal and technical auditors at data protection authorities, as well as by controllers and processors who wish to test their websites. The tool is Free and Open Source Software under the EUPL 1.2 Licence and is available for download on code.europa.eu. The source code is available here.

Enforcement decisions

Prospect data: The French CNIL fined TAGADAMEDIA (online competition and product testing websites) 75,000 euros. The data collected by brokers is sent to the company’s partners for commercial prospecting. The prospect questionnaire did not allow free, informed and unambiguous consent to be obtained. The highlighting of the button allowing users to give their consent contrasted with the one allowing users to refuse consent, which also featured an incomplete text of reduced size, alongside a strong encouragement for users to agree to the transmission of their data to partners.

Insurance companies: An administrative court in Finland upheld the data protection commissioner’s decisions on the handling of health data by insurance companies. In some situations, insurance companies request personal health information directly from healthcare providers. However, data should be identified and precisely defined, which means only the necessary information from the provider and for the period that is relevant in assessing the insurance company’s liability is required. Also, the insurance applicant’s data from health services cannot be processed before concluding the contract.

Intrusive scientific research: The Italian regulator sanctioned a municipality for conducting two scientific studies, using cameras, microphones and social networks. The projects, financed with European funds, aim to develop technological solutions to improve safety in urban areas. It involved footage from video surveillance cameras already installed in the municipal area, as well as audio obtained from microphones specifically placed on the street. One of the projects also analysed hateful messages and comments published on social media, detecting any negative emotions and processing information of interest to the police. The municipality has not proven the existence of any legal framework for the processing: the data was unlawfully shared with third parties and partners. Furthermore, the anonymisation techniques proved insufficient.

Data breaches

Undetected attacker: The US FTC’s proposed action against Blackbaud alleges that the company’s failure to implement some basic safeguards resulted in the theft of highly sensitive data about millions of consumers, including Social Security numbers and bank account information. South Carolina-based Blackbaud provides a wide variety of data, fundraising, and financial services to more than 45,000 companies, including nonprofits, foundations, educational institutions, and healthcare organisations.

In 2020, an attacker purportedly used a Blackbaud customer’s login and password to access certain Blackbaud databases. The attacker rummaged around undetected for three months until Blackbaud finally spotted a suspicious login on a backup server. By then, the attacker had stolen data from tens of thousands of Blackbaud’s customers, which compromised the personal information of millions of consumers. Blackbaud eventually agreed to pay 24 Bitcoin (valued at about 250,000 dollars) in exchange for the attacker’s promise to delete the stolen data. But Blackbaud hasn’t been able to verify that the attacker followed through.

Data processor supervision: The Danish data protection authority reported Capio A/S to the police for not having supervised its data processors. The private hospital may face a fine of approximately 200,000 euros. In particular, the hospital has not been able to ensure and demonstrate that personal data is processed for legal and reasonable purposes and in a way that ensures sufficient security for the sensitive personal data of the large number of data subjects in question, over several years.

Data security

TOMs: The Swiss data protection authority has revised its guide on technical and organisational security measures, (in English). The guide is primarily intended for people in charge of information systems, whether technicians or not, who are directly confronted with the problem of personal data management. 

Cloud: The French CNIL published factsheets on encryption and data security, (in French). It offers a detailed analysis of the different types of encryption applied to a cloud computing service: encryption at rest, in transit and in-process, and e2ee. The guide also looks at various tools to secure cloud services, (anti-DDoS, WAF, CDN, load balancer), and key vigilance points.

Login: What to do if you detect a credential-stuffing attack? The Lithuanian data protection authority recommends responding quickly and proactively:

  • determining whether the attacker managed to use the available accesses,
  • blocking potential malicious activity,
  • notifying users of an attack and encouraging them to change their passwords,
  • notifying the regulator about the personal data security breach that has occurred,
  • conducting a thorough incident investigation and implementing additional security measures to prevent similar attacks in the future (2FA, automatic attack detection systems, password policy).

Finally, if the attack is systemic or involves multiple platforms, it is recommended to collaborate with other data controllers in analyzing the incident.
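The first two steps on the Lithuanian authority's list, working out whether the attacker got into any accounts and spotting the attack in the first place, are questions an authentication log can answer. The following is an added example written for this digest, not code from the Lithuanian DPA: it distinguishes a credential-stuffing pattern (one source trying many different accounts, each once or twice) from single-account brute force (one source hammering one account), and lists the accounts that logged in successfully from a flagged source and therefore need a forced password change and notification. The log format, field names, thresholds and sample lines are all constructed for the example.

```python
"""Added example (not from the Lithuanian DPA): credential-stuffing and
brute-force detection over authentication logs. Log format and the sample
lines below are constructed; thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample log: "<timestamp> <OK|FAIL> ip=<addr> user=<name>".
# 203.0.113.9 tries many accounts once each (stuffing), 192.0.2.77 hammers
# one account (brute force), 198.51.100.4 is an ordinary mistyped password.
SAMPLE_LOG = """\
2025-01-30T10:00:01Z FAIL ip=203.0.113.9 user=alice
2025-01-30T10:00:02Z FAIL ip=203.0.113.9 user=bob
2025-01-30T10:00:02Z FAIL ip=203.0.113.9 user=carol
2025-01-30T10:00:03Z FAIL ip=203.0.113.9 user=dave
2025-01-30T10:00:03Z OK   ip=203.0.113.9 user=erin
2025-01-30T10:00:04Z FAIL ip=203.0.113.9 user=frank
2025-01-30T10:00:05Z FAIL ip=203.0.113.9 user=grace
2025-01-30T10:00:09Z FAIL ip=198.51.100.4 user=heidi
2025-01-30T10:00:11Z OK   ip=198.51.100.4 user=heidi
2025-01-30T10:03:00Z FAIL ip=192.0.2.77 user=ivan
2025-01-30T10:03:01Z FAIL ip=192.0.2.77 user=ivan
2025-01-30T10:03:02Z FAIL ip=192.0.2.77 user=ivan
2025-01-30T10:03:03Z FAIL ip=192.0.2.77 user=ivan
2025-01-30T10:03:04Z FAIL ip=192.0.2.77 user=ivan
2025-01-30T10:03:05Z FAIL ip=192.0.2.77 user=ivan
"""


class AuthEvent(NamedTuple):
    ts: datetime
    outcome: str   # "OK" or "FAIL"
    ip: str
    user: str


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the constructed format above into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, ip_kv, user_kv = line.split()
        events.append(AuthEvent(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            outcome, ip_kv.split("=", 1)[1], user_kv.split("=", 1)[1],
        ))
    return events


def detect_credential_stuffing(events: List[AuthEvent],
                               window: timedelta = timedelta(minutes=5),
                               min_distinct_users: int = 5) -> Dict[str, int]:
    """Flag source IPs whose failures within any sliding window touch at
    least min_distinct_users different accounts. Returns ip -> peak count."""
    fails_by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        if e.outcome == "FAIL":
            fails_by_ip[e.ip].append(e)
    flagged: Dict[str, int] = {}
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e.ts)
        in_window: Counter = Counter()
        start, peak = 0, 0
        for e in fails:
            in_window[e.user] += 1
            # slide the window's left edge forward past events older than `window`
            while fails[start].ts < e.ts - window:
                old = fails[start].user
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct_users:
            flagged[ip] = peak
    return flagged


def detect_brute_force(events: List[AuthEvent],
                       min_failures: int = 5) -> Dict[Tuple[str, str], int]:
    """Flag (ip, user) pairs with many failures against one account."""
    counts = Counter((e.ip, e.user) for e in events if e.outcome == "FAIL")
    return {pair: n for pair, n in counts.items() if n >= min_failures}


def accounts_to_reset(events: List[AuthEvent], flagged_ips: Set[str]) -> Set[str]:
    """Accounts with a successful login from a flagged source: these are the
    ones to lock, notify and force through a password change."""
    return {e.user for e in events if e.outcome == "OK" and e.ip in flagged_ips}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    stuffing = detect_credential_stuffing(evs)
    print("credential stuffing sources:", stuffing)
    print("brute force pairs:", detect_brute_force(evs))
    print("accounts to reset:", accounts_to_reset(evs, set(stuffing)))
```

The two detectors look at the same failures from different angles: stuffing shows up as breadth (many accounts per source), brute force as depth (many attempts per account), and the legitimate user who mistypes once trips neither. The accounts returned by `accounts_to_reset` are the concrete input to the notification and regulator-reporting steps on the list.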

Cybersecurity program: As cybersecurity threats continue to mount, you need to show improvements over time to your CEO and customers. How do you measure your progress and present it using meaningful, numerical details? America’s NIST offers a Draft Guidance on Measuring and Improving Your Company’s Cybersecurity Program. It is aimed at different audiences within an organisation, from security specialists to the C-suite, and can help organisations move from general statements about risk level toward a more coherent picture founded on hard data.

Big Tech 

Amazon “stalking” employees: The French data protection authority fined Amazon France Logistique 32 million euros for putting employees under constant surveillance. The company manages the Amazon group’s large warehouses in France, where it receives and stores items and then prepares parcels for customer delivery. Each warehouse employee is given a scanner to document the performance of certain tasks in real time. Each scan results in the recording and prolonged storage of data used to calculate employee quality, productivity and periods of inactivity (the “error” margin was set at less than 1.25 seconds between scans or more than 10 minutes of inactivity). The company was also fined for video surveillance without adequate information to employees or sufficient security.

Uber has been fined 10 million euros by the Dutch data protection authority for violating privacy regulations related to its drivers’ data. Uber failed to specify in its terms and conditions the duration for which drivers’ data is retained and the security measures in place, particularly when transferring data to non-European countries. The fine was imposed following a complaint by over 170 French drivers, which was then forwarded to the French data protection authority and subsequently to the Dutch regulator, as Uber’s European headquarters is in the Netherlands.

The post Data protection digest 18 Jan – 2 Feb 2024: social media industry grilled over child safety and mental health appeared first on TechGDPR.

Data protection digest 2 – 17 Dec 2023: scoring of individuals, EU data consolidation, and the ‘Internet of Behaviours’
https://techgdpr.com/blog/data-protection-digest-19122023-scoring-of-individuals-eu-data-consolidation-and-internet-of-behaviours/ (published Tue, 19 Dec 2023 09:05:32 +0000)
In this issue, the EU legislators moved closer to the implementation of a digital data strategy to provide European organisations with the ability to grow and compete globally. Despite the transformative effects, civil societies and cohorts of experts warn that such consolidation of European data can undermine individual data protection rights. EU regulators and courts are trying hard to strike a balance between market power and consumer privacy, as in the case of scoring individuals by debt information agencies.

CJEU decisions

Automated decision-making: The EU top court identified data processing practices by credit information agencies that contradict the GDPR. While the so-called ‘scoring’ of individuals is permitted only under certain conditions, the prolonged retention of information relating to the granting of a discharge from remaining debts is contrary to the GDPR (the case refers to SCHUFA, a private company providing credit information to clients in Germany).

As regards the ‘scoring’ of individuals, the court holds it as an automated individual decision prohibited in principle by the GDPR, in so far as SCHUFA’s clients, such as banks, attribute to it a determining role in the granting of credit. The court also considers that it is contrary to the GDPR for private agencies to keep such data for longer than the public insolvency register. The discharge from remaining debts is intended to allow the data subject to re-enter economic life and is therefore of existential importance to that person. 

Non-material damage: Another decision by the CJEU concludes that the fear of possible misuse of personal data is capable of constituting non-material damage. Nonetheless, courts cannot conclude that the protective measures put in place by the data controller were ineffective if cybercriminals gain unauthorised access to or disclose personal data. The courts must assess the security measures concretely, by taking into account the risks associated with the processing concerned and by assessing whether the nature, content and implementation of those measures are appropriate to those risks. Finally, the controller may be required to compensate the data subjects who have suffered damage, unless they can prove that they are not responsible for that damage. 

EU’s AI act

Agreement reached: On 8 December, the legislative trilogue on the draft AI Act ended and a provisional agreement was reached. AI systems are going to be regulated according to how much risk they pose to society and fundamental rights, including a list of high-risk and prohibited practices, supported by various levels of monetary fines. Limited exceptions will be available for law enforcement purposes. General-purpose AI systems will also be subject to transparency obligations, with additional codes of practice imposed on the most powerful models.

Allocation of GDPR-governed roles: Meanwhile, the German Data Protection Conference demands that the intended AI Act properly allocate responsibilities along the entire AI value chain. This is the only way to protect the fundamental rights of those affected whose data is processed by AI, states the regulator body. Any legal uncertainty in this area would harm citizens, especially small and medium-sized companies, because they must bear the brunt of legal responsibility. The upcoming AI regulation should therefore specify for all those involved – including manufacturers and providers – which requirements they must meet.

EU regulatory updates

Workforce monitoring: The Council and the Parliament have reached a provisional agreement on a proposed directive to improve working conditions for platform workers. In particular, it will help ensure that workers who have wrongly been classified as self-employed have easier access to their rights as employees under EU law. The proposal also establishes the first EU rules on the use of algorithmic systems in the workplace.

Digital labour platforms regularly use algorithms for human resources management. As a result, platform workers are often faced with a lack of transparency on how decisions are taken and how personal data is used. Under the new rules, algorithms would be monitored by qualified staff, who enjoy special protection from adverse treatment. The new law also prevents the processing of certain personal data using automated monitoring or decision-making, including:

  • emotional or psychological state,
  • private conversations,
  • actual or potential trade union activity,
  • racial or ethnic origin, migration status, political, religious beliefs or health status,
  • biometric data, other than data used for authentication.

Youth data protection: The Dutch data protection authority objects to a bill that would lead to large-scale data collection in youth care. The proposal is meant to enable research into the availability of youth care within municipalities. This includes child protection, assistance to young people with psychological problems and the probation service. However, it must be sufficiently clear why a lot of sensitive information from young people and their parents, healthcare providers and municipalities has to be shared in such research. The availability of youth care could be investigated in a way that is much less invasive (eg, random research, distribution of waiting times or development of new statistics).

European Health Data Space

Pros: Both the Parliament and the Council have agreed on their positions on the European Health Data Space (EHDS). The new legislation would make exchanging and accessing health data at the EU level easier. The proposed regulation aims to improve individuals’ access to and control over their electronic health data, while also enabling certain data to be reused for research and innovation purposes, and to foster a single market for digital health services and products. The new rules aim to make it possible for a Spanish tourist to pick up a prescription in a German pharmacy, or for doctors to access the health information of a Belgian patient undergoing treatment in Italy.

Cons: However, several civil groups and experts have already warned about the privacy shortcomings of the cross-border exchange of electronic health data. The Irish Council for Civil Liberties recommends that the EHDS should specify the legal basis consistent with the GDPR and be specific about the allowed purposes of secondary use of electronic health data. It should also further narrow the categories of health data allowed for secondary use to reduce risks to fundamental rights. Another international consortium of experts believes the proposal significantly reduces transparency requirements, in contrast to the GDPR, as it:

  • introduces waivers related to the provision of individual-level information to data subjects;
  • disfavors consent as a legal basis for data sharing;
  • builds up large datasets which may be extensively used for secondary purposes;
  • increases the risk of re-identification.

US privacy updates

FISA 702 short extension: US lawmakers reached a deal to temporarily extend major federal surveillance programs until mid-April, while talks on the future reform of the intelligence powers continue. Section 702 permits the government to conduct warrantless surveillance on any foreign national to gather “foreign intelligence information.” However, communications between Americans and the people under monitoring result in the collection of their data as well. Privacy campaigners warn that reauthorization of the intelligence powers must come with safeguards against abuse.

Opt-out preference signals: Meanwhile, the California Privacy Protection Agency has approved a legislative proposal that requires browser vendors to include a feature that allows users to exercise their California privacy rights through opt-out preference signals. Through an opt-out preference signal, a consumer can opt out of the sale and sharing of their personal information with all businesses they interact with online, without having to make individualised requests to each business. To date, only a limited number of browsers offer native support for opt-out preference signals: Mozilla Firefox, DuckDuckGo, and Brave. Google Chrome, Microsoft Edge, and Apple Safari (which together make up over 90% of the market share) have declined to offer these signals, although these companies are also heavily reliant on advertising business models.

Data subject rights

Right to delete: Every time personal data is processed, the question arises as to how long the data controller may store it. As a starting point, Art. 5 of the GDPR provides the principles of purpose limitation, data minimisation and storage limitation. In addition, data subjects whose personal data has been processed have a right to erasure under Art. 17 of the GDPR, with which they can request the deletion of their data under certain conditions. There are also legal retention and deletion obligations that the controller must comply with. The Liechtenstein data protection agency has put together information on its website (in German) that sheds light on the topic both from the side of the data subject and from the side of the person responsible for data processing.

Employment guidance

The UK Information Commissioner’s Office produced an online resource with topic-specific guidance on employment practices and data protection, with two new pieces of guidance now out for public consultation: a) keeping employment records, b) recruitment and selection. Data protection law applies whenever you process your workers’ personal information. The law does not stop you from collecting, holding and using records about workers. It helps to strike a balance between your need to keep employment records and workers’ right to private lives, explains the regulator. 

Additionally, the labour market supply chain can be complex, with end-to-end recruitment processes often involving several organisations. The use of novel technologies in recruitment processes means that organisations are processing increasingly large amounts of information about people – candidates, prospective candidates, employees, contractors, volunteers or gig and platform workers, referees, emergency contacts, and dependants.

UK-US data transfers

The ICO also offers a guide on how to comply with the rules on restricted transfers of personal data to the US using an Art. 46 UK GDPR transfer mechanism. There are various reasons why you may wish to use one, including:

  • your US recipient is not certified to the UK Extension to the EU-US data protection framework, or the restricted transfer is not covered under your recipient’s certification;
  • none of the eight exceptions set out in Art. 49 of the UK GDPR apply to your restricted transfer;
  • you are making the restricted transfer under UK Binding Corporate Rules, or
  • you or your US recipient uses the Addendum or the International Data Transfer Agreement as the preferred standard transfer mechanism.

You can make restricted transfers to recipients in the US using Art. 46 only if you have first completed a transfer risk assessment. This includes the latest analysis of US laws related to access and use of personal information by US agencies for national security and law enforcement, the circumstances of each transfer, and the commercial practices of you and your recipient. The requirement to complete a transfer risk assessment applies regardless of which mechanism you use or why. 

Investigations

DPO for public services: The Luxembourg data protection regulator CNPD concluded an investigation into the appointment of data protection officers by municipalities. According to Art. 37(1)(a) of the GDPR, any data controller or processor must designate a DPO if “the processing is carried out by a public authority or body, except for courts acting in their judicial capacity”. At the time the investigation was opened (in 2022), 4 out of 6 municipalities had either appointed a DPO or communicated the latter’s contact details to the CNPD. No further corrective measures have been taken, as the municipalities regularised their situation over the course of the investigations.

Enforcement decisions

Google Workspace at school: Meanwhile, in Sweden, a penalty fee was issued against a municipality that had not assessed the impact of using Google Workspace in 24 of the municipality’s schools since autumn 2020. Among other things, the platform was used for students’ feedback on school assignments. The personal data of nearly 6,000 students and 1,300 employees was processed without a proper impact assessment being conducted (Art. 35 of the GDPR). In particular, when the student system was put into use, the municipality relied on an older assessment from 2014, carried out by another municipality on the use of Google solutions in education, which it considered satisfactory.

Employee data requests: The Italian privacy regulator fined Autostrade per l’Italia and Amazon Italia Transport 100,000 and 40,000 euros respectively, for not having given timely and reasoned feedback, not even a denial or deferral, to requests for access to their data presented by some employees and former employees. In the first case, the group requested information on the calculation of their pay slips. When asked for explanations by the regulator, the company said it had not responded so as not to compromise its right to defence in court, as several legal proceedings were underway between the company and the workers regarding the methods of calculating severance pay.

In the case of Amazon, the authority followed the complaint of a former employee about the company’s failure to respond to a request for data relating to his employment relationship. The company had not responded to the request because it was drawn up in a very broad and generic manner. In both cases, the regulator concluded that the data controller should have responded, at least with the reasons for not proceeding with the request or, as in the Amazon case, by asking for more details.

Reprimands

Failed TOMs: Meanwhile, in the UK, Finham Park Multi Academy Trust was reprimanded in respect of Art. 5 and 32 of the GDPR. An unauthorised third party utilised compromised credentials to access and encrypt Finham Park’s systems. 1,843 data subjects were affected by the incident, and the ICO’s investigation found Finham Park did not have adequate account lockout or password policies in place.

The regulator also reprimanded Bank of Ireland UK for mistakes made on more than 3,000 customers’ credit profiles. It sent incorrect outstanding balances on 3,284 customers’ loan accounts to credit reference agencies, organisations that help lenders decide whether to approve financial products. This inaccurate data could have potentially led to these customers being unfairly refused credit for mortgages, credit cards or loans, or granted too much credit on products they were potentially unable to afford.

Data security

IoB and data protection: In its latest TechSonar report, the EDPS explains the privacy concerns behind the so-called ‘Internet of Behaviours’ (IoB). It is described as a “network in which behavioural patterns would have an IoB address in the same way that each device has an IP address in the Internet of Things (IoT)”. An example could be the use of patients’ and employees’ location data in hospitals during the COVID-19 pandemic to identify the behaviours that spread or mitigate the virus.

In general, IoB relies on the collection and processing of data from different IoT devices, such as wearables, smart cameras or Bluetooth and Wi-Fi sensors. Thus, it suffers from transparency and control issues because it often lacks appropriate means to inform its users. Their data collection is seamless and the means to exert control over the processing are limited, states the report.

Password storage: The Italian data protection regulator and the national cybersecurity agency offer new Password Retention Guidelines (in Italian). Too often, identity theft is caused by the use of computer authentication credentials stored in databases that are not adequately protected with cryptographic functions. Stolen data is then used to illicitly enter entertainment sites, social media and e-commerce portals. It can also allow fraudulent access to forums and websites for paid and financial services. The guidelines are aimed at:

  • data controllers or data processors that store the passwords of their users on their systems, where these concern a large number of interested parties (eg, digital identity providers, email service managers, banks, insurance companies, telephone operators, healthcare facilities),
  • subjects who access databases of particular importance or size (eg, public administration employees), or
  • types of users who usually process sensitive or judicial data (eg, healthcare professionals, lawyers, magistrates).
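The weak practice the Italian guidelines warn about, placed beside a hardened form, as an added example that is not from the digest or from the guidelines themselves: a fast, unsalted hash (the kind that makes a leaked credential table cheap to crack offline) next to a salted, deliberately slow, parameterised record with constant-time verification and a check that lets old records be upgraded as the work factor grows. The record format `pbkdf2_sha256$<iterations>$<salt>$<hash>` and the iteration count are assumptions made for this illustration; only Python standard-library functions are used.

```python
"""Storing user passwords: the weak pattern and a hardened one side by side.

Added example (not from the original digest or the Italian guidelines):
the record format and the iteration count are assumptions for the example.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster
SCHEME = "pbkdf2_sha256"


def weak_store(password):
    """The pattern the guidelines warn about: a fast, unsalted digest.

    Identical passwords give identical digests, and a leaked table can be
    attacked offline with precomputed tables at very high guess rates.
    """
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow, self-describing record suitable for storage.

    The salt makes every record unique; the iteration count makes each
    guess expensive; storing both lets verification recompute the digest.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "{}${}${}${}".format(
        SCHEME,
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, iters, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False  # malformed record: never treat as a match
    if scheme != SCHEME:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True if the record was made with a weaker work factor than current policy.

    Call after a successful login, when the plaintext is available, and store
    hash_password(password) so older records are upgraded transparently.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

A practical consequence of the self-describing record: when the iteration count in `ITERATIONS` is raised, nothing stored needs to be touched immediately; `needs_rehash` returns true for the old records, and each is rewritten the next time its owner logs in successfully.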

Big Data

Data breach notification for telecoms: The US Federal Communications Commission adopted rules to modify its 16-year-old data breach notification rules to ensure that providers of telecommunications, interconnected Voice over Internet Protocol, and telecommunications relay services adequately safeguard sensitive customer information. These providers often collect large quantities of sensitive customer data, including the telephone numbers a person has called and mobile phone location data showing the places they have been. The new rules cover certain personally identifiable information that carriers and providers hold concerning their customers and expand the definition of “breach” to include inadvertent access, use, or disclosure of customer information. They also eliminate the mandatory waiting period to notify customers after notification to the commission and law enforcement agencies.

Apple push notification data: Apple says it now requires a judge’s order to hand over information about its customers’ push notifications to US law enforcement, putting the iPhone maker’s policy in line with rival Google, Reuters reports. Smartphone users receive push notifications informing them of fresh messages, breaking news, etc. The servers of Apple and Google handle almost all of these alerts, which places the two companies in a unique position to help government monitoring of users’ usage of certain applications.

Google location data: Meanwhile, Google offers updates on its Location History and new controls coming soon to Maps. For example, when you first turn on Location History, the auto-delete control will be set to three months by default, which means that any data older than that will be automatically deleted. Previously this option was set to 18 months. Also, for users who have chosen to turn Location History on, the timeline will be saved only on their device. Just like before, users can delete all or part of the information at any time or disable the setting entirely.

The post Data protection digest 2 – 17 Dec 2023: scoring of individuals, EU data consolidation, and the ‘Internet of Behaviours’ appeared first on TechGDPR.
