CCTV Archives - TechGDPR https://techgdpr.com/blog/tag/cctv/

Data protection digest 1 – 15 Dec 2024: DORA application deadline, new Meta fine, AI impact assessment
https://techgdpr.com/blog/data-protection-digest-18122024-dora-application-deadline-new-meta-fine-ai-impact-assessment/
Wed, 18 Dec 2024 09:37:58 +0000

In this issue, we explore the DORA application deadline and its interference with the GDPR; how to conduct an AI impact assessment or integrate it into your existing privacy risk management processes; what constitutes US-restricted data transfer to countries of concern; and what expectations customers have about their data; a Real-Time Bidding explainer; a Sky Italia telemarketing fine; and a new Meta privacy violation.

Stay up to date! Sign up to receive our fortnightly digest via email.

DORA application deadline

As the Digital Operational Resilience Act will apply from 17 January 2025, the European supervisors have called on financial entities and third-party providers to advance their preparations on the information and communication technology requirements. There are also important interfaces between DORA and the GDPR, in data protection experts’ opinion. Both regulations aim at ensuring data integrity, confidentiality and availability, such as notification of security incidents, risk management, technical and organisational measures, controls and audits. Furthermore, an integrated strategy that considers both data protection and IT security is needed to comply with both regulations. 

Third-country authorities and GDPR certification

The EDPB published guidelines on GDPR Art.48 about data transfers to third-country authorities. The sharing of data with the public authorities in other countries can help collect evidence in the case of a crime, check financial transactions, or approve new medications. The board clarifies how organisations, private and public, can best assess under which conditions they can lawfully respond to such requests. The Board also adopted an opinion approving the Brand Compliance certification criteria concerning processing activities by controllers or processors across Europe. GDPR certification helps organisations demonstrate their compliance with the law and helps people trust the product, service, process or system for which organisations process their data.

More legal updates

US restricted transfers: The Department of Justice has suggested restrictions on cross-border transfers of sensitive personal data to “countries of concern”. The regulation would, among other things, restrict data brokerage transactions that pose significant national security threats to China, Russia, Iran, North Korea, Cuba, and Venezuela, and limit some vendor, employment, and investment arrangements with nations of concern unless they fulfil specified security standards. 

Those adversaries can be interested in biometric and genomic data, health care data, geolocation information, vehicle telemetry information, mobile device information, financial transaction data, and data on individuals’ political affiliations and leanings, hobbies, and interests. In this way, countries of concern can exploit their access to US government-related data or Americans’ bulk sensitive personal data to collect information on activists, academics, journalists, dissidents, and political figures. 

Oregon and several other US states have recently advanced their privacy laws. For instance, the Oregon Consumer Privacy Act applies to all for-profit businesses immediately and to applicable charitable organisations as of 1 July 2025. It provides residents with an opt-out option to a business selling, profiling, and using targeted advertising with their personal information, obtaining a copy, editing any inaccuracies and deleting the personal and sensitive data a business has collected about them.

On January 1, 2025, five more states’ consumer privacy rights laws will take effect – Iowa, Delaware, New Hampshire, Nebraska, and New Jersey.

Customer expectations about their data

The assessment of customer expectations regarding the processing of their data is an essential element in ensuring the lawfulness and transparency of data processing, states the Latvian regulator. Reasonable expectations are what a customer, given their specific relationship with the organisation, the types of data involved and the information available to them, can naturally expect from the processing of their data. A practical approach to assessing expectations would be conducting surveys, interviews and focus group discussions, as well as consulting industry standards and previous experience.

Internal procedures and training

Developing appropriate internal procedures and regular training also helps ensure employees know how to act in supporting the company’s compliance efforts. This may be especially useful when a business expands rapidly, hires new employees, and the number of clients also increases. If non-compliance is detected which could result in a violation of customer data processing and protection, the company, with the help of its data protection specialist, has to prepare an action plan, which may include:

  • conducting internal audits, 
  • reporting immediately to the responsible person, 
  • reviewing and improving legal bases and purposes of processing,
  • reviewing related documentation,
  • corrective measures such as informing data subjects, etc. 

More from supervisory authorities

Machine learning and training data: America’s NIST continues its series of posts about privacy-preserving federated learning, (PPFL). Unlike traditional centralised learning, PPFL solutions prevent the organisation training the model from looking at the training data. Model training is, however, only a small part of the machine learning workflow. In practice, data scientists spend a lot of time on data preparation and cleaning, handling missing values, feature construction and selection. Challenges may result from poor-quality data, or from data maliciously crafted to intentionally reduce the quality of the trained model.

To know more about AI model training, the Spanish regulator AEPD has recently discussed a use case: a single-neuron network that determines whether a person is overweight, compared with a larger network, which allows for more complex classifications but equally can lead to ‘hallucinations’. From a data protection perspective, the question is which one is most appropriate to the context and purpose of the processing operation. For example, the chosen structure may require such a quantity and diversity of data samples that it is not possible to obtain them, or that it is not proportional or legitimate to collect them. In this case, the purpose could not be achieved from the design stage.

Software developers: Italian regulator Garante approved the Code of Conduct which concerns the processing of personal data carried out by companies developing and producing management software. Such software, intended for companies, associations, professionals and public administrations, is used to fulfil tax and social security, welfare and management obligations, drafting financial statements, personnel management and corporate obligations, with a significant impact on aspects relating to the protection of personal data. 

Sky Italia telemarketing fine

The Italian regulator also fined Sky Italia over 840 thousand euros for numerous violations found during telemarketing activities and sending commercial communications. The company carried out marketing activities, by telephone and via SMS, in the absence of adequate checks on the obligations regarding information and consent. Sky did not consult the registration of the users contacted in the public register of oppositions before each promotional campaign.

Some of the users had been contacted based on consent acquired even before the GDPR came into full effect. The documentation of consents acquired from data supply companies also appeared unsuitable to unequivocally demonstrate the will of the interested parties, as Sky stored the details of the consents in editable Excel files. Furthermore, Sky relied on the consent to marketing automatically provided by users during registration on the website and mandatory to use the service offered.

More enforcement decisions

The Irish Data Protection Commission fines Meta 251 million euros. Investigations were launched following a personal data breach, which was reported by Meta in September 2018. It impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. The categories of personal data affected included the user’s full name, email address, phone number, location, place of work, date of birth, religion, gender, posts on timelines, groups of which a user was a member, and children’s personal data. The breach arose from the exploitation by unauthorized third parties of user tokens on Facebook.

CCTV: The Swedish data protection authority fined Granit Bostad Beritsholm AB due to unauthorized camera surveillance in an apartment building. Previously there were cameras at three main entrances, at elevators and apartment doors, as well as in the basement corridor next to the storage room, laundry room and sauna. There were also several cameras in the garage, bicycle storage, garbage room, and at the back of the property.

The company now has to cease the camera surveillance of all places on the property except the garage. The camera signs must contain information about the company’s identity and contact information.

Prison sentence: A motor insurance worker, who led a team dealing with accident claims, has been handed a suspended prison sentence after an investigation by the UK Information Commissioner. The company reported to the regulator that it suspected an employee was unlawfully accessing its systems. The insurers became suspicious due to the higher-than-normal number of claims being processed. An internal investigation found he had featured in 160 of the claims, despite his role not involving the access of claims. The search of the suspect’s home also found he was sending personal data he had accessed by mobile phone to another person. 

AI impact assessment

The Future of Privacy Forum has prepared a detailed guide on how organisations can conduct AI impact assessments. Organisations typically take four common steps: a) initiating an AI impact assessment; b) gathering model and system information; c) assessing risks and benefits; and d) identifying and testing risk management strategies. There is also a trend within organisations to perform multiple assessments at different points in the AI lifecycle, as well as integrate AI impact assessments into existing risk management processes, including those around privacy.

Real-Time Bidding

America’s FTC announced a new enforcement action in which it alleged that the data broker Mobilewalla collected and retained sensitive location information from consumers, often without their consent, and shared those details with third parties to target advertisements. Most of the advertisements we see online often involve a process called “real-time bidding”, (RTB), where publishers, websites, apps, or other digital mediums with ad space to sell, auction off their empty ad space on exchange platforms, and advertisers can bid for that placement.

Big Tech

LinkedIn suspended AI training in Canada: The Privacy Commissioner welcomed the commitment from LinkedIn to pause training of AI models using the personal information from Canadian member accounts. While LinkedIn indicated that it believed that it had implemented its AI model in a privacy-protective manner, the company agreed to engage in discussions with the regulator to ensure that its practices are compliant with Canada’s federal private-sector privacy law. Recently LinkedIn also suspended AI training using UK and EU data. 

The European Data Protection Supervisor is examining the Commission’s compliance regarding the use of Microsoft 365. The Commission could have infringed several provisions of the data protection law for EU institutions, bodies, offices and agencies, including those on transfers of personal data outside the EU/EEA. In its decision of March 2024, the EDPS ordered the Commission to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors, located in countries outside Europe not covered by an adequacy decision. There is also an ongoing court proceeding in the matter. 

AI development: The UK Information Commissioner is urging Generative AI developers to tell people how they’re using their data. This could involve providing accessible and specific information that enables people and publishers to understand what personal data has been collected. Without better transparency, it will be hard for people to exercise their information rights and for developers to use legitimate interests as their lawful basis. The Commissioner also encourages AI firms to get advice from the regulator through the Regulatory Sandbox and Innovation Advice services, as well as from other regulators through the DRCF AI & Digital Hub. 

Data protection digest 5-19 Jul 2024: LLMs and personal data, social media monitoring, differential privacy
https://techgdpr.com/blog/data-protection-digest-22072024-llms-and-personal-data-social-media-monitoring-differential-privacy/
Mon, 22 Jul 2024 10:16:09 +0000

In this issue we highlight SOCMINT as a new standardised procedure, data processing in LLMs and supported AI systems, an updated standard data protection model, third-party tracking technologies in health and care, and much more.

Stay up to date! Sign up to receive our fortnightly digest via email.

LLMs and personal data

The Hamburg Data Protection Commissioner discusses whether Large Language Models store personal data. It distinguishes between an LLM as an AI model, (eg, GPT-4), and as a component of an AI system, (eg, ChatGPT). The mere storage of an LLM does not constitute processing. Thus, data subject rights cannot relate to the model itself. Claims for information, deletion or correction can rather relate to the input and output of an AI system of the responsible provider or operator. 

To the extent that personal data is processed in an LLM-supported AI system, the processing operations must comply with the requirements of the GDPR. This applies in particular to the output of such a system. Similarly, any training that may violate data protection regulations does not affect the legality of using such a model in an AI system. See the full discussion paper here.

The most recent clarifications by the French CNIL on the deployment of Generative AI systems and the official EU AI Compliance Checker might be useful for your organisation. The latter also recommends that you obtain expert legal advice before using AI solutions.

Privacy notice

The UK Information Commissioner encourages people to check how an app plans to use their personal information before they sign up. It is far too easy to just click “agree” when installing a new app. But signing up often involves handing over large amounts of your sensitive personal information, especially with apps that support our health. An organisation that values your privacy will make its privacy notice easy to understand and set out how it will use your personal information, with whom it will be shared, what are the security measures, and whether your data will be deleted when you stop using it. 

CCTV

The operation of CCTV in gym facilities, on the one hand, should aim to ensure the protection of the facilities in question while on the other hand, it should respect the right of customers and employees to protect their privacy, reiterates the Cyprus data protection authority. CCTV can be permitted at a gym entrance/exit, parking space, reception, (only the cashier), and general perimeter of the gym property. 

It is not allowed in the areas where persons exercise, kitchens, restrooms/ changing rooms, and offices. Audio recording is not allowed under any circumstances. Video material must be accessible only from a device which is located within the premises of the gym and to which only the director and/or an authorised person has access. Access to said material, from a personal device and on an ongoing basis, is not permitted. 

More official guidance

EU-US DPF: The EDPB has published the EU-US Data Privacy Framework FAQ for European individuals and businesses: how to benefit from it, how to lodge a complaint and how this complaint should be handled by the EU and US authorities. It also includes what to do before transferring personal data to a DPF-certified company in the US, (data controllers or processors), and self-certification of US subsidiaries of EU/EEA businesses.

DPIA: Industry professionals and interested parties are invited by the Latvian data protection authority DVI to share their thoughts and provide real-world examples of the Data Protection Impact Assessment. It is a procedure by which, through risk inventory, analysis, and evaluation of prospective outcomes, (identifying severity and likelihood), the organisation can identify potential dangers to natural persons that may occur from planned data processing. The DPIA also includes the identification of measures to prevent possible risks. The draft guidance can be read here, (in Latvian).

AI projects sandbox: The Danish data protection authority has selected two AI projects for examination in its sandbox project. One wants to develop an AI insurance assistant for structuring and summarising accident claims, (to determine the degree of injury more quickly than today). The other one is a public-private innovation to develop a solution that will ease the documentation burden for employees in health and care.

Social media monitoring

According to Privacy International, social media monitoring, or SOCMINT, is becoming more common and standardised but is still mostly uncontrolled and inconsistent. One of the most vivid examples is fraud investigations by the UK Department for Work and Pensions. Alongside covert surveillance tactics, the department’s staff guide has an entire section on “Open Source Instructions” on the use of publicly available information.

However, such invisible monitoring goes against or beyond individuals’ reasonable expectations and their possibility to anticipate intrusive examination. 

GDPR in practice

The Fundamental Rights Agency recently published the report “GDPR in practice – the experience of data protection authorities”. All the improvement areas directly or indirectly target the availability of human, financial and technical resources. In particular, underfunded and understaffed authorities are obliged to prioritise complaints handling over other regulatory tasks that the GDPR has entrusted to them – such as promoting awareness and providing advice, undertaking their own investigations and external cooperation.

SDM 3.0

The German Data Protection Conference published the updated Standard Data Protection Model – a method for data protection advice and testing based on uniform objectives, Data Guidance reports. In particular, the model transfers the legal requirements into technical and organisational measures required by the GDPR, which are detailed in the catalogue of reference measures. The SDM is aimed at both the supervisory authorities and those responsible for processing personal data. 

EHDS

In the next couple of years, patients, healthcare providers, and authorised researchers within the EU will start using the European Health Data Space, for which a DLA Piper legal blog provides the standards on the electronic health record system. Interoperability and the logging component are two essential components of the software that make up this records system. Further requirements for conformity can be read in the original analysis.

More legal updates

Dark patterns: The Canadian Privacy Commissioner with other counterparts conducted a review of over 1000 websites and apps, and found that nearly all had at least one deceptive design element that potentially violated privacy requirements. This includes complex and confusing language, interface interference, nagging, obstruction, and forced action, (tricking users into disclosing more personal information to access a service than is necessary). When two or more deceptive design patterns are used together, they can become more effective.

HBNR: Starting in July, the amendments to the US Health Breach Notification Rule went into effect. These now cover health apps and similar technologies not covered by the Health Insurance Portability and Accountability Act. HBNR requires vendors of personal health records and related entities to notify individuals, the Federal Trade Commission, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to notify such vendors and related entities.

Rhode Island became the nineteenth US state overall and the seventh state in 2024 to enact a comprehensive privacy law, The Future of Privacy Forum sums up. The law will take effect starting in 2026. The law includes familiar terminology and core obligations, such as controller/processor responsibilities, rights of access, correction, deletion, portability, express consent for processing sensitive data, and disclosure requirements, but lacks data minimisation requirements or an obligation for controllers to recognize universal opt-out mechanisms. 

Enforcement decisions

Smart cameras in Turin: The Italian regulator Garante sent a request for information to the Municipality of Turin on a new video surveillance system that, reportedly, would also use AI. It would allow municipal police to understand in real-time whether it is necessary to intervene in an emergency or for safety reasons. The Municipality was given 15 days to clarify the advanced features of the camera, and also send a copy of the technical documentation, and the purposes and legal basis of the processing of personal data.

Personal details on the intranet: The Finnish regulator ruled that a company, (a bus operator), did not have the right to publish 300 employees’ personal phone numbers on the intranet. The company argued it is important for drivers to communicate with each other while working. On their work phones they can only call predefined numbers, and sending text messages is blocked. The regulator argued that using a work number between drivers should be a prior communication method. In addition, employees’ data may only be processed by persons whose job duties demand it, such as supervisors or HR. 

Local government data: The UK Information Commissioner issued the London Borough of Hackney council with a reprimand following a cyberattack in 2020 that led to hackers gaining access to and encrypting 440,000 files. The data included residents’ racial or ethnic origin, religious beliefs, sexual orientation, health, economic data, criminal offences, and other data including basic personal identifiers such as addresses. Hackers also deleted 10% of the council’s backup. The systems were disrupted for many months with, in some instances, services not being back to normal until 2022. 

Drugstore visitors’ tracking

The Dutch data protection authority, (AP), has imposed a fine of 600,000 euros on the parent company behind drugstore Kruidvat. The company, (AS Watson BV), tracked millions of visitors of Kruidvat.nl, without their knowledge or permission, and was able to create personal profiles noting which pages they visited, which products they added to their shopping cart and bought, and which recommendations they clicked on.  In the cookie banner on Kruidvat.nl, the boxes to agree to the placement of tracking software were checked by default. Visitors who wanted to refuse them had to go through several steps. 

More data on the use of third-party tracking technologies in the health and care sector can be read here.

Background checks: The province of British Columbia and the Privacy Commissioner of Canada have joined forces to investigate Certn Inc., a business that provides landlords with tenant screening services. They will look at whether Certn complies with the requirements of both the federal Personal Information Protection and Electronic Documents Act and the Personal Information Protection Act of British Columbia, (where the company is based). In particular, it will look at whether the data it gathers, uses, and discloses for tenant screening is sufficiently accurate, complete, and up to date. 

Data security

Differential privacy: The latest US NIST cybersecurity insights discuss protecting trained models in Privacy-Preserving Federated Learning. The techniques must be combined with an approach for output privacy, which limits how much can be learned about individuals in the training data after the model has been trained. 

Differential privacy is the most robust known type of output privacy. To protect against privacy threats, techniques for differentially private machine learning incorporate random ‘noise’ into the model during training. The training data cannot be later recovered from the model because the random noise prevents the machine from remembering details from the training set.

Global IT outage: A Reuters analysis briefly explains the latest cyber outage when CrowdStrike’s software update caused Microsoft Windows to crash. Companies such as CrowdStrike employ cloud-based solutions for virus scanning, early warning systems for possible cyberattacks, and barriers against hackers accessing company networks without authorisation. This time, a conflict appeared between CrowdStrike code and the Windows operating system’s code, which is why certain PCs crashed even after they were rebooted. 

Big Data

Chromebooks: The Danish data protection authority has assessed that 52 municipalities are now complying with its order from January to stop passing on the personal data of school children for unauthorised purposes to Google. There have been adaptations to the contract that ensure that personal data will only be processed following the instructions of the municipalities. The Danish regulator has also asked for the EDPB’s opinion on a final assessment of the data processing chain in the municipalities’ use of Google’s products, (including for maintenance of infrastructure from the supplier’s side).

Oracle reaches 115 mln privacy settlement in the US. The digital files of hundreds of millions of people reportedly containing where they browsed online, where they did their banking, bought gas, dined out, shopped and used their credit cards were allegedly sold by Oracle directly to marketers. The company also agreed in future not to gather user-generated information from URLs of previously visited websites, or text that users enter in online forms other than on Oracle’s websites. 

Data protection digest 2 – 16 June 2023: rules on electronic evidence, explainable AI, and wildcat telemarketing
https://techgdpr.com/blog/data-protection-digest-19062023-electronic-evidence-regulation-explainable-ai-and-wildcat-telemarketing/
Mon, 19 Jun 2023 09:48:45 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

Electronic evidence: The European Parliament voted to adopt new rules on the exchange of electronic evidence by law enforcement authorities to make cross-border investigations more effective. It will allow national authorities to request evidence directly from service providers in other member states, (“production orders”), or ask that data be stored for up to 60 days. Evidence can consist of content data, (text, voice, images, video or sound), traffic data, (timestamps, protocol and compression details, and information about recipients), or subscriber data. Currently, the exchange depends on various bilateral and international agreements on mutual legal assistance, resulting in a fragmented landscape and, often, lengthy procedures. However, authorities can refuse the requests when they have concerns about media freedom or fundamental rights violations in the requesting member state. 

From MiCA to MiCAR: The Market in Crypto Assets Regulation has been published in the Official Journal of the EU and will apply in all EU Member States through 2024. The new rules cover issuers of utility tokens, asset-referenced tokens and so-called ‘stablecoins’. It also covers service providers such as trading venues and the wallets where crypto-assets are held. It ensures that crypto transfers, as is the case with any other financial operation, can always be traced and suspicious transactions blocked. Information on the source of the asset and its beneficiary will have to “travel” with the transaction and be stored on both sides of the transfer.

In addition to the MiCAR, the EU financial digital package contains a Digital Operational Resilience Act, (DORA), that covers crypto-asset service providers as well, and a proposal on distributed ledger technology, (DLT) pilot regime for wholesale uses.

Draft AI Act: The European Parliament also adopted its negotiating position on the Artificial Intelligence Act, and is ready to discuss the final form of the law with the Council and the Commission. MEPs have enlarged the list of AI systems that pose an unacceptable level of risk to people’s safety and would therefore be prohibited, to include:

  • “real-time” remote biometric identification systems in publicly accessible spaces;
  • “post” remote biometric identification systems, with the only exception for serious crime law enforcement;
  • biometric categorisation systems using sensitive data, (gender, race, ethnicity, etc.);
  • predictive policing systems, (based on profiling, location or past criminal behaviour);
  • emotion recognition systems in law enforcement, border management, the workplace, and educational institutions; and
  • untargeted scraping of facial images from the internet or CCTV footage to create facial recognition databases. 

MEPs added exemptions for research activities and AI components provided under open-source licenses. So-called regulatory sandboxes, or real-life environments, will be established by public authorities to test AI before it is deployed, along with an individual’s right to complain and receive information.

CJEU Opinion

Data subject rights: A CJEU Advocate General’s opinion states that a data subject must have judicial recourse available against an independent supervisory authority where they exercise their rights through that authority. In the related case, an individual was refused a ‘security clearance certificate’ by the Belgian National Security Authority because he had participated in various demonstrations in the past. He asked the national supervisory body for police information, (“OCIP”), to identify the controllers responsible for the data processing at issue and to order them to provide him with access to all the information concerning him. The OCIP replied that it had carried out all necessary checks, without providing any further details. Unsatisfied with that answer, the individual brought an action against the OCIP.

The opinion clarifies that, in the above case, the level of information provided by the supervisory authority to the data subject on the outcome of the check may not always be restricted to the minimum statement that all necessary verifications have been carried out, but may vary depending on the circumstances of the case, applying the principle of proportionality. The full legal reasoning on the case is set out in the original opinion.

Official guidance

UK Children’s Code: The latest evaluation report shows that a fifth of UK children are familiar with the code and a third are aware of data privacy due to the implementation of the Children’s Code, (a statutory code of practice since 2020). The code applies to any ISS provider, (including ed-tech products and services), that processes the data of children in the UK, including some organisations that are not based in the UK. For the supervision and enforcement phase, there were initial resource challenges around the integration of Children’s code activities into ‘business as usual’. Also, there could have been greater external expectation management around supervision and enforcement activities, as these were only possible once the transition period ended. Key skill gaps identified included technology professionals lacking awareness of:

  • how ISS providers operate, as well as supporting technology, (eg, age assurance technology);
  • the importance of communication and engagement policies, as without them knowledge and experience embedded within the organisation is lost when a project or phase finishes. Read the full report here.

Input data for triage algorithms: The Spanish data protection authority examined how the performance of a running algorithm can be compromised by inaccurate input data. Its analysis looked at the triage algorithms of the emergency health system, which must optimize resources in order to save lives. The authority suggests that assessment of the algorithm used in the triage processing should be just one part of a wider assessment, including factors such as data gathering operations, data checking, human involvement and the way in which decisions are executed, reviewed and contested.

A lack of definition of the input data could lead to errors or biases that are not part of the algorithm itself. Thus, the accuracy principle should be implemented for the input data, the output data, and even the intermediate data of the whole processing activity. The precise definition of each input data item, (whether gathered directly or indirectly), and its semantics must be set up “by design” and properly documented. Even more importantly, the value range, (“yes/no”, “0 to 10” or “high/medium/low”), should be defined and assessed in the context of the processing.

Explainable AI: The latest analysis by the EDPS states that modern AI models often work as opaque decision-making engines, true black boxes reaching conclusions with little transparency or explanation of how a given result is obtained. Explainable AI, or XAI, focuses on developing AI systems that not only provide accurate predictions and decisions but also make the reasoning behind them understandable. Individuals using XAI would be able to understand the reasoning behind an automated decision and to take the appropriate, and informed, course of action. Obtaining clear information about the behaviour of AI also has an impact on the ability of its users, such as data controllers and processors, to evaluate the risks that this tool may pose to individuals’ rights to data protection and privacy.

DSARs: Guernsey’s data protection authority has published new guidance on data subject access requests, (for data controllers and individuals). One of the most commonly used rights is the right of access, also sometimes referred to as a ‘subject access request’ or ‘data subject access request’. This is where individuals ask what personal data a controller holds about them and why. An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit or to assess performance at work, (except where this information is a trade secret). In short, a DSAR is when an individual asks you:

  • what do you know about me?
  • what do you think about me?
  • what do you think you know about me?
  • what are you doing with all this information? 

Separate guidance for individuals who may wish to make a DSAR explains how to make one, what you should receive back, and what to do if you are not happy with what you receive.

CCTV: Another comprehensive guidance from the Guernsey regulator looks at CCTV use by data controllers, (with exceptions for household, journalistic and artistic activities). It is based on seven principles that require you to do the following:

  • Be clear about how personal information is used, for what purpose and on what legal basis.
  • Use personal information only for specific, explicit and legitimate purposes.
  • Collect no more information than is needed.
  • Make sure personal information is accurate and kept up to date. 
  • Keep information for no longer than necessary. 
  • Keep information secure. 
  • Be responsible and accountable for how personal information is used.

Loyalty programs: What rules should an entrepreneur follow when creating customer loyalty programs? A loyalty program is an additional service, so the initial legal basis, which is the performance of the contract, is not applicable. The customer must give their consent to the processing of their personal data for one or more specific purposes. If the entrepreneur includes the transfer of customer data to other partners as part of the loyalty program, then the customer must not only be informed about it but must also give their consent.

There should be no direct or indirect pressure on the client. The entrepreneur must also take into account that the customer has the right to withdraw their consent to the processing and demand it cease, along with the deletion of all their personal data that is no longer necessary for the performance of the contract.

Enforcement decisions

Wildcat telemarketing and confiscated databases: The Italian data protection authority confiscated databases, for the first time, at two call centre companies allegedly conducting illegal and unregulated telemarketing activities. The operation was conducted by the finance branch of the Special Privacy Protection and Technological Fraud Unit in collaboration with the military. Four companies were fined between 200,000 and 800,000 euros in the operation. The sanctioned companies, through the acquisition of specific illegally-produced lists, contacted tens of thousands of subjects without their having ever given the necessary consent for the processing of their data for marketing purposes, proposing offers from various energy companies.

Clairvoyance consultations: The French privacy regulator has imposed a 150,000 euro fine against KG COM. It collected data excessively, including sensitive data, without prior and explicit consent, and did not sufficiently ensure data security. KG COM operates several websites offering clairvoyance consultations via an online dialogue interface, (chat), or by telephone. The investigation found that: 

  • it systematically recorded all telephone calls between teleoperators and prospects;
  • it kept health data relating to sexual orientation without obtaining consent; 
  • it kept customers’ banking data beyond the time strictly necessary to carry out the transaction, (while the legal basis for the retention of bank data for anti-fraud purposes is a legitimate interest, this does not apply to retention for subsequent purchases, for which the company should have obtained consent);
  • it systematically recorded all conversations for the purposes of service quality control, proof of contract subscription and potential judicial requisitions;
  • it implemented insufficiently strong passwords for user accounts and failed to secure access to them by using HTTP instead of HTTPS;
  • the mechanism it used to encrypt banking data was vulnerable.

Spotify fine: The Swedish privacy authority has reviewed how Spotify handles customers’ right to access their personal data, and fined the company around 5 million euros. Spotify has divided customers’ personal data into different layers. One layer contains the customer’s contact and payment details, which artists the customer follows and the listening history for a certain period of time. If the customer wants more detailed information, for example all technical log files relating to them, it has also been possible to request these from another layer.

The regulator believes that although Spotify releases the personal data the company processes when individuals request it, the company does not inform customers clearly enough about how this data is used by the company. Often, the individual receiving sufficient information is a prerequisite for exercising other rights, for example the right to have incorrect information corrected or removed.

Audits

College group: The UK Information Commissioner’s Office has conducted a consensual audit of the Chichester College Group concerning its data protection measures. Various areas requiring improvement were found, as the college group does not have a complete and fully documented information governance, (IG), policy and framework:

  • the flow of information between the senior management team, the data protection office, the audit and risk committee and other key IG committees and groups has not been finalised,
  • a process that ensures information risks are fully documented and managed throughout the organisation needs to be implemented,
  • there is no ongoing compliance monitoring of staff who are involved in the processing of personal information,
  • the group must ensure that an appropriate written contract is in place with each of its data processors,
  • a central record of data processor contracts and a data processor procurement, due diligence and compliance process need to be finalised.

Data security

Mobile applications: Before installing or starting to use a mobile application, users should familiarize themselves with its privacy notice and rules of use, and carefully evaluate the requested collection of personal data and the permissions sought, states the Lithuanian data protection authority. This information must be available to the user, (on the website that offers the app and in the app itself), even before they enter personal data, grant permissions or create an account. Before using a mobile application, it is important to assess what goals it pursues. For example, when using applications for direct communication, it is possible to restrict access to photos and to the device’s camera.

It is important to note that the permissions granted to mobile applications may be restricted during installation or at any other time chosen by the user. For example, restricting access to location data is also relevant if the user does not need the location functionality at that time. Similarly, it is advisable not to grant social networking, dating and messaging applications permission to access the contacts saved on the user’s mobile device, but instead to add specific persons selected by the user to such an application separately.

2FA: The Office of the Privacy Commissioner in New Zealand recommended that all firms use two-factor authentication to secure the information they store. Any firm should exercise caution by implementing 2FA wherever applicable, as this would be a particularly valuable mitigating argument when defending against regulatory fines and other legal ramifications that may result from a data breach. What is appropriate is determined by the organization’s size as well as the scope and sensitivity of the personal information it holds.

Big Tech

MOVEit cyberattack: According to the Guardian, British Airways, Boots, the BBC, Ofcom, Transport for London and others are probing the potential theft of employees’ personal information following a cyber-attack. It targeted MOVEit software used by Zellis, a payroll provider. Zellis stated that a “small” number of its clients were affected by a vulnerability in the company’s file transfer technology. Microsoft’s threat intelligence team attributed the MOVEit attacks to a group known as Lace Tempest. Names, surnames, employee numbers, dates of birth, email addresses, first lines of home addresses and national insurance numbers might have been among the information compromised in the hack.

AirDrop and Bluetooth restrictions in China: Meanwhile, China is developing new guidelines to govern file-sharing systems such as AirDrop and Bluetooth. Service providers would be required to prevent the spread of harmful and unlawful material, maintain records, and report their discoveries. The Chinese Cyberspace Administration has produced draft regulations on “close-range mesh network services” and initiated a month-long public consultation. When inspections are conducted, service providers would also be required to offer data and technical support to the authorities, including internet regulators and police. Users must also register under their real names. Furthermore, features and technologies that have the potential to mobilise public opinion must be subjected to a security evaluation before they may be deployed.

The post Data protection digest 2 – 16 June 2023: rules on electronic evidence, explainable AI, and wildcat telemarketing appeared first on TechGDPR.

Data protection & privacy digest 18 Apr – 2 May 2023: draft AI legislation finalised, and employers’ compliance in focus https://techgdpr.com/blog/data-protection-digest-03052023-draft-ai-legislation-finalised-and-employers-compliance-in-focus/ Wed, 03 May 2023 07:33:26 +0000 https://s8.tgin.eu/?p=6604


TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

Draft AI Act: The long-discussed AI legislation is expected to go through the full European parliamentary vote in mid-June. Reportedly MEPs, after two years of discussions with stakeholders, have finally reached a common political position. However, it will take a few years for it to be enforced: the EU interinstitutional ‘trilogue’ that comes after parliamentary approval may take a while. 

The most rigorous rules will apply to high-risk systems that could be used for biometric identification, critical infrastructure management, or by large online platforms and search engines, if they create threats to individuals’ health and safety or fundamental rights. The framework includes testing, proper documentation, data quality and human oversight. Extra safeguards are promised when such systems are intended to process special categories of personal data, prioritising instead synthetic, anonymised, pseudonymised or encrypted data.

MEPs also support the idea to put stricter data governance obligations on foundation models, (like ChatGPT), distinguishing them from general-purpose AI. 

MiCA: Meanwhile the Parliament endorsed the EU rules to trace crypto-asset transfers and prevent money laundering, as well as common rules on supervision and customer protection. The “travel rule”, already used in traditional finance, will in the future cover transfers of crypto assets. Information on the source of the asset and its beneficiary will have to follow the transaction and be stored on both sides of the transfer. The rules will not apply to person-to-person transfers conducted without a provider or among providers acting on their own behalf. The end of 2024 or early 2025 will see the full implementation of the framework. 

America’s innovative tech: Existing legal authorities apply to the use of automated systems and innovative new technologies just as they apply to other practices, states the US Justice Department with its federal partners. The US Constitution and federal statutes prohibit discrimination across many facets of life, including education, criminal justice, housing, lending, and voting. It is illegal for an employer to discriminate against an applicant or employee due to their race, religion, gender, age, pregnancy, disability, or genetic information. Firms are also required to destroy algorithms or other work products that were trained on illegally collected data.

Case law

Apartment surveillance: The Estonian supreme court explained the possibility of installing surveillance cameras in an apartment building if some owners do not agree. In the given case, drug gang activity in the building had been spotted, but one owner contested the cooperative’s decision to install the cameras as an intrusion into his privacy and a risk of monitoring. As CCTV processes personal data, a legal basis is necessary according to the GDPR. If an agreement between the owners cannot be reached, the decision can be taken by a majority vote. In this case, there must be a legitimate interest which outweighs the interests or fundamental rights of the apartment owners, (eg, in the given case, a security threat).

However, the court stated, if the installation of cameras is decided by a majority vote at the general meeting, then all apartment owners must be given the opportunity to familiarize themselves with the planned conditions, including a privacy notice for the use of cameras before the meeting. In case of violation of this requirement, the decision of the general meeting would be null and void.

Official guidance

SMEs guide: An organisation not only has to process personal data according to the GDPR, but it also needs to be able to demonstrate its compliance. For this purpose, the EDPB published its Guide for SMEs. It applies whenever you process personal data about your staff, consumers, and business partners. Transparency, data minimisation, respect for individual rights and good security practices are basic precautions for both data controllers and processors. The guide contains visual tools and other practical materials. In addition, it contains an overview of handy materials developed for SMEs by the national data protection authorities.

Employer’s guide: The Irish data protection regulator meanwhile published Data Protection in the Workplace instructions. Employers collect and process significant amounts of personal data on prospective, current and former employees. Although not all organisations are required to have a data protection officer, organisations might still find it useful to designate an individual within their organisation to oversee recruitment data processing. The guide includes explanations and examples of appropriate legal bases, storage periods, fulfilment of data subject requests, employee monitoring technologies, email status, and much more.

Employees’ photos: The Slovenian data protection agency published its opinion regarding the revocation of consent for the publication of employees’ photos on the employer’s social networks. The processing of the employee’s personal data based on their personal consent is permissible only in exceptional cases, due to the obviously unequal position of the employer and the employee. 

Nonetheless, if the circumstances of the employment relationship do not require the production, publication and continued storage of a photograph, the employer should obtain consent, (and provide all the necessary information stipulated in Art. 13 of the GDPR). In this case, the fact that the photos are made public has no effect on the possibility of revoking consent to their publication. Refusal or silence on the part of the manager gives rise to the possibility of lodging a complaint with the data protection authority.

RoPA: A fresh new guide on records of processing activities with some practical examples was issued by the Irish data protection agency. The RoPA should not just be a ‘catch all’ document that refers to other documents; all processing activities should be recorded in sufficient detail, it states. An external reader or an auditor needs to be able to fully comprehend the document. Smaller organisations may not be required to maintain a full RoPA due to their size. However, most organisations will need to record processing activities such as HR and payroll functions. It may be that a simple spreadsheet is sufficient. For more complex organisations, the data controller may opt to use a relational database or one of the RoPA tools available from third-party data protection service providers. 

Online training: During the planning stage of a seminar, explains the Latvian data protection regulator, best practice means writing down and evaluating what kind of data about the event’s visitors is intended to be processed, and for what purposes. Beyond registration data, this can include the participant’s technical data from a device and broadcast and recording of the seminar. The next questions should be what is the applicable legal basis, the types of personal data, and the storage periods necessary to achieve the goal. 

In the case of other (joint) controllers, or processors involved, they must agree among themselves, determine the specific responsibilities and inform the workshop participants. The organizer(s) can include such information in the general privacy policy or develop it separately for each individual seminar. The information must be provided in a concise, transparent, understandable and easily accessible way, (it is considered good practice to have the privacy policy no more than two clicks away from the website’s front page). 

Enforcement decisions

ChatGPT: The temporary ban against OpenAI and its ChatGPT has been lifted by the Italian data protection authority. The platform has introduced the required opt-out option for the processing of users’ data before running the AI chatbot. A number of European regulators are also moving into action. The French data protection authority has announced an investigation of the complaints it has received, and the German regulators want to know if a data protection impact assessment has been conducted. At the same time, Ireland’s regulator advises against rushing into ChatGPT prohibitions that “really aren’t going to stand up”, stressing that it is necessary first to understand a bit more about the technology.

Record number of cases: The Spanish data protection agency published its 2022 report. 15,128 claims were filed, which represents an increase of 9% compared to 2021 and 47% compared to 2020. This figure rises to 15,822 including cross-border cases from other European authorities and the cases in which the agency acts on its own initiative. The areas of activity with the highest amount of fines imposed have been Internet services, advertising, labour matters, personal data breaches, fraudulent contracting and telecommunications. The main way of resolving claims involves their transfer to the data controller, obtaining a satisfactory response for the citizen in an average of less than 3 months, states the report.

Employee’s dismissal: The Danish data protection authority criticised an employer who informed the entire workplace that an employee had been dismissed due to, among other things, cooperation difficulties. The employer’s briefing emails went further than what was necessary for the purpose, namely to inform the relevant persons about the departure. The employer stated that making the reason public was to avoid the creation of rumours. However, the Danish regulator found that consideration for the departing employee weighed more heavily.

Security clearance: The Danish authority also decided against a former security guard who complained that his employer, (Securitas), had passed on information about him to the intelligence services in connection with a security clearance without obtaining consent. However, Securitas insists that all on-call employees are informed of the requirement for security clearance, and the complainant had completed an employment form with a declaration of consent, as his application for security approval would have been rejected if he had not completed, signed and consented to it.

Dark patterns: In Italy, a company that offers digital marketing services was found guilty of having illegally processed personal data. It emerged that in some of the portals owned by the company, “dark patterns” were used which, through suitably created graphical interfaces and other potentially misleading methods, enticed the user to give their consent to the processing of data for marketing purposes and to the communication of data to third parties. In addition, an invitation to click on a link that led to another site to download an e-book had the user’s profile data already recognized and the consent already selected. 

Security evidence logs: For a careless response to a data access request, the Spanish data protection authority fined Securitas Direct España 50,000 euros, according to Data Guidance. The complainant exercised their right of access when their vacation home, for which they had signed a security service contract, was robbed. The data logs from the alarm system were not provided by Securitas Direct, and those that were sent to the complainant were incomplete, out of chronological order, and missing the decryption keys. The logs produced by the alarm system installed in the complainant’s home, stated the regulator, are considered personal data and are thus subject to the right of access.

Data security

Consumers’ personal data: New York’s Attorney General released a guide to help businesses adopt effective data security measures to better protect personal information. The guide offers a series of recommendations intended to help companies prevent breaches and secure their data, including:

  • maintaining controls for secure authentication,
  • encrypting sensitive customer information,
  • ensuring your service providers use reasonable security measures,
  • knowing where you keep consumer information,
  • guarding against automated attacks, and
  • notifying consumers quickly and accurately of a data breach, etc.

Cybersecurity of AI: The European Union Agency for Cybersecurity published an assessment of standards for the cybersecurity of AI and issued recommendations to support the implementation of upcoming AI legislation. AI mainly includes machine learning resorting to methods such as deep learning, logic, and knowledge-based and statistical approaches. However, the exact scope of an AI system is constantly evolving both in the legislative debate on the draft AI Act, as well in the scientific and standardisation communities. 

The assessment is based on the observation that AI, at its core, has a software layer. It follows that what is applicable to software could be applicable to AI. However, this does not mean the work ends there. Other aspects still need to be considered, such as a system-specific analysis to cater for security requirements deriving from the domain of application, and standards to cover aspects specific to AI, such as the traceability of data and testing procedures. Meanwhile, some key recommendations include:

  • establishing a standardised AI terminology for cybersecurity;
  • developing technical guidance on how existing standards related to the cybersecurity of software apply to AI;
  • reflecting on the inherent features of machine learning in AI;
  • considering risk mitigation through the software components associated with AI, reliable metrics, and testing;
  • promoting cooperation and coordination across standards organisations’ technical committees.

Big Tech

VLOPs: The first designations of ‘Very Large Online Platforms and Online Search Engines’ under the Digital Services Act, (and the Digital Markets Act), were made public by the European Commission. As the 19 designated entities each reach 45 million monthly active users, they will be subject to more regulatory requirements: user rights offerings, targeted advertising opt-outs, restrictions on sensitive data and on profiling of minors, as well as improved transparency and risk assessment measures. Within four months of notification, the platforms will have to redesign their services, including their interfaces, recommender systems, and terms and conditions.

Salesforce Community leaks: A large number of businesses, including banks and healthcare providers, are leaking information from their open Salesforce Community websites, a KrebsOnSecurity analysis has discovered. Customers can access a Salesforce Community website in two different ways: through authenticated access, (which requires logging in), and through guest user access, (which does not). It appears that Salesforce administrators may inadvertently give guest users access to internal resources, (payroll, loan amounts, bank account information combined with other data), which could allow unauthorised users to gain access to a company’s confidential information and result in data leaks.


Weekly digest 4 – 10 July 2022: DSA and DMA adopted, setting standards on EU digital service providers https://techgdpr.com/blog/weekly-digest-11072022-dsa-and-dma-adopted-setting-clear-standards-on-eu-digital-service-providers/ Mon, 11 Jul 2022 12:13:25 +0000 https://s8.tgin.eu/?p=5842

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: DSA and DMA, China’s data exporters, ransom payments, CASPs

Last week, the European Parliament adopted the new Digital Services Act (DSA) and Digital Markets Act (DMA), following a deal reached between Parliament and Council. The two bills aim to address the societal and economic effects of the tech industry by setting clear standards for how tech companies operate and provide services in the EU, in line with the EU’s fundamental rights and values. The DSA sets clear obligations for digital service providers, such as social media or marketplaces, to tackle the spread of illegal content, online disinformation and other societal risks. These requirements are proportionate to the size of the platforms and the risks they pose to society. The new obligations include:

  • New measures to counter illegal content online and obligations for platforms to react quickly, while respecting fundamental rights, including the freedom of expression and data protection.
  • Strengthened traceability and checks on traders in online marketplaces to ensure products and services are safe, including random checks on whether illegal content resurfaces.
  • Increased transparency and accountability of platforms, for example by providing clear information on content moderation or the use of algorithms for recommending content, (so-called recommender systems); users will be able to challenge content moderation decisions.
  • Bans on misleading practices and certain types of targeted advertising, such as those targeting children and ads based on sensitive data. So-called “dark patterns” and misleading practices aimed at manipulating users’ choices will also be prohibited.
  • Very large online platforms and search engines, (with 45 million or more monthly users), which present the highest risk, will have to comply with stricter obligations, enforced by the Commission, (preventing systemic risks, independent audits). They will also have to facilitate access to their data and algorithms to authorities and vetted researchers.

At the same time, the DMA sets obligations for large online platforms acting as “gatekeepers”, (platforms whose dominant online position makes them hard for consumers to avoid), on the digital market to ensure a fairer business environment and more services for consumers. To prevent unfair business practices, those designated as gatekeepers will have to:

  • allow third parties to interoperate with their own services, meaning that smaller platforms will be able to request that dominant messaging platforms enable their users to exchange messages, send voice messages or files across messaging apps. This will give users greater choice and avoid the so-called “lock-in” effect where they are restricted to one app or platform;
  • allow business users to access the data they generate in the gatekeeper’s platform, to promote their own offers and conclude contracts with their customers outside the gatekeeper’s platforms.

Gatekeepers can no longer:

  • Rank their own services or products more favourably, (self-preferencing), than other third parties on their platforms;
  • Prevent users from easily un-installing any pre-loaded software or apps, or using third-party applications and app stores;
  • Process users’ personal data for targeted advertising, unless consent is explicitly granted.

Once formally adopted by the Council in July, (DMA), and September, (DSA), both acts will be published in the EU Official Journal and enter into force twenty days after publication. They will start to apply over the course of 2023-2024.

Meanwhile, China’s cyberspace regulator, (CAC), clarified that rules requiring data exports to undergo security reviews would be effective from Sept. 1, the first time it has given a start date for a new regulatory framework that will affect hundreds, if not thousands, of Chinese companies, Reuters reports. The measures, according to Data Guidance’s report, provide the cases in which a data exporter must submit a data exit security assessment to the CAC through the provincial cybersecurity and informatisation department where:

  • the data processor provides important data overseas;
  • the data processor is a critical information infrastructure operator and the data processor processes the personal information of more than 1 million people;
  • the data processor processes the personal information of 100,000 people or the sensitive information of 10,000 people since 1 January of the previous year; or
  • other situations required to declare data export security assessments as provided by the CAC.

The data export security assessment combines prior assessment with continuous supervision, and risk self-assessment with security assessment. In addition, the measures state that a data processor’s pre-assessment should focus on, among other things, the responsibilities and obligations that overseas recipients are subject to, the risk of data being tampered with, destroyed, or leaked, and whether data export contracts fully stipulate the responsibilities and obligations for data security protection. The full legal text, (in Chinese), is available here.

The UK National Cyber Security Centre, (NCSC), and Information Commissioner’s Office, (ICO), say it is incorrect for organisations to assume that a) paying a ransom is the right thing to do and that they do not need to engage with the ICO as a regulator, or b) that paying will earn them reduced enforcement. Both organisations, in a joint statement, therefore advise solicitors not to advise clients to pay ransomware demands should they fall victim to a cyber-attack. Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered a reasonable step to safeguard data.

The European Parliament and Council negotiators also reached a provisional deal on a new bill aiming to ensure that crypto transfers, (like bitcoins and electronic money tokens), can always be traced and suspicious transactions blocked. The legislation is part of the new EU anti-money laundering package and will be aligned with the Markets in Crypto-assets rules, (MiCA). The agreement extends the so-called “travel rule”, already existing in traditional finance, to cover transfers in crypto assets. This rule requires that: 

  • Information on the source of the asset and its beneficiary travels with the transaction and is stored on both sides of the transfer. 
  • Crypto-assets service providers, (CASPs), will be obliged to provide this information to competent authorities if an investigation is conducted into money laundering and terrorist financing.
  • There are no minimum thresholds nor exemptions for low-value transfers, as originally proposed. Regarding protecting personal data, including a name and an address required by the travel rule, negotiators agreed that if there is no guarantee that privacy is upheld by the receiving end, such data should not be sent.
  • Before making the crypto-assets available to beneficiaries, providers will have to verify that the source of the asset is not subject to restrictive measures or sanctions, and there are no risks of money laundering or terrorism financing.

The rules would also cover transactions from so-called un-hosted wallets, (a crypto-asset wallet address that is in the custody of a private user), when they interact with hosted wallets managed by CASPs. In case a customer sends or receives more than 1000 euros to or from their own un-hosted wallet, the CASP will need to verify whether the un-hosted wallet is effectively owned or controlled by this customer. The rules do not apply to person-to-person transfers conducted without a provider, such as bitcoin trading platforms, or among providers acting on their own behalf.

Official guidance: employees location, insurance applications, local authorities, commercial interest vs. consent

The Finnish data protection ombudsman asked service providers in the public sector for a report on use of the location data function in computers used by employees in the municipal sector. The background for the report was a notification of a data security breach filed by a hospital district, when settings that allowed the collection of location data were switched on in employees’ Windows 10 workstations and remote work laptops, although there was no intention to collect the data. As a result, the regulator found that:

  • The hospital district did not have a need required by law for processing employees’ location data.
  • The hospital district did not appropriately review what data it intended to collect. 
  • Since the employees’ location data were unnecessary for the employer and collected unintentionally, these data should not have been processed. In order to ensure data protection by default, the hospital district should have reviewed the basic settings of the system and noticed that the location function was switched on before deploying the workstations. 
  • Since the location function was switched on, employees’ personal data were delivered to Microsoft as well.

The regulator ordered the erasure of any historical data, location logs and other personal data created during use of the location data function. 

The Finnish ombudsman has also investigated the procedures of insurance companies when they request the health information of insurance applicants and insured persons from health care providers in order to determine the insurance company’s liability. Deficiencies were found, especially in the appropriate demarcation of the information requested from the health care provider and in the lawfulness of the processing. The insurance companies justified the processing of the policy applicant’s health data on the grounds of a provision of the data protection law, according to which an insurance institution can process a client’s or claimant’s health data that is necessary to determine the liability of the insurance institution.

The regulator states that the provision of the data protection law in question only applies to the processing of the data of the insured and the claimant. Insurance companies cannot process the insurance applicant’s health information or request personal information from the health care provider during the insurance application phase, based on the regulations, because the contract has not yet been concluded. It is possible to process health data under certain conditions if the person has given valid consent. However, it requires that the person is told precisely what information is collected about them and for what purposes it is used. Asking for consent in a general way without detailing the information and purposes of use therefore does not meet the requirements of the data protection regulation.

The French data protection regulator CNIL published a guide on the obligations and responsibilities of local authorities with regard to data protection. The study was conducted at the end of 2021. Focusing on communities smaller than 3,500 inhabitants, which represent 91% of municipalities in France, this study aimed to understand digital usage, identify risks/obstacles and data needs. It appeared that the majority of respondents are not aware of the legal framework in force, with the exception of the GDPR. The provisions relating to competences and responsibilities in the field of digital security are little or not known to local elected officials and territorial agents, who consider cybersecurity regulations to be particularly complex.


The purpose of this guide is to inform local elected officials and territorial agents about the obligations related to: a) the protection of personal data; b) the implementation of local teleservices; c) hosting of health data. This guide also recalls the different types of legal liability to which local authorities and their public institutions are exposed in the event of cyberattacks and damage related to: administrative responsibility, civil liability, criminal liability.

The European Commission says that the Dutch data protection authority AP is hindering free enterprise in the EU by interpreting privacy legislation too strictly. The legal battle refers to the dispute between the AP and the streaming service VoetbalTV. The service broadcast video images of amateur matches via the internet for, among others, players, trainers and fans. More than 150 clubs used it, until the AP imposed a fine of 575,000 euros on the service in 2019. VoetbalTV then went bankrupt.

According to the AP, the profit motive of the company could never constitute a ‘legitimate interest’ for the broadcasting of the images without the individual consent of players and the public. According to Brussels, the Dutch supervisory authority did not strike the right balance between the right to data protection on the one hand and the freedom of undertaking on the other. Additionally, in 2020, a Dutch court reportedly ruled that VoetbalTV did not have to pay the fine, as personal data may sometimes also be processed when there is only a commercial interest. The AP had appealed against this decision.

Investigations and enforcement actions: website security, data protection requests, employment certificate, cookies, account deletion, health data

As part of one of its priority themes, “the cybersecurity of the French web”, the CNIL has carried out a series of online checks of twenty-one websites of French public sector bodies, (municipalities, university hospitals, ministries, etc.), and the private sector, (e-commerce platforms, IT solution providers, etc.). The checks revealed mainly the following technical and organisational flaws:

  • unsecured (HTTP) access to websites; many of the bodies checked also used obsolete versions of the TLS protocol to protect data in transit, or non-compliant certificates and cipher suites for exchanges with the servers of the checked sites;
  • lack of mechanisms to trace abnormal connections to servers;
  • use of insufficiently robust passwords, and password renewal procedures that do not sufficiently secure their transmission and storage.

The bodies on notice have a period of three months to take any measure to ensure an appropriate level of security.
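The flaws the CNIL lists above map onto settings an operator can verify before a regulator does. The block below is an added example, my code rather than the CNIL’s tooling: it builds a hardened Python `ssl.SSLContext` and audits protocol floor, cipher suites, certificate validity window and plain-HTTP redirection. The baseline (TLS 1.2 minimum, forward-secret AEAD suites, a 14-day renewal window, HSTS on HTTPS responses) is one I assume, the certificate and HTTP responses are constructed samples, and the `audit_*` names are mine.

```python
import ssl
import time

# Baseline I assume for the checks below (not the CNIL's published criteria).
MIN_TLS = ssl.TLSVersion.TLSv1_2
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"  # forward-secret AEAD suites (OpenSSL syntax)
RENEWAL_WINDOW_SECONDS = 14 * 86400


def build_hardened_context():
    """Server context meeting the baseline: TLS >= 1.2 and forward-secret AEAD ciphers only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def _forward_secret(name):
    # TLS 1.3 suites (TLS_*) always use ephemeral key exchange; TLS 1.2 suites must say (EC)DHE.
    return name.startswith("TLS_") or "ECDHE" in name or "DHE" in name


def _aead(name):
    return any(tag in name for tag in ("GCM", "CHACHA20", "CCM"))


def audit_tls_settings(min_version, cipher_names):
    """Findings for a server's lowest negotiable protocol version and its cipher list."""
    findings = []
    if min_version < MIN_TLS:
        label = getattr(min_version, "name", min_version)
        findings.append(f"obsolete TLS versions accepted (minimum is {label})")
    for name in cipher_names:
        if not _forward_secret(name):
            findings.append(f"cipher without forward secrecy: {name}")
        elif not _aead(name):
            findings.append(f"non-AEAD cipher: {name}")
    return findings


def audit_context(ctx):
    """Audit a live SSLContext by reading its configured floor and enabled ciphers."""
    return audit_tls_settings(ctx.minimum_version, [c["name"] for c in ctx.get_ciphers()])


def audit_certificate(cert, now=None):
    """cert: dict in the shape returned by SSLSocket.getpeercert(); checks the validity window."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = []
    if now > not_after:
        findings.append("certificate expired")
    elif not_after - now < RENEWAL_WINDOW_SECONDS:
        findings.append("certificate expires within 14 days")
    if now < not_before:
        findings.append("certificate not yet valid")
    return findings


def audit_http_response(scheme, status, headers):
    """Plain-HTTP endpoints must redirect to HTTPS; HTTPS responses should carry HSTS."""
    headers = {k.lower(): v for k, v in headers.items()}
    findings = []
    if scheme == "http":
        location = headers.get("location", "")
        if status not in (301, 308) or not location.startswith("https://"):
            findings.append("HTTP endpoint served content instead of redirecting to HTTPS")
    elif "strict-transport-security" not in headers:
        findings.append("HSTS header missing")
    return findings


# Constructed samples (not observations from any real site).
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.example"),),),
    "notBefore": "Mar 18 00:00:00 2024 GMT",
    "notAfter": "Jun 18 11:17:29 2025 GMT",
}
LEGACY_CIPHERS = ["AES128-SHA", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print("hardened context:", audit_context(build_hardened_context()) or "no findings")
    print("legacy server:", audit_tls_settings(ssl.TLSVersion.TLSv1, LEGACY_CIPHERS))
    print("certificate:", audit_certificate(SAMPLE_CERT) or "valid")
    print("http:", audit_http_response("http", 200, {"Content-Type": "text/html"}))
```

The `audit_tls_settings` and `audit_certificate` functions take plain values so the same checks can be run over output from a scanner or a certificate inventory; `audit_context` is the hook for auditing the server’s own configuration in place.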

The Finnish company Otavamedia was penalised for shortcomings in the implementation of data protection rights. Between 2018 and 2021, eleven cases concerning Otavamedia were brought to the office of the data protection commissioner. Among other things, the complainants had not received an answer to their requests or inquiries regarding data protection rights. According to the report provided by Otavamedia, some of the data protection requests had not been implemented due to a technical problem with the e-mail control in connection with the change of digital service providers. During the error situation, the messages that arrived in the e-mail box reserved for data protection matters were not forwarded to the customer service staff. The situation was discovered only after the data protection authority’s request for clarification. 

Otavamedia should have taken care to test the e-mail box, as it is the main electronic contact channel for data subjects in data protection matters. Additionally, data subjects could make requests to Otavamedia regarding their own information using a printable form. The person’s signature was required on the form for identification purposes. The regulator considers that with this method of operation, Otavamedia collected an unnecessarily large amount of data for identification purposes. Otavamedia does not process signature information in other contexts, which is why it was not possible, for example, to compare signatures with previously held information.

In the first half of 2022, the Czech office for personal data protection UOOU monitored compliance with the GDPR in connection with the setting of the processing of cookie files by various operators of web portals and pages, based on both complaints received and the monitoring plan. Among the main shortcomings detected by the regulator are: 

  • Use of non-technical cookies without consent.
  • A disproportionately long period of validity of cookies in relation to their purpose.
  • No option to refuse non-technical cookies in the first layer of the cookie bar.
  • Wrong categorisation of cookies.
  • Absence of information about specific cookies used.
  • Consent and refusal buttons for non-technical cookies given different visual prominence.
  • Information about cookies in a foreign language.
  • The cookie bar makes it difficult or impossible to read the website.
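A site operator can test its own first-load behaviour against several of the UOOU findings above. The block below is an added example, my code and not the regulator’s: it parses the `Set-Cookie` headers a page returns before the visitor has made any consent choice, classifies each cookie with an operator-maintained inventory, and flags non-technical cookies set without consent, lifetimes out of proportion to their category, and cookies the inventory (and therefore the cookie notice) does not describe. The inventory, the lifetime ceilings and the header samples are constructed assumptions; the function names are mine.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed: the operator's own cookie inventory (name -> category). A cookie missing
# here is one the cookie notice does not document.
COOKIE_INVENTORY = {
    "JSESSIONID": "technical",      # session state: strictly necessary, no consent needed
    "csrf_token": "technical",
    "cookie_consent": "technical",  # stores the visitor's consent choice itself
    "_ga": "analytics",
    "ad_profile": "marketing",
}

# Constructed ceilings I assume per category (not figures from the regulator's report).
MAX_LIFETIME = {
    "technical": timedelta(days=365),
    "analytics": timedelta(days=395),
    "marketing": timedelta(days=395),
}

# Constructed: Set-Cookie headers captured on first load, before any click on the cookie bar.
FIRST_LOAD_SET_COOKIE = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "_ga=GA1.2.111; Expires=Thu, 04 Jul 2024 00:00:00 GMT; Path=/",
    "ad_profile=seg42; Max-Age=63072000; Path=/",
    "tracker_x=1; Max-Age=31536000; Path=/",
]
CAPTURE_TIME = datetime(2022, 7, 4, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifetime(attrs, captured_at):
    """Lifetime as a timedelta; Max-Age wins over Expires; None means a session cookie."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - captured_at
    return None


def audit_first_load_cookies(headers, captured_at, inventory=COOKIE_INVENTORY, limits=MAX_LIFETIME):
    """Return (cookie name, finding) pairs for cookies set before any consent was given."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        category = inventory.get(name)
        if category is None:
            findings.append((name, "undocumented cookie: not in inventory / cookie notice"))
            continue
        if category != "technical":
            findings.append((name, f"{category} cookie set before consent"))
        life = cookie_lifetime(attrs, captured_at)
        if life is not None and life > limits[category]:
            findings.append((name, f"lifetime {life.days} days exceeds {limits[category].days}-day limit for {category}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_first_load_cookies(FIRST_LOAD_SET_COOKIE, CAPTURE_TIME):
        print(f"{name}: {finding}")
```

Run the same function over the headers captured after the visitor refuses in the first layer: any non-technical cookie still appearing there is the “no option to refuse” finding in practice.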

The Polish supervisory authority UODO was notified of potential irregularities in the processing of personal data by a manufacturing company, (Esselmann Technika Pojazdowa). The company made an informed decision not to notify the supervisory authority of a breach involving an important document of one of its employees, despite letters addressed to it indicating a possible risk to the rights or freedoms of the persons concerned. In the course of the regulator’s explanatory actions, the loss of a document from the personal file of a company employee – an employment certificate – was revealed. The certificate of employment contains a lot of important information about the person, including:

  • the period(s) of employment;
  • the procedure and legal basis for the termination or expiry of the employment relationship;
  • parental and child care leave taken;
  • information on the amount of remuneration and qualifications obtained – at the employee’s request;
  • information on enforcement seizure of remuneration.

Taking the above into account, the Polish regulator imposed a fine of approximately 3,500 euros.

The Irish data protection authority DPC published its recent decision concerning Twitter International Company. In 2019, the complainant alleged that, following the suspension of their Twitter account, Twitter failed to comply with an erasure request they had submitted to it within the statutory timeframe. Further, the complainant alleged that Twitter had requested a copy of their photographic ID in order to action their request without a legal basis to do so. Finally, the complainant alleged that Twitter had retained their personal data following their erasure request without a legal basis to do so.

While the complaint was lodged directly with the DPC by an individual who resides in the UK, the DPC considered that the nature of the data processing operations complained of could have a substantial effect, and that the type of processing meets the definition of cross border processing. As a result, the DPC ordered Twitter, pursuant to Article 58 of the GDPR, to revise its internal policies and procedures for handling erasure requests to ensure that data subjects are no longer required to provide a copy of photographic ID when making data erasure requests, unless it can demonstrate a legal basis for doing so. 

Data relating to health enjoys enhanced protection and, subject to the exceptions provided for by the law, dissemination is prohibited. Administrative transparency cannot violate people’s privacy. For these reasons, the Italian privacy regulator ‘Garante’ sanctioned the Roma local health authority 46,000 euros. It had published in clear text on its website all the names and data relating to the health of the subjects who had requested civic access in 2017 and 2018. In most cases, the documents concerned the health records of the persons concerned, including medical records, disability assessments, tests, technical reports, etc. The first serious violation detected by the Authority, which took action ex officio, was therefore the dissemination of data on the health of the subjects concerned, information relating to both their physical and mental state, including the provision of health care services.

Data security: cybersecurity threat landscape

The European Union Agency for Cybersecurity provided simple steps to map the cybersecurity threat landscape, (CTL). The methodology aims at promoting consistent and transparent threat intelligence sharing across the EU, (including but not limited to public bodies, policy makers, cybersecurity experts, industry, vendors, solution providers, SMEs). The framework is based on the different elements considered when performing a cybersecurity threat landscape analysis. It therefore includes the identification and definition of the process, the methods and tools used, as well as the stakeholders involved. Building on the existing modus operandi, this methodology provides directions on the following:

  • defining components and contents of each of the different types of CTL;
  • assessing the target audience for each type of CTL to be performed;
  • how data sources are collected;
  • how data is analysed;
  • how data is to be disseminated;
  • how feedback is to be collected and analysed.

The methodology consists of six main steps, each with an associated feedback loop: direction, collection, processing, analysis and production, dissemination, and feedback. You can download the full methodology guide here.

Big Tech: Apple’s new lockdown mode, Chinese CCTV in UK

Apple’s latest iOS 16 security tool can defend against a state-sponsored cyberattack on your iPhone, cnet.com reports. In short, the new Lockdown Mode increases security on iOS 16, iPadOS 16, and macOS Ventura by limiting certain functions that may be vulnerable to attack:

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.
  • Configuration profiles cannot be installed, and the device cannot enrol into mobile device management, (MDM), while Lockdown Mode is turned on.

Meanwhile, a cross-party group of UK MPs has called for a ban on two Chinese surveillance camera brands widely used in Britain, according to Yahoo News. The AI-enabled cameras are capable of facial detection, gender recognition and behavioural analysis and offer advanced features such as identifying fights or whether someone is wearing a face mask. The two brands — Hikvision and Dahua — are widely used by government bodies in the UK, by 73% of councils across the UK, 57% of secondary schools in England, and six out of 10 NHS Trusts. Reportedly, Hikvision and Dahua are now banned from trading in the US over security concerns and evidence of their widespread use in so-called “re-education” camps in China. The MPs’ call for action also includes “an independent national review of the scale, capabilities, ethics and rights impact of modern CCTV in the UK”.

The post Weekly digest 4 – 10 July 2022: DSA and DMA adopted, setting standards on EU digital service providers appeared first on TechGDPR.

Weekly digest May 23-29, 2022: All you need to know about new sets of SCCs in Q&A https://techgdpr.com/blog/weekly-digest-30052022-all-you-need-to-know-about-new-sets-of-sccs/ Mon, 30 May 2022 09:39:37 +0000

The post Weekly digest May 23-29, 2022: All you need to know about new sets of SCCs in Q&A appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: new SCCs, facial recognition technology, DPOs, children’s data

The European Commission has published questions and answers for the two sets of Standard Contractual Clauses, approved last year for data transfers within and outside of the bloc. These Q&As are based on feedback received from various stakeholders on their experience with using the new sets of SCCs in the first months after their adoption. Here are some of them: 

  • Are there specific requirements for the signature of the SCCs by the parties?
  • Can the text of the SCCs be changed? 
  • Is it possible to add additional clauses to the SCCs or incorporate the SCCs into a broader commercial contract?
  • How does the docking clause work in practice? Are there any formal requirements for allowing new parties to accede?
  • In which form should instructions by the controller be given to the processor? 
  • What happens if the controller objects to changes of sub-processors, in the case a general authorisation to the engagement of sub-processors was given?
  • Are there any requirements for filling in the annexes? How detailed should the information be? 
  • Are any specific steps needed to comply with the Schrems II judgment when using the new SCCs? Is it still necessary to take into account the guidance of the EDPB?
  • Does the data importer have to inform individuals about requests for disclosure received from a public authority? What if the data importer is prohibited from providing this information under its national law?
  • Can the SCCs be used to transfer personal data to an international organisation? 

To find answers to these and many other questions, and useful examples, consult the full document by the EC.

The European Data Protection Board welcomes comments on the Guidelines 05/2022 on the use of facial recognition technology in the area of law enforcement. More and more law enforcement authorities apply or intend to apply facial recognition technology, (FRT). It may be used to authenticate or to identify a person and can be applied to videos, (eg, CCTV), or photographs. It may be used for various purposes, including searching for persons on police watch lists or monitoring a person’s movements in public spaces. FRT is built on the processing of biometric data and therefore involves the processing of special categories of personal data. Often, FRT uses components of artificial intelligence or machine learning. While this enables large-scale data processing, it also carries the risk of discrimination and false results. FRT may be used in controlled 1:1 situations, but also in huge crowds and at important transport hubs. You can download the guidance and leave your comments here.

The French Ministry of Labour has published the results of the annual study of the profession of data protection officer, carried out with the support of the data protection regulator CNIL. This survey shows the diversification of profiles and the growing importance of the profession of DPO, the appointment of which is compulsory in certain cases. The main findings are as follows:

  • a positive professional experience: 58% are satisfied with the exercise of their function and 87% are convinced of its usefulness; 67% are strongly motivated to continue in the role;
  • a diversification of profiles: 47% come from areas of expertise other than law and IT, (+12 points since 2019), for example administrative and financial profiles or those related to quality or compliance audits;
  • decreasing training: one third have not taken any IT or GDPR training since 2016, (+7 points), even though more and more of them are neither lawyers nor IT specialists.

This last observation will be studied in particular by the CNIL, which recalls the obligation of data controllers and processors who have appointed a DPO to provide them with the resources necessary to maintain specialised knowledge, (Art. 38.2 of the GDPR). Read the full study, in French, here.

The Irish data protection authority DPC has produced three short guides for children on data protection and their rights under the GDPR. These guides are aimed mainly at children aged 13 and over, as this is the age at which children can begin signing up for many forms of social media on their own. Each of these short guides introduces children to a different data protection right and how to use it. These guides can be read together or separately: 

  • Your Data Protection Rights (full guide)
  • Why are data protection rights important?
  • Knowing what’s happening to your data
  • Getting a copy of your data
  • Getting your data deleted
  • Saying ‘no’ to other people using your data

Legal processes: concept of personal data

An InsidePrivacy.com blog post looked at the recent decision by the EU General Court on whether information not identifying an individual by name constitutes “personal data” under the GDPR. The case concerns an online press release published by the European Anti-Fraud Office, (OLAF), announcing that it had determined that a Greek scientist had committed fraud using EU funds intended to finance a research project.

The press release included information about the scientist, her gender, the fact that she is young, her occupation, and her nationality. It also included a reference to the scientist’s father and the place where he works, as well as the approximate amount of the grant supplied to the scientist, the granting body, the nature of the entity hosting the project, and its geographical location. The release did not include the scientist’s name, the subject matter of the research, or the project’s name. 

The scientist alleged that someone reading it could use the above-mentioned information to identify her using “means reasonably likely to be used” and even explained how this could be done. However, the court decided that the scientist had not sufficiently proven this allegation. Further, the court held that the information the journalists used to identify the scientist, which fell outside the press release, cannot be attributable to OLAF.  For the court to hold OLAF responsible, the scientist would have had to demonstrate that her identification was a result of the press release and did not result from external or additional information. 

Investigations and enforcement actions: Clearview AI, Uber, unlawful use of an email address, not handling an access request, dummy CCTV cameras

The Information Commissioner’s Office, (ICO), has fined Clearview AI Inc 7,552,800 pounds for using images of people in the UK, and elsewhere, that were collected from the web and social media to create a global online database that could be used for facial recognition. The ICO has also issued an enforcement notice, ordering the company to stop obtaining and using the personal data of UK residents that is publicly available on the internet and to delete the data of UK residents from its systems. The ICO found that Clearview:

  • Clearview has collected more than 20 billion images of people’s faces and data from publicly available information on the internet and social media platforms all over the world to create an online database. People were not informed that their images were being collected or used in this way.
  • The company provides a service that allows customers, including the police, to upload an image of a person to the company’s app, which is then checked for a match against all the images in the database.
  • The app then provides a list of images that have similar characteristics with the photo provided by the customer, with a link to the websites from where those images came from.
  • Given the high number of UK internet and social media users, the Clearview database is likely to include a substantial amount of data from UK residents which has been gathered without their knowledge.

Although Clearview no longer offers its services to UK organisations, the company has customers in other countries, so the company is still using the personal data of UK residents. The ICO enforcement action comes after a joint investigation with the Office of the Australian Information Commissioner, which focused on Clearview’s use of people’s images, data scraping from the internet and the use of biometric data for facial recognition. The French regulator CNIL is reportedly also considering a similar fine in the near future. 

Meanwhile, the Italian privacy regulator ‘Garante’ sanctioned Uber for a total of 4,240,000 euros. Uber BV, with a registered office in Amsterdam, and Uber Technologies Inc, with a registered office in San Francisco, are both held responsible, as joint controllers, for the violations committed, which affected over 1.5 million Italian users, including drivers and passengers:

  • Unsuitable, unclear and incomplete presentation, which meant the information given to users was not easy to understand.
  • Data processing without consent.
  • Profiling users on the basis of the so-called “fraud risk”, assigning them a qualitative judgment (e.g. ‘low’) and a numerical parameter (from 1 to 100).
  • Failure to notify the authority, which the Garante discovered during inspections carried out at Uber Italy following a data breach made public in 2017.

The security incident, which occurred before the full application of the GDPR, involved the data of about 57 million users around the world and was sanctioned by the Dutch and UK privacy authorities on the basis of their respective national regulations. The personal information processed by Uber concerned personal and contact data (name, surname, telephone number and e-mail), app access credentials, location data (as it appeared at the time of registration) and relationships with other users (shared trips, friend referrals, profiling information). Finally, the multinational had not complied with the obligation to notify the Authority of the processing of data for geolocation purposes.

The Icelandic supervisory authority fined HEI medical travel agency for unlawful use of an e-mail address and for not handling an access request. The regulator found that an employee at HEI had obtained the complainant’s, and several other doctors’, email addresses by logging into the internal website of the Icelandic Medical Association using the access credentials of a doctor who was related to the employee. HEI used the mailing list to send a targeted email to doctors, including the complainant. In determining the fine (approx. 10,700 euros), the regulator considered that, even though HEI had considered itself authorised to use the list, nothing in the case showed that the company had ascertained the lawfulness of the processing.

Meanwhile, the Norwegian regulator Datatilsynet imposed a fine on an unnamed company for automatically forwarding an employee’s emails, Data Guidance reports. Following a dispute, the employee’s access to email and computer systems was closed, and all emails sent to the employee’s mailbox were automatically forwarded to an email address managed by the general manager; the forwarding continued for approximately six weeks. The stated purpose was to maintain customer relationships, but during that period the general manager handled both work-related and private emails sent to the employee’s mailbox. The regulator found that the employer had no legal basis under the GDPR for the automatic forwarding of the employee’s emails, and noted that the practice also conflicts with the applicable rules on an employer’s access to email boxes and other electronic material.

Finally, the Czech office for personal data protection UOOU published its decision on a complaint, concluding after an investigation that the installation of dummy cameras in a workplace did not violate the GDPR. The UOOU explained it had received a complaint about the installation of a camera system to monitor and control employees. On investigation, the UOOU found that the camera system was not functioning and was in fact a dummy camera, so it did not fall within the remit of the GDPR. However, the regulator suggested that the matter be referred to the competent employment inspectorate for investigation, as it may constitute a violation of employment law.

Data security: data leaks doubled due to cyber-attacks

The Dutch data protection authority AP again measured an explosive increase in the number of reports of data leaks caused by cyber-attacks. This number almost doubled in 2021 compared to the previous year. In total, the AP received almost 25,000 data breach reports in 2021, 9% of which were caused by cyber-attacks, compared with 5% the year before. The AP also noticed that, in the case of ransomware, affected organisations first restore their systems and only much later inform the people concerned. As a result, the damage can become even greater, because the victims can only protect themselves against the consequences much later.

The AP also saw that organisations that have paid a ransom to get their data back after a ransomware attack often do not inform victims about the data breach. They argue that paying the ransom prevented the personal data from being distributed further, because the hackers made commitments to that effect. However, paying a ransom does not guarantee that the hackers will actually delete the data and never sell it on. Finally, data stolen during cyber-attacks is often data that organisations had collected unnecessarily or kept for too long.

As a result, “even if only names and e-mail addresses have been stolen, these data can be used in combination with previously leaked information to gain access to user accounts at, for example, banks or webshops. Criminals can also abuse this type of data to carry out new spam and phishing attacks in a very targeted manner”.

Big Tech: Clearview AI increased sales, Twitter settlement over targeted ads and user data

Facial recognition firm Clearview AI is expanding sales of its software to companies, having previously mainly served the police, according to Reuters. Meanwhile, a number of EU regulators have accused Clearview of breaking privacy laws by collecting online images without consent, and the company this month settled with US rights activists over similar allegations. Clearview AI uses publicly available photos from social media platforms to train its tool, which the company says is highly accurate. The new private-sector offering matches people against ID photos and other data that clients collect with the subjects’ permission, and is meant to verify identities for access to physical or digital spaces. Reportedly, a company selling visitor management systems to schools has signed up for Clearview services as well.

Meanwhile, the US Department of Justice reached an agreement with Twitter that includes a fine of 140 million euros and an order for the social network to better respect the privacy of personal data. Authorities accuse the platform of deceiving its users from 2013 to 2019 by hiding that it was using their personal data to help companies send them targeted advertising. During that period, more than 140 million Twitter users gave phone numbers or email addresses to the US-based service to help secure accounts with two-factor authentication, regulators said. “Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” the FTC chair Lina Khan stated. Twitter also falsely said it complied with the EU-US and Swiss-US Privacy Shield Frameworks at the time, which barred companies from using data in ways that consumers do not consent to.

The post Weekly digest May 23-29, 2022: All you need to know about new sets of SCCs in Q&A appeared first on TechGDPR.
