CPRA Archives - TechGDPR
https://techgdpr.com/blog/tag/cpra/

Data protection & privacy digest 16 Dec – 2 Jan 2023: US signals intelligence redress mechanism, “dormant” privacy risk assessment, data brokerage
https://techgdpr.com/blog/data-protection-digest-04012023-us-signals-intelligence-redress-mechanism-dormant-privacy-risk-assessment-data-brokerage/
Wed, 04 Jan 2023 10:06:59 +0000

The post Data protection & privacy digest 16 Dec – 2 Jan 2023: US signals intelligence redress mechanism, “dormant” privacy risk assessment, data brokerage appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: US signals intelligence redress mechanism, Google search results removal, California consumer privacy rights, Australia Privacy Act review

The US Office of the Director of National Intelligence (ODNI) published a directive implementing the signals intelligence redress mechanism created for the proposed EU-US Data Privacy Framework. The directive is one of the steps required before the US adequacy decision, for which the European Commission published a draft just before the end of 2022, can take effect. It governs the handling of redress complaints regarding certain signals intelligence activities and sets out the process by which qualifying complaints may be transmitted by an appropriate public authority in a qualifying state. It also describes the role of the ODNI Civil Liberties Protection Officer in handling a given complaint.

In Sweden, the Supreme Administrative Court rejected Google’s appeal in its case against the Swedish privacy regulator IMY. The judgment has therefore gained legal force and Google must pay a 4.5 million euro fine. In 2020, the IMY fined Google for violating the right to have search results removed. When Google delisted a search result, it notified the owner of the website concerned, via Search Console (formerly Webmaster Tools), of which webpage and which data subject the request concerned. Informing the site owner meant that the personal data was used for a purpose other than the one it was collected for, and the notice Google gave requesters about this practice was misleading and discouraged them from exercising their right to request removal.

California consumer privacy rights expanded on 1 January, although enforcement only begins in July. In 2020, California voters approved Proposition 24, known as the CPRA, which amends the older CCPA’s consumer protections and therefore expands businesses’ obligations. For example, employees, job applicants, owners, directors, officers and contractors were previously largely excluded from the definition of “consumer” and had only limited access rights; they are now covered and gain the full set of rights, including the ability to opt out of profiling, of targeted/cross-context advertising and of automated decision making, and to limit the use and disclosure of sensitive personal information. The new law also provides for regular privacy risk assessments and annual cybersecurity audits for high-risk processing. The private right of action for data breaches caused by a failure to implement reasonable security measures remains, with statutory damages of 100 to 750 dollars per consumer, per incident.

Australian Attorney-General Mark Dreyfus confirmed that the Privacy Act Review has been completed and a final report received by his department. The announcement came shortly after a wave of spectacular data breaches in the Australian corporate sector. The new privacy regime could include a broader definition of personal data, expanded information obligations for organisations, opt-in consent for users, the right to erasure, and increased penalties for serious or repeated data breaches. 

Official guidance: special categories of data, global cookie review, data brokerage, age-appropriate design tests

The Latvian data protection agency DVI issued a reminder of the rules for lawful processing of special categories of personal data. In addition to meeting the general data protection conditions, controllers must remember that processing of such data is prohibited by default and is permitted only where one of the specific exceptions in Article 9(2) of the GDPR applies, for example:

  • a person’s consent, (eg, to receive commercial notices about price discounts for specific goods or services in a pharmacy);
  • social protection rights, (eg, when terminating the employment of a unionised employee, the employer must contact the trade union); 
  • vital interests of a person, (eg, in cases where a person is unconscious and it is necessary to find out his blood group, allergies, etc.);
  • non-profit activity for political, philosophical, religious, or trade union-related purposes, (the personal data is not disclosed outside the said organisation without the consent of the individual);
  • data deliberately made public, (eg, the person has expressed on social networks that they are vegetarian);
  • essential public interests, (eg, information about political party donors must be made public);
  • preventive or occupational medicine, (eg, assessment of the employee’s work capacity, health or social care, or treatment);
  • public health, (eg, to limit the spread of COVID-19);
  • archiving in the public interest, for scientific, historical or statistical purposes.

The French privacy regulator CNIL published guidelines on the commercial use of customer files, (data brokerage). Data controllers must pay attention to which data may be transferred, (only data relating to active customers), and to obtaining the data subjects’ consent for the intended transfer, (eg, via an electronic form). The purchaser must in turn inform the data subjects of the transfer and of the source of the data, (the name of the company that sold the customer file), and must obtain their consent before using the data for electronic commercial prospecting.

Bird&Bird offers the latest Global Cookie Review – the legal and regulatory landscape relating to the expanding use of cookies and similar technologies, country by country. Such regulations often follow a path set by the EU GDPR and ePrivacy Directive. The report also contains Asia Pacific, Latin American, and South African overviews, where similar regulations are often lacking or can be even divergent on transparency and consent requirements. 

The UK Information Commissioner’s Office has published design tests to support designers of products or services that are likely to be accessed by children or young people. Each test provides a report detailing areas of good practice as well as ways to improve conformity with the Age-Appropriate Design Code. This includes “best interests of the child” standards like age authentication, safe default settings, parental controls, enforcement, and data protection impact assessments.

Investigations and enforcement actions: credit rating by mistake, “dormant” risk assessment, “defaulting” customers error, employees’ email metadata, mass grocery purchases monitoring, and workers’ fingerprinting

The Norwegian data protection authority has notified Recover of its decision to fine the company 20,000 euros. The matter concerns a credit rating performed without a legal basis. The background to the fine is a complaint from a private individual who was subjected to a credit assessment without any form of customer relationship or other connection to the above company. A credit rating is established after compiling personal data from many different sources including a person’s overall financial situation, any payment remarks, debt-to-income ratio, and whether the person has any mortgages/liens.

The Norwegian regulator also has given Statistics Norway notice of a decision that involves a ban on their planned collection of data on the Norwegian population’s grocery purchases. Through the collection of bank data and bank transaction data, the organisation planned to obtain information on what the population buys, and then link that to socio-economic data such as household type, income, and education level. The regulator believes that a legal basis, (societal benefit of consumption and diet statistics), is not clear and predictable enough for this planned processing of personal data. Even if the purpose is to produce anonymous statistics, intrusion into the individual’s privacy will occur. 

Italian regulator Garante fined Areti 1 million euros: thousands of users were mistakenly classified as “defaulting” customers and unable to switch to other suppliers. The misalignment of the company’s internal systems led to incorrect data migration to the integrated information database consulted by suppliers before signing a new contract. As a result, more than 47,000 Areti customers wanting to change energy supplier were denied an account activation and any potential savings deriving from market advantages, because they were incorrectly red-flagged. 

Additionally, Garante fined the Lazio Region 100,000 euros for unlawful monitoring of employees’ email metadata. The region launched an internal audit on suspicion of an unauthorised disclosure to third parties of information protected by official secrecy. The metadata of employees’ emails had been collected systematically in advance and stored for 180 days: date, time, sender, recipient, subject, and size of each message. This allowed the region to obtain information about employees’ private lives, such as their opinions or contacts. 

No workplace fingerprinting without a specific legal requirement, ruled Garante, which fined a sports club 20,000 euros. The authority intervened following a report from a trade union, which complained about the company’s introduction of a biometric system despite the union’s request for less invasive means of authentication. For almost four years the company had fingerprinted 132 employees, violating the principles of minimisation and proportionality. It also gave workers very little information about the characteristics of the biometric processing. 

The Romanian data protection authority completed an investigation at the leading retailer Kaufland and issued a fine of 3,000 euros. A video recording showing the complainant in the parking lot of one of the chain’s stores had appeared on the website of a local newspaper. It turned out that the store manager had allowed an employee into the monitoring room, where the employee filmed the recordings being played back with a personal mobile phone and sent the footage via WhatsApp to a third party; an online publication then posted it. As a result, the image and the car registration number of two persons were disclosed.

The EDPB published a case summary on risk assessment and acting on its results. A controller in Poland notified a personal data breach after a break-in at an employee’s apartment in which a laptop was stolen. The confidentiality of the personal data on it was at risk because the laptop was only password protected and its disk was not encrypted. The controller had kept adequate documentation since the GDPR began to apply and had performed a risk assessment, but it was only after the breach that it acted on the results of its own assessment by encrypting laptop hard drives.

Data security: zero trust architecture, IoT onboarding, and lifecycle management

The US NIST National Cybersecurity Center of Excellence has published a draft practice guide on implementing a zero trust architecture and is seeking public comment on its contents. As an enterprise’s data and resources become distributed across the on-premises environment and multiple clouds, protecting them has become increasingly challenging: many users need access from anywhere, at any time, from any device, both on-premises and in the cloud. Comments from industry participants are welcome until 6 February. 

In parallel, NIST is also seeking comments on draft guidance on Trusted IoT Onboarding and Lifecycle Management. Scalable mechanisms are needed to manage IoT devices safely throughout their lifecycle, beginning with secure ways to provision devices with their network credentials, a process known as trusted network-layer onboarding. Combined with additional device security capabilities such as device attestation, application-layer onboarding, secure lifecycle management, and device intent enforcement, this could better protect networks and IoT devices from unauthorised connections.
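To make the onboarding concept concrete, here is an added example (not code from NIST or from this page) that models trusted network-layer onboarding with device attestation and a lifecycle revocation step. Everything in it is assumed for illustration: the device identifiers, the `APPROVED_FIRMWARE` table, the message format, and the use of a per-device symmetric "birth" secret shared with the manufacturer in place of the manufacturer-issued certificates and ownership vouchers that real protocols such as FIDO Device Onboard or BRSKI use. The server checks a fresh attestation before admitting the device, both sides derive the network credential from the birth secret and the exchanged nonces so nothing secret is sent over the wire, and revoking a device withdraws both its credential and its ability to onboard again.

```python
"""Trusted network-layer onboarding with device attestation (simplified model).

Assumptions (illustrative, not from NIST or the page):
  - every device leaves the factory with a per-device "birth" secret that only
    the device and the manufacturer know (stands in for the manufacturer
    certificate and voucher that real onboarding protocols use);
  - the manufacturer gives the network owner an inventory device_id -> secret
    over an out-of-band channel (modelled here as a dict);
  - messages are plain dicts handed directly between the two parties.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Firmware measurements the network owner is willing to admit (constructed).
APPROVED_FIRMWARE = {
    "fw-1.2.0": hashlib.sha256(b"firmware image 1.2.0").hexdigest(),
}


def _mac(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over a domain-separated message built from the parts."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


@dataclass
class Device:
    device_id: str
    birth_secret: bytes
    firmware_image: bytes
    network_credential: Optional[str] = None
    _nonce: str = ""

    def measure(self) -> str:
        """Boot-time measurement of the firmware actually running."""
        return hashlib.sha256(self.firmware_image).hexdigest()

    def hello(self) -> dict:
        self._nonce = secrets.token_hex(16)
        return {"type": "hello", "device_id": self.device_id, "nonce_d": self._nonce}

    def attest(self, challenge: dict) -> dict:
        """Bind the firmware measurement to both nonces under the birth secret."""
        fw = self.measure()
        tag = _mac(self.birth_secret, "attest", self._nonce, challenge["nonce_s"], fw)
        return {"type": "attest", "device_id": self.device_id, "firmware": fw, "tag": tag}

    def finish(self, challenge: dict) -> None:
        """Derive the network credential locally; it never crosses the wire."""
        self.network_credential = _mac(
            self.birth_secret, "netcred", self._nonce, challenge["nonce_s"])


@dataclass
class OnboardingServer:
    inventory: dict                                  # device_id -> birth secret
    revoked: set = field(default_factory=set)
    credentials: dict = field(default_factory=dict)  # device_id -> credential
    _pending: dict = field(default_factory=dict)     # device_id -> (nonce_d, nonce_s)

    def challenge(self, hello: dict) -> dict:
        did = hello["device_id"]
        if did not in self.inventory or did in self.revoked:
            return {"type": "reject", "reason": "unknown or revoked device"}
        nonce_s = secrets.token_hex(16)
        self._pending[did] = (hello["nonce_d"], nonce_s)
        return {"type": "challenge", "nonce_s": nonce_s}

    def verify(self, attest: dict) -> dict:
        did = attest["device_id"]
        pending = self._pending.pop(did, None)  # single use: a replayed attest fails
        if pending is None:
            return {"type": "reject", "reason": "no live challenge"}
        nonce_d, nonce_s = pending
        expected = _mac(self.inventory[did], "attest", nonce_d, nonce_s, attest["firmware"])
        if not hmac.compare_digest(expected, attest["tag"]):
            return {"type": "reject", "reason": "bad attestation"}
        if attest["firmware"] not in APPROVED_FIRMWARE.values():
            return {"type": "reject", "reason": "firmware not approved"}
        self.credentials[did] = _mac(self.inventory[did], "netcred", nonce_d, nonce_s)
        return {"type": "accept"}

    def revoke(self, device_id: str) -> None:
        """Lifecycle step: withdraw the credential and block re-onboarding."""
        self.revoked.add(device_id)
        self.credentials.pop(device_id, None)
        self._pending.pop(device_id, None)


def onboard(server: OnboardingServer, device: Device) -> str:
    """Run the three-message exchange; return 'accepted' or the rejection reason."""
    challenge = server.challenge(device.hello())
    if challenge["type"] != "challenge":
        return challenge["reason"]
    result = server.verify(device.attest(challenge))
    if result["type"] != "accept":
        return result["reason"]
    device.finish(challenge)
    return "accepted"
```

A device whose firmware has been tampered with produces a valid tag over the wrong measurement and is refused by policy rather than by cryptography, which is the division of labour attestation is meant to give; a cloned device without the birth secret fails the tag check; and because the server discards the challenge as soon as it is used, a captured attest message cannot be replayed. In a real deployment the birth secret would be an asymmetric key in a secure element and the inventory would be a manufacturer-signed voucher, but the shape of the exchange is the same.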

Big Tech: face recognition practices by PimEyes, Epic games’ COPPA violations, TikTok apps age rating

The Baden-Württemberg data protection authority announced proceedings against PimEyes, (a face recognition and reverse image search service), DataGuidance reports. Media reports state that PimEyes crawls the internet for images of faces, extracts individual characteristics and stores the resulting biometric data without a proper legal basis, a disclosed data sharing model, or valid opt-out options. A data subject should be able to agree to the processing of personal data relating to them in an informed and unambiguous manner; in the case of automated retrieval of images from the internet, these requirements cannot be met. Equally, a private company such as PimEyes cannot undertake police investigative work in the public interest or interfere with the rights of data subjects on that basis.

US video game maker Epic will pay a total of 520 million dollars: a 275 million dollar penalty over allegations that it violated the children’s privacy law, (COPPA), and 245 million dollars in refunds to users it tricked into making unwanted charges for in-game items, (eg, costumes and dance moves). Epic’s Fortnite game has more than 400 million users worldwide. The company will be required to adopt strong privacy default settings for children and teens, (including parental notice and consent requirements), ensuring that voice and text communications are turned off by default. This is the Federal Trade Commission’s largest refund award in a gaming case and the largest administrative order in its history. 

Finally, Virginia Attorney General joined 14 other state attorneys general to call on Apple and Google to take immediate action and correct their application store age ratings for TikTok. The change will help parents protect their children from being force-fed harmful content online. The current ratings of “T” for “Teen” in the Google Play App store and “12+” in Apple’s App Store falsely represent the objectionable content found and served to children on TikTok. While TikTok does have a “restricted mode” available, it is also aware that many of its users are under 13 and have lied about their age to create a profile.

Weekly digest April 25 – May 1, 2022: class actions authorised in EU data protection cases
https://techgdpr.com/blog/weekly-digest-02052022-class-actions-authorised-in-eu-data-protection-cases/
Mon, 02 May 2022 07:43:08 +0000

The post Weekly digest April 25 – May 1, 2022: class actions authorised in EU data protection cases appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from the press and analytical reports.

Legal processes and redress: consumer data class actions, digital content and services, CCPA & CPRA

The ECJ ruled that consumer protection associations may bring representative actions against infringements of personal data protection. Such class actions may be brought independently of the specific infringement of a data subject’s right to the protection of his or her personal data and in the absence of a mandate to that effect, the judgement in Meta Platforms Ireland states. Germany’s Federal Union of Consumer Organisations and Associations brought an action for an injunction against Meta Platforms Ireland, alleging that it had infringed, in the context of making available to users free games provided by third parties, rules on the protection of personal data and rules on unfair commercial practices and consumer protection. Here are some of the main court findings:

  • the GDPR does not preclude national legislation which allows a consumer protection association to bring legal proceedings, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation;
  • a consumer protection association, such as the Federal Union, falls within the scope of the concept of a “body that has the standing to bring proceedings” for the purposes of the GDPR in that it pursues a public interest objective;
  • the infringement of the rules on consumer protection and unfair commercial practices may be related to the infringement of a rule on the protection of personal data.

Meanwhile, new Belgian rules on consumer guarantees and digital content and services, entering into effect in June, were analysed by the CMS Law-Now blog. Belgium has reinforced the position of consumers buying physical and digital goods by placing a higher liability on resellers and producers. The guarantee provisions for digital content and digital services apply to a traditional sale in consideration of price, and now also extend to transactions where the consumer “pays” by providing access to their personal data.

Digital content is defined as “data which are produced and supplied in digital form”, while a digital service is either “a service that allows the consumer to create, process, store or access data in digital form”, or “a service that allows the sharing of or any other interaction with data in digital form uploaded or created by the consumer or other users of that service.” The seller must also provide the security updates necessary to keep the goods in conformity for the period of time that the consumer can reasonably expect. The Belgian rules transpose EU-wide directives on digital content and on the sale of goods, and they have a number of data protection implications touching core principles such as data minimisation, data protection by design, and data protection by default.

JD Supra News&Insights has published an analysis of California’s consumer privacy regulations: the existing California Consumer Privacy Act, (CCPA), and the new California Privacy Rights Act, (CPRA), most of which takes effect on 1 January 2023. They are similar, but the newer law makes some key additions:

  • Data inventories must now include B2B and employee data, and those individuals gain the full set of consumer rights, (eg, the ability to opt-out of profiling, opt-out of targeted/cross-context advertising, opt-out of automated decision making, and to limit the use and disclosure of sensitive information). 
  • Consumers have the right to correct their personal information. 
  • Organisations must conduct regular privacy risk assessments and annual cybersecurity audits. 
  • Record retention requirements are more stringent and must be disclosed, (specific information on the 11 categories of personal data and the retention periods). 
  • Front-end privacy notices will need to be updated to reflect new consumer rights, etc.

Official guidance: cross-border cooperation, oral contracts’ recordings, DPIAs

The EDPB has published its statement on enforcement cooperation. The document emphasises that data protection authorities reiterate their commitment to close cross-border cooperation and agree to further enhance it in the following manner:

  • identifying cross border cases of strategic importance in different Member States, (cases affecting a large number of data subjects in the EEA, cases dealing with a structural or recurring problem in several member states, cases related to the intersection of data protection with other legal fields);
  • exchanging information on national enforcement strategies with a view to agreeing on annual enforcement priorities at EDPB level;
  • the EDPB will propose a template for data subjects’ complaints, to be used by regulators on a voluntary basis;
  • the EDPB will continue to improve its IT cooperation tools, with the support of the European Commission.

Finally, the EDPB states that in the coming years, it will be crucial to solidly embed the GDPR in the overall regulatory architecture that is being developed for the digital market (Data Act, DMA, DSA, AI Act, DGA). A clear distribution of competencies among the regulators will need to be ensured, as well as efficient cooperation. 

The French regulator CNIL issued guidance on ‘The recording of telephone conversations in order to establish proof of the formation of a contract’, (in French). An organisation wishing to record telephone conversations for evidentiary purposes must, as a data controller, demonstrate that it has no other means to prove that a contract has been concluded with the data subject. Thus, it is necessary to distinguish the contracts which can be concluded orally from those for which the agreement must necessarily be materialised by a written act. In short:

  • For contracts that must be in writing, recording is not necessary.
  • For contracts that can be concluded orally, if conversations are recorded, the principle of data minimisation must in any event be respected.
  • Recording cannot be permanent or systematic.
  • Only conversations relating to the conclusion of a contract may be recorded.
  • When people agree to enter into a contract by telephone, the recordings can be processed on the legal basis of the contract, (Art. 6 of the GDPR). 
  • Where banking data is collected, a mechanism must be in place to quickly pause or delete the recording while the consumer reads out this data, unless a statutory requirement applies.
  • Where calls are recorded, the professional must inform the persons concerned that the recording takes place and of their data subject rights. 
  • This information should be provided in two stages: an oral notice at the beginning of the conversation, and a reference to a website, (a “legal notices” tab, for example), or a key on the telephone keypad to obtain exhaustive information.

Moldova’s data protection authority, the NCPDP, published its approved list of processing operations that are subject to a data protection impact assessment, DataGuidance reports. A DPIA is required for processing such as: 

  • systematic and extensive evaluation of personal aspects or scoring, including the creation of profiles and forecasts; 
  • automated decision-making, including processing that produces legal effects or similarly significantly affects the data subject; 
  • systematic monitoring, including processing used to observe, monitor, or control the data subject, (data collected through networks, or large-scale systematic monitoring of an area accessible to the public);
  • processing of the personal data of vulnerable persons, including children;
  • large-scale processing of personal data, including special categories of data of at least 5,000 individuals; data presenting high risks for at least 10,000 individuals; and any other data of at least 50,000 individuals; and 
  • video surveillance in public areas, stadiums, and markets.

Investigations and enforcement actions: lawful rejection of access rights, AI-based speech signal processing, contract change without consent

The Danish regulator Datatilsynet found a municipality’s rejection of a subject access request lawful, according to DataGuidance. Specifically, it found that the municipality’s decision to reject a former employee’s request for access to personal data was lawful and in accordance with Art. 12(5)(b) and Art. 15 of the GDPR. Here are some facts of the case:

  • the request was made after the termination of the employment contract;
  • it was to access all communications in which the employee was mentioned;
  • a municipality had asked the complainant to specify their request as the desired material was extensive, which the complainant refused to do;
  • the information requested, which included letters and emails that had been signed or sent by the complainant, could be considered personal data; 
  • the information was mainly a description of the function the complainant performed during employment and thus is not, to a great extent, information ‘about’ the complainant. 

The Hungarian data protection authority NAIH published its annual report, which presented its highest-ever privacy fine for unlawful use of AI, of 670,000 euros, Technology Legal Edge reports. A bank, acting as data controller, automatically analysed the recorded audio of customer service calls. Here are the main findings of the case:

  • It used the results of the analysis to determine which customers should be called back by analysing the emotional state of the caller.
  • An AI-based speech signal processing software automatically analyzes the call based on a list of keywords and the caller’s emotional state. 
  • The software then established a ranking of the calls serving as a recommendation as to which caller should be called back as a priority.
  • The data controller based the processing on its legitimate interests to retain its clients and to enhance the efficiency of its internal operations.
  • For years it had failed to provide the data subjects with proper notice and the right to object, having decided that it was not able to do so. 
  • The only lawful basis for emotion-based voice analysis is the freely given, informed consent of the data subjects.
  • Though the bank had carried out a Data Protection Impact Assessment, and identified that the processing was of high risk to the data subjects, it had failed to present substantial solutions to address these risks.

Spain’s privacy regulator the AEPD fined a company 150,000 euros for lack of appropriate technical and organisational measures, (Art. 32 of the GDPR). A customer complained that their contract had been changed without their consent. The company replied that it had received a call from a person who claimed to live at the claimant’s address and was able to provide the details needed to pass identity verification, which resulted in the changes to the contract. The regulator concluded that a verification procedure relying only on data such as names, surnames, telephone numbers, and addresses is inadequate, because such data may be available to third parties and used for fraudulent purposes. Finally, the AEPD noted that the contract was modified without the claimant’s consent, in violation of Art. 6 of the GDPR, DataGuidance reports. 

Audits: video gaming and minors’ safety online

The UK privacy regulator the ICO has published an age-appropriate Design Code Audit Report for Fireproof Studios, (a gaming company). The scope of areas covered by this audit was determined following a risk-based analysis of Fireproof’s processing of children’s personal data. It was agreed that the audit would focus on the following areas:

  • Governance, transparency, and rights  
  • Diligence and Data Protection Impact Assessments 
  • Minimisation and sharing, age assurance 
  • Detrimental Use 
  • Privacy settings and controls 
  • Geolocation tracking 
  • Profiling, cookies, nudge techniques  
  • Connected Toys and Devices and AI Online Services

The audit’s overall opinion was positive on all points:

  • Fireproof does not process personal information in-game.
  • It has limited the collection of personal data to when it is necessary to provide a customer support function to children and other users. 
  • It has made deliberate design choices to not make use of dark nudge techniques, not to profile users, and to not include in-game content detrimental to children. 
  • This has facilitated compliance with the Code’s standards and as a result children are afforded a high level of protection when interacting with Fireproof’s games.
  • Fireproof processes personal data only when providing customer support. The information gathered for that purpose cannot be linked to any in-game information collected by Fireproof, such as the length of a session.  

However, some room for improvement exists in identifying and documenting a lawful basis for processing and conditions for processing special category data, along with ensuring privacy information is updated to reflect the identified lawful basis and the rights available to children.

Big Tech: Google’s removal of PII, Amazon’s search algorithms, Microsoft’s reports on privacy and cyberwar in Ukraine

Google is extending its privacy policy, giving users for the first time the right to demand the removal of personally identifiable information, (PII), like phone numbers, secret login credentials, or e-mail addresses from search results that can be used in identity theft. Demanding PII removal from search results may take time however, as Google warns users on the removal request page, because of “…preventative measures being taken for our support specialists in light of COVID-19…”.

Amazon has refused to describe its product search system and algorithm inputs to Australian competition regulators. As part of an ongoing five-year review of big tech that last year saw Alphabet’s Google and Facebook fined, a report said that Amazon and similar large marketplace platforms prioritised, in rankings and presentation, their own-brand products over competitors’.

Microsoft published its latest privacy report. The report summarises several trends since October 2021, including the desire of both individuals and organisations for greater control over their data; a surge in the development of comprehensive privacy laws in jurisdictions around the world; and increasing calls by governments and businesses to keep personal data resident in their jurisdictions. Microsoft gives its customers control over their data through the Microsoft privacy dashboard. Another new initiative is Microsoft Priva, the company’s first product specifically designed to address privacy issues for large organisations.

Additionally, the latest blog post from Microsoft’s Corporate Vice President, Customer Security & Trust Tom Burt reviews the publication of the Microsoft Digital Security Unit’s first report on the cyberwar in Ukraine. It details more than 237 operations against Ukraine, (some of them ongoing and not yet fully traced), attributed to at least six Russia-aligned nation-state actors. Nearly 40 operations are classed as destructive, (eg, threatening critical infrastructure and civilian welfare), and there is a high level of correlation between these attacks and battlefield initiatives. 

Techniques have included phishing, wiper malware, use of unpatched vulnerabilities, and compromising upstream IT service providers. Attackers have often tweaked their malware from target to target to avoid detection. The report also includes specific recommendations for organizations that may be targeted by Russian actors as well as technical information for the cybersecurity community.
