crypto-assets Archives - TechGDPR
https://techgdpr.com/blog/tag/crypto-assets/

Weekly digest April 18 – 24, 2022: business and human rights in the activities of tech companies
https://techgdpr.com/blog/weekly-digest-26042022-business-and-human-rights-in-the-activities-of-tech-companies/
Tue, 26 Apr 2022 06:38:16 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: business and human rights in the activities of tech companies, relaxed covid measures, regulators’ annual analytics

Privacy International (PI) submitted its input to the forthcoming report by the UN High Commissioner for Human Rights on the practical application of the UN Guiding Principles on Business and Human Rights to the activities of technology companies. In summary, the PI report highlights the systemic lack of accountability of this industry, national authorities’ slow or nonexistent enforcement of privacy laws against its exploitative practices, and its relations with governments. Among many things, it:

  • asserts the need for tech companies to provide transparency over their technologies and to make their algorithms auditable, and for states to mandate such transparency when these technologies are used to deliver public functions; 
  • reasserts that contracts between public authorities and tech companies must point to redress mechanisms for complaints handling and enforcement of sanctions for abuses or violations of human rights;
  • calls for public authorities to conduct individual human rights risk and impact assessments, as well as data protection impact assessments, during any surveillance technology procurement process, in addition to companies conducting human rights due diligence, on any prospective state client’s end-use of their technology;
  • asserts that public authorities should not systematically use surveillance and data processing systems deployed for private purposes and/or data derived from these systems, etc.

As COVID-19 measures relaxed across the UK, the ICO has set out some key things organisations need to consider around the use of personal information. You should check government guidance for where you live, as guidance varies between England, Northern Ireland, Scotland, and Wales. In general, organisations should ask themselves a few questions: a) How will still collecting extra personal information help keep our workplace safe? b) Do we still need the information previously collected? c) Could we achieve our desired result without collecting personal information? Data protection is only one of a number of factors to consider when thinking about collecting this information. Organisations should also take into account:

  • employment law and your contracts with employees,
  • health and safety requirements, and
  • equalities and human rights, including privacy rights.

For further information, the ICO had previously outlined some practical methods for destroying documents, as well as guidance on storage limitation.

Meanwhile, the EDPS published its analytical annual report 2021. It highlights the EDPS’ achievements regarding EU institutions’ compliance with the data protection framework. The report also underscores the EDPS’ increasing role in advocating for the respect of privacy and data protection in EU legislation. The EDPS increased the use of its corrective powers (eg, the decision to order Europol to delete datasets with no established links to criminal activity). This year was also unprecedented in terms of EDPS advice given to the EU legislator (88 opinions, including formal comments, issued in 2021, compared to 27 in 2020). The EDPS also continued its active participation in the EDPB’s work, and furthered its work on raising awareness about personal data breaches to assist EU institutions in preventing and handling them. You can consult the full report here.

For those who can read Hungarian, the country’s data protection regulator NAIH similarly prepared its annual activities wrap-up for 2021. It looks at a) the authority’s experience over its first ten years, b) statistical characteristics of cases, c) data protection officer tutorials, d) law enforcement, national defence, and national security data-related procedures, e) important court decisions, f) data protection issues in business secrets, g) minors’ data protection, and much more.

Legal processes and redress: lawful data scraping, law firm nonliability for data breach

A decision in the US Ninth Circuit Court of Appeals offers an insight into the conflicting positions between Europe and America on data protection and offers relief for data scrapers who feared a shutdown of their industry. A case pitting business networker LinkedIn against hiQ Labs, a “people analytics” company, sought to prevent the latter from taking data from LinkedIn for its own business purposes. It was successfully argued that the information was publicly available, so no criminal act had taken place. Another point raised was that finding in LinkedIn’s favour would mean big tech companies would have a monopoly on ‘big data’ in the future. It may mean problems ahead for key articles of the GDPR, as privacy policy, competition and criminal law are all pulling in different directions.

A federal jury in Kansas City cleared a law firm (Warden Grier) of liability to one of its clients (Hiscox Insurance) after a data breach, the Hogan Lovells blog reports. The plaintiff claimed that the defendant failed to meet its standard of care by not sufficiently analyzing its breached server, leaving the plaintiff responsible for approximately 1.3 mln dollars in data analysis and related legal bills. Warden Grier’s counsel argued to the jury that Hiscox was confusing the roles of “service providers” and “data owners.” Here, Warden Grier argued it was a “service provider” under applicable data breach laws and industry norms, and thus its role was to provide Hiscox with access to impact data, which it had done. Read the full article here.

Data breaches: the leak of health data

The French regulator CNIL issued a 1.5 mln euro fine against the company DEDALUS BIOLOGY after a massive data leak concerning nearly 500,000 people was revealed publicly. The surname, first name, social security number, name of the prescribing doctor and date of the examination, but above all medical information (HIV, cancers, genetic diseases, pregnancies, drug treatments followed by the patient, or even genetic data) of these people, were thus disseminated on the internet. In its decision the CNIL stated:

  • As part of the migration from one piece of software to another tool, requested by two laboratories using the services of DEDALUS BIOLOGY, the latter extracted a larger volume of data than required.
  • The company has therefore processed data beyond the instructions given by the data controllers.

Many technical and organisational shortcomings in terms of security were upheld against the company in the context of the operations of migrating the software:

  • lack of specific procedure for data migration operations;
  • lack of encryption of personal data stored on the problematic server;
  • absence of automatic deletion of data after migration to the other software;
  • lack of authentication required from the Internet to access the public area of the server;
  • use of user accounts shared between several employees on the private zone of the server;
  • absence of a supervision procedure and security alert escalation on the server.

The full decision in French can be read here.

Crypto-asset industry: EU crypto firms appeal against new draft rules

According to Reuters, more than 40 crypto business leaders have asked the EU not to require crypto firms to disclose transaction details, and to dial down attempts to bring to heel rapidly growing decentralized finance platforms (the draft legislation was explained in one of our previous digests). In a letter sent to EU finance ministers, crypto businesses asked policymakers to ensure their regulations did not go beyond rules already in place under the global Financial Action Task Force, which sets standards for combating money laundering. In their opinion, going further would reduce crypto holders’ privacy and safety. In addition, the letter asked that the EU exclude decentralized projects, including decentralised finance (DeFi), from the requirement to register as legal entities. It also said that certain decentralized “stablecoins” should not be subject to the wider MiCA regulation.

Artificial Intelligence: ISO new guide and EP recommendations on AI Act

The ISO published guidance for members of the governing body of an organisation to enable and govern the use of Artificial Intelligence, in order to ensure its effective, efficient, and acceptable use. The document also provides guidance to a wider community, including executive managers; external business or technical specialists, such as legal or accounting specialists, retail or industrial associations, and professional bodies; public authorities and policymakers; internal and external service providers (including consultants); and assessors and auditors. The guide is applicable:

  • to the governance of current and future uses of AI as well as the implications of such use for the organization itself;
  • to any organisation, including public and private companies, government entities, and not-for-profit organizations;
  • to an organisation of any size irrespective of their dependence on data or information technologies.

Similarly, the European Parliament’s Committee on the Internal Market and Consumer Protection, and Committee on Civil Liberties, Justice and Home Affairs released a joint report with their recommendations for the proposed Artificial Intelligence Act. Proposed amendments from the committee include a ban on predictive policing, a public AI technology registration requirement and further alignment with the GDPR, IAPP News reports. Advocacy group ‘Access Now’ has already examined the recommendations from the committees. According to them, the draft report contains significant improvements for the protection of fundamental rights. These include the rights of people affected by AI systems to lodge a complaint or seek judicial remedies, for public authorities to register their use of high-risk AI systems in a public database, and numerous improvements to procedures and enforcement. At the same time, the recommendations “have missed an important opportunity to protect people’s rights by completely banning remote biometric identification in publicly accessible spaces.”

Big Tech: GPS data, Google’s “Deny All button”, Pegasus spyware, new Microsoft Purview

Data broker Otonomo is facing a California class-action lawsuit for allegedly secretly collecting and selling GPS data from 50 mln vehicle owners worldwide, IAPP News reports. The company, originally founded in Israel, claims it has systems to protect customer privacy, but investigative journalists in 2021 discovered Otonomo data could reveal customers’ home addresses, where they worked, and where they drove to. At that time, legal opinion was that the company could face problems down the road. The company has deals with several car manufacturers to include its systems onboard, but the lead plaintiff says he was never informed of this, nor was his consent sought.

Beginning with YouTube France, but due to be rolled out across Google Europe-wide, the giant search engine is updating its cookie consent banner, which a few months ago was hit with a hefty 150 million-euro fine by the French data regulator, the CNIL. The familiar ‘Accept All’ and ‘Customise’ buttons will be joined by a ‘Deny all’ button disabling cookies altogether. Multiple clicks over several pages were previously needed to opt out of tracking, in violation of the principle that opting out should be as simple for users as opting in.

More high-profile scrutiny of NSO group’s Pegasus spyware is on the way, as the European Parliament launched an inquiry committee into the Israeli company’s potential use of the software on EU member states’ governments, or its use by those governments. Pegasus software was last week reportedly discovered on UK government computer networks, infecting files even within the Prime Minister’s office, and in Spain, it was found infecting pro-Catalonian independence networks.

Microsoft has bundled its Azure Purview and Microsoft 365 Compliance data governance and risk management services into a new package with enhanced and new features to beef up data security and privacy. Christened Microsoft Purview, the new platform should simplify life for administrators, and the integration of functions allows for new capabilities Microsoft says it will extend with time. A key feature will allow admins to apply sensitivity labels to data consistently, across platforms and data types. Labels will now travel with data and be recognised by all services it extends to, says Microsoft.

Weekly digest March 28 – April 3, 2022: EU crypto-asset transfers to be traced and identified, with some exceptions
https://techgdpr.com/blog/weekly-digest-04042022-eu-crypto-asset-transfers-to-be-traced-and-identified-with-some-exceptions/
Mon, 04 Apr 2022 09:24:06 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: crypto-asset transfers, Belgian DPA’s independence

EU lawmakers backed tougher rules for tracing transfers of bitcoin and other cryptocurrencies, Reuters reports. The EP as a whole should now vote on it during the plenary session in April. Companies that make crypto-asset transfers would need to collect details of senders and recipients to help authorities prevent money laundering, terrorist financing, and other crimes. Under the new requirements agreed by MEPs:

  • Providers would have to verify that the source of the asset is not subject to restrictive measures and that there are no risks of crime.
  • All transfers will have to include information on the source of the asset and its beneficiary, information that is to be made available to the competent authorities. 
  • The rules would also cover transactions from so-called unhosted wallets (a crypto-asset wallet address that is in the custody of a private user).
  • There would be no minimum thresholds or exemptions for low-value transfers.
  • Technological solutions should ensure that the transfers can be individually identified.

However, the rules would not apply to person-to-person transfers conducted without a provider, such as bitcoin trading platforms, or among providers acting on their own behalf. Currently, there are no rules in the EU allowing crypto-asset transfers to be traced or the provision of information on the originator/beneficiary.

The Belgian data protection authority (DPA) is concerned about legal developments that could threaten its independence. These include a preliminary draft law to amend the current DPA law, and the lack of resources allocated to it. Its opinion has been forwarded to the Court of Audit, the Council of State, the European Commission and the other European supervisors assembled in the EDPB. The draft law notably introduces:

  • parliamentary interference in the internal organisation of the DPA and in the setting of its priorities,
  • the renewal of the mandate of its members conditional on a positive evaluation by the House of Representatives. 

Finally, the GDPR requires that every supervisor has the necessary resources at their disposal to perform their tasks. However, the DPA’s requests for additional human and financial resources, substantiated by the Court of Audit and an external study, have so far been largely ignored. The DPA points out that the gap with its European counterparts is therefore widening. Read the full opinion here.

Data security: EU institutions, Russian technology risks

EU bodies must step up their cybersecurity preparedness, according to a special report by the European Court of Auditors. Significant cybersecurity incidents in EU institutions increased more than tenfold between 2018 and 2021, and it can take weeks if not months to investigate and recover from them. One example was the cyberattack on the European Medicines Agency, where sensitive data was leaked and manipulated to undermine trust in vaccines. So far there is no legal framework for information security and cybersecurity in EU bodies. They are not subject to the broadest EU legislation on cybersecurity, the 2016 NIS directive, or to its proposed revision, the NIS2 directive. There is also no comprehensive information on the amount spent by EU bodies on cybersecurity. To this end, the auditors recommend that binding cybersecurity rules be introduced, and that the resources available to CERT-EU and ENISA be increased.

The UK National Cyber Security Centre (NCSC) has updated its guidance on the use of Russian technology products and services following the invasion of Ukraine. The experts state they have not seen, and do not expect, the massive global cyber attacks that some had predicted. However, the NCSC has previously seen Russia acting against UK interests, and also acting through proxy compromises to get to UK entities (eg, SolarWinds Orion software, and UK telecoms networks). Additionally, Russian law already places legal obligations on companies to assist the Federal Security Service, and the pressure to do so may increase in a time of war, the NCSC believes.

The NCSC advises certain organisations (public sector, high-profile organisations, services related to critical national infrastructure, etc) to specifically consider the risk of Russian-controlled parts of their supply chain, whether they contract directly with a Russian entity or it just so happens that the people who work for a non-Russian supplier are located in Russia: “You may choose to remove Russian products and services proactively, wait until your contract expires, (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk”. Finally, the ongoing global sanctions could mean that Russian technology services (and support for products) may have to be stopped at a moment’s notice. Read the NCSC guides to improve security for enterprises, and for individuals.

Official guidance: DPO compliance provisions

The Polish data protection authority UODO has refreshed its inspection report (in Polish) on compliance with the provisions relating to the designation, position and tasks of the DPO. In most cases, verification of the reported cases did not provide grounds for applying corrective powers against undertakings. Only in a few cases did the regulator find irregularities regarding a conflict of interest, or a failure to consult the DPO on data processing operations. Several cases of violations related to the performance of a DPO’s function required the UODO to take corrective action, including issuing an order to appoint a DPO as well as an administrative fine. The regulator has also published 27 DPO-related self-audit questions directed at controllers and processors, in both the public and private sectors.

Investigations and enforcement actions: facial recognition system, agile development environment, Klarna bank fine

The Danish data protection agency has made a decision in a case concerning the use of a facial recognition system to control access to a company’s facilities. Based on the information provided by FysioDanmark Hillerød (physiotherapeutic treatment), the regulator assessed that the system, which was based on the data subject’s consent, could be used. However, the regulator warned the company that it would probably be in breach of the GDPR if it used the system without the consent of customers. Furthermore, the agency warned that it would probably be in breach if the company did not ensure that the system was not used on persons who had not given their consent.

The Danish data protection agency also criticised a data controller who did not check whether personal data had been stored by mistake in IT environments. In the related case, an employee of the Danish Health and Medicines Authority (HMA), in violation of internal guidelines and procedures, had stored a data set containing pseudonymised personal information in a development environment (Microsoft Azure DevOps) where it was not allowed to be stored. The data set contained pseudonymised confidential data about citizens which could be “decoded” by trusted employees, regardless of whether they had a work-related need for it. The HMA did not discover it until a year later.

The regulator found that the HMA had not complied with the rules on processing security. The agency emphasized that data controllers must generally establish controls, either manual or automatic: it is not sufficient to have guidelines and procedures without regularly checking whether they are followed in practice. The regulator also emphasized that this was a so-called “agile development environment”, where there is a known risk that personal data will be stored by mistake.

Meanwhile, Sweden’s data protection authority fined Klarna bank approx 724,000 euros for several breaches of the GDPR, namely:

  • continuously changed the information provided on how the company handles personal data;
  • did not provide information on the purpose for which and on the basis of which legal basis personal data was processed in one of the company’s services;
  • provided incomplete and misleading information about who were the recipients of different categories of personal data when data was shared with Swedish and foreign credit information companies;
  • did not provide information as to which countries outside the EU/EEA personal data were transferred to, or on where and how the individual could obtain information on the protection measures that applied to the transfer to third countries;
  • provided insufficient information about the data subjects’ rights, including the right to delete data, the right to data portability and the right to object to how one’s personal data is processed.

Data breaches: “emergency data requests”

Hackers are increasingly using compromised US government and police department email accounts to obtain sensitive customer data from mobile providers, ISPs and social media companies, warns KrebsOnSecurity (an in-depth security news and investigation blog). At issue are forged “emergency data requests” (EDRs). Tech companies usually require a search warrant or subpoena before providing customer or user data, but any police jurisdiction can use an EDR to request immediate access to data without a warrant, provided the law enforcement entity attests that the request is related to an urgent matter of life and death. In a recent example, fraudulent EDRs were a tool used by members of LAPSUS$, the data extortion group that recently hacked Microsoft, NVIDIA, Okta and Samsung. Also tracked were the activities of a teenage hacker from the UK who was reportedly arrested multiple times for sending fake EDRs.

Big Tech: TikTok class action, Chrome’s Privacy Sandbox, interoperability vs end-to-end encryption

A case filed in 2019 against TikTok has finally been settled, with the Chinese giant and its Musical.ly offshoot agreeing a 1.1 million dollar deal in the US District Court for the Northern District of Illinois. The case, a class action, claimed the plaintiffs’ rights under the Children’s Online Privacy Protection Act had been violated by TikTok and Musical.ly tracking, collecting, and disclosing personally identifiable data of users under 13 without parental consent.

Alphabet’s Chrome is rolling out the next stage of testing for its Privacy Sandbox, appealing to developers to get on board and send feedback, and offering support. APIs are key, and global testing of Topics, FLEDGE and Attribution Reporting APIs is immediately available on Chrome Canary. Industry associations are also being encouraged to contribute. Chrome will also be testing updated Privacy Sandbox settings and controls, allowing people more visibility and management of the use of their personal preferences.

Trouble lies ahead for Europe’s new Digital Markets Act, predicts an analyst in The Guardian. In privacy terms there will be limits on large companies (45 million users or 10,000 business users) combining personal data from various sources for targeted advertising and, most critically, an insistence that the largest messaging systems become “interoperable”. Resolving the major technical problems preventing this could see end-to-end encryption abandoned, which in security terms raises many issues and may actually facilitate abuse.

Instead of a challenge, some see interoperability as an opportunity, such as Twitter-financed Bluesky. It is developing a new operating standard for social media, based on an open protocol. New board member and Twitter co-founder Jack Dorsey says the idea could take years to become a reality, but would offer social media users greater control and choice. The company has made its first key hires and is developing a prototype.
