Data Act Archives - TechGDPR
https://techgdpr.com/blog/tag/data-act/ (feed last updated Tue, 08 Jul 2025 11:54:51 +0000)

Data protection digest 18 Apr – 2 May 2025: data controller obligation to monitor deletion or return of personal data held by the processor
https://techgdpr.com/blog/data-protection-digest-05022025-data-controller-obligation-to-monitor-deletion-or-return-of-personal-data-held-by-the-processor/ (Mon, 05 May 2025 08:07:19 +0000)

The post Data protection digest 18 Apr – 2 May 2025: data controller obligation to monitor deletion or return of personal data held by the processor appeared first on TechGDPR.

Data controller obligation

Upon termination of a processing agreement, the controller is obliged to monitor the deletion of personal data held by the processor. Such was a ruling by the Higher Regional Court of Dresden, Germany, closely looked at by a DLA Piper analysis. The plaintiff was a user of the online music streaming service run by the controller. A data breach in 2022 at a former external (non-EU) processor of the controller, involving the personal data of clients, set off the case (hackers offered this data for sale on the dark web). The controller-processor relationship had come to an end several years before the data breach, in 2019. As per the terms of the data processing agreement, the controller had the option to either delete or return the data once processing was complete. However, the controller never exercised this right.


Data subject rights under the DSA


On 21 April, the European Commission established internal regulations limiting certain data subjects’ rights, (information, access, rectification, erasure, and notification of breaches), under the Digital Services Act. It encompasses the personal data of suspects, victims, whistleblowers, informants, witnesses, and staff of undertakings, under the Commission’s supervisory, investigative, enforcement, and monitoring activities. The Commission must publish a data protection notice and inform affected individuals where appropriate. 

TikTok fine

The Irish privacy regulator DPC has fined TikTok 530 million euros after an inquiry into transfers of EEA users’ data to China, (enabling storage and access to it). The inquiry also examined whether providing information to users about such transfers met TikTok’s transparency requirements as required by the GDPR. TikTok first informed the DPC that it did not store EEA user data on servers located in China. However, later on, TikTok informed the DPC that it provided inaccurate information to the Inquiry. Whilst TikTok has informed the DPC that the data has now been deleted, the regulator is considering whether further regulatory action, in consultation with peer EU Data Protection Authorities, may be warranted.

COPPA Rule

On 22 April, the US Federal Trade Commission adopted final amendments to the Children’s Online Privacy Protection Rule to enhance content moderation and data protection for children under 13. The amendments will take effect on 23 June, with full compliance required by 22 April 2026. It introduces a new definition for “mixed audience website or online service.” It also requires operators to implement age screening methods that are neutral and to avoid collecting any personal information before determining the user’s age, with few exceptions.

In the meantime, the first US state, Arkansas, approved the Children and Teens’ Online Privacy Protection Act, which was modelled after the pending federal law known as COPPA 2.0. Consent requirements, data minimisation, targeted advertising restriction, data subject rights, and data security are all applicable to any for-profit operator of a website, online service, or app that targets children or teenagers or knows that it is gathering their data. 

More from supervisory authorities

The Data Act: The European Data Act will take effect on September 12. Manufacturers of internet-enabled devices will then be required to share the data sent by connected devices with third parties, explains the Hamburg data protection authority. Machines, household appliances, and vehicles connected to the internet generate large amounts of data every day. Those wishing to take advantage of the act should familiarise themselves with access rights. Those subject to the obligations of the act must prepare for access requests and develop strategies for protecting personal data and trade secrets. 

To that end, the regulator offers the manual “The Data Act as a Challenge for Data Protection” (in German). 

Multi-device consent: The French CNIL launches a public consultation on its draft recommendation (in French). The guidance concerns actors who plan to collect cross-device consent only when users are authenticated to an account. When a user accesses a website or a mobile app, they express their choices about the use of cookies or other trackers on a device connected to their account. These choices would be automatically applied to all devices connected to their account. This includes, but is not limited to, their smartphone, tablet, computer or connected TV, as well as the browser or app used.   

Children’s code: In the UK, Ofcom issued a draft Protection of Children Code of Practice for search services under the Online Safety Act 2023. Implementing the list of recommended measures set out in this Code will inevitably involve the processing of personal data. The Information Commissioner’s Office has already set out that it expects service providers to take a ‘data protection by design and by default’ approach when implementing online safety systems and processes. Over time, Ofcom might update the Codes to take account of technological developments.

Customer data

What should merchants consider when recording telephone conversations with customers? The Latvian data protection regulator explains. A voice recording becomes personal data when it can be linked to a specific person. Therefore, such data processing must be carried out under the requirements of the GDPR:

  • An appropriate and as specific as possible purpose must be defined for such data processing, (eg, improve the quality of the advice or service provided and thus to communicate with customers, as well as possibly to promote sales).  
  • The recordings may only be used to achieve the specified purpose and not for other, unrelated purposes.
  • A balancing test must be carried out to determine whether such processing would unduly prejudice the customers’ rights to data protection.
  • Conversation recordings may only be kept for as long as necessary to achieve the goal. 
  • Access to records should be limited to authorised persons whose tasks are directly related to the purpose of processing the records.
  • When recording telephone conversations with customers, the merchant must inform them at the beginning of the conversation about the recording.

In parallel, the Estonian data protection agency issued new practical guidance to help online stores protect their customers’ data (in Estonian). It provides advice on ensuring data security, preventing cyber threats, and managing risks for both new and experienced online retailers, highlighting, among other things, the importance of strong authentication, encryption and log management, as well as the need to carefully evaluate cooperation with third-party service providers, data breach response and employee training.

Synthetic data generation


The Spanish AEPD has published the Spanish translation of the Guide to synthetic data generation, prepared by the Singapore data protection authority.  Synthetic data is artificially generated to simulate real data and must retain its essential statistical characteristics to be useful without compromising personal data. Its generation must be carefully planned, falling along a spectrum ranging from completely random data to real data. The guide includes practical case studies on the best practices for generating synthetic data and reducing residual re-identification risks.  

More official guidance

NIST cybersecurity guide: America’s NIST has updated its Privacy Framework, tying it to recent Cybersecurity Guidelines. It is intended to help organisations manage the privacy risks that arise from personal data flowing through complex IT systems. Furthermore, failure to manage these risks effectively can directly affect individuals and society, potentially damaging organisations’ brands, bottom lines and prospects for growth. Following the comment period, (until 13 June), the NIST will consider additional changes and release a final version later this year.

Domestic cameras are not excluded from GDPR: The Liechtenstein data protection agency has supplemented its guide on video surveillance with information on surveillance within one’s own home. This means that data protection does not stop in your living room, at least not if the purpose of data collection is not exclusively for personal or family activities. This is particularly the case if the purpose is to ensure security or perform quality control, for example, the observation of staff or external third parties, (cleaners, gardeners, babysitters, etc.). This applies equally to video surveillance and pure audio recordings. 

Large databases: Art. 5 and 32 of the GDPR require controllers and processors to process personal data in such a way as to ensure an appropriate level of security, in particular regarding the risk of massive data exfiltration, as the French CNIL reminds us. For large databases, these measures can be implemented via the following procedures:

  • Secure external access to the information system via multi-factor authentication
  • Log, analyse and set limits on the data flows that pass through the information system
  • Consider humans as security actors: organise regular awareness-raising sessions adapted to user profiles (employees, developers, managers, subcontractors, etc.)
  • Emphasise the data controller obligation to supervise data security with subcontractors.

More content from the CNIL on cybersecurity can be found on this page.

In other news


Apple and Meta fines: The European Commission imposed the first fines under its Digital Markets Act, punishing tech behemoths Apple and Meta for violating the EU’s new digital regulations. Apple was fined 500 million euros for violating the rules governing app stores ( “anti-steering” obligation). In comparison, Meta was fined 200 million euros for its “pay or consent” advertising approach, which charges EU users to use Facebook and Instagram without advertisements.

Workado AI detector: America’s FTC requires Workado to stop advertising the accuracy of its AI detection products unless it shows that those products are as accurate as the claimed 98%, as independent testing showed the accuracy rate on general-purpose content was just 53%. The company says that its AI Content Detector was developed using a wide range of material, including blog posts and Wikipedia entries, to make it more accurate for the average user. The FTC alleges, however, that the AI model powering the AI Content Detector was only trained or fine-tuned to effectively classify academic content.


Facial recognition at football matches

The Danish data protection agency has granted FC Copenhagen and the Danish Football Association permission to use automatic facial recognition during international football matches. The purpose is to support the enforcement of the rules on club quarantines and general quarantines in connection with football matches. The technology can therefore be used for access control to Parken Stadium. The impact assessment must be carried out before the processing begins.

Personal data processed as part of the facial recognition system must be transported to and stored encrypted on the server using up-to-date and widely recognised encryption algorithms. This also applies to the use of mobile devices at away matches. 

More enforcement decisions

Proof of consent for marketing calls: The UK’s ICO fined AFK Letters 90,000 pounds for making more than 95,000 unsolicited marketing calls to people registered with the Telephone Preference Service. Between January and September 2023, AFK used data collected through its website and a third-party telephone survey company to make mass marketing calls without being able to demonstrate valid and specific consent from the people contacted. Although AFK claimed it could not provide evidence of consent because it deleted all customer data after three months, when challenged it was also unable to provide consent records for several calls made within a three-month timeframe.

User tracking: The Hamburg data protection authority launched a large-scale automated review campaign in mid-April. Most of the 1,000 websites randomly selected comply with data protection regulations; however, deficiencies were identified on 185 local websites. Various third-party web services, (Google Analytics, Google Maps, Google Ads, YouTube, Facebook, Vimeo, MS advertising, Pinterest), were activated immediately upon accessing the site, resulting in users being tracked without the legally required consent. 

Email security analysis tool errors: In Romania, the data protection agency fined BITDEFENDER, (a software company), the equivalent of 10,000 euros. The investigation was initiated following the submission by the company of a personal data breach notification. Due to a programming or implementation error in the update operation of the email security analysis service, a significant amount of customers’ personal data was disclosed to third parties. The operator did not implement appropriate technical and organisational measures and did not carry out periodic testing, evaluation and assessment, including of the continued confidentiality, integrity, availability and resilience of systems and services.

In case you missed it 

Revolut staff tracking: According to The Guardian, the fintech company Revolut has been monitoring employee behaviour and awarding or deducting points on an internal “Karma” system. Revolut’s annual report described the practice as ‘successful’ while also revealing that last year’s profits had more than quadrupled. The 2020-launched system tracks how effectively employees adhere to risk and compliance regulations, awarding and deducting points that eventually impact compensation. After those points are added up at the team level, the ultimate bonus for each employee is either deducted or multiplied.

CJEU knowledge base on data protection: The EU’s top court has published a Fact Sheet document on the Protection of personal data, to present a selection of seminal rulings on the subject and rulings that have made a significant contribution to the development of this case-law. The document relates to sector-specific rules, particularly in the electronic communications sector and criminal law, but also aims to present a selection of judgments dealing with rules which are applicable across multiple areas.

Data protection digest 16 Feb – 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers
https://techgdpr.com/blog/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers/ (Tue, 04 Mar 2025 10:01:00 +0000)

The Data Act is almost here

In February, the European Commission published a set of updated technical FAQs on the implementation of the legal provisions of the Data Act, applicable from 12 September 2025. It enhances data sharing and enables a fair distribution of data value by establishing clear rules related to the access and use of data within the EU – B2B, B2C, and B2G. The guide elaborates, among other things, on:

  • the definitions of data users, data holders and third parties, as well as 
  • cloud and service interoperability requirements, 
  • fairness of data-sharing contracts, and 
  • enforcement and dispute resolution frameworks. 

The GDPR is fully applicable to all personal data processing activities under the Data Act. In some cases, the Data Act specifies and complements the GDPR (eg, real-time portability of data from IoT devices). The Data Act also restricts the re-use of data by third parties. In the event of a conflict between the GDPR and the Data Act, the GDPR rules on the protection of personal data will prevail.


US data transfers

The Norwegian regulator Datatilsynet answered FAQs about the rules for US data transfers, due to a political situation in Washington. Although we currently have rules that make it easy to transfer personal data to the US, the Data Privacy Framework, the regulator expects that these rules will sooner or later be challenged in the CJEU. An adequacy decision will remain in force until it is revoked by the Commission.

This means that any changes in the US will not automatically result in the lapse of the adequacy decision. At the same time, if it is revoked, there will most likely not be a transition period. It is important to be aware of this when purchasing US services. Also, the use of US cloud services on European soil could be negatively affected if the adequacy decision is lifted. The most important advice for your business is to have an exit strategy for what you will do if you can no longer transfer personal data to the US in the same way as today. 

DORA implementation updates

On 18 February, the European Supervisory Authorities (ESAs): EBA, EIOPA and ESMA, published a roadmap to designate critical ICT third-party service providers (CTPPs), such as cloud services and data hosting companies, that are critical to the functioning of financial entities under the Digital Operational Resilience Act. By 30 April, the competent authorities must submit the Registers of Information to the ESAs. These registers will list information regarding all ICT third-party arrangements that the financial entities have submitted to the authorities.

By July, the ESAs will notify the affected ICT third-party service providers if they have been classified as critical, and by the end of 2025 will start overseeing them for non-compliance (risk management, testing, contractual agreements, location requirements, etc).  

Legal updates worldwide

China data audits: With effect from May 1, 2025, Chinese regulators will focus more on the data protection compliance audit requirements under the Personal Information Protection Law, according to DLA Piper’s legal analysis. The measures set out the conditions and rules for regular self-initiated and regulator-requested compliance audits covering the whole data lifecycle (for large-scale and high-risk data processing, they will be conducted every two years), together with possible rectification steps and further enforcement.

US privacy enforcement: In the past two months, New York state has amended several rules on data breach notification. The amended law requires New York residents to be notified of a data breach, fixing a 30-day deadline for businesses; plus, responsible persons must inform the state’s Attorney General, Department of State, the Police and Financial Services, (only for covered entities), about the timing, content, distribution of the notices, and the approximate number of affected individuals. A copy of the template of the notice sent to affected persons must also be provided. 

Meanwhile, Virginia state passed a bill requiring social media platforms to use commercially reasonable methods, such as a neutral age screen mechanism, to determine whether a user is a minor, (under 16 years of age), and to limit a minor’s use of the platform to one hour per day, per service or application, while allowing a parent to give verifiable parental consent to increase or decrease the daily limit. The amendment goes into effect on January 1, 2026.

Automated decision CJEU ruling


According to a judgement delivered on 27 February by the EU’s top court, a data subject is entitled to an explanation as to how an automated decision was taken in respect of him or her, and the explanation provided must enable the data subject to understand and challenge that decision.

The case refers to a mobile telephone operator in Austria who refused to allow a customer to conclude a contract because of her credit standing. The operator relied in that regard on an automated assessment of the customer’s credit standing carried out by Dun & Bradstreet Austria. The contract would have involved a monthly payment of 10 euros.

Algorithmic discrimination and the GDPR

The European Parliament’s recent research meanwhile states that one of the AI Act’s main objectives is to mitigate discrimination and bias in the development, deployment and use of high-risk AI systems. To achieve this, the act allows ‘special categories of personal data’ to be processed, based on a set of privacy-preserving conditions, to identify and avoid discrimination. The GDPR, however, is more restrictive in that respect. The legal uncertainty this creates might need to be addressed through legislative reform or further guidance, states the report.

More from supervisory authorities

DPIA guidance: The Swedish Data Protection Authority IMY has published guidance on impact assessments for activities that process personal data, (in Swedish). The practical guide is intended to facilitate the work of impact assessments and reduce uncertainty about how the various steps are carried out and how the regulations should be understood. It also contains some legal interpretation support, as well as detailed templates for an assessment.

Urban data platforms: As municipalities move towards becoming smart cities or smart regions, more and more systems are being equipped with communication interfaces, states the German Federal Office for Information Security. These include sensors for recording parking spaces, measuring river water levels or smart garbage cans. Urban data platforms (UDPs) can be used to bundle various information streams and enable efficient decision-making, such as on optimised traffic control, early warning systems in the event of disasters, or urban planning.

To that end, the regulator has prepared technical guidance, for developers, solution providers and operators of such platforms, (in German). It analyses various existing IT security standards and examines existing UDPs for their vulnerabilities.

Employment records: The UK ICO updated its guidance aimed at employers who keep employment records. The data protection law does not stop you from collecting, holding and using records about workers. It helps to strike a balance between employer needs and every worker’s right to a private life.

The terms ‘worker’ or ‘former worker’ cover all employment relationships, including employees, contractors, volunteers, and gig or platform workers. The guidance can be combined with the other ICO guidance on data protection and employment, in particular its detailed guidance on workers’ health information and monitoring of workers.


Insurance companies data swaps

The North Rhine-Westphalia Data Protection Commissioner has initiated investigations against ten insurance companies in North Rhine-Westphalia for an illegal exchange of personal data. Specifically, the companies, together with almost 30 other insurers, shared data from customers in international travel health insurance to uncover cases of fraud and identify fraud patterns. Since the insurance companies are based in ten federal states and other European countries, a joint coordinated investigation was launched. To exchange data, the insurers used a closed email distribution list, on which several employees of the companies involved were usually registered. 

Privacy policy

The Latvian DVI looks at the most common shortcomings in privacy policies of the organisations it’s investigated, and asks data controllers to take them into account: 

  • Privacy policy is hard to find
  • Complex and unclear text
  • Not all legal bases and purposes of data processing are listed
  • The purpose of data processing is not linked to the legal basis
  • Failure to specify the organization’s legitimate interests 
  • Unclear information about the storage period
  • Failure to specify recipients of personal data 

Finally, there is also a lack of guidance on data subjects’ rights and their implementation, and complicated mechanisms are provided for the implementation of rights. 

Emotion recognition

The Dutch Autoriteit Persoonsgegevens requested feedback on the AI Act’s ban on AI systems that recognize emotions in work or education, (unless for medical or safety reasons). The conditions outlined in data protection legislation must also be fulfilled if emotion recognition is done using personal information. Clarity is required on the definitions of emotions, biometric information, and the boundaries of “workplace” and “educational institutions.” 

In particular, in the GDPR, the definition of ‘biometric data’ is linked to the unique identification of a natural person that is allowed or confirmed by the processing of personal data. AP notes that the definition of the term ‘biometric data’ in the AI Act must be interpreted in the light of the GDPR. The distinction between emotions and physical states and between emotions and easily visible expressions also remains unclear.

In other news

Web browsing data fine: America’s FTC requires Avast to pay 16.5 million dollars, (which will be used to compensate consumers), and prohibit the company from selling or licensing any web browsing data for advertising purposes to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking. The FTC alleged Avast sold that data to more than 100 third parties through its Czech subsidiary, unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and consumer consent. 

Refused bank loan: It is not possible to further process the data of a loan applicant if no customer agreement has been concluded with the bank, confirmed the Polish Supreme Administrative Court in its recent judgment. The court agreed with the data protection regulator UODO that the processing of data for creditworthiness assessment and credit risk analysis, related to inquiries that did not end with the granting of a loan, cannot be continued (neither by the bank nor the credit information bureau) on the basis of the legitimate interest of the data controller.

Data security

Location data: The Data Protection Commissioner in North Rhine-Westphalia warns citizens against being too careless with their location data. If people are careless when selecting an app and sharing personal data, they make it easier for third parties to collect location data and resell it to data traders. The data traders could then use the location information in conjunction with the device-specific ID to create individual movement profiles.

Consumers should ideally pick up their smartphone and check the system settings to see which app has been granted access rights. If in doubt, you should revoke permission.

Self-declared GDPR compliance: The Liechtenstein data protection authority asks organisations to be careful with self-declared GDPR compliance of software solutions or cloud services. Instead, it is necessary to check whether the respective service can achieve the determined level of protection with appropriate settings or measures. Security measures in the cloud include encryption mechanisms or regulations on access rights. Under certain conditions, the aforementioned check must be carried out in the form of a data protection impact assessment (DPIA).

Suppose the data stored in the cloud is transferred to a third country outside the EU/EEA area. It must also be checked whether this offers a level of protection equivalent to that in the EU/EEA area or can be ensured through suitable measures and guarantees under the GDPR. In addition, providers of cloud services are usually contracted as data processors, which is why the existence of a legally compliant data processing contract must be observed.

In case you missed it

AI from non-EU countries: A number of European regulators draw attention to the risks associated with the use of AI tools like DeepSeek. Although this model of generative AI is freely accessible on the Internet, the manufacturer did not design it for the European market. Based on current knowledge, it can be assumed that the requirements of the AI Act and the GDPR in particular are not met. The regulators suggest some practical steps:

  • Pay attention to the transparency of the provider and appropriate documentation.
  • Use a separate, secure IT environment to avoid data leaks.
  • If no privacy-preserving measures are known, it is reasonable to assume that none exist (and inform your employees of the risks associated).
  • Take into account the AI competence requirement and the ban on prohibited AI practices that apply from February under the AI Act.
  • Make sure that the manufacturer of the AI application, if it is also responsible for data protection and is not based in the EU, has appointed a GDPR representative (otherwise, the effective enforcement of the rights of those affected can become very difficult).

AI in education: The Future of Privacy Forum meanwhile highlights the spectrum of AI in education in its latest infographics. While generative AI tools that can write essays, generate and alter images, and engage with students have drawn increased attention, schools have been using AI-enabled applications for years for predictive or content-generating purposes too, including reasoning, pattern recognition, and learning from experience.

In practice, they often help with: automated grading and feedback, student monitoring, curriculum development, intelligent tutoring systems, school security and much more. 

Data protection digest 17 Sep – 1 Oct 2024: EU Data Act as an illustration of the GDPR ‘prevail’ principle
https://techgdpr.com/blog/data-protection-digest-02102024-eu-data-act-as-an-illustration-of-the-gdpr-prevail-principle/ (Wed, 02 Oct 2024 09:58:10 +0000)

How does the EU Data Act interact with the GDPR?

The Data Act will become applicable in the EU starting on 12 September 2025. In the runup, the European Commission has published an FAQ on the new legislation. Together with the Data Governance Act, it enables a fair distribution of value by establishing clear rules related to the access and use of data within the EU’s data economy. While the Data Act does not regulate the protection of personal data, the GDPR remains fully applicable to all personal data processing activities under the Act. 

This includes the powers and competences of supervisory authorities and the rights of data subjects. Sometimes, it complements the GDPR, (eg, real-time portability of data from Internet-of-Things objects). In other cases, it restricts the re-use of data by third parties, such as for profiling purposes, (unless it is necessary to provide the service to the user). In the event of a conflict between the GDPR and the Data Act, the GDPR rules shall prevail, (see Art. 1(5) of the Data Act).  

Corrective powers under the GDPR

The CJEU has ruled that a supervisory authority is not obliged to exercise a corrective power in every case of infringement and, in particular, is not obliged to impose a fine. It may refrain from doing so where the controller has already taken the necessary measures on its own initiative. The case concerns a savings bank in Germany where an employee had consulted a customer’s data on several occasions without authorisation. The employee had confirmed in writing that she had neither copied, retained nor shared the data, and the bank had taken disciplinary measures. The controller nevertheless notified the data protection authority of the breach.

More legal updates

California tech updates: Among more than a dozen new bills covering personal data and generative AI, Governor Gavin Newsom signed into law a bill on the disclosure of AI training data sources. It requires developers to report the sources or owners of datasets, a description of the data points they contain, whether the datasets contain personal information, how the datasets further the intended purpose of the AI system or service, whether they include data protected by copyright, trademark or patent, and more. The requirements take effect on 1 January 2026. 

California has also expanded the definition of personal data to cover more abstract digital formats, including compressed or encrypted files, metadata, and artificial intelligence systems capable of outputting personal information. At the same time, a landmark artificial intelligence safety bill was vetoed by the governor after strong opposition from major technology companies. The bill would have required the most powerful AI models to undergo safety testing and other oversight obligations.

Lax social media privacy controls: The Federal Trade Commission has examined the data practices of major social media and video streaming services, finding that they engaged in vast surveillance of consumers to monetise their personal information while failing to adequately protect users online, especially minors. Among other things, companies feed users’ and non-users’ personal information into their automated systems, including for use by their algorithms, data analytics and AI, without adequate testing and oversight. Meanwhile, data subjects had little or no way to opt out of how their data was used by these automated systems.

Who determines how to secure data?

The Polish Supreme Administrative Court has issued a final ruling on whether a data controller may leave it to an employee to determine how to secure data. In the underlying case, a probation officer of a district court lost an unencrypted USB drive containing the personal data of 400 people. The analysis of the case showed that the controller had not properly fulfilled its security obligations. 

Before the incident, the controller issued the device and instructed the probation officer to implement security measures on their own. An obligation to register and encrypt such media was introduced only after the officer lost it. Employees had received only basic data protection training, which gave them insufficient knowledge of securing digital media or assessing the risk of data loss. As a result, the employee had decided to protect the data by carrying the drive in a locked bag. In other words, a controller does not discharge its security obligations by handing an employee an unencrypted device and leaving the choice of safeguards to them.

More from supervisory authorities

Data accountability from A to Z: The Luxembourg data protection and cybersecurity authorities have recently developed DAAZ, a GDPR compliance tool that addresses the challenges faced by start-ups and small and medium-sized enterprises, (available in English). The tool comes in response to the personal data protection challenges faced by SMEs in particular, which are often at a disadvantage compared with large organisations in terms of resources and expertise.

Mobile applications: The French CNIL has published the final version of its recommendations to help professionals design privacy-friendly mobile applications. From 2025, these will be the subject of a specific control campaign. According to the latest data, a typical French consumer downloads 30 apps and uses their mobile phone for an average of 3 hours and 30 minutes per day. Among other things, the recommendations include best practices for stakeholders to ensure that users understand whether the requested permissions are really necessary for the application to function.

AI Act and GDPR: Finally, the Belgian regulator published its information guide, (available in English), on the EU AI Act from a GDPR perspective. It includes sections on AI system definition, and data protection principles such as purpose limitation, data minimisation and data subject rights in an AI context. It also emphasizes accountability, security measures and human oversight in AI development. 

Termination of employment

Although former employees have the right to request the deletion of their data, it should be understood that this right is not absolute, according to the Latvian regulator. In one example, the former employer has the right to temporarily retain an e-mail box for a certain period to ensure continuous communication with the company’s customers, (eg, by forwarding e-mails), and access information that is essential to the operation of the company. However, the employer must clearly define for how long this e-mail address will be stored and communicate it to employees. 

This does not mean that the employer can use the information found in the e-mail for other purposes. The principle of purpose limitation should be taken into account here. If an employer recovers, for example, a computer or smartphone used by an employee after the end of the employment relationship, they may discover that private e-mails or other communication channels were accessed on it. If the employee is not logged out of these accounts, the employer has no right of access, despite owning the device.

Data requests via a representative

Finland’s data protection commissioner has stated that a person can make an inspection request for their data with the help of an agent and, for example, ask the organisation to provide the agent with that information. Data protection legislation does not prevent the exercise of data protection rights through another person. An individual who contacted the regulator’s office had asked the Tax Administration to deliver all information about them to their representative’s postal address. However, the Tax Administration refused to provide information to the agent, citing that the information could only be provided to the person directly.

More enforcement decisions

Commercial legitimate interest: Hogan Lovells’ law blog reports that a Dutch court has once again set aside a decision of the data protection authority for its overly strict interpretation that purely commercial interests cannot be legitimate interests under the GDPR. The court ruled in favour of the unnamed company and suspended a 120,000 euro fine, as the question was still open to legal debate. 

The cumulative criteria for a valid legitimate interest, (eg, for direct commercial marketing), require a careful assessment, including whether the data subject could reasonably expect the data processing. Additionally, the personal data concerned must be strictly necessary for the legitimate interest pursued, and, finally, that interest must not be overridden by the fundamental rights and freedoms of the data subject. 

Meta fine for password storage in plaintext: The Irish Data Protection Commission has fined Meta Platforms Ireland 91 million euros. The inquiry was launched in April 2019 after the company notified the regulator that it had inadvertently stored certain passwords of social media users in plaintext on its internal systems, (ie, in readable form, without the salted one-way hashing normally applied to stored credentials). According to the DPC, these passwords were not made available to external parties. That does not remove the risk: anyone with access to those internal systems could read the passwords, and any later compromise of those systems would expose the credentials directly. 
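The two controls that prevent the situation described above are storing only a salted, deliberately slow hash of each password and redacting credential fields before any request payload is written to internal logs (one common route by which plaintext credentials end up on internal systems; whether that was the mechanism in Meta’s case is not stated in the decision summarised here and is assumed for the example). The following Python is an added illustration written for this digest, not Meta’s code: the record format, the iteration count (600,000, OWASP’s 2023 minimum for PBKDF2-HMAC-SHA256) and the key pattern used by the redactor are assumptions.

```python
import hashlib
import hmac
import json
import os
import re
from typing import Optional

# Assumption: 600,000 is OWASP's 2023 minimum for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, slow hash and return a self-describing record.

    Only this record is persisted; the plaintext is discarded after the call.
    Record format (constructed for this example): algo$iterations$salt_hex$hash_hex
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported password hash: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


# Keys whose values must never reach a log. The pattern is an assumption; extend it for your schema.
SENSITIVE_KEY = re.compile(r"pass(word|wd|phrase)?$|secret|token|pin$", re.IGNORECASE)


def redact(payload):
    """Recursively replace the values of credential-like keys before logging."""
    if isinstance(payload, dict):
        return {k: ("[REDACTED]" if SENSITIVE_KEY.search(str(k)) else redact(v))
                for k, v in payload.items()}
    if isinstance(payload, list):
        return [redact(v) for v in payload]
    return payload


def log_line(event: str, payload: dict) -> str:
    """The only form in which a request body is ever written to internal logs."""
    return f"{event} {json.dumps(redact(payload), sort_keys=True)}"
```

The verifier uses `hmac.compare_digest` rather than `==` so that the comparison time does not leak how many leading bytes matched, and the redactor runs on the structured payload before serialisation, so a nested `api_token` is caught as reliably as a top-level `password`.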

Selling data to competitors: A man in the UK has pleaded guilty and been fined for unlawfully retaining and selling thousands of details of customer records from the car leasing company he worked for. Shortly before he resigned from his role as sales consultant, at Leaseline Vehicle Management Ltd, he sold over 3,600 pieces of personal information he’d taken from the company’s internal customer database. He approached multiple competitor companies with this information, whilst claiming that the data belonged to him.

Data security

Facial recognition: The German Data Protection Conference observes that some authorities are already using biometric facial recognition in public spaces, citing non-specific criminal procedural rules. However, the legal framework and the civil liberties of those affected – potentially all citizens – are not sufficiently taken into account. For this reason, the European legislators have excluded certain applications in the AI Act and set strict limits for others. The regulator calls upon the national legislators to create specific and proportionate legal bases for the use of facial recognition systems in public spaces.  

Minors’ data: Following Ofcom’s publication of its draft Children’s Codes of Practice, due to come into effect in early 2025, Instagram has changed the way it works for minors, connectedworld.clydeco.com reports. For all under-18s, the new “teen accounts” activate several privacy settings by default, such as preventing non-followers from seeing their material and requiring them to manually accept new followers.

Also, the only way for 13 to 15-year-olds to change the settings is to add a parent or guardian to their account. Strict guidelines will also be applied to sensitive content to avoid suggesting potentially dangerous material and muting notifications overnight, (“sleep mode”). 

Portability right: A new portability right applies to employees and consumers in Québec, the JD Supra law blog reports. Its purpose is to allow individuals in the private and public sectors to access their data and transfer it to another legally authorised organisation of their choice. It applies only to data that is already stored digitally and was provided directly by the individual. Although the legislation does not prescribe a format, PDFs, images and proprietary formats that require additional software or costly licences should be avoided in favour of structured, machine-readable formats such as CSV, XML or JSON. 

Making sense of new EU-wide data regulations, the red thread behind the digital single market (https://techgdpr.com/blog/making-sense-of-new-eu-wide-data-regulations-the-red-thread-behind-the-digital-single-market/, published Mon, 08 Jan 2024)

A multitude of new regulations are either in the ordinary legislative procedure or already in force. These include the Data Act, the Data Governance Act, the Digital Services Act, the Digital Markets Act, the Cyber-Resilience Act, the European Health Data Space Regulation and the Artificial Intelligence Act. Data regulations in the European Union (EU) are becoming more complex and more challenging for businesses to comply with. The growing number of administrative burdens and compliance requirements in these regulated areas is a valid concern for businesses. Supervisory enforcement of enacted regulations will be a wake-up call for organisations that are not prepared. Tech players operating in the EU and the authorities overseeing their activities face the same challenge of adapting to legislative overlap. New fines, new supervisory authorities and new compliance requirements are expected. To better understand this burst of regulation, the EU’s strategic policies must be carefully examined.

What is the EU aiming for?

  • The United States (US) and China (CN) have different advantages in the field of technological competitiveness. 
  • The US has a strong private sector with abundant financial resources, while CN has a state-sponsored private sector. 
  • The EU meanwhile wants to shape its own digital future, and create a competitive Digital Single Market while enforcing European democratic values. In a short span of time, the European Commission has implemented digital transformation policies to become more competitive in the global economy, reduce the carbon footprint that arises from the red-tape bureaucracy and go digital. 
  • Better public services and comprehensive scientific research will be strengthened by the re-use of data envisaged in the European Strategy for Data

Understanding the distinct European view on data 

Greater productivity for IoT and data-enabled products are also on the list. But greater accessibility to data is needed to enable innovation in a data-driven economy. This explains why data intermediaries are expected to play a key economic role, as envisioned in the Data Governance Act. Making more data available to smaller players will be made possible by creating common European data spaces in strategic sectors. There are multiple underlying reasons for the data spaces, all of which align with the strategic data policies of the European Union.

  • The new regulations are in line with the existing strategic objectives, allowing for organizations to get ahead of the game by embracing the EU’s strategic data policies. 
  • The industrial data space and co-generated industrial data is part of the Data Act. 
  • The common European health data space is also regulated with the upcoming European Health Data Space Regulation. 
  • Green Deal data space, financial data space, energy data space, agricultural data spaces, are also mentioned in the “European Strategy for Data”.

EU strategic goals

  • The digitalisation of public services and the digital transformation of businesses are of high priority in the 2030 Digital Compass: the European way for the Digital Decade
  • The Digital Compass goals are consistent with the rising amount of data being created in the EU. 
  • The EU is determined to maintain its regulatory norms and standards in its relations with international partners. 
  • By 2030, the EU aims to build an interconnected data processing ecosystem conscious of fundamental rights and in full compliance with legal requirements. As stated in the 2030 Digital Compass policy, the EU will continue to promote the ethical use of AI, establish strict cybersecurity and resilience requirements, tackle disinformation and illegal content online, ensure the operational security of digital finance and facilitate transformation of e-government. Respectively, these strategic policies are being covered by the Artificial Intelligence Act, the NIS2 directive and Cyber-Resilience Act, the Digital Services Act, the Digital Operational Resilience Act for the financial sector and European Health Data Space Regulation.

Implications for the future

These new regulations pave the way for the EU to achieve its new industrial strategy of climate neutrality and digital leadership. They are intended to reduce the carbon footprint and cut red tape. 

  • The digital transformation is essential for a greener EU.
  • The reuse of data is also critical. 
  • As stated in the EU Strategy for Data, this includes greater productivity and competitive markets, as well as improvements in health and well-being. 

The emergence of data-driven ecosystems can prove itself in the long run but it may take years for the EU to figure out the interplay of new regulations within the existing legal frameworks, the preparation of new guidelines and the appropriate degree of coordination between supervisory authorities. 

The EU will need to ensure that data and data-enabled products and services are available throughout the single market. Considering the EU’s goal of building a legal digital framework and becoming an international market leader, similar regulations may spread over time to different continents through the Brussels Effect. The key intention is to create a European data ecosystem that is respectful of fundamental rights. Whether these strategic intentions will be translated into the regulatory scope as intended remains to be seen. 

Data protection digest 16 Nov – 1 Dec 2023: APIs methodology, customer data minimisation, and digital mobility observatory (https://techgdpr.com/blog/data-protection-digest-04122023-apis-methodology-customer-data-minimisation-and-digital-mobility-observatory/, published Mon, 04 Dec 2023)

In this issue, you will find data protection solutions for complex data-sharing projects for both public and private actors, such as the latest APIs methodology, as well as a variety of official guidance on how to comply with GDPR requirements when it comes to innovation, research, digitisation and digital business development.

Official guidance

APIs methodology: The French data protection authority CNIL has issued a methodology guide on the use of application programming interfaces for all actors in the data-sharing chain, (whether sharing takes place under a legal obligation, for scientific research, for commercial or non-commercial purposes, with or without access restrictions, etc). All categories of API are covered by the recommendations when organisations use them to share personal data. Three technical roles are introduced: a) the data holder, b) the API manager, and c) the data re-user. However, the roles defined in the guide do not in any way prejudge the legal responsibility of each organisation, which must be determined by a case-by-case analysis. Read the full guide in French here

Medico-social sector: The CNIL also published a “retention periods” reference framework for the most frequent processing operations in the social and medico-social sectors and a practical guide proposing a methodology for the professionals concerned, (in French). The guidance is intended for public and private bodies such as social life support services, residential establishments for dependent elderly people, and administrative and judicial services for the protection of adults and minors.

Streaming platforms: The most common processing by streaming platforms includes identity and contact information, billing details, behavioural data, and technical information, explains the Latvian regulator. These data may be necessary to perform the contract, and other legal obligations, or to improve the service. However, additional processing for marketing needs generally falls outside this list and requires the prior consent of the user. Each legal basis provides a different scope of the data subject’s rights. Individuals should be free to stop data processing based on their consent, and the withdrawal of consent should not affect their ability to receive the content.

Legal processes

EU Data Act adopted: On 27 November a new law was adopted on fair access to and use of data. It is one of the five pieces of legislation in the European Data Strategy package. Among other things, the regulation sets out measures that allow users, (B2C, B2B and B2G), of various devices to access the data they generate, which is often collected only by manufacturers, and to share this data with third parties in order to obtain data-based services. In addition, the regulation allows public sector bodies to obtain data held by the private sector where needed in emergencies. The Data Act will apply twenty months after its entry into force, from 12 September 2025. 

UK data protection reform: The UK government says it has carefully prepared a set of changes to the domestic, (post-Brexit), data protection legislation in 2024. Among many things, it includes clarification that data controllers only need to conduct reasonable and proportionate searches in response to a data subject access request. Another example is new powers to require data from third parties, particularly banks and financial organisations, for fraud checks. The proposal also covers using biometric data, such as fingerprints, to strengthen national security. Find the full list of the latest amendments here

Automated decision-making: Meanwhile the California Privacy Protection Agency has released a draft rulebook on automated decision-making technologies. The proposed regulations would implement consumers’ right to opt out of, and access information about, such technology, as provided for by the California Consumer Privacy Act. The agency expects to begin formal rulemaking next year. The decision-making processes covered include decisions about employment and compensation; profiling an employee, contractor, applicant or student; using facial-recognition technology or automated emotion assessment to analyse consumers’ behaviour in public places; and more. 

Data subject rights

A copy of your data: this is a collection of the personal data held by a controller, in a viewable file or document. It should be understood as a collection of information, not a simple copy of one or several physical documents. If you know that a controller, (natural or legal person, public institution or other body), holds your data, you can request a copy. You must identify yourself by providing at least your first and last name, any additional information the organisation requests, and, if possible, the period and other details. The organisation will “extract” the information from its documents, information systems and other locations and bring it together in one place so that it can be issued. 

If you submit the request electronically, the organisation is obliged to issue the copy in a usable electronic form. If you need the information in a different format, say so in the request. A copy of personal data can also be cut from an audio or video recording, explains the Latvian regulator. Possible grounds for refusal include problems in identifying the person, the requester’s data being no longer (or never) at the organisation’s disposal, or a vaguely worded request such as “Show me all my data”. Likewise, data may be withheld where it is subject to restrictions on disclosure, for example data relating to investigative authorities, financial institutions or other public administration bodies.

DP tools

OLIVIA: The Croatian data protection authority has presented a virtual teacher and assistant for compliance with the GDPR, (available in English), allowing entrepreneurs the opportunity to learn what their basic obligations are, test their knowledge and create basic documents (eg, self-assessment reports, information notices or cookie banner examples), which help to prove compliance. You can test the OLIVIA tool here.

Digital development: A similar tool for data protection has been issued by the Swedish data protection authority aiming at public actors working with innovation, digitisation and digital business development. The methodology is based on two overarching prerequisites:

  • An organisation that is to innovate must take into account the data protection regulations on an ongoing basis during the innovation work.
  • Continuous and structured cross-functional collaboration is required between the actors – lawyers, technicians and managers – that participate in the innovation work. The tool, (in Swedish only), is available here

Discussion papers

Health research: In Germany, medical research projects are often carried out in more than one federal state. Depending on the research location, different data protection requirements must be observed, according to the Data Protection Conference. Differences exist regarding the admissibility of data processing, (various legal bases), the definition of the protected groups, including patients and relatives, and the permissible purposes of processing. The regulator is therefore appealing to federal and state legislators to clarify the relevant data protection rules and is ready to assist.

Legal bases for using AI: The Baden-Württemberg data protection authority has published a discussion paper, (in German), on the legal bases under data protection law for using AI, and invited public comments. The legal bases listed in Art. 6 of the GDPR are generally available to businesses, with legitimate interest of particular importance and performance of a contract suitable to a certain extent. Finally, the criteria for valid consent could be particularly hard to meet given the lack of transparency and traceability of complex AI systems. 

Mobility data: The Luxembourg data protection agency adopted an opinion on the creation of a Digital Mobility Observatory under the authority of the government. Its mission will be to provide the data necessary for the planning of infrastructure to fit the changing needs of the population and businesses. The regulator wonders whether the observatory can function without processing personal data, by carrying out mobility studies on anonymised data. 

The regulator also doubts that all the processing complies with the principles of necessity and proportionality. The observatory would have access to a series of personal data, such as place of residence, employment status, gender, household composition and income range held by various public administrations. Moreover, even private entities would be obliged to grant access to their data, such as mobile operators.

EU-US data transfers

Data Protection Review Court: The Biden administration formed the first panel of judges for a new court, mandated by the EU-US Data Privacy Framework. The Data Protection Review Court was created through a presidential Executive Order in 2022. The panel will examine claims brought by individuals in the EU who believe the US government is digitally surveilling them in violation of US laws. The attorney general-appointed special advocate will represent the claims. According to a Politico analysis, the judges have the authority to make binding and final rulings that the intelligence community must follow if they determine a violation. 

Enforcement decisions 

Non-retroactivity of data processing agreements: The Belgian data protection authority recently ruled that retroactive data processing agreements are invalid. The case concerned a public authority and its processor and various infringements of the GDPR, including the absence of a data processing agreement signed in time. Such agreements must be in place before any personal data processing begins. A clause declaring the agreement to apply retroactively, to a date after the GDPR became applicable, does not cure the omission, as it prejudices the rights of third parties, in particular data subjects. Read the analysis by DLA Piper of the case here

Outdated technical and organisational measures: The Norwegian Labour and Welfare Service was fined approximately 1.7 million euros for a series of information security failings in its IT systems over a long period. A large number of staff working on cases from all over the country, across several service areas, had wide access to highly sensitive data. No systematic control of staff use of the IT systems had been established, and use of the systems was largely based “on trust”.

Waste disposal: The Dutch regulator imposed a fine of 30,000 euros on a municipality for keeping information about waste from individual households for much longer than necessary. The wheelie bins and tokens for the waste compartments have a chip with a number that is linked to a home address. But the ‘dumping data’ was kept for far too long. Bin data was kept for as long as they were in use and token data was stored for 5 years. That is much longer than necessary to check whether a household exceeds the permitted waste amount. The data retention periods are now shortened to 14 days. The municipality also finally sent information letters about the technology, (in use from 2018).

Compliance audits

Customer data: The UK Information Commissioner’s Office assessed the compliance of some major customer-facing employers in the country. Good practice identified included staff training and disciplinary measures, data minimisation and access controls, and customer complaint mechanisms. For example, Uber Eats lets couriers view only the limited delivery and customer data they need, such as the delivery address. If a call is needed, temporary phone numbers appear at both ends so that neither party’s real number is disclosed, while messages are sent within the app. Once the trip ends or is cancelled, the courier loses retrospective access to that data. Read more positive examples here.  
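The pattern the ICO highlights above combines three controls: a field-limited view, a relay alias in place of the real phone number, and revocation of access when the trip closes. The following Python is an added example written for this digest, not Uber’s code; the order states, field names, alias format and two-hour alias lifetime are assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

ACTIVE_STATES = {"accepted", "picked_up", "en_route"}   # assumed order states
FINAL_STATES = {"delivered", "cancelled"}
ALIAS_TTL = timedelta(hours=2)                           # assumed relay-number lifetime


@dataclass
class Order:
    order_id: str
    customer_name: str        # never exposed to the courier
    customer_phone: str       # never exposed to the courier
    dropoff_address: str
    items: List[str]
    courier_id: Optional[str] = None
    state: str = "accepted"


class AccessDenied(PermissionError):
    """Raised when a courier asks for data outside their current, active trip."""


class RelayDirectory:
    """Temporary number aliases: one per order, expiring with time and revoked when the trip closes."""

    def __init__(self) -> None:
        # alias -> (real number, order_id, expiry)
        self._aliases: Dict[str, Tuple[str, str, datetime]] = {}

    def alias_for(self, order: Order, now: datetime) -> str:
        for alias, (_, oid, expires) in self._aliases.items():
            if oid == order.order_id and now < expires:
                return alias                       # reuse the live alias for this trip
        alias = "+1555" + "".join(secrets.choice("0123456789") for _ in range(7))
        self._aliases[alias] = (order.customer_phone, order.order_id, now + ALIAS_TTL)
        return alias

    def resolve(self, alias: str, now: datetime) -> Optional[str]:
        """What the telephony relay would call: the real number, or None once expired/revoked."""
        entry = self._aliases.get(alias)
        if entry is None or now >= entry[2]:
            return None
        return entry[0]

    def revoke_order(self, order_id: str) -> None:
        self._aliases = {a: e for a, e in self._aliases.items() if e[1] != order_id}


def courier_view(order: Order, courier_id: str, relay: RelayDirectory, now: datetime) -> dict:
    """Return only the fields a courier needs, and only while they hold an active trip."""
    if order.courier_id != courier_id:
        raise AccessDenied("courier is not assigned to this order")
    if order.state not in ACTIVE_STATES:
        raise AccessDenied(f"order is '{order.state}': no retrospective access")
    return {
        "order_id": order.order_id,
        "dropoff_address": order.dropoff_address,
        "items": list(order.items),
        "customer_contact": relay.alias_for(order, now),
    }


def close_order(order: Order, final_state: str, relay: RelayDirectory) -> None:
    """Ending or cancelling the trip revokes both the data view and the relay alias."""
    if final_state not in FINAL_STATES:
        raise ValueError("final_state must be 'delivered' or 'cancelled'")
    order.state = final_state
    relay.revoke_order(order.order_id)
```

The check is enforced at the point where the view is built, so there is no code path that returns the customer’s name or real number to the courier, and the alias is bound to the order rather than to the courier, which is what makes revocation on trip closure reliable.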

Similarly, the Commissioner’s Office carried out a consensual audit of Fluent Mortgages Horwich, after a series of complaints from individuals about disclosures of personal data to third parties, and withholding of call recordings. The regulator stated the need for more specific training for those responsible for handling data subject requests and the performance of data protection impact assessments. Also, processing activities may not all be correctly identified. As a result, the company may not have identified a lawful basis for all of their processing. 

Data security

Data classification: The US NIST has released for public comment a draft internal report on data classification concepts and considerations for improving data protection. It describes a lifecycle built around the high-level phases that matter for classification: identify, use, maintain and dispose. Not every data asset passes through every phase. The report also groups data assets into three broad representations: structured, semi-structured and unstructured. 

Once data classifications are assigned, the organisation needs to enforce the data protection requirements. These encompass all of the controls needed to protect each data asset. An example would be: to encrypt the data asset when at rest or in transit, use a data integrity mechanism to detect tampering, allow access by members of a particular group only, and retain the data asset for a fixed period from the date it was acquired. Read more in the original paper.
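The NIST passage lists the requirements that follow from a classification (encrypt at rest and in transit, an integrity mechanism, group-restricted access, a fixed retention period) but not how they are enforced together. The following is an added example, not code from NIST or from the draft report, showing one way to turn such a mapping into a decision an application can make before serving an asset. The policy table, the group names, the `payroll.csv` and `memo.txt` assets and the key are all constructed for the example; the integrity mechanism is an HMAC that deliberately covers the classification label and the acquisition date as well as the content, so that a downgraded label or a moved retention clock is caught in the same check as altered content.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Requirements:
    """Protection requirements attached to one classification level."""
    encrypt_at_rest: bool
    encrypt_in_transit: bool
    allowed_groups: frozenset
    retention_days: int


# Constructed policy for this example; an organisation derives its own
# table from its classification scheme, not from the NIST draft.
POLICY = {
    "public": Requirements(False, True, frozenset({"everyone"}), 5 * 365),
    "internal": Requirements(True, True, frozenset({"staff"}), 2 * 365),
    "confidential": Requirements(True, True, frozenset({"finance", "legal"}), 365),
}


@dataclass(frozen=True)
class DataAsset:
    name: str
    classification: str
    acquired: date          # start of the retention clock
    content: bytes
    stored_encrypted: bool  # whether the at-rest copy is encrypted


def _sealed_fields(asset: DataAsset) -> bytes:
    """Length-prefix each field so the boundaries between them are unambiguous."""
    out = b""
    for part in (asset.name.encode(), asset.classification.encode(),
                 asset.acquired.isoformat().encode(), asset.content):
        out += len(part).to_bytes(4, "big") + part
    return out


def seal(asset: DataAsset, key: bytes) -> str:
    """HMAC-SHA256 tag binding label, acquisition date and content together,
    so a label downgrade or a moved date fails verification like edited content."""
    return hmac.new(key, _sealed_fields(asset), hashlib.sha256).hexdigest()


def verify(asset: DataAsset, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(asset, key), tag)


def retention_expired(asset: DataAsset, today: date) -> bool:
    limit = POLICY[asset.classification].retention_days
    return today > asset.acquired + timedelta(days=limit)


def authorize(asset: DataAsset, requester_groups: set, today: date,
              key: bytes, tag: str, channel_encrypted: bool = True):
    """Apply every control the policy attaches to the asset; return (allowed, reason)."""
    req = POLICY.get(asset.classification)
    if req is None:
        return False, "unclassified asset: deny by default"
    if not verify(asset, key, tag):
        return False, "integrity check failed: label, date or content changed"
    if retention_expired(asset, today):
        return False, "retention period expired: dispose, do not serve"
    if req.encrypt_at_rest and not asset.stored_encrypted:
        return False, "stored unencrypted: at-rest requirement not met"
    if req.encrypt_in_transit and not channel_encrypted:
        return False, "unencrypted channel: in-transit requirement not met"
    if req.allowed_groups.isdisjoint(requester_groups):
        return False, f"requester not in {sorted(req.allowed_groups)}"
    return True, "allowed"


def demo() -> dict:
    """Run the controls over constructed assets; returns {case: (allowed, reason)}."""
    key = b"constructed-demo-key"  # constructed; use a managed secret in practice
    today = date(2025, 5, 1)
    payroll = DataAsset("payroll.csv", "confidential", date(2024, 9, 1),
                        b"id,salary\n1,1000\n", stored_encrypted=True)
    tag = seal(payroll, key)
    # Same bytes with the label downgraded to "public", old tag presented.
    downgraded = DataAsset(payroll.name, "public", payroll.acquired,
                           payroll.content, stored_encrypted=True)
    memo = DataAsset("memo.txt", "internal", today, b"hi", stored_encrypted=False)
    return {
        "finance_in_time": authorize(payroll, {"finance"}, today, key, tag),
        "wrong_group": authorize(payroll, {"marketing"}, today, key, tag),
        "after_retention": authorize(payroll, {"finance"}, date(2026, 1, 1), key, tag),
        "plain_channel": authorize(payroll, {"finance"}, today, key, tag, False),
        "label_downgrade": authorize(downgraded, {"everyone"}, today, key, tag),
        "stored_in_clear": authorize(memo, {"staff"}, today, key, seal(memo, key)),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

Only the first case is allowed; every other case fails one of the controls the paragraph names. The order of checks matters: an asset whose label cannot be verified is rejected before its (possibly forged) classification is used to look up the retention limit or the allowed groups.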

Catalogue of security measures: Meanwhile the Danish data protection authority published a list of security measures that companies and authorities can consider in various contexts, (in Danish). Many of the measures contain concrete examples based on the regulator’s experience, reported data breaches, the EDPB’s guidelines and applicable ISO standards. The catalogue has been created in close cooperation between lawyers and IT security consultants and can function as a reference paper. Many measures can be implemented as part of the privacy-enhancing functions that support data protection in IT systems. However, the final assessment of necessary measures is always made by the organisation based on a concrete risk evaluation. 

Big Data

Healthcare data for sale: In the US, the University of Iowa Hospitals & Clinics is in settlement negotiations with a woman who alleges the hospital shared confidential patient information with Facebook. It allegedly installed on its websites two sets of computer code that track the online activity of visitors. That information could then be shared with Facebook, linked to the individual account, and sold to marketers who can then target the individual with ads tailored to their medical issues. The lawsuit seeks class-action status to represent a broad array of patients.

Meanwhile, in the UK, four organisations are suing NHS England, arguing that it lacks the legal authority to establish the Federated Data Platform (FDP). NHS England caused a stir when it awarded the US espionage tech company Palantir a 330 million pound contract to create and run the FDP for seven years starting in the spring of next year. The platform consists of software that will make information sharing across health service trusts, integrated care systems and regional groupings of trusts much easier. It claims this will enhance patient care, and tackle the current 7.8m-strong total case backlog, The Guardian sums up.

The post Data protection digest 16 Nov – 1 Dec 2023: APIs methodology, customer data minimisation, and digital mobility observatory appeared first on TechGDPR.

Data protection & privacy digest 4 – 17 Feb 2023: synthetic data for fintech, MS Excel guide, Palantir technology ban
https://techgdpr.com/blog/data-protection-digest-20022023-synthetic-data-for-fintech-excel-guide-palantir-technology-ban/ Mon, 20 Feb 2023 09:30:09 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: synthetic data for fintech, draft Data Act, DPO dismissals

The UK Financial Conduct Authority, (FCA), issued a statement on synthetic data for beneficial innovation in UK financial markets. It strongly indicated fraud and anti-money laundering as a key use case for synthetic data, in part due to its ability to augment rare patterns of behavior in a dataset. Whilst the data protection legislation places conditions on such data processing, the FCA emphasizes that data sharing between different entities, (eg, access to the real datasets, as well as synthetic transactional datasets with embedded fraud typologies), is possible under the current regulatory framework if at least one lawful basis is met, accompanied by built-in privacy by design, data protection impact assessments, data sharing agreements, and other legal requirements.

The European Parliament adopted the draft Data Act – new rules for fair access and use of industrial data. It would contribute to the development of new services, in particular in the sector of AI where huge amounts of data are needed for algorithm training. It can also lead to better prices for after-sales services and repairs of connected devices. When companies draft their data-sharing contracts, the law will rebalance the negotiation power in favour of SMEs, by shielding them from unfair contractual terms imposed by companies that are in a significantly stronger bargaining position. Finally, the proposed act would facilitate switching between providers of cloud services, and other data processing services, and introduce safeguards against unlawful international data transfer by cloud service providers.

The CJEU rendered two decisions regarding the procedures for dismissing data protection officers and their potential conflicts of interest, (under the German Federal Data Protection Law), insideprivacy.com reports. In the relevant cases, the DPO also handled other organisational duties in a professional capacity. The data controllers argued that since those positions were incompatible, (chair of the work council in one of the cases), the DPO’s dismissal was appropriate. The former DPO started a legal action which ended up in the EU top court. 

However, the CJEU determined that as long as the national laws do not undermine the goals set for DPOs under the GDPR, EU member states may require that DPOs be dismissed for “just cause”. It is also for the national courts to decide whether a conflict of interest existed taking into account “all the relevant circumstances, in particular the organisational structure of the controller or its processor and in light of all the applicable rules, including any policies of the controller or its processor.”

Official guidance: MS Excel, research projects, free data protection tool, game developers

Bavaria’s data protection authority explains how to avoid data breaches when using Microsoft Excel. Users often approach the program intuitively; contrary to its primary purpose, Excel is frequently used simply because Word does not offer enough columns. However, if there is personal data in an Excel workbook, improper handling of the application can easily trigger a data breach. Excel workbooks can contain multiple worksheets, (the number is only limited by the available memory), even if you don’t work regularly with such “multi-sheet” workbooks yourself. Be especially careful with Excel files created by others, as Excel workbooks can contain invisible worksheets, as well as hidden columns, rows, or even individual cells, comments, and metadata. It is worth remembering:

  • before sharing an Excel workbook with personal information, especially before attaching it to an email, make sure that you really want to share everything;
  • consider whether the recipient needs to process the file further; if not, send a PDF version, which can be checked for hidden data before sending;
  • if possible, consistently delete the worksheets that are no longer required;
  • before creating a new workbook with multiple worksheets, consider whether you can complete the task with multiple single-sheet workbooks;
  • consider whether you need Excel for the task to be completed or whether a “simple” resource, (eg, a word processing program), will suffice.

If care is not taken, an Excel data breach can trigger the reporting obligation under Art. 33 of the GDPR, and the notification obligation under Art. 34 of the GDPR.
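The guidance says what to look for (hidden worksheets, hidden rows and columns, comments, metadata) but checking by eye inside Excel is exactly what misses a “veryHidden” sheet. The following is an added example, not code from the Bavarian authority, that checks a workbook before it is shared without opening Excel at all: an .xlsx file is a zip archive of XML parts, so the standard library is enough. The sample workbook, its sheet names, the cell values and the author names are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the .xlsx package parts this scanner reads.
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"


def _is_true(value):
    return value in ("1", "true")


def scan_xlsx(data: bytes) -> dict:
    """Inspect an .xlsx (as bytes) for content a recipient would not see on screen.

    Reports hidden/veryHidden sheets, the count of hidden rows and columns
    across all sheets, comment parts, and author metadata from docProps."""
    findings = {"hidden_sheets": [], "hidden_rows": 0, "hidden_cols": 0,
                "comment_parts": [], "metadata": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
                state = sheet.get("state", "visible")
                if state in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append((sheet.get("name"), state))
        for name in sorted(names):
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                ws = ET.fromstring(zf.read(name))
                findings["hidden_rows"] += sum(
                    1 for r in ws.iter(f"{{{NS_MAIN}}}row") if _is_true(r.get("hidden")))
                findings["hidden_cols"] += sum(
                    1 for c in ws.iter(f"{{{NS_MAIN}}}col") if _is_true(c.get("hidden")))
            elif name.startswith("xl/comments") and name.endswith(".xml"):
                findings["comment_parts"].append(name)
        if "docProps/core.xml" in names:
            core = ET.fromstring(zf.read("docProps/core.xml"))
            for tag, key in ((f"{{{NS_DC}}}creator", "creator"),
                             (f"{{{NS_CP}}}lastModifiedBy", "lastModifiedBy")):
                el = core.find(tag)
                if el is not None and el.text:
                    findings["metadata"][key] = el.text
    return findings


def is_safe_to_share(findings: dict) -> bool:
    """True only when nothing hidden, no comments and no author metadata remain."""
    return not (findings["hidden_sheets"] or findings["hidden_rows"]
                or findings["hidden_cols"] or findings["comment_parts"]
                or findings["metadata"])


def build_sample_xlsx(clean: bool = False) -> bytes:
    """Constructed minimal workbook for the example (not a real file).

    clean=False: visible 'Report' sheet plus a veryHidden 'Salaries' sheet
    with a hidden row and column, a comments part and author metadata.
    clean=True: only the visible 'Report' sheet."""
    workbook = (f'<workbook xmlns="{NS_MAIN}"><sheets><sheet name="Report" sheetId="1"/>'
                + ("" if clean else '<sheet name="Salaries" sheetId="2" state="veryHidden"/>')
                + "</sheets></workbook>")
    report = (f'<worksheet xmlns="{NS_MAIN}"><sheetData>'
              '<row r="1"><c r="A1" t="inlineStr"><is><t>Total</t></is></c></row>'
              "</sheetData></worksheet>")
    salaries = (f'<worksheet xmlns="{NS_MAIN}">'
                '<cols><col min="3" max="3" width="0" hidden="1"/></cols><sheetData>'
                '<row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c></row>'
                '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>A. Example</t></is></c></row>'
                "</sheetData></worksheet>")
    comments = (f'<comments xmlns="{NS_MAIN}"><commentList><comment ref="A2">'
                "<text><t>check salary band</t></text></comment></commentList></comments>")
    core = (f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}">'
            "<dc:creator>hr-admin</dc:creator><cp:lastModifiedBy>jdoe</cp:lastModifiedBy>"
            "</cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", report)
        if not clean:
            zf.writestr("xl/worksheets/sheet2.xml", salaries)
            zf.writestr("xl/comments1.xml", comments)
            zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_xlsx(build_sample_xlsx())
    print(result, "safe to share:", is_safe_to_share(result))
```

A sheet in the “veryHidden” state does not appear in Excel’s Unhide dialog at all and can only be made visible through the Visual Basic editor, which is why a check on the file itself is more reliable than a look at the workbook. Run `scan_xlsx` on the bytes of a real file (`open(path, "rb").read()`) before attaching it; a non-empty finding means the workbook still carries something the recipient was not meant to receive.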

Meanwhile, the Danish data protection authority has amended rules for deleting personal data at the end of research projects. Data controllers may have a legitimate need to process information for a period after the end of the investigation, (eg, for the purposes of peer review or countering accusations of scientific misconduct), so data should not always be deleted, anonymised, destroyed or returned at the end of a research project. Personal data can be transferred for storage in an archive in accordance with the rules in archive legislation. In addition, in some research areas, work is done with ongoing coverage of research fields, and building of relationships or data material, where it is not meaningful to talk about a project being “finished”. 

The Finnish data protection authority is promoting its data protection tool available as open source code to increase the data protection expertise of SMEs. You can familiarise yourself with the tool (in English) here. With the initial level test, the respondent can first check how well they control the basic issues of the data protection regulation. The role-mapping test helps the respondent to define what role the company plays in regard to the processing of personal data. Each role also has its own tests. The source code and content of the data protection tool are for free use, to further develop a company or industry-specific privacy tool or to produce new language versions, or even in commercial applications.

Finally, the UK Information Commissioner’s Office offers new guidance to game developers on protecting minors. The recommendations are based on the experiences and findings during a series of voluntary audits, (eg, on Yubo, Facepunch), of game developers, studios and publishers within the gaming industry: 

  • The age range of the players and the different needs of children at different ages and stages of development should be at the heart of how you design your games. 
  • Designing games to promote meaningful parent/guardian – child interactions, while setting a high level of privacy by default and appropriate parental controls is key.
  • It is important to only process children’s personal data in ways that are not detrimental to their health or wellbeing. 
  • It is crucial that games do not use nudge techniques to lead children to make poor privacy decisions.
  • Bad privacy information design obscures risks, unravels good player experiences, and sows mistrust between children, parents, and game providers.

Investigations and enforcement actions: employee emails monitoring, failed data subject requests at a sports center, HBNR and BIPA violations in the US, student data management

In Austria, the data protection authority found an employer’s monitoring of employee emails unlawful. Several complainants argued that the company, without their consent and knowledge, checked the technical mail server logs of all 6,000 employees for a specific recipient domain. The reason for this control measure was the suspicion of a breach of trade secrets. The data protection authority came to the conclusion that the control measure, which only took place six months after the incident that gave rise to it, was not proportionate due to the lack of a temporal connection and of topicality. Plus, there was no valid consent from the works council. 

The Norwegian data protection authority confirmed its fine of over 900,000 euros to Sats for breach of several provisions in the GDPR. The complaints were related to the company’s failure to comply with clients’ demands for access and deletion. Furthermore, the fitness centre chain lacked the authorisation to process data about the customers’ training history. Sats is the Nordic region’s largest fitness centre chain and has its head office in Norway. Therefore the Norwegian regulator dealt with the case in collaboration with other supervisory authorities under the so-called one-stop-shop mechanism.

In the US, the Illinois Supreme Court ruled that fast food chain White Castle System must face claims that it repeatedly scanned the fingerprints of nearly 9,500 employees without their consent, (to access a company computer system), which the company says could cost it more than 17 billion dollars. The Illinois Biometric Information Privacy Act, (BIPA), imposes penalties of 1000 dollars per violation and 5000 dollars for reckless or intentional violations. The law requires companies to obtain permission before collecting fingerprints, retinal scans, and other biometric information from workers and consumers. 

Also in the US, the Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification, (HBN), Rule against the telehealth and prescription drug discount provider GoodRx Holdings, for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon. 

From 2021, US health apps and smart products that collect or use consumers’ health information must comply with the HBN Rule. It ensures that entities not covered by the Health Insurance Portability and Accountability Act, (HIPAA), face accountability when consumers’ sensitive health information is breached. In the above case, GoodRx also displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with HIPAA.

The French privacy regulator CNIL gave formal notice to two higher education institutions to comply with the GDPR concerning files used for administrative and pedagogical management. Areas of non-compliance include data retention period, student information, use of subcontractors, and data security:

  • they had not provided a precise retention period for all processing of students’ personal data, nor had they provided for a purge and archiving system;
  • they did not properly inform students about the collection of their data via the various forms they fill out during their schooling;
  • they were not able to send the CNIL the duly signed data processing agreements with subcontractors;
  • they had no password policy to guarantee a minimum level of security in this area.

Data security: messaging apps

Privacy International issued a guide on communicating with others via messaging apps. Reportedly, there are two main aspects to consider: a) whether it offers end-to-end encryption that protects the content of your communication; and b) whether it collects any information beyond the content of the message, such as location, who you communicate with, and other details referred to as ‘metadata’. For sensitive conversations, it may be sensible to use disappearing messages if offered by your app, (however, it is unclear whether self-destructing messages are also recoverable by mobile phone extraction technology).

The use of E2EE for messaging should always be preferred over text messages, which are completely unencrypted, meaning they can be easily read, manipulated in transit, or spoofed. They may also be stored by your telecommunications provider, which may be subject to access requests from governments and law enforcement. For example, Signal uses E2EE not only to encrypt the contents of messages but also to obscure all metadata even from itself. In contrast, both WhatsApp and Telegram store, and can access, IP addresses, profile photos, “social graphs”, and more.

Big Tech: Palantir technology ban in Germany, more Tik Tok data centers in Europe

A top German court ruled against the use of software developed by Palantir Technologies, saying that police use of automated data analysis to prevent crime in some German states was unconstitutional as it infringes on the right to informational self-determination. The US-based company’s technology has so far been employed, among other things, to look into the criminal organisation accused of plotting to overthrow the German government in December, Reuters reports. Palantir says it only offers software for processing data. However, the German Society for Civil Rights, which brought the lawsuit, claimed the software used data from innocent people to form suspicions and could produce errors.

TikTok plans to open two more data centers in Europe, (Ireland), hoping to lessen regulatory pressure on the business. Data migration for TikTok users in Europe will start this year and last until 2024. TikTok hasn’t been subject to the same hefty fines as Google and Meta in the EU. Now TikTok is attempting to reassure governments and privacy regulators that users’ personal information cannot be accessed and that its content cannot be altered by the Chinese government or anyone else working for Beijing. 

The company also reported an average of 125 million monthly active users in the EU, under the brand-new online content rules known as the Digital Services Act. For comparison, Twitter says it has 100.9 million. Alphabet reports 278.6 million at Google Maps, 274.6 million at Google Play, 332 million at Google Search, 74.9 million at Shopping, and 401.7 million at YouTube. Meta Platforms claims 255 million on Facebook and about 250 million on Instagram.

Data protection & privacy digest 16 – 29 Aug 2022: data subject complaints, inappropriate reliance on consent & Smart TV reset
https://techgdpr.com/blog/data-protection-digest-30082022-data-subject-complaints-inappropriate-reliance-on-consent-smart-tv-reset/ Tue, 30 Aug 2022 09:21:56 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: data subject complaints, new business, identity cards, traffic licenses, TCF/OpenRTB, education platforms, insolvency claims, data sent by mistake, dpos

The UK Information Commissioner’s Office offers a brief guide on how to deal with data subject complaints, (your staff, contractors, customers), when you are a small business. The main steps are as follows: 

  • Respond as soon as possible, in plain language, to let the customer know you’ve received their data protection complaint and are looking into it. 
  • Let them know when they can expect further information from you and give them a point of contact. Include information about what you’ll do at each stage.
  • Send them a link to a complaints procedure, (if there is one). 
  • Check the complaint has come from an appropriate person. 
  • Check all the details of their complaint against the information you hold.
  • Ask for additional information if necessary. 
  • Update them so they know you’re working to resolve the issue. 
  • Record all your actions and due dates, and keep copies of relevant documents and conversations.

Starting a new business? The Jersey data protection regulator offers a quick guide on customer information, employee details, contact or payment details for suppliers and contractors, and other data points you’ll need to take responsibility for when getting a new business venture off the ground. The measures may include training your staff, limiting administrative rights, minimising data collection and storage, locking sensitive data, drafting a privacy policy, regular software updates and more. But even simple actions like turning off the ‘auto-complete’ function for email addresses or avoiding email forwarding may save you from personal data breaches. 

Financial institutions, for a range of services such as setting up and maintaining a bank account, electronic banking services, granting a loan or even a transfer order, make copies of our identity documents. The Polish data protection authority UODO takes the position that such copying is not permitted in every situation. For instance, the country’s banking law allows processing information contained in identity documents, but this does not give the right to make copies. In many cases, it is enough to show an identity document for inspection. On the other hand, anti-money laundering and financing of terrorism legislation entitles financial institutions to make copies of identity documents. Before applying financial security measures, institutions must assess whether it is necessary to process the personal data of a natural person contained in the copy of the identity card for these purposes. According to the principles of purpose limitation and data minimisation, personal data must be collected for specific, explicit and legitimate purposes, using relevant criteria and limited to what is necessary for the purposes for which they are processed.

The Hungarian data protection authority NAIH issued a notice on data management related to the reading of the bar code on traffic licenses at filling stations. According to the submissions received by the regulator, in order to sell fuel at the official price, a fuel provider reads bar codes on vehicle registrations, (or records the registration number of the vehicle), and stores it in its system. The data is then forwarded for tax control purposes. In relation to data management, information was not available for customers at the filling stations, and the employees were not able to provide any meaningful information. The NAIH started an ex-officio investigation into the lawfulness of the processing, and to see if the tax authority and fuel providers had complied with Art. 13 of the GDPR. 

The Latvian data protection authority DVI recently issued a series of recommendations, (in Latvian), including:

  • To evaluate the use of TCF and OpenRTB systems. Following the Belgian regulator’s decision, the transparency and consent system created by IAB Europe and the real-time bidding system were recognised as non-compliant. The decision stipulates that personal data obtained through TCF must be deleted immediately. This means that organisations using the tools, (website/app operators, advertisers and online ad technology companies), must stop using the tool, (unless it uses non-personal data).
  • What to do if another person’s data has been received by mistake, (Do not open, do not publish, use minimal research to identify the sender, who should be notified, let the sender solve this situation himself, etc.).
  • Safe use of online platforms used during the educational process.
  • The processing of personal data by insolvency administrators in the register of creditors’ claims, and
  • Functions and tasks of a data protection specialist.

Legal processes: EU Data Act, Quebec Bill 64, California privacy laws, China cross-border transfers

The Czech Presidency of the EU Council brought more clarity on the proposed Data Act, namely the part that refers to public sector bodies’ access to privately held data, Euractiv.com reports. Public authorities might request data, including the relevant metadata, if timely access to it is necessary to fulfil a specific task in the public interest, (eg, local transportation, city planning and infrastructural services). At the same time, safeguards for requests involving personal data have been added, as the public body will have to explain why the personal data is needed and what measures are taken to protect it. The top priority should be anonymisation, or at least aggregation and pseudonymisation, of collected data.

In Quebec, the first amendments from Bill 64, (which modernises data protection legislative provisions), to the Quebec Privacy Act and the Quebec IT Act will come into force on 22 September. They create an obligation for a person carrying on an enterprise to protect personal information and automatically designate the person exercising the highest authority within the enterprise as the person responsible. Other provisions create mandatory reporting of confidentiality incidents, biometric information database registration no later than 60 days before it is put in service, notification of any processes used to verify/confirm an individual’s identity based on biometric data, and allow disclosure of personal data necessary for commercial transactions, (eg, mergers, leasing).

In California a new privacy rights act, the CPRA, will take effect on 1 January 2023, while the new California privacy protection agency is consulting on draft regulations, with special attention on the draft American Data Privacy and Protection Act and its possible preemptive effect on California privacy laws. Other key regulatory issues include data processing agreements, programs on exercising data subjects rights, data minimisation and valid consent requirements, and prohibition of “dark patterns”.

China will enforce cross-border data transfer rules starting from 1 September. Consequently, many critical industries like communication and finance or transportation will face additional checks under the country’s latest cybersecurity, data security and personal information protection legislation. Companies seeking to transfer personal data on 100,000 or more people, (10,000 or more for sensitive data), handle the personal data of 1 million or more people, as well as operators that transfer the personal information of at least 100,000 cumulative individuals a year will undergo security reviews. Businesses will have to explain to government investigators the purpose of transfer, the security measures in place, and the laws and regulations of the destination country. More details on the new regulatory framework can be found in this guidance (by KPMG China).

Enforcement actions: commercial prospecting, employee’s consent, smart TV reset, Chromebook ban, PHI disposal, medical results without encryption

A famous French hotel group was slapped with a 600,000 euro fine from the privacy regulator CNIL for carrying out commercial prospecting without the consent of customers, when making a reservation directly with the staff of a hotel or on the website. The consent box to receive the newsletter was prechecked by default. Also a technical glitch prevented a number of people from opposing the receipt of such messages for several weeks. As the processing in question was implemented in many EU countries, the EDPB was asked to rule on the dispute concerning the amount of the fine. The CNIL was then asked to increase the sum so that the penalty would be more dissuasive.


Guernsey’s data protection authority has issued a reprimand, (recognition of wrongdoing), to HSBC Bank’s local branch for inappropriate reliance on consent. An employee felt obliged to consent to providing sensitive information about themselves in connection with what they believed was a possible internal disciplinary matter. They then made a formal complaint. The authority’s opinion is that reliance on “consent” where a clear imbalance of power exists is inappropriate, as it is difficult for employers to demonstrate that consent was freely given. Whilst in this case the controller ceased processing as soon as concerns were raised, they nonetheless continued to use consent as justification for the processing. How to manage data protection in employment? See in Guernsey’s latest guide.

The Danish data protection authority expressed serious criticism of retailer Elgiganten A/S, which had a returned television stolen during a break-in at its warehouse; the set had not been reset to remove the plaintiff’s personal data. This meant that a third party gained access to the TV and thus to information from streaming services that the plaintiff was logged into, as well as the browsing history. Before the break-in, the company had carried out a risk assessment for theft of its products and assessed the risk to be high, so the warehouse was secured by locks, a high wall, surveillance cameras and motion sensors. The burglar gained access by simply punching a hole in the wall. 

The Danish data protection authority is maintaining its ban on Chromebook use by a Helsingør municipality, on the grounds of high risks for individuals. The regulator stated that the decision does not prohibit the use of Google Workspace in schools – but the specific use of certain tools in the municipality is not justifiable regarding children’s information. The Municipality assessed that Google only acts as a data processor, but in the opinion of the regulator, it acts in several areas as an independent data controller, processing personal data for its own purposes in the US. 

The Danish regulator ruled that the municipality cannot reduce the risk to an acceptable level without changes to the contract basis and the technology the municipality has chosen to use. Although the decision specifically relates to the processing of personal data in Helsingør Municipality, the regulator encourages other municipalities to look at the same areas in relation to unauthorised disclosure and transfers to unsafe third countries.

The recent HIPAA settlement, (over 300,000 dollars), offers lessons on data disposal and the meaning of Protected Health Information, (PHI), workplaceprivacyreport.com reports. A dermatology practice reported a breach last year when empty specimen containers with PHI labels were placed in a garbage bin in the practice’s car park. The labels included patient names and dates of birth, dates of sample collection, and the name of the provider who took the specimen. The workforce should have been trained to follow disposal policies and procedures. These requirements can include: shredding, burning, pulping, or pulverising records so that PHI is rendered essentially unreadable; storing labelled prescription bottles in opaque bags in a secure area; and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI. 

The Belgian data protection authority also fined a laboratory 20,000 euros for insufficient security measures, DPIA, and privacy policy (Art. 5, 12-14, 32 and 35 of the GDPR), Data Guidance reports. Namely:  

  • the laboratory webpage allowed doctors to remotely consult the medical results of patients without employing any encryption;
  • the laboratory failed to conduct a DPIA for the large-scale processing of health data;
  • while rejecting that the health data had been processed on a large-scale, it had failed to clarify what criteria they were using to determine this;
  • the laboratory failed to include a privacy policy on their webpage related to the  maintenance of the abovementioned medical results.

Data security: cyber security breaches landscape, personal data bought by FBI, social engineering on healthcare

The UK government published an in-depth qualitative study with a range of businesses and organisations which have been affected by cyber security breaches. The findings help businesses and organisations understand the nature and significance of the cyber security threats they face, and what others are doing to stay secure. It also supports the government in shaping future policy in this area. The guide also contains 10 practical case studies on: understanding the level of existing cyber security before a breach, determining the type of cyber attack, understanding how businesses and organisations act in the immediate, medium, and long-term aftermath of a breach, etc.

Top US Democrats in Congress have demanded that the FBI and the Department of Homeland Security detail their alleged purchases of Americans’ personal data, Gizmodo.com reports. They suspect federal law enforcement agencies of using commercial dealings with data brokers and location aggregators to sidestep warrant requirements when obtaining Americans’ private data. The data points reportedly include, among others, records of internet browsing activity and precise locations. The demand includes the release of documents and communications between the agencies and the data brokers with which they may have dealings or contracts.

The US Health Sector Cybersecurity Coordination Center published guidance on the impact of social engineering on healthcare. Social engineering is the manipulation of human psychology for one’s own gain. “A social engineer can manipulate staff members into giving access to their computers, routers, or Wi-Fi; the social engineer can then steal Protected Health Information, (PHI), Personal Identifiable Information, (PII), or install malware posing a significant threat to the Health sector”, says the study. It also covers the phases and types of social engineering attacks (e.g. tailgating, vishing, deepfake software, smishing, baiting and more), the personality traits of a social engineer, the resulting data breaches, and steps to protect your organisation.

Big Tech: US mobile carriers, Google location data, Cambridge Analytica settlement, TikTok iOS app, Oracle class action

The US Federal Communications Commission will investigate whether mobile carriers properly disclose to consumers how they use and share location data, Reuters reports. Top mobile carriers, including Verizon, AT&T, T-Mobile, Comcast and Alphabet’s Google Fi, were asked to detail their data retention and privacy policies and practices. Recent enforcement of anti-abortion legislation in many states has also raised concern that police could obtain warrants for customers’ search histories, location and other information that would reveal pregnancy plans. Last month Google responded by promising to delete location data showing when users visit an abortion clinic.

The Federal Court of Australia ordered Google to pay 60 million dollars for misleading consumers about the collection and use of personal location data. The court found Google had engaged in misleading and deceptive conduct in breach of Australian Consumer Law. The conduct arose from representations made about two settings on Android devices, “Location History” and “Web & App Activity”. Some users found that the Location History default setting had changed from “off” to “on”. Another misleading practice was telling some users that having the Web & App Activity setting turned “on” would not allow Google to obtain, retain or use personal data about the user’s location.

Facebook agreed to settle a lawsuit seeking damages for allowing Cambridge Analytica access to the private data of tens of millions of users, The Guardian reports. Facebook users sued the company in 2018 after it emerged that the British data analytics firm, linked to former US president Donald Trump’s successful 2016 campaign for the White House, had gained access to the data of as many as 87 million of the network’s users. Reportedly, had owner Meta lost the case it could have been made to pay hundreds of millions of dollars.

Reportedly, when you open any link in the TikTok iOS app, it is opened inside the app’s own in-app browser. While you interact with the website, TikTok subscribes to all keyboard input (including passwords, credit card details, etc.) and to every tap on the screen, such as which buttons and links you click. The discovery was made by software engineer Felix Krause; his original publication contains a technical analysis of the most popular iOS apps that ship their own in-app browser.
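To make the in-app browser risk concrete, here is an added example in JavaScript (hypothetical code, not TikTok’s and not Krause’s). It models the mechanism in-app browsers rely on, JavaScript evaluated by the host app inside the page, with Node’s built-in EventTarget standing in for the page’s document, and shows that the page’s own stopPropagation() does not keep the host’s listener from seeing every keystroke and tap. It also includes a user-agent heuristic a login page can use to warn users that they are inside an iOS WebView; the user-agent strings are constructed, and apps can override theirs.

```javascript
// Node's built-in EventTarget and Event stand in for the page's document, so
// this runs without a browser. All names are hypothetical.
class KeyEvent extends Event {
  constructor(key) { super('keydown'); this.key = key; }
}
class TapEvent extends Event {
  constructor(targetId) { super('click'); this.targetId = targetId; }
}

// What a host app can do once it evaluates JavaScript inside the page: its
// listeners run in the same context as the page's, with the same privileges.
// In a browser it would attach to document in the capture phase, which runs
// before any listener on the input element itself.
function installHostHook(doc, sink) {
  doc.addEventListener('keydown', (e) => sink.push({ kind: 'key', key: e.key }));
  doc.addEventListener('click', (e) => sink.push({ kind: 'tap', target: e.targetId }));
}

// The page's own password-field handling. stopPropagation() only stops the
// event reaching other nodes in the DOM tree; it does not unsubscribe a
// listener the host registered before the page loaded.
function installPageHandlers(doc, state) {
  doc.addEventListener('keydown', (e) => { state.password += e.key; e.stopPropagation(); });
}

// Simulate a user typing a password and tapping "Log in" inside the in-app
// browser; returns what the host observed next to what the page received.
function simulate(password) {
  const doc = new EventTarget();
  const hostSink = [];
  const pageState = { password: '' };
  installHostHook(doc, hostSink);      // host script is injected first
  installPageHandlers(doc, pageState); // then the page's own scripts run
  for (const ch of password) doc.dispatchEvent(new KeyEvent(ch));
  doc.dispatchEvent(new TapEvent('login-button'));
  return {
    pageSaw: pageState.password,
    hostSawKeys: hostSink.filter((x) => x.kind === 'key').map((x) => x.key).join(''),
    hostSawTaps: hostSink.filter((x) => x.kind === 'tap').map((x) => x.target),
  };
}

// Heuristic a login page can use to warn users: the default iOS WKWebView
// user agent carries AppleWebKit and "Mobile/" but not Safari's "Safari/"
// token. Apps may override the user agent, so a negative result proves
// nothing; a positive one is worth an "open in Safari" prompt.
function looksLikeIosWebView(ua) {
  return /\b(iPhone|iPad|iPod)\b/.test(ua) && /AppleWebKit\//.test(ua) &&
         /\bMobile\//.test(ua) && !/\bSafari\//.test(ua);
}

// Constructed user-agent strings in the formats Safari and WKWebView use.
const UA_SAFARI = 'Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) ' +
  'AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6 Mobile/15E148 Safari/604.1';
const UA_WEBVIEW = 'Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) ' +
  'AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148';

console.log(simulate('hunter2'));
console.log({ safari: looksLikeIosWebView(UA_SAFARI), webview: looksLikeIosWebView(UA_WEBVIEW) });
```

The takeaway is that nothing the page does in JavaScript can protect its users from the host application; the only effective control sits with the app (open links in the system browser or SFSafariViewController) or with the user (choose "open in browser").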

Finally, the Irish Council for Civil Liberties (ICCL) started a class action against Oracle in the US over what it calls Oracle’s worldwide surveillance machine. Oracle is an important part of the tracking and data industry: it claims to have amassed detailed dossiers on billions of people, and generates over 42 billion dollars in annual revenue. Oracle’s dossiers may include names, addresses, emails, purchases online and in the real world, physical movements, income, interests and political views, and a detailed account of online activity. For example, one database included a record of a man who used a prepaid debit card to place a 10 euro bet online. Oracle also coordinates a global trade in people’s dossiers through the Oracle Data Marketplace, the ICCL claims. You can view the full complaint here.

The post Data protection & privacy digest 16 – 29 Aug 2022: data subject complaints, inappropriate reliance on consent & Smart TV reset appeared first on TechGDPR.

Weekly digest May 2 – 8, 2022: DPO dismissals, shareholders, athletes privacy, passwordless future & more
https://techgdpr.com/blog/weekly-digest-09052022-dpo-dismissals-shareholders-athletes-privacy-passwordless-future/
Mon, 09 May 2022 08:17:36 +0000

The post Weekly digest May 2 – 8, 2022: DPO dismissals, shareholders, athletes privacy, passwordless future & more appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: DPO dismissals, Connecticut privacy draft law, EU Health Data Space

An Ius Laboris blogpost explains when data protection officers enjoy special protection from dismissal. Art. 38(3) of the GDPR expressly states that they shall not be dismissed or penalised by the controller or the processor for performing their tasks. This is an additional guarantee: a DPO cannot be dismissed for the mere performance of their duties, which calls for protection comparable to that given to employees appointed as members of an organisation’s workers’ representatives. Spanish law does not specifically provide this protection to DPOs. However, in 2021 the Labour Chamber of the High Court of Justice of Madrid analysed the remedies available to DPOs in the event of unfair dismissal, in particular whether they are entitled to choose between reinstatement in their job and an unfair dismissal severance payment where there are no valid grounds for their dismissal. In the end, the Spanish court accepted that both remedies are available. Read more on DPO dismissals here.

Meanwhile in the US, Connecticut legislators from both chambers passed a major act on personal data privacy and online monitoring (SB 6). It is currently under consideration by the State Governor. If the bill becomes law, it will go into effect on July 1, 2023, making Connecticut the fifth state to enact a comprehensive data privacy law, JD Supra News&Insights reports. SB 6 would apply to individuals or entities that conduct business in Connecticut and that, during the preceding year, controlled or processed the personal data of at least either: a) 100,000 consumers, excluding personal data controlled or processed solely for completing a payment transaction, or b) 25,000 consumers, where the business derived more than 25% of its gross revenue from selling personal data. It also protects sensitive data, such as data about minors, racial or ethnic origin, citizenship and immigration status, with a number of exemptions for data already covered by HIPAA or the FCRA.

Its main principles and obligations on data controllers include: 

  • Data Minimization 
  • Duty to Avoid Secondary Use
  • Security Practices
  • Consent
  • Privacy Notices
  • Non Discrimination 
  • Data Protection Assessments

And for data processors: 

  • Data Processing Agreements
  • Data Subject Requests
  • Duty of Care (assisting the controller)
  • Data Protection Assessments
  • Confidentiality
  • Subcontractors

According to Reuters, the European Commission wants to make health data easier to access by 2025 for patients, doctors, regulators and researchers, in a bid to improve diagnoses, cut the unnecessary costs of duplicated medical tests and boost medical research. Electronic prescriptions are also expected to produce large savings by reducing errors in dispensing medicines, as many member states still use paper prescriptions. Under the plan:

  • healthcare providers would be required to produce electronic health data that are interoperable;
  • data generated from patients’ health records and wellness apps would be pooled in compatible formats and made accessible to patients, regulators and researchers under strict rules to protect privacy (e.g. anonymised health records for analysts and data professionals);
  • stronger cybersecurity is also planned.

In parallel, last week the European Commission announced the launch of the European Health Data Space (EHDS), one of the central building blocks of a strong European Health Union. The EHDS builds on the GDPR, the proposed Data Governance Act, the draft Data Act and the NIS Directive; it complements these initiatives and provides more tailor-made rules for the health sector. The EHDS will make use of the ongoing and forthcoming deployment of public digital goods in the EU, such as Artificial Intelligence, High Performance Computing, cloud and smart middleware. In addition, frameworks for AI, e-Identity and cybersecurity will support the space.

Official guidance: UK regulators’ work plan, opinion on Data Act, athletes’ data, treatment of health data

The UK government promises to bring together the major regulators tasked with regulating digital services in 2022-2023: the Competition and Markets Authority (CMA), the Financial Conduct Authority (FCA), the Information Commissioner’s Office (ICO), and the Office of Communications (Ofcom). Their key priorities, among many, will be:

  • Protecting children online: This includes a joint working framework to support the oversight of Ofcom’s Video Sharing Platform regulatory framework and the ICO’s Age Appropriate Design Code regime, as well as joint research on age assurance.
  • Promoting competition and privacy in online advertising: This includes the CMA and ICO working together to review: Google’s emerging proposals to phase out third-party cookies; and Apple’s App Tracking Transparency and Intelligent Tracking Prevention features.
  • Developing a clear articulation of the relationships between competition and online safety policy.
  • Continuing to develop the understanding of end-to-end encryption, etc. Read the full workplan here.

The EDPS and EDPB published their joint opinion on the proposed Data Act. The draft law aims to establish harmonised rules on the access to, and use of, data generated from a broad range of products and services, including connected objects, (‘Internet of Things’), medical or health devices and virtual assistants. It also aims to enhance data subjects’ right to data portability under Art. 20 of the GDPR. The EDPB and EDPS urged legislators to ensure that data subjects’ rights are duly protected, namely:

  • The access, use and sharing of personal data by entities other than data subjects should occur in full compliance with all data protection principles.
  • Products should be designed in such a way that data subjects are offered the possibility to use devices anonymously or in the least privacy-intrusive way possible. 
  • Clear limitations regarding the use of the relevant data for purposes of direct marketing or advertising; employee monitoring; calculating, modifying insurance premiums; credit scoring. 
  • Limitations on the use of data should also be provided to protect vulnerable data subjects, in particular minors.
  • Defining more precisely the emergencies or “exceptional needs” in which public sector bodies and EU institutions (EUIs) may request data.
  • Designating national data protection authorities as coordinating competent authorities under the Data Act.

Meanwhile, the EU Parliament adopted a set of proposals to develop AI in the long term. The report warns that the EU needs to act fast to set clear standards based on EU values, otherwise the standards will be set elsewhere. As AI technologies depend on available data, sharing of data in the EU needs to be revised and extended. Full integration and harmonisation of the EU digital single market will help cross-border exchange and innovation. Other measures include: 

  • Digital infrastructure should be strengthened, ensuring access to services for everyone. 
  • The deployment of broadband, fibre and 5G should be supported and key emerging technologies such as quantum computing should be a priority. 
  • The EU should support the development of AI skills so that people have the skills needed for life and work. 
  • The military and security aspects of AI also need to be tackled: the EU should cooperate internationally with like-minded partners to promote its human-centric, EU-value based vision, says the report. Learn more about the AI roadmap and the special committee’s report here.

The Spanish data protection authority AEPD has added a section to its website on health and data protection (in Spanish). The knowledge base is made up of seven sections, ranging from general information on the processing of health data and how to exercise the right of access to medical records, to issues related to medical research, clinical trials and personal data breaches. The objective is a systematised compendium of legislation, criteria, doctrine and precedents. In 2021, AEPD registered 680 health-related claims, an increase of 75% compared to 2020. Additionally, in the second half of 2021, 15% of the breach notifications received by the regulator were made by data controllers whose main activity is in healthcare or the field of health.

Data protection in sport and the legal implications of collecting athletes’ data were analysed by Australian lawyers from Holding Redlich. Data collection in sport is not new. It has long been commonplace to record athletes’ data, particularly things like heart rate, to understand the body and ultimately increase performance. “What is changing though is the type of data that can be collected, the technological advances, the ease at which it can be collected and the ways in which the data can be stored and manipulated” states the article. Additionally, data collection is no longer limited to the time an athlete is actually training, with a variety of sources and data types proliferating. It is therefore important to oblige sporting organisations to:

  • account for and govern the collection and use (including disclosure) of personal information;
  • base collection on the principle of what is ‘reasonably necessary’ (whether there is a clear connection between the information collected and the organisation’s functions or activities);
  • ensure the integrity of personal information and an athlete’s ability to correct it;
  • give individuals the right to access their personal information and to make a complaint;
  • apply a higher level of privacy consideration to athletes’ sensitive data;
  • include in athletes’ contracts clauses, or a well-drafted privacy policy, governing the collection and use of data, drafted sufficiently broadly, etc.

Data breaches, investigations and enforcement actions: abortion clinic visits, shareholders data, alarm services footage

US data broker SafeGraph may be selling the location data of people who have visited health clinics that provide abortion services, according to IAPP News. The data sets, built from location data collected by ordinary apps installed on people’s phones, reportedly show where groups of patients came from, how long they stayed at the clinic and where they went afterwards. Sometimes app users do not even know that their phone, be it via a prayer app or a weather app, is collecting and sending location data to third parties. The company then estimates where a visitor lives by their US Census block. There are also concerns that vigilante activity and harassment of patients by anti-abortion activists could increase due to the availability of such location data. Read the full investigation by Vice here.

The Norwegian data protection authority has reprimanded seafood company Mowi for failing to give the company’s shareholders all the information required by the country’s privacy legislation. The data in question is personal data that Mowi collected directly from the nominees managing its shares. In Norway and other European countries, you can buy shares in listed companies via a bank that acts as the nominee (manager) of the shareholding, which means the company does not necessarily know who its shareholders are. However, the Public Limited Liability Companies Act gives the company the right to be told by the nominee who the underlying owner of the shares is. When the company obtains such information from the nominee, personal data is processed, so the company must provide the shareholders concerned with all the required information (so that whoever buys shares via their bank is aware that their data can be shared with the company whose shares they bought).

The Swedish privacy regulator IMY initiated an inspection of the alarm company Verisure. Media reports claimed that employees at the alarm company, when handling incoming alarms, shared security footage and images among themselves in various ways without justification, and that the pictures were saved on employees’ own hard drives. IMY has also received complaints from customers regarding Verisure’s processing of personal data.

The inspection will establish what happened, but will also look at what technical security measures the company has in the form of authorisation controls and logs, and what instructions employees are given on how images may be handled. It will establish what routines are followed when alarms are received, in which situations customers’ cameras are activated, what rules and routines exist for taking pictures and saving them on employees’ hard drives, and finally whether the information reported in the media is correct.

Data security: passwordless standards

‘Your Phone May Soon Replace Many of Your Passwords’, says US cybersecurity guru Brian Krebs in his latest blogpost. Apple, Google and Microsoft announced they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services: “Apple, Google and Microsoft already support these passwordless standards, (e.g. “Sign in with Google”), but users need to sign in at every website to use the passwordless functionality. Under this new system, users will be able to automatically access their passkey on many of their devices — without having to re-enroll every account — and use their mobile device to sign into an app or website on a nearby device”. Experts predict the changes should help repel many types of phishing attacks and ease the overall password burden on Internet users, says the article.

Big Tech: bank consumer data, competition and privacy on digital platforms

The Bank for International Settlements, the central bankers’ umbrella organisation, has published a paper calling for consumers and companies to have control over their digital data. The paper notes that consumers are mostly unaware of the value of their data and should be freely able to opt in to or out of data collection at will, within a transparent and safeguarded data governance system. Citing the experience of India’s Data Empowerment Protection Architecture, the paper says such a system need not be expensive and can operate at scale. Read the full text here.

How much does competition trump privacy where personal data is concerned? How much does this issue figure in the minds of regulators, keen to support business, and of civil society groups (CSGs) concerned with protecting freedoms? The question is particularly acute for digital platforms, such as social media platforms, search engines, digital entertainment or online retailers. The way in which market dominance is traditionally measured does not always capture the extent of these companies’ market power, as their products and services are often ‘free’ to consumers; that power rests instead on the increasing reliance of many sectors of the economy on data, particularly personal data. Privacy International took input from 10 regulatory authorities and around three times as many civil society groups, and has published the findings in a report.

Access to personal data is perceived as an increasingly valuable capability in the digital economy and its acquisition at vast scales is what allows big tech companies to make billions of dollars each year via targeted advertising. Among its main conclusions is that competition and personal data considerations are part and parcel of the way both regulators and CSGs work, and this is not specific to a legal jurisdiction or location. You can read the full report here

Weekly digest February 21 – 27, 2022: the EU Data Act to facilitate use of digital economic data
https://techgdpr.com/blog/weekly-digest-28022022-the-eu-data-act-to-facilitate-use-of-digital-economic-data/
Mon, 28 Feb 2022 09:36:08 +0000

The post Weekly digest February 21 – 27, 2022: the EU Data Act to facilitate use of digital economic data appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: draft EU Data Act, AI liability rules

The Commission proposed new rules on who can use and access data generated in the EU across all economic sectors. The EU Data Act will “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all”. In particular the Act will:

  • allow users of connected devices to gain access to the data generated by them, which is often harvested exclusively by manufacturers;
  • let consumers and businesses access the data from their devices and use them for aftermarket and value-added services (e.g. farmers, airlines and construction companies making better decisions and buying higher-quality products and services);
  • rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts;
  • allow public sector bodies to access and use data held by the private sector where necessary in the exceptional circumstance of a public emergency;
  • introduce new rules allowing customers to effectively switch between cloud data-processing service providers, and put in place safeguards against unlawful data transfers.

In addition, the Data Act reviews certain aspects of the Database Directive which protects investments in the structured presentation of data. Notably, it clarifies that databases containing data from IoT devices and objects should not be subject to separate legal protection. This will ensure they can be accessed and used. The volume of industrial data is constantly growing and the Commission reports 80% of it is never used.

The EDPB sent a letter to the Commission on its initiative to adapt liability rules to the digital age and Artificial Intelligence. It considers that the revision of the legal framework should ensure consistency with, and complement, the EU acquis in the field of personal data protection, in particular when it comes to the security of personal data processing and the use of AI systems. Under the GDPR only controllers and processors are liable; in a personal data breach case, however, it is essential to also consider the role and potential liability of the providers of AI systems that were developed and made available to secure personal data processing. Because of the nature of AI, assigning responsibility to a party in a claim involving an AI system may be particularly difficult, especially when the burden of proof lies with the individual: the individual may be unaware that AI is used at all and, in most cases, lacks the information needed to prove the liability of the AI system. For that purpose, the EDPB stresses the positive effects of:

  • including systematic human supervision;
  • transparency for the end-user on the use and operation of the AI system and on the deployed methods and algorithms;
  • recognising the limitations of, and the liability risks in, the use of AI systems that stem from different types of attacks;
  • providers of AI systems should be responsible for providing users with mitigation tools for known and new types of attacks and for embedding security by design throughout the entire lifecycle of the AI;
  • users of AI systems should be responsible for ensuring the safe operation of the system, etc.

Additionally, specific liabilities might be triggered by the ineffective application of data protection principles by AI providers and users. Lack of data accuracy or scarce attention paid to the fairness of algorithmic decisions might translate into impairments to individuals’ rights and freedoms as well as economic losses. 

Official guidance: video surveillance

The UK Information Commissioner’s Office has published a guide on the use of video surveillance. As video surveillance technology becomes more mainstream and affordable, it is now more common to see technologies such as smart doorbells and wireless cameras. Traditional CCTV also continues to evolve into more complex AI-based surveillance systems. These can process more sensitive categories of personal data. The ways in which the technology is used also continue to develop. Some of the provisions include:

  • a data protection by design and by default approach;
  • performing a legitimate interests assessment (LIA) to demonstrate the lawfulness of the processing, which can naturally feed into a DPIA for any processing likely to result in a high risk to individuals;
  • maintaining a record of the processing activities taking place;
  • determining the necessary data retention periods;
  • notifying and paying a data protection fee to the ICO, unless exempt, etc.

The guidance covers UK GDPR and Data Protection Act 2018 requirements. It applies where personal data is being processed by video surveillance systems in the public and private sectors. It also outlines considerations for the use of Automatic Number Plate Recognition, Body Worn Video, Unmanned Aerial Vehicles, (also known as drones), Facial Recognition Technology and surveillance, commercial products such as smart doorbells and surveillance in vehicles, workplace monitoring, live streaming, and other commercially available surveillance systems that have the potential to process personal data.

Investigations and enforcement actions: proof of identity, satisfaction survey, cooperation with the regulator, data breach notification

The Netherlands’ data protection authority fined Belgium-based DPG Media 525,000 euros for GDPR violations. The regulator found that individuals who wanted to view the data the company held or have it removed first had to provide proof of identity. The regulator received several complaints about the way Sanoma Media Netherlands BV, (before it was acquired by DPG Media in 2020), dealt with these types of requests. In particular: 

  • Subscribers received unwanted advertising from the company.
  • Anyone who wanted to unsubscribe, know what personal data was kept, or wanted to have data deleted, first had to upload proof of identity. 
  • When the proof of identity was sent digitally, these people were not told by the company that they could black out data on the document that was not needed to verify their identity.
  • For customers who had not created an online account with DPG Media it was more difficult to access or change their data. 

DPG Media has changed its working methods, and now sends a verification email to establish the identity of a requester. DPG Media has objected to the decision.

The EDPB analysed a recent enforcement case in which the Hungarian supervisory authority fined a car importer for unlawful data processing practices related to satisfaction measurement. After having a car inspected or serviced at a specialist garage, the applicant provided an email address on request. The applicant subsequently received an unsolicited email asking them to complete a satisfaction questionnaire in relation to the service, and then another email asking them to complete it again because they had not responded. The applicant’s consent to the transfer of their data was never requested. Throughout the investigation, the importer could not demonstrate how the following processed data related to the stated purposes of satisfaction measurement and complaint management: the customer’s name, email address, home address, telephone number, age, gender, chassis number, registration number, technical data of the vehicle, the name of the dealer partner used, the date of the service and the content of the feedback.

The EDPB also looked at another fine, by the Polish regulator, for lack of cooperation. The regulator asked a company to respond to the content of a complaint and to answer detailed questions regarding the case. It sent four requests to the company (the data controller), which took delivery of only one of them and did not reply. Disregarding the obligation to cooperate with the regulator constitutes a breach of great gravity and as such is subject to financial sanctions. The supervisory authority therefore imposed an administrative fine of approx. 4,000 euros, which will not only be effective, proportionate and dissuasive in this individual case but will also be a signal to other entities.

The Spanish regulator AEPD fined Worldwide Classic Cars Network 1,500 euros and imposed corrective measures for video surveillance without justification and without the required information signs, Data Guidance reports. The complaint was filed by an individual over the installation of two video surveillance cameras which captured images of the public. Moreover, the cameras did not display signs in accordance with the GDPR. The AEPD ordered Worldwide Classic Cars, within 10 business days, to provide proof of the following measures: a) removing the cameras from their current location, or redirecting them to the company’s own premises; b) placing information signs in the video-monitored areas; and c) making the information required by the GDPR available to those affected.

The Italian regulator ‘Garante’ ordered Minelli S.p.A to notify a data breach to data subjects, Data Guidance reports. The company became aware of a data breach following a report by an employee. The data breach consisted of the temporary loss of availability of data, (bank details, health data, authentication credentials), contained in a number of servers and PCs owned by the company, and the probable loss of confidentiality of the same data as a result of a ransomware attack. The breach involved around 800 data subjects, including employees, consultants, customers, and suppliers. However, Minelli had only notified the data breach to the employee who had initially detected the incident, and failed to notify all the data subjects involved. 

DPIA: Microsoft Teams

The Dutch government released a public version of the DPIA on Microsoft Teams. The document assesses the data protection risks of the professional use of the tool in combination with OneDrive, SharePoint Online, and Azure Active Directory. These applications are commonly used to access and store files shared via Teams. As a precondition to using Microsoft’s online services, end-users and admins, including guest users, must be authenticated through the online cloud service Azure Active Directory. The DPIA concludes that Microsoft has implemented many legal, technical, and organizational measures to mitigate the risks for data subjects. In reply to the initial findings of this DPIA, Microsoft has also committed to improving some shortcomings and has provided important assurances.

However, in view of the ‘Schrems II’ ruling and the technical findings described in the report, Microsoft has to make more adjustments for one high-level and a couple of low-level identified risks. It is uncertain how the transfer risks will be assessed by the national data protection authorities this year (in their joint investigation into the use of cloud services by public sector organizations). For this DPIA the transfer risks have been rigorously assessed, including in a separate DTIA. Download the full DPIA document here.

Big Tech: TikTok’s child privacy, Meta-EU data transfer row, AI-based privacy compliance tool

The Texas Attorney General has launched an investigation into TikTok, demanding a wealth of documentary proof that the company has not been violating child privacy and enabling unlawful conduct and human trafficking. Two Civil Investigative Demands (CIDs) request that TikTok explain its privacy policy, procedures and review practices, and how it identifies and removes content for child safety. TikTok must also provide copies of policies, guidance, manuals, training materials and the like related to children’s use of TikTok. The company has until March 18 to reply to the CIDs.

Ireland’s data protection regulator is reportedly inching towards banning Meta’s Facebook and Instagram from transferring data to the US, after Data Protection Commissioner Helen Dixon issued a draft ruling on which Meta has 28 days to make legal submissions. Meta’s submissions will likely focus on its claim that the transfer ban, a result of the Schrems privacy campaign and the 2020 ECJ decision to scrap the existing transatlantic data transfer agreement, damages its business and that of thousands of other companies. The decision could be shared with fellow EU regulators in April and, if none of them lodge an objection, “the earliest time we could have a final decision could be the end of May,” Helen Dixon told Reuters. Any objection could add some months to the timeline.

Mobile app developers have a new AI-based tool to help identify possible privacy and compliance issues within apps. Called Checks, it comes out of Google’s Area 120 incubator and is available on a freemium basis to all Android and iOS developers. Via Google Play, developers will be able to have their apps scanned for potential privacy and compliance problems and receive a report offering applicable solutions and resources.

The post Weekly digest February 21 – 27, 2022: the EU Data Act to facilitate use of digital economic data appeared first on TechGDPR.