data breach notification Archives - TechGDPR
https://techgdpr.com/blog/tag/data-breach-notification/ (feed last built Wed, 11 Jun 2025 12:04:59 +0000)

Data protection digest 17 May – 1 June 2025: The ‘reject all’ button is a must; legitimate interest as the data controller’s initiative
https://techgdpr.com/blog/data-protection-digest-3062025-the-reject-all-button-is-a-must-legitimate-interest-as-the-data-controllers-initiative/ (Tue, 03 Jun 2025 08:46:16 +0000)

The post Data protection digest  17 May – 1 June 2025: The ‘reject all’ button is a must; legitimate interest as the data controller’s initiative appeared first on TechGDPR.

‘Reject all’ button

The State Commissioner for Data Protection of Lower Saxony has ruled that a “Reject all” button must appear on the first level of a cookie consent banner whenever an “Accept all” option is offered there. Consent banners may not nudge users towards consent or make rejecting cookies harder than accepting them. Consents obtained that way are invalid, which in Germany violates the Telecommunications Digital Services Data Protection Act (TDDDG) and the GDPR. The proceedings concerned an order the Commissioner issued against a Lower Saxony media company, recently confirmed by the Hanover Administrative Court, on the findings that:

  • Rejecting cookies was much more complicated than accepting them
  • Users were pressured to consent by constantly repeating banners
  • The “optimal user experience” and “accept and close” labels were misleading
  • The number of partners and third-party services involved was not apparent
  • References to the right to withdraw consent and data processing in third countries outside the EU were only visible after additional scrolling on the page, etc.


GDPR simplification

The European Commission has published its final proposal aiming to simplify and clarify the derogation from the record-keeping obligation under Art. 30 of the GDPR. The scope of the derogation in the amending regulation will be broadened to include SMCs and organisations with fewer than 750 employees.

The proposal also clarifies that SMCs are exempt from the record-keeping obligation unless their processing is likely to result in a ‘high risk’ to data subjects within the meaning of Art. 35 of the GDPR, and that processing special categories of personal data under Art. 9(2)(b) (employment, social security and social protection law) does not, as such, trigger the obligation to keep records.

Meta AI training in the EU will proceed

Concerning Meta’s training of AI models on social network user data, the Hamburg data protection regulator, in agreement with the other German data protection authorities, has decided against being the only EU supervisory body to issue a national provisional injunction against the training. Given the planned evaluation of Meta’s approach by the EU supervisory authorities, and following the decision of the Cologne Higher Regional Court that the use of the data for AI training is lawful under Article 6(1)(f) of the GDPR on the basis of Meta’s legitimate interest and without requiring user consent, an isolated emergency procedure for Germany is not the appropriate instrument to resolve the differing assessments across Europe.

More legal updates

CJEU decision on Meta’s “Pay or Ok” model: At the same time, the European Court of Justice (CJEU) has ruled in the case of Meta Platforms Ireland Ltd v. European Data Protection Board (EDPB). The case concerned the Board’s opinion focused on the circumstances under which so-called “pay or consent” models – where users of large online platforms are invited to either consent to the processing of personal data for behavioural advertising or to pay for the service to avoid such processing – can be considered to meet the conditions for valid consent under the GDPR. 

The EDPB considered that in most cases large online platforms were unlikely to obtain valid consent when users were given only two options: consent to the processing of all their data for marketing purposes, or pay. The EU court dismissed Meta’s action, holding that since the opinion was advisory it had no legally binding effect on third parties and could therefore neither be annulled nor give rise to a claim for damages.

China facial recognition: According to digitalpolicyalert.org, the Cyberspace Administration of China’s rules on the secure use of face recognition technology go into effect on 1 June. The rules cover organisations that process face recognition data in China, except for research and algorithm training. They require express consent, transparency, impact assessments, security measures and purpose limitation. Face recognition may not be the only verification method where other options exist, and its use in public areas is restricted to public safety purposes and excluded from private areas.

Personal data breach handling

Under the GDPR, data controllers must report personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where a breach is likely to result in a high risk to those rights and freedoms, the affected data subjects must also be notified. Reporting is, among other things, a tool that contributes to the ongoing improvement of data protection.

Where a controller fails to report an incident, the authority may use its corrective powers. The Danish data protection authority has now updated the remaining parts of its guidance on handling personal data breaches (in Danish).

More from supervisory authorities

Employer obligations: The IDPC of Malta published a useful set of FAQs for the employment sector. They address common questions employers may have about their data protection obligations under the GDPR, particularly how to handle employees’ personal data. The FAQs cover biometric data processing, police conduct certificates, pre-employment medical checks, employee monitoring, management of employee email accounts, and data retention. The FAQs are available in English.

AI impact assessment standard: The International Standards Organisation has published ISO/IEC 42005 guidance for organisations conducting AI system impact assessments. These assessments focus on understanding how AI systems — and their foreseeable applications — may affect individuals, groups, or society at large. The standard supports transparency, accountability and trust in AI by helping organisations identify, evaluate and document potential impacts throughout the AI system lifecycle. 

Age assurance online: The Vermont Legislature passed the Vermont Age-Appropriate Design Code (AADC). The Vermont AADC joins several other states’ efforts in protecting kids’ privacy, autonomy, and online safety by prohibiting abusive data and design practices. The bill now awaits the Governor’s approval. According to EPIC legal analysis, significant provisions in it include:

  • Requiring covered businesses to configure minors’ default privacy settings to the highest level of privacy.
  • Providing minors with the ability to limit unwanted adult contact.
  • Regulating how minors’ data is used to ensure that personalised feeds are not driven by surveillance data, but instead by minors’ expressed preferences.  
  • Requiring companies to be transparent about how they use minors’ data.
  • Requiring the Attorney General to update rules prohibiting abusive data processing or design practices that “lead to compulsive use or subvert or impair user autonomy, decision making, or choice”, etc.

Email security


Germany’s Federal Office for Information Security (BSI) has issued a cybersecurity recommendation on upgrading email security, aimed at all companies that send and receive email under their own domain. Using concrete examples such as Microsoft Exchange Online and Google Workspace with Gmail, it shows how email communication with customers, other companies and third parties can be better protected. Often, the regulator says, this takes only a few steps, such as adjusting the configuration of the company’s groupware or implementing the SPF, DKIM and DMARC standards more carefully.

Legitimate interest

The Estonian data protection agency meanwhile answers questions on legitimate interest: when and how to rely on it for data processing? Whereas other legal bases such as consent, contract or contract negotiations require the person’s own will or initiative (eg, consenting to receive campaign offers, submitting a CV for a job), legitimate interest is always the data controller’s initiative, whether for its own benefit or that of a third party. To use legitimate interest as a basis, a legitimate interest analysis must be carried out in writing, verifiable and traceable, detailing how the result was reached. Three conditions must be met simultaneously:

  • The controller or the third party, or third parties receiving the data, have a lawful legitimate interest in the processing.
  • The processing of personal data is necessary for the exercise of a legitimate interest.
  • The fundamental rights and freedoms of the data subject are to be protected.

Additionally, public-sector bodies cannot rely on legitimate interest except for activities that fall outside the main task assigned to them by law, and it cannot be relied on for processing special categories of data (eg, health data).


AI and personal data

Finland’s privacy regulator published guidelines on taking data protection into account in the development and use of artificial intelligence systems (in Finnish). An organisation must choose a suitable legal basis for processing personal data, and one is also required when personal data is used to train an AI system. The guidance describes in more detail when each legal basis applies. An organisation must also assess the data protection risks of the AI system before any personal data is processed, from the perspective of the people whose data is being processed, and decide on the necessary security measures based on that risk. Organisations are given guidance on how to comply with the data protection principles set out in the GDPR, such as data minimisation, purpose limitation and the information obligation.

IT systems’ new security measures

The Danish data protection agency is adding two new measures to its catalogue of measures, focused on preventing security breaches through hacking: a) security management and maintenance of software, and b) network segmentation. The regulator notes that there is nothing revolutionary about them, but many of the breach cases it receives could have been avoided by following what they describe. Several breaches, for instance, involved IoT devices: the software in surveillance cameras does not seem to receive the same attention as other IT equipment, even though such devices can provide an easy route into the internal network.

Lufthansa data breach

The Hungarian data protection agency announced a data breach involving Lufthansa Group. An unauthorised access occurred in a system operated by an external service provider that handles hotel accommodation for passengers on cancelled flights. As a result, unauthorised persons had access to data such as the passenger’s name, gender, mobile phone number, flight number, reference to travelling with a small child, and the date of the hotel reservation. Lufthansa said no payment details were affected and there was no evidence of any data being publicly disclosed. 

The incident may affect those who received hotel vouchers for cancelled flights between November 2, 2019 and January 22, 2024. The company has since taken the necessary security measures and notified data protection authorities. Passengers are advised to be cautious, especially when receiving calls and messages from unknown sources.

Aggressive real estate brokerage

The Italian regulator Garante spotlighted a new and worrying phenomenon of aggressive telemarketing in the real estate brokerage sector. Thousands of potential sellers and buyers were contacted by phone and WhatsApp, without having given valid consent to receive promotional communications, by real estate agencies that used very detailed lists supplied by a service company. The lists amounted to a mass mapping of the territory, “enriched” with landline and mobile telephone numbers and cadastral information. Every owner residing in an area of commercial interest to the agencies was effectively profiled.

Similar investigations were concluded by the French CNIL, which resulted in a fine against CALOGA and SOLOCAL MARKETING SERVICES for canvassing prospects without their consent and transmitting their data to partners without their consent. Companies acquired prospects’ data mainly from other data brokers, publishers of competition and product testing sites (so-called ‘first-time collectors’). They used this data to canvass people by e-mail, on behalf of their advertising clients. They could also transmit some of this data to their customers, so that they could carry out prospecting themselves.

In other news

Excel spreadsheet: The UK ICO reprimanded the London Borough of Hammersmith and Fulham (the local council) after it left the personal information of 6,528 people exposed for almost two years. The breach occurred when the council responded in 2021 to a freedom of information request made via the WhatDoTheyKnow.com (WDTK) website; its response included an Excel spreadsheet containing 35 hidden workbooks. Once discovered, the information was removed immediately. Of the 6,528 people affected, 2,342 were children, and their data was classed as sensitive because it included details of children in care and unaccompanied asylum-seeking children.

Dutch municipalities: The Dutch data protection authority AP will be visiting municipalities on a random basis in the coming months. These inspections aim to check how municipalities deal with the personal data and privacy of citizens and to guide municipalities in the right direction, where necessary. During the visits, the AP will be looking at:

  • Do municipalities have a complete and up-to-date overview of everything they do with the personal data? 
  • Do municipalities properly identify potential privacy risks before they use personal data for something? 
  • Do municipalities have their internal privacy supervision properly arranged? 
  • Do municipalities have a data protection officer who can act freely and independently?

Spanish fines statistics: The Spanish AEPD received 19,000 complaints in 2024, with AI, data spaces, and neurodata among its priority challenges. The most frequent complaints relate to video surveillance, internet services, commerce, transportation and hospitality. The areas of activity with the highest amount of fines are related to energy/water companies, financial institutions/creditors, internet services, telecommunications, and fraudulent contracting. The agency also led 22 cross-border cases as the lead authority and has cooperated as a stakeholder in 348. The year closed with almost 120,000 data protection officers reporting to the agency. 

In case you missed it 

Bank data: The Swedish data protection authority, together with SEB, Nordea, Swedbank and Handelsbanken, has looked at some of the legal conditions for increasing information sharing between banks to combat money laundering, terrorist financing and fraud. The project has, among other things, investigated whether there is a legal basis for a bank to share information about customers within the framework of another bank’s customer due diligence process and risk assessment.

The regulator concluded that legislative amendments were likely needed to enable the sharing of personal data that the banks wish to implement within the framework of the current project.

Replika AI fine: The Italian regulator Garante imposed a 5 million euro fine on a US-based company Luka Inc., which manages the chatbot Replika, and launched an independent investigation to assess whether personal data is being properly processed by the generative AI system behind the service. The chatbot features both a written and voice interface, allowing users to ‘generate a virtual companion’ that can take on the role of a confidant, therapist, romantic partner, or mentor. The authority also found that the company had not implemented any age verification mechanisms—either at registration or during use of the service—despite having declared that minors were excluded from potential users.

Corporate digital responsibility: Germany’s Federal Office for Information Security (BSI) has published a white paper on “Corporate Responsibility in Digital Consumer Protection” (in German). A central component is information security in consumers’ everyday use of digital offerings. The paper highlights several fields of action, including education, awareness-raising, product security across the entire life cycle, communication in the event of a crisis or incident, and ecological sustainability. Interested parties are invited to take part in the discussion and provide feedback.


Data protection digest 18 Mar – 2 Apr 2025: 23andMe bankruptcy case, digital spring cleaning
https://techgdpr.com/blog/data-protection-digest-04042025-23andme-bankruptcy-case-digital-spring-cleaning/ (Fri, 04 Apr 2025 08:35:36 +0000)

23andMe genetic data

The 23andMe genetic company filed for bankruptcy in the US after struggling with weak demand for its ancestry testing kits and a 2023 data breach that damaged its reputation, Reuters reports. US officials had questioned what would happen to the genetic data collected by 23andMe, although the company’s privacy policies state that the data could be sold to other companies. 23andMe reassured customers that the bankruptcy process will not affect how it stores, manages, or protects customer data. 

Given the uncertainties about the future of the company, the amount of data it has, and the risks inherent in the use of these tests, the French CNIL presents the procedure to follow to have your data permanently deleted in your profile settings. Also, the purchase of a genetic test on the Internet by people residing in France is punishable by a fine of 3,750 euros. Similarly, carrying out a genetic test outside the medical and scientific fields is prohibited and punishable by a fine of 15,000 euros and one year in prison for people or companies offering these tests.

Digital spring cleaning in Germany

Digital documents and paper files containing personal data may only be retained for as long as necessary, the Hamburg data protection authority reminds. It recommends taking stock at least once a year of what is still stored and whether the data or files will be needed for longer. Well-run data processing systems handle this automatically; where no automated routines are in place, deletion must be done manually.

German companies and authorities should also check whether their deletion routines already reflect the new statutory retention periods that apply from 2025. The Fourth Act to Reduce Bureaucracy shortened some retention periods, amending among other things the German Commercial Code and the German Fiscal Code, so the affected data must also be deleted sooner. Accounting records, the most significant case group in practice, must now be kept for eight years instead of the previous ten before being destroyed. You can find more business document retention periods here.

BCRs approval

The procedure for approving Binding Corporate Rules for controllers and processors, used for intragroup transfers of EU personal data to non-EU countries, is laid out in Arts. 47, 63, 64 and 65 of the GDPR. BCRs are approved by the competent supervisory authority in the relevant jurisdiction under the consistency mechanism, in which the EDPB issues a non-binding opinion on the draft decision of that regulator. Since corporate groups applying for BCR approval may have entities in more than one Member State, the procedure involves all the supervisory authorities of the countries from which the data transfers take place. The EDPB has now revised its approval process to shorten the time it takes for BCRs to be approved.

Privacy policy shortcomings


The Latvian data protection inspectorate DVI conducted a preventive inspection of the privacy policies published on the websites of thirty Latvian-registered merchants whose main activity is related to retail sales by mail order or in online stores. The content of the privacy policies was checked for compliance with the requirements of Art. 13 and 14 of the GDPR. At least some shortcomings were found in each inspected document.

The regulator assumes that it is initially more difficult to prepare such a document because there is not sufficient understanding of its necessity and content. At the same time, it reminds controllers that their responsibility for customers’ data is proven not by a written statement that it processes data appropriately but by clear implementation of the rules. Other shortcomings in the published policies were related to the failure to provide or incorrect provision of information, particularly the contact information of the supervisory authority, the rights of the data subject, information about processors and partners to whom the customer’s data has been transferred, but most often involving incorrectly specified purposes and lawful grounds for data processing. 

Data breach form

The Corporate Data Protection Association, (Switzerland), has published a data breach report template. Data security breaches can trigger various reporting obligations under the Swiss Data Protection Act, the EU’s GDPR, the new Swiss Information Security Act, and the EU NIS2 Directive. The template is intended to contribute to the practical implementation of digital regulatory requirements and can be used freely by companies. The template is initially available in German. An English version is currently being developed.

More from supervisory authorities

Online stores security: The Lithuanian regulator VDAI meanwhile monitored the security measures for personal data processed by online stores and provided some recommendations: a) ensure control over the management of access rights, b) develop and implement effective data deletion, c) use strong encryption, both in transit and at rest, d) improve change management processes (eg, when implementing new systems), e) regularly review and update your policies against both the latest legal requirements and best practices.

Connected cars: Modern cars act as “chatterboxes on wheels”, collecting information on everything from your daily routines to biometric data. How does this affect the protection of your data? The Danish Datatilsynet advises you to check the privacy settings on your automobile carefully and to be cautious about sharing personal information:

  • Unclear consent (Many drivers are forced to accept terms of use that require the sharing of personal data to use the car’s features).
  • Data abuse (Data about your driving and location may end up with third-party companies or there is a risk that hackers will gain access).
  • Targeted marketing (Car manufacturers can share your data with companies without your full knowledge).
  • Negative impact (Worse insurance terms, warranty termination, shutdown of services).

Multi-factor authentication (MFA): The French CNIL publishes recommendations to support users and providers of multi-factor authentication solutions, (in French). In particular, it explains: 

  • the conditions under which the use of MFA is appropriate for security needs;
  • on compliance with the principles of the GDPR, including a legal basis, data minimisation, the retention periods and the exercise of rights by the data subjects;
  • on the determination of the qualification of the actors involved;
  • on the choice of modalities, (authentication factors: knowledge, possession, inherence), and their GDPR compliance, etc.


Honda privacy fine

The California Privacy Protection Agency, (CPPA), has issued a decision that requires American Honda Motor Co. to change its business practices and pay a 632,500-dollar fine to resolve claims that the company violated the CCPA. The investigation arose from the Enforcement Division’s ongoing review of data privacy practices by connected vehicle manufacturers and related technologies. Honda violated Californians’ privacy rights by:

  • requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit;
  • using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way;
  • making it difficult for Californians to authorise other individuals or organisations to exercise their privacy rights; and
  • sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.

Human research samples

Finland’s Data Protection Commissioner has requested information from the University of Helsinki on how it has implemented the transfer of data related to human research samples to a Chinese company. The regulator is investigating whether the university protected personal data in the manner required by data protection legislation when the data was transferred to China. According to the University of Helsinki, it has purchased genetic analysis services from the Chinese genetic technology company BGI Group.

No adequacy decision has been made for China, and the European Commission has not examined the level of data protection there (a point also at issue in the Irish investigation into TikTok). At the moment, personal data can be transferred freely within the European Economic Area. Data can also be transferred directly to a country for which the Commission has issued a so-called adequacy decision; these include the UK, Japan and South Korea, and the US for organisations certified under the EU-US Data Privacy Framework.

More enforcement decisions

Apple ATT sanction: The French Competition Authority fined Apple for abusing its dominant position through the implementation of its App Tracking Transparency (ATT) system. In its competitive analysis, the authority took into account the opinions issued by the data protection regulator CNIL. Since 2021, app publishers who want to track users for advertising purposes across multiple apps or sites have had to obtain explicit permission from the user through a partially standardised prompt designed by Apple.

The competition authority had received complaints against Apple from several online advertising trade associations. It found that the way ATT was implemented was neither necessary nor proportionate to Apple’s stated objective of protecting personal data, given the constraints it placed on publishers and users. The CNIL had previously considered that the ATT system could be adapted so that actors could obtain consent valid within the meaning of the GDPR while avoiding, in particular, double solicitations.

Software provider fine: The UK’s ICO has fined Advanced Computer Software Group Ltd, (Advanced), 3.07m pounds for security failings that put the personal information of 79,404 people at risk.  Advanced provides IT and software services to organisations, including the NHS and other healthcare providers, and processes people’s personal information on behalf of these organisations. The fine relates to a ransomware incident in August 2022. Hackers accessed certain systems of Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication. The cyber attack was widely reported at the time, with reports of disruption to critical services and access to patient records.  

Scientific research and data reuse

The EDPB has published a final study on the secondary use of personal data for scientific research, which highlights the lack of a uniform approach among Member States. The legislation analysed was not limited to the GDPR: it also covered international agreements and documents containing data protection rules (such as Council of Europe Convention 108+), ethical standards (such as the World Medical Association’s Declaration of Helsinki) and EU sectoral legal frameworks (e.g. on clinical trials and biobanks).

AI cameras in shops

According to the CNIL, some tobacconists in France have deployed AI-based cameras to estimate the age of customers and avoid the sale of prohibited products to minors. In practice, these cameras scan the person’s face at the time of purchase to assess whether they are a minor or an adult and inform the merchant using a warning light (e.g. a green or red light). The use of these devices pursues a dual objective of public interest: protecting young people and the preservation of public health. However, the fact that this verification is carried out through algorithmic processing of automated image analysis is not trivial and may entail risks for the protection of personal data and the privacy of individuals.

In case you missed it 

US technology risks: The Netherlands’ House of Representatives approved a resolution on risk assessments and exit strategy for US tech corporations’ cloud services on March 18. According to the motion, all government cloud services that are now purchased from American suppliers must go through a risk assessment and, if required, have a written exit strategy that enables them to switch to Dutch or European providers. By the end of 2025, this procedure is expected to be finished.

Outdated IT systems and AI: According to the Guardian newspaper, the UK government’s goal to increase efficiency by integrating AI into every aspect of its operations runs the risk of being hampered by outdated technology, low-quality data, and a shortage of qualified personnel. The cross-party public accounts committee report revealed that over 20 government IT systems were classified as “legacy,” which means outdated and unsupported. A January official strategy for the technology, however, called for the government to “rapidly pilot” AI-powered services, claiming that doing so would boost productivity. 

Data protection digest 2 – 16 Sep 2024: New SCCs initiative, data asset deals, probabilistic method and GDPR https://techgdpr.com/blog/data-protection-digest-18092024-new-sccs-initiative-data-asset-deals-probabilistic-method-and-gdpr/ Wed, 18 Sep 2024 09:35:20 +0000 https://s8.tgin.eu/?p=9197

In this digest we look at the perception of the term privacy in the digital era, data protection measures when concluding “asset deals”, the new SCCs initiative for international transfers from the EU, the probability method and data accuracy, and much more.


New SCCs initiative

The European Commission started work on new SCCs for data transfers to third-country data importers, (controllers and processors), subject to the GDPR. They will complement the existing clauses for data transfers to third-country importers not subject to the GDPR. Adopted in 2021, the latest set of SCCs does not work for importers whose processing operations are subject to the GDPR under Art. 3, as the clauses would duplicate and, in part, deviate from the obligations that already follow directly from the GDPR. Despite the Commission’s call for action three years ago, SCCs for those specific cases were not introduced, leaving organisations in legal uncertainty, (see Uber’s latest fine).

The adoption of the new SCCs is planned for the second quarter of 2025. 

Australia privacy reinforcement


The parliament introduced and held its first reading on the amendments to the privacy legislation to introduce a range of measures, including expanding the Information Commissioner’s powers, facilitating information sharing in emergencies or following eligible data breaches, requiring the development of a Children’s Online Privacy Code, providing protections for overseas data transfers, introducing new civil penalties and criminal offences, (for a practice known as ‘doxxing’), and increasing transparency about automated decisions. 

Data disclosure on a party to the contract

The CJEU meanwhile explains the lawfulness of personal data processing in the performance of a contract to which the data subject is a party. The case relates to a request by a partner seeking to obtain the contact details of other partners, (parties to the contract), with indirect shareholdings in an investment fund through a trust company.

The CJEU ruled that disclosure would be justified only if the main subject matter of the contract could not be achieved without that processing. If such processing is instead based on the legitimate interests pursued by the controller or a third party, it must be strictly necessary to achieve that purpose. Where the processing rests on a legal obligation of the controller, that obligation must be foreseeable for the persons whose data is disclosed, and the disclosure must be proportionate and meet an objective of public interest.

Dark patterns advisory


The California Privacy Protection Agency issued an enforcement advisory on user interfaces that subvert or impair a consumer’s autonomy, leading to a privacy-averse practice. Businesses should adopt clear and understandable language and offer consumers symmetrical choices to avoid impairing and interfering with consumers’ ability to make their choices. 

More official guidance

Asset deals and data protection: The sale of a company can generally be carried out in two ways, either by transferring shares or by transferring assets and/or economic goods, explains the German Data Protection Conference. Data processing in the context of a “share deal” is possible without any problems, (apart from audit procedures), since only the shares in the company are transferred and the company continues unchanged as the data controller. The transmission of personal data in the context of an “asset deal”, by contrast, requires a differentiated approach in terms of data protection law. Read the methodology for the latter case in the original paper (in German).

How do you identify a person by phone? The common way is to ask the caller to provide several personal details, such as their first name, email address, username, etc. In this case, the more data is requested, the more likely it is that the person is identified accurately, and at the same time, the greater the intrusion into the person’s privacy. Therefore, the organisation must observe proportionality in its activities.

A better practice would be to use a key: a password chosen by the customer and agreed upon in advance by both parties, or more sophisticated tools such as a secure electronic signature generator, explains the Latvian regulator.

Data subject notification upon a breach: People who are victims of a data breach often receive insufficient information from a data controller on what exactly happened, when, what information was leaked, and what they can do themselves to reduce the risks, states the Dutch regulator. Also, warning emails, even if sent within the legal time frame, sometimes lack an alarming title or introduction, with the risk that the recipient may simply not read the message. You can examine some recommendations, and sample notification texts, (in Dutch), here.


Bank data

The Polish UODO imposed a fine of approx. 1 million euros on mBank for failure to notify persons affected by a data leak. An employee of a company processing personal data on behalf of mBank made a mistake and sent customer documents to another financial institution. The documents were returned to the bank, but they had already been opened. The documents included all sorts of personal information, identification documents, and information on credit and real estate.

The bank did not notify its customers about the problem, even though, after the breach was reported, the regulator informed it of the need to take such action. The explanations offered by mBank included the fact that the documents were mistakenly sent to an institution that is also bound by banking secrecy, an entity that the bank cooperates with and which, according to the bank, has the status of a trusted entity. The employees of this institution confirmed that they do not have copies of the documents received in error.

Microsoft Teams

The Norwegian Data Protection Authority has issued a fine to the University of Agder, (UiA). The university had not implemented suitable measures to safeguard personal data security in its use of Microsoft Teams. In February 2024, an employee at UiA discovered that documents with personal data had been stored in open Teams folders, to which employees had access without any work-related need.

The non-conformity had been ongoing since the university adopted Microsoft Teams in August 2018. Around 16,000 registered users were affected. The information includes, among other things, name, social security number, information about exams, the number of exam attempts and special arrangements. In addition, the exposed data included an overview of refugees associated with the university.

More enforcement actions

Health data: Meanwhile the French CNIL fined CEGEDIM SANTÉ 800,000 euros for processing health data without authorisation. The company publishes and sells management software to community doctors and health centres. Around 25,000 medical practices and 500 health centres use this software, which allows doctors to manage their agenda, patient records and prescriptions. As part of its activity, the company offers to conduct studies based on a panel of doctors using one of these programs. The data used was not anonymous, but only pseudonymised, so the re-identification of the persons concerned was technically possible.

Live cameras in psychiatric hospitals: America’s FTC reports that surveillance camera company Verkada Inc. failed to provide reasonable security for the personal information it collected, including 150,000 live camera feeds in sensitive areas like psychiatric hospitals, women’s health clinics, elementary schools, and prison cells. These failures allowed a threat actor, in March 2021, to remotely access Verkada’s customer camera feeds and watch them live, without anyone’s knowledge or consent.

Despite the invasive security breach, Verkada remained unaware of the threat actor’s intrusive exploration until the threat actor self-reported the hack to the media.

Invalid cookie banners: Finally the Belgian regulator took action against Mediahuis for several infringements in the use of cookie banners on 4 news sites, (De Standaard, Het Belang van Limburg, Het Nieuwsblad, Gazet van Antwerpen). The sites did not provide a “refuse all” button on the first information level of the cookie banner and used misleading button colours. The complaints were filed by the Austrian non-profit privacy rights organisation NOYB, which acted as a mandated representative in the case.

Probabilistic method and GDPR

The ability of machine learning and artificial intelligence to handle uncertainty and make predictions in the field of statistics has led to their widespread adoption. However, the limitations that probabilistic methods present in terms of performance, (false negatives, false positives, prediction errors, etc.), can affect the accuracy and suitability of data processing, states the latest Spanish AEPD blogpost.

In one example, an estimation operation for age verification with an error of 0.01% in a sample of 1000 adults might be acceptable for some purposes. However, in a sample of all types of users in the EU, (450 million inhabitants), an error of 0.01% means making errors with 45,000 people. A significant number of them would be under 18 years of age, and in some cases the erroneous estimates would classify those minors as adults.

Finally, the results obtained with different samples may show how accuracy and effectiveness are strongly influenced by the algorithm, gender, image quality, region of birth, age and the interactions between all these factors. 

Big Data

Privacy ‘paradox’: The Guernsey data protection authority discusses in a blog that while people say they care about privacy, their actions suggest otherwise as they are quick to surrender their personal information online. However, there is no paradox in such behaviour. Privacy is not just synonymous with “secrecy”. It can be also about control and autonomy over one’s personal information. In just one example, a person can value privacy and still click “yes” to share their location with a food delivery app. 

On a positive note, more companies now realise that respecting their customers’ privacy is the best way to earn trust. This is why individuals may now be seeing more prompts for permission to access their cameras or address books, offering the choice to say “yes” or “no”.

AI training: Meta and Google AI training programs are being investigated by the European data protection authorities. The Irish lead regulator DPC commenced a cross-border inquiry into Google’s new foundational AI model Pathways Language Model 2. At issue is its compliance with the requirement to carry out a Data Protection Impact Assessment before engaging in the processing of the personal data of EU/EEA data subjects. Meanwhile, Meta’s and X’s AI training programs are still on hold in the EU. In parallel, the UK Information Commissioner is monitoring the situation with Meta as it is about to resume, in a couple of weeks, the use of UK Facebook and Instagram user data to train generative AI. The company took into account the reprimand from the regulator and has made it simpler for users to object to the processing.

Data protection digest 3 – 17 Apr 2024: non-material damage dilemma when losing control of your data https://techgdpr.com/blog/data-protection-digest-18042024-non-material-damage-dilemma-when-losing-control-of-your-data/ Thu, 18 Apr 2024 09:32:37 +0000 https://s8.tgin.eu/?p=8611

In this issue: an alternative to the pay or okay consent model, the right to compensation for non-material damage, FISA reauthorisation and GDPR enforcement procedural rules updates, AI development and personal data.


Non-material damage under the GDPR

In one of its recent decisions the CJEU clarifies the right to compensation for non-material damage for data subjects. The request was made in proceedings between a natural person and Juris GmbH, concerning compensation for the damage suffered by the claimant as a result of various processing operations involving his personal data which were carried out for marketing purposes, despite the objections he had sent to that company. The CJEU upheld its previous decision, (of 25 January 2024, MediaMarktSaturn, C‑687/21), that an infringement of GDPR provisions which confer rights on the data subject is not in itself sufficient to constitute ‘non-material damage’, irrespective of the gravity of the damage suffered by that person:

“The existence of ‘damage’, material or non-material, or of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in Art. 82 (1) of the GDPR, as does the existence of an infringement of that regulation and of a causal link between that damage and that infringement, those three conditions being cumulative.” 

At the same time, it is not sufficient for the data controller, in order to be exempted from liability, to claim that the damage in question was caused by the failure of a person acting under his or her authority, within the meaning of Art. 29 of the GDPR. More of the legal reasoning in the case, as well as the rules on determining the amount of damages due as compensation, can be read in the court ruling.

‘Pay or okay’ consent model


The EDPB adopted a long-awaited Opinion on Valid Consent in the context of Consent or Pay models implemented by Large Online Platforms. In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they only offer users a binary choice between consenting to the processing of personal data for behavioural advertising purposes and paying a fee. The EDPB underlines that personal data cannot be considered a tradeable commodity, and controllers should consider the need to prevent the fundamental right to data protection from being transformed into a feature that data subjects have to pay to enjoy. 

Thus, controllers should consider also offering a further alternative, free of charge, without behavioural advertising, with a form of advertising involving the processing of less or no personal data. 

GDPR enforcement: new rules, strict deadlines, dispute resolution

On 10 April, the European Parliament adopted amendments to a proposal laying down additional procedural rules relating to the enforcement of the GDPR. In its 2023 work programme, the Commission announced that it would propose harmonising some national procedural aspects to improve cooperation between national data protection authorities. The MEPs’ amendments include:

  • the right of all parties to equal and impartial treatment regardless of where their complaint was lodged;
  • their right to be heard before any measure is taken that would adversely affect them, and 
  • their right to procedural transparency, including access to a joint case file. 

MEPs want to standardise procedural deadlines for a supervisory authority to acknowledge that they have received a complaint and declare it admissible or inadmissible. Then, the authority would have to determine if the case is a cross-border one, and which authority should be the lead authority. Draft decisions must be delivered within nine months of receiving the complaint, outside of certain exceptional situations.

MEPs also want to clarify the rules involving amicable settlements, (consensual, negotiated resolutions to disputes). However, these do not prevent a DPA from starting its own-initiative investigation into the matter. Finally, all parties to complaint procedures have the right to effective judicial remedies, for example when DPAs do not take necessary actions or comply with deadlines.

FISA Section 702 reauthorisation

Last week the US House of Representatives voted to reauthorise Section 702 of the Foreign Intelligence Surveillance Act, (FISA), which includes a crucial provision allowing for American citizens to be surveilled without a warrant for another two years. The law has made it possible to monitor foreign communications in great detail, but it has also resulted in the gathering of phone conversations and correspondence from US individuals. 

Some privacy protections, such as the ban on sweeping up communications about a target along with communications to or from the target, were maintained. However, other amendments, including a new definition of internet service providers, might broaden FISA’s application. The measure now goes to the Senate, ahead of the statutory expiration of Section 702 on April 19. More analysis by the Lawfare Institute can be read here.

More legal updates

Child safety online: On 10 April, the European Parliament endorsed certain derogations to the E-Privacy Directive to combat online child sexual abuse. In particular, MEPs adopted a temporary extension that allows the voluntary detection, by internet platforms, of child sexual abuse material, (CSAM), online. The implementation measures follow strict data protection safeguards pursuant to the GDPR, (legal basis for data processing, data retention policies, restricted data transfers, etc.). The derogation will be extended until 3 April 2026 so that an agreement on the long-term legal framework can be reached. The provisional rules will now have to be formally adopted by the Council before they can become law. 

US privacy legislation: Last week, a bipartisan group of lawmakers in Congress announced the Federal Privacy Bill, (APRA), with the likelihood of long months of discussions before the bill’s passage. This comprehensive draft legislation promises clear, national data privacy rights and protections for Americans, boosts data minimisation in the commercial sector and curbs large data holders and brokers, harmonises the existing state data privacy laws, and establishes new enforcement mechanisms and a private right of action for individuals. At the same time, the Federal Trade Commission would still have the authority to provide further recommendations and rules covering a significant portion of the APRA. 

Right of access basics 

The Luxembourg data protection authority has published a new illustrative factsheet, (only available in French), on the right of access. Any individual can ask a private or public entity, (the data controller), whether it holds their personal data and obtain a copy of the data processed. This right allows, in particular, checking whether the data is correct. The organisation can be asked to provide the categories of data processed, retention periods, explanations on how to exercise your rights, the lawful basis for processing, other recipients of your data, data transfers to third countries, data sources, and explanations on decisions made by automated processing or profiling.

However, the right of access is not an absolute right. The organisation may refuse to provide you with data about third parties in some cases or a confidentiality obligation may be imposed by law. The organisation must respond to the request within one month including the justifications for refusal or possible delays in providing information. If the organisation does not respond, does not meet deadlines or you are not satisfied with its response, you can submit a complaint to the data protection authority. 

AI development and data protection guide

The French data protection authority CNIL has published its first recommendations on the development of artificial intelligence, in a way that respects personal data. The recommendations, (in French only), concern the development of AI systems involving the processing of personal data, (Machine Learning, general purpose AI, systems that are trained “once and for all” or continuously). The points addressed in the initial recommendations make it possible to:

  • determine the applicable legal regime;
  • define a purpose;
  • determine the legal qualification of the actors;
  • define a legal basis;
  • perform tests and verifications in case of data reuse;
  • carry out an impact assessment if necessary;
  • take data protection into account when making system design choices;
  • take data protection into account in the collection and management of data.

More official guidance

Legal basis for customer health data processing: When obtaining data from a person about their health condition, their explicit consent is required – confirms an administrative court in Poland. In the related case, a law firm contacted people injured in traffic accidents to represent them against insurance companies in courts in order to obtain compensation and pensions, as well as reimbursement of treatment and rehabilitation costs. The company obtained information about potential customers based on, among other things, press releases, online publications or content available on social media, as well as information provided or disseminated by organisations engaged in charitable activities. 

Subsequently, when meeting prospective clients, a representative of the law firm received only oral consent to the processing of personal data ahead of a possible conclusion of a contract with these persons, but did not record or register it in any way. Also, the collection of this data was not necessary to perform the contract, because the persons from whom the data was obtained were not yet customers. However, this data was processed for other purposes, (e.g. examining the profitability of concluding a contract with a potential customer and possibly establishing contact with such a person again).

Recruitment data: The Latvian data protection regulator reminds us that an employer must avoid excessive data processing when selecting applicants. For example, a job advertisement should indicate as specifically as possible what information the employer expects from the candidate, and develop its own CV form. Also, after submitting their data, applicants as data subjects have the right to submit information requests asking for clarification on various aspects related to the processing of their personal data, so the employer must ensure that it is able to respond to such requests. Finally, there must be established procedures for how information obtained during the selection process, including applicants who are not hired, is stored and deleted. 

In the event that, after data collection, the employer concludes that the data could also be processed for a purpose different from the one for which it was originally collected, the employer must assess whether this purpose is compatible with the initial processing, and also ensure that the applicant is informed. If the employer chooses to use the services of recruitment companies to find suitable employees, it is important to determine the role of such service providers, and if the company is considered a data processor, an agreement on the data processing must be concluded.


Avast non-anonymised data fine

Internet security company Avast has contested a fine of approx. 13 million euros from the Czech data protection agency over transferring the non-anonymised data of 100 million users to its subsidiary Jumpshot in 2019. Although Avast stated that it used robust anonymisation techniques, it was proven that at least some of the data subjects using its antivirus program and browser extensions could be re-identified. Moreover, the purpose of processing this data was not (only) to create statistical analyses, as Avast stated.

In fact, the pseudonymised Internet browsing history was linked to a unique identifier. Jumpshot, among other things, presented itself as a company that made data available to “marketers,” providing them with insight into online consumer behaviour and offering “atomic-level” tracking of user journeys. The decision, (a cross-border case under the EU one-stop-shop procedure), comes after a 16.5 million US dollar fine from the US Federal Trade Commission and restrictions on selling user data for advertising. Avast, now part of Gen Digital, faces challenges both in the Czech Republic and the US.

Other enforcement decisions

Biometrics abuse in the workplace: In the UK, dozens of companies including national leisure centre chains are reviewing or pulling facial recognition technology and fingerprint scanning used to monitor staff attendance after a clampdown by the Information Commissioner’s Office. In February, the regulator found that the biometric data of more than 2,000 employees had been unlawfully processed at 38 centres managed by Serco Leisure. The ICO’s latest recommendations require companies to consider alternative and less intrusive options rather than biometric scanning to meet their staff management objectives. In light of the ICO decision, a number of other leisure centre operators, like Virgin Active and 1Life, are either reviewing or stopping the use of similar biometric technology, according to The Guardian.

Ransom attack on a healthcare system: Italian privacy regulator Garante issued fines on several technical and administrative entities, (in the Lazio region), in proceedings opened after a cyber attack on a regional healthcare system back in 2021. The ransomware was introduced into the system through a laptop used by an employee. It blocked access to many health services, preventing, among other things, management of reservations, payments, collection of reports or registration of vaccinations. Local health authorities, hospitals and nursing homes were unable to use some regional information systems, through which data on the health of millions of patients is processed, for a period of time that ranged from a few days to a few months. 


Outdated systems and inadequate management of the data breach meant that the negative consequences of the attack could not be mitigated: from the IT service provider’s inability to determine which of the servers were compromised, to the inability to prevent further propagation of the malware to numerous healthcare facilities under the umbrella of the data controller, (the regional administration).

Audit methodology

The UK ICO conducted a consensual data governance audit of East Surrey College, (ESC). The recommendations by the regulator not only provided the ESC with independent assurance of compliance but also could serve as guidance for other organisations concerning:

  • Data Governance and Accountability, (creating a privacy culture; comprehensive and up-to-date data maps and ROPA; training needs analysis).
  • Records Management, (e.g. creating a local-level asset register alongside the ROPA; correct use of attachments, encryption and the security of personal data in transit).
  • Data Sharing, (reviewing, updating and creating data sharing policies, procedures and registers; documenting and appropriately justifying the lawful basis for sharing personal data; data sharing agreements containing sufficient detail; documenting and regularly reviewing technical and organisational security arrangements with data sharing parties, etc).

Data security

Underestimated risks to data subjects: The Dutch national data protection agency AP claims that an excessive number of Dutch organisations that suffer from cyberattacks neglect to notify individuals that their personal information has been compromised. Approximately 70% of the time, organisations underestimate the likelihood of an attack. As a result, the individuals whose personal information was compromised are unable to defend themselves against potential fraud or other crimes committed by online criminals. Such criminals often target IT suppliers that manage large amounts of personal data; however, the organisations that engage those suppliers generally remain responsible if anything happens to this data.

Countering cyber threats: An organisation that takes security measures seriously will not only be able to protect its data but will also be a trusted partner and a role model for others. The Estonian privacy regulator reiterates some simple but important recommendations on how to safely handle personal data in everyday work: 

  • data encryption and pseudonymisation for long-term data storage;
  • strong password rules or at least two-factor authentication;
  • monitoring system activity and detecting unusual activity or requests;
  • an incident response plan that is reasonable and clear;
  • regular training or testing so that employees recognise scams and phishing emails;
  • security audits, testing; 
  • involvement of the data protection specialist;
  • implementation of the information security standards;
  • authorised processor due diligence.

Data protection digest 18 Jan – 2 Feb 2024: social media industry grilled over child safety and mental health https://techgdpr.com/blog/data-protection-digest-05022024-social-media-giants-grilled-over-child-safety/ Mon, 05 Feb 2024 10:44:12 +0000 https://s8.tgin.eu/?p=7789

Child safety online was the subject of a sometimes heated US Congressional hearing, forcing CEOs of the biggest American social media giants to apologise to parents of victims. While legislators are struggling to find a legal solution to the crisis, police are finding evidence of children as young as seven being at risk of harm.

Children at risk

Last week, the CEOs of Meta, X, TikTok, Snap and Discord were questioned before the US Congress over alleged harms to young users on their platforms – access to drugs and subsequent overdoses, harassment, grooming and trafficking exploitation, leading in some cases to death. Legislators stated that the industry, through its constant pursuit of engagement and profit, failed to adequately invest in trust and child safety. Executives highlighted controls and tools they have introduced to mitigate harm. 

US legislators are pushing forward legal solutions to the existing crisis through the debated Kids Online Safety Act and anti-CSAM legislation, as well as changes to the COPPA rule. Meanwhile in neighbouring Canada, (British Columbia province), some of the measures have just been enforced.

In the EU, a draft Parliament position was adopted by the LIBE Committee at the end of last year, now awaiting further enforcement. The privacy regulators meanwhile warn about present risks to children and their personal information online. For instance, the Guernsey data protection authority recently identified a local Snapchat group that includes children as young as seven, possibly encouraging them to share explicit images of themselves. The police now advise parents:

  • to have conversations with their children regarding the reputational and long-term risks associated with sharing personal information via such networks, and 
  • ensure children are not using social networks or apps if they’re under the authorised age for those networks/apps, (13 for Snapchat). 

In the UK, the Information Commissioner’s Office also created a toolkit of free resources to promote responsible data sharing to safeguard children and renewed its age assurance opinion, an important part of its world-leading Children’s code, reflecting developments over the past two years. A similar age-assurance design code was passed into law in California in 2022.

Legal updates

Draft AI Act: The draft legislation received a unanimous endorsement from all 27 European Union member states. Negotiations over the shape of the law concluded last December, with the main focus on safeguards for foundation models and the use of facial recognition software. According to Euractiv analysis, the primary opponent of the political agreement was France, which, together with Germany and Italy, asked for a lighter regulatory regime for powerful AI models, that support general-purpose AI systems, (protecting domestic start-ups). Nonetheless, the Parliament insisted on the need for strict guidelines for these models. In April, Parliament will hold its final vote on the law.

German employee data protection: DLA Piper’s legal analysis looks at the data protection provisions relating to employees and other workers in Germany. Currently, the area is largely determined by case law, and national legislators are very cautious about using Art. 88 of the GDPR, which allows the adoption of provisions specifying data protection requirements in the employment context. Even more problematic, the relevant provisions of the Federal Data Protection Act (BDSG), after being clarified by the CJEU last year, did not meet the conditions set out in the GDPR. Read more on the envisaged Single Employee Data Protection Act in Germany in the original analysis.

Automated decisions

The Isle of Man data protection commissioner reminds the public of Art. 22 of the GDPR, which provides individuals with the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. It is permitted to use such methods only: a) with the explicit consent of the individual; b) if necessary for entering into, or performing, a contract between the individual and the data controller; or c) if authorised by law. The controller must also have safeguards in place to allow individuals to obtain human intervention regarding the decision, to contest it in certain cases, or to express their point of view.

AI checklist

The Bavarian data protection authority for the private sector published a draft ‘Data Protection and AI’ checklist, (in German). In addition to a legal basis for the creation of AI models and the operation/use of AI applications, the rights of those affected and other compliance requirements of the GDPR must also be implemented. The data protection risk model must be documented and regularly checked to ensure that it is up-to-date and complete. If necessary, the test points, (see them here), can be checked as part of the control activities by the data protection officer.

Software for schools

The Danish supervisory authority has investigated the use of Google Workspace in Danish schools in 53 municipalities. The report considers that the municipalities have had no reason to forward student data to Google for the development and measurement of services, ChromeOS and the Chrome browser. The data protection authority also reminds the municipalities that they should have found out how Google processes the transmitted personal data before implementing the tools. Municipalities now have to bring the processing in line with the rules:

  • Municipalities should no longer pass on personal data to Google for these purposes. This will likely require Google to develop a technical option for the data streams in question to be intercepted.
  • Google must itself refrain from processing the information for these purposes.
  • The Danish Parliament provides a sufficiently clear legal basis for disclosure for these purposes.

A similar investigation on the use of Google’s teaching platform in schools was conducted in Finland in 2021. The decision does not prohibit the use of the educational platform but states that a legal basis must be defined for the processing of students’ data in Google services.

Purpose limitation

How to comply with the principle of purpose limitation? The Latvian data protection authority explains that when your data is transferred to someone else, it is usually done with the confidence that the data will be used for a specific purpose that is clearly understood by you. The principle of purpose limitation is closely related to other principles established in the GDPR, such as the principle of transparency, because only by knowing the specific purpose of data processing can a person understand what to expect within the scope of their data processing. 

Likewise, determining the exact purpose is related to the principles of data minimisation and storage limitation, because the purpose determines how much data is needed to achieve it and how long the data needs to be stored. It is also connected with the principle of lawfulness, because an appropriate legal basis can only be established for data that is planned to be used for a clearly defined purpose. Before processing for a different purpose, the controller must first assess whether this purpose is compatible with the initial processing, considering the following aspects:

  • the connection between the purposes;
  • the context in which data has been collected;
  • nature of data;
  • the consequences that further processing would have for the data subject;
  • the existence of adequate safeguards in both initial and intended subsequent processing operations.

EDPB documentation

The EDPB published a One-Stop-Shop case digest on Security of Processing and Data Breach Notification. The relevant decisions were initially filtered using Art. 32 of the GDPR, (security of processing), as the main legal reference. This article establishes an obligation for both data controllers and data processors to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The analysis of decisions will provide insights into how regulators interpret these obligations in concrete situations, such as how to protect organisations against hacking, how to ensure meaningful and robust encryption, how to build strong passwords, etc. 

The EDPB has launched a website auditing tool that can be used to help analyse whether websites are compliant with the law. It can be used by both legal and technical auditors at data protection authorities, as well as by controllers and processors who wish to test their websites. The tool is Free and Open Source Software under the EUPL 1.2 Licence and is available for download on code.europa.eu. The source code is available here.

Enforcement decisions

Prospect data: The French CNIL fined TAGADAMEDIA, (online competition and product testing websites), 75,000 euros. The data collected by brokers is sent to the company’s partners for commercial prospecting. The prospect questionnaire did not allow free, informed and unambiguous consent to be obtained: the button allowing users to give their consent was highlighted in contrast to the one allowing users to refuse consent, which also featured an incomplete text of reduced size, alongside a strong encouragement for users to agree to the transmission of their data to partners.

Insurance companies: An administrative court in Finland upheld the data protection commissioner’s decisions on the handling of health data by insurance companies. In some situations, insurance companies request personal health information directly from healthcare providers. However, data should be identified and precisely defined, which means only the necessary information from the provider and for the period that is relevant in assessing the insurance company’s liability is required. Also, the insurance applicant’s data from health services cannot be processed before concluding the contract.

Intrusive scientific research: The Italian regulator sanctioned a municipality for conducting two scientific studies, using cameras, microphones and social networks. The projects, financed with European funds, aim to develop technological solutions to improve safety in urban areas. It involved footage from video surveillance cameras already installed in the municipal area, as well as audio obtained from microphones specifically placed on the street. One of the projects also analysed hateful messages and comments published on social media, detecting any negative emotions and processing information of interest to the police. The municipality has not proven the existence of any legal framework for the processing: the data was unlawfully shared with third parties and partners. Furthermore, the anonymisation techniques proved insufficient.

Data breaches

Undetected attacker: The US FTC’s proposed action against Blackbaud alleges that the company’s failure to implement some basic safeguards resulted in the theft of highly sensitive data about millions of consumers, including Social Security numbers and bank account information. South Carolina-based Blackbaud provides a wide variety of data, fundraising, and financial services to more than 45,000 companies, including nonprofits, foundations, educational institutions, and healthcare organisations.

In 2020, an attacker purportedly used a Blackbaud customer’s login and password to access certain Blackbaud databases. The attacker rummaged around undetected for three months until Blackbaud finally spotted a suspicious login on a backup server. By then, the attacker had stolen data from tens of thousands of Blackbaud’s customers, which compromised the personal information of millions of consumers. Blackbaud eventually agreed to pay 24 Bitcoin, (valued at about 250,000 dollars), in exchange for the attacker’s promise to delete the stolen data. But Blackbaud hasn’t been able to verify that the attacker followed through. 

Data processor supervision: The Danish data protection authority reported Capio A/S to the police for not having supervised data processors. The private hospital may face a fine of approx. 200,000 euros. In particular, the hospital has not been able to ensure and demonstrate that personal data is processed for legal and reasonable purposes and in a way that ensures sufficient security for the sensitive personal data of the large number of data subjects in question, over several years.

Data security

TOMs: The Swiss data protection authority has revised its guide on technical and organisational security measures, (in English). The guide is primarily intended for people in charge of information systems, whether technicians or not, who are directly confronted with the problem of personal data management. 

Cloud: The French CNIL published factsheets on encryption and data security, (in French). It offers a detailed analysis of the different types of encryption applied to a cloud computing service: encryption at rest, in transit and in-process, and end-to-end encryption (E2EE). The guide also looks at various tools to secure cloud services, (anti-DDoS, WAF, CDN, load balancer), and key vigilance points.

Login: What to do if you detect a credential-stuffing attack? The Lithuanian data protection authority recommends responding quickly and proactively:

  • determining whether the attacker managed to use the available accesses,
  • blocking potential malicious activity,
  • notifying users of an attack and encouraging them to change their passwords,
  • notifying the regulator about the personal data security breach that has occurred,
  • conducting a thorough incident investigation and implementing additional security measures to prevent similar attacks in the future, (2FA, automatic attack detection systems, password policy).

Finally, if the attack is systemic or involves multiple platforms, it is recommended to collaborate with other data controllers in analyzing the incident.
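The first and last of the steps above, spotting a stuffing run and determining which accounts the attacker actually managed to use, lend themselves to a small piece of detection logic. The following Python is an added example, not code from the digest or from the Lithuanian authority; the log line format, the ten-minute window and the thresholds (five failures against at least four distinct usernames from one source) are constructed assumptions, as are the sample lines themselves. A single user mistyping their own password several times is deliberately not flagged, which is the edge case that distinguishes stuffing from ordinary login trouble.

```python
"""Credential-stuffing triage over authentication log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log lines, not from any real system. One event per line:
# <UTC timestamp> ip=<source> user=<account> result=FAIL|SUCCESS
SAMPLE_LOG = """\
2024-01-29T10:00:01Z ip=198.51.100.20 user=alice result=FAIL
2024-01-29T10:00:02Z ip=198.51.100.20 user=bob result=FAIL
2024-01-29T10:00:02Z ip=198.51.100.20 user=carol result=FAIL
2024-01-29T10:00:03Z ip=198.51.100.20 user=dave result=FAIL
2024-01-29T10:00:03Z ip=198.51.100.20 user=erin result=FAIL
2024-01-29T10:00:04Z ip=198.51.100.20 user=frank result=SUCCESS
2024-01-29T10:00:05Z ip=198.51.100.20 user=grace result=FAIL
2024-01-29T10:03:00Z ip=192.0.2.9 user=alice result=FAIL
2024-01-29T10:03:30Z ip=192.0.2.9 user=alice result=FAIL
2024-01-29T10:04:00Z ip=192.0.2.9 user=alice result=SUCCESS
2024-01-29T11:30:00Z ip=198.51.100.20 user=heidi result=SUCCESS
"""

# Assumed detection policy (constructed thresholds, tune to your own baseline).
WINDOW = timedelta(minutes=10)
MIN_FAILURES = 5        # failures from one source inside the window
MIN_DISTINCT_USERS = 4  # ... spread over this many different accounts

Event = Tuple[datetime, str, str, str]  # (timestamp, ip, user, result)


def parse_line(line: str) -> Event:
    """Parse one constructed log line into (timestamp, ip, user, result)."""
    ts_str, *fields = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv["ip"], kv["user"], kv["result"]


def triage(log_text: str,
           window: timedelta = WINDOW,
           min_failures: int = MIN_FAILURES,
           min_users: int = MIN_DISTINCT_USERS) -> Dict[str, object]:
    """Flag stuffing sources and list accounts they logged into successfully.

    A source is flagged the first time its failures within `window` reach
    `min_failures` across at least `min_users` distinct accounts. Every
    successful login from a flagged source is then reported as an account to
    block and reset, which is the "did the attacker manage to use the
    accesses" question from the response checklist.
    """
    events: List[Event] = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])

    recent_failures: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}  # ip -> time the source was first flagged

    for ts, ip, user, result in events:
        if result != "FAIL":
            continue
        q = recent_failures[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = {u for _, u in q}
        if ip not in flagged and len(q) >= min_failures and len(distinct) >= min_users:
            flagged[ip] = ts

    accounts_to_reset = sorted({user for _, ip, user, result in events
                                if result == "SUCCESS" and ip in flagged})
    return {"flagged_sources": flagged, "accounts_to_reset": accounts_to_reset}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, first_seen in report["flagged_sources"].items():
        print(f"block source {ip} (stuffing detected at {first_seen.isoformat()}Z)")
    for account in report["accounts_to_reset"]:
        print(f"reset password and notify: {account}")
```

In the constructed sample the single-user retries from 192.0.2.9 stay unflagged, while 198.51.100.20 is flagged at its fifth distinct-user failure and both accounts it subsequently logged into are listed for blocking, password reset and user notification; the same report gives the facts needed for the regulator notification step.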

Cybersecurity program: As cybersecurity threats continue to mount, you need to show improvements over time to your CEO and customers. How do you measure your progress and present it using meaningful, numerical details? America’s NIST offers a Draft Guidance on Measuring and Improving Your Company’s Cybersecurity Program. It is aimed at different audiences within an organisation, security specialists and the C-suite, and can help organisations move from general statements about risk level toward a more coherent picture founded on hard data.

Big Tech 

Amazon “stalking” employees: The French data protection authority fined Amazon France Logistique 32 mln euros for putting employees under constant surveillance. The company manages the Amazon group’s large warehouses in France, where it receives and stores items and then prepares parcels for customer delivery. Each warehouse employee is given a scanner to document the performance of certain tasks in real time. Each scan results in the recording and prolonged storing of data used to calculate employee quality, productivity and periods of inactivity, (the “error” margin was set to less than 1.25 seconds or longer than 10 minutes). The company was also fined for video surveillance without information or sufficient security. 

Uber has been fined 10 mln euros by the Dutch data protection authority for violating privacy regulations related to its drivers’ data. Uber failed to specify in its terms and conditions the duration for which drivers’ data is retained and the security measures in place, particularly when transferring data to non-European countries. The fine was imposed following a complaint by over 170 French drivers, which was then forwarded to the French data protection authority and subsequently to the Dutch regulator, as Uber’s European headquarters is in the Netherlands. 

The post Data protection digest 18 Jan – 2 Feb 2024: social media industry grilled over child safety and mental health appeared first on TechGDPR.

]]>
Data protection digest 31 July – 14 August 2023: privacy laws development, AI evaluations at school, and security of connected devices https://techgdpr.com/blog/data-protection-digest-14082023-privacy-laws-worldwide-ai-measuring-school-progress-and-security-of-connected-objects/ Mon, 14 Aug 2023 09:00:47 +0000

In this issue you will find that China is tightening controls on generative AI, India is finalising its comprehensive privacy laws, while California is reviewing data privacy practices by connected vehicle manufacturers and related technologies.

Legal processes and redress

China privacy laws updates: The Chinese Cyberspace Administration has issued administrative measures for personal data compliance audits for public input. In the case of high-risk processing operations or security incidents, the department in charge of personal data protection, (under the new PIPL legislation), may order the organisation to delegate the compliance audit to a professional institution. Similarly, businesses can perform their audits or entrust them to a recognised professional institution. However, no more than three consecutive compliance audits for the same organisation may be performed by the same institution. Companies that process more than one million people’s personal information must complete it at least once a year. 

China has considerably tightened controls on information sharing in recent years, particularly data transfers abroad, on the grounds of national security.

China generative AI: In parallel, China passed innovative legislation to govern generative AI. Interim Measures for the Management of Generative AI Services go into effect on 15 August. They apply to broad public services in China and hold firms accountable for the output of their platforms. The data used to train the systems will have to fulfil certain stringent conditions, not addressed in previous legislation, Deacons lawyers clarify:

  • Providers of generative AI must take responsibility for network information security, personal data protection, and produced content quality. 
  • Service providers are liable for the created material and are obliged to ban and report unlawful and illegally linked information. 

Technology created in research institutes or destined for export will be excluded. 

Swiss privacy law revised: On 1 September, the revised federal data protection act will come into force. The current law remains in force until 31 August. Major innovations will include criminal aspects of breaches of obligations, reinforced duty for data controllers to provide information to data subjects, data protection impact assessment for high-risk processing both in public and private sectors, fees for private data processors, regulators’ additional duties and powers, and more. 

India comprehensive privacy law: The Digital Personal Data Protection Bill 2023 passed in parliament before receiving presidential assent. It will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. It will also apply to such processing outside India if it is for offering goods or services in India. Personal data may be processed only for a lawful purpose upon the consent of an individual. Consent may not be required for specified legitimate uses such as the voluntary sharing of data by the individual or processing by the state. The main criticisms of the bill include:

  • The bill exempts data processing on grounds of national security which may lead to data collection, processing, and retention beyond what is necessary. 
  • The bill also does not grant the right to data portability and the right to be forgotten. 
  • The bill allows the transfer of personal data outside India, except to countries notified by the central government. This mechanism may not ensure adequate evaluation of data protection standards in certain countries.
  • The bill does not regulate risks of harm arising from the processing of personal data.

More analyses by PRS Legislative Research Institute are available here.

Official guidance

Google Analytics: The use of tools like Google Analytics does not only require legal transfers to the United States, (following the announcement of the US adequacy decision by the European Commission), states the Danish data protection authority. In addition to third-country transfers, there are a large number of requirements in the GDPR that must be complied with. Among other things, you need to establish a legal basis for data processing, define data processing roles and conclude data sharing agreements, fulfil data subject rights, and much more.

Rights to data portability and restriction of processing: The wide range of digital services often leads to the desire or need to change a service provider, so it is important to be aware that we have data transfer rights. However, the Latvian data protection agency reminds us that such an option is available only if: a) the personal data processed by the organisation is based on your consent or the concluded contract; b) the information has been provided by the person themselves; c) the data refers to the person who requests the data transfer.

Similarly, a person may face a situation where they need not delete personal data, but limit its processing. A situation may arise when an organisation holds personal data which is either inaccurate or out of date. If a person believes that their data is being processed illegally, they can also ask for its deletion or restriction of processing. There might be cases when the company does not need your personal data, but you need them to keep it, (eg, video surveillance records that a store normally deletes after a certain period of time but agrees to keep separately for police investigation needs). 

Finally, you can always ask to limit the processing of your data if you doubt that the legitimate interests of the controller are more important than your right to data protection. 

Harmful online design: The UK Information Commissioner’s Office and Competition and Markets Authority are calling for businesses to stop using harmful website designs that can trick consumers into giving up more of their data than they would like. It includes:

  • overly complicated privacy controls,
  • default settings that give less control over personal information, and
  • bundling privacy choices together in ways that push consumers to share more data.

Where consumers lack effective control over how their data is collected and used, this can harm consumers and also weaken competition. Lack of consumer control over cookies is a common example of harmful design. 

Parental control and connected devices: The French data protection regulator CNIL has issued an opinion on decrees implementing parental control over means of access to the Internet including the different functionalities that parental control devices will have to integrate on connected devices – smartphones, computers, video game consoles – blocking the download of applications and blocking access to content installed on terminals. Its activation must be offered free of charge, from the first commissioning of the device. They must also integrate the principles of personal data protection by design and by default. The CNIL has recommended two mandatory features, which could be activated according to the maturity of minors, to protect them when browsing the web:

  • blacklists to block access to sites or categories of sites previously determined by parents; and
  • whitelists to limit browsing to only previously authorized sites (for the youngest category). 

Enforcement decisions

TikTok in the EU: The EDPB settles dispute on TikTok processing of children’s data. The binding decision addresses the objections of the Irish, (lead), supervisory authority regarding the personal data processing of registered minors, (including those under 13 years old). The objections centred on whether there had been an infringement of data protection by design and default about age verification, and other design practices. The binding decision might result in a fine and other reprimands for the social media giant, which will become known in the next few weeks. 

AI at schools: In Canada, a case detailed by Osler’s lawyers considers the privacy of children in educational institutions when they are exposed to AI tools. In collaboration with a consulting firm, a school district developed an algorithm to target students who were at high risk of dropping out: a machine learning methodology analyses hundreds of types of raw data from a student database to generate a set of predictive indicators. The purpose limitation for such data processing was violated, according to the investigation commission.

When the data was initially obtained, students and their parents were not informed and hence did not consent to the use of the data to build predictive indications of dropout risk. Even though the information was used for a purpose that was compatible with the school board’s goals of ensuring academic achievement, the regulator ordered the school to delete the tool’s existing output. It also requested that the school board do a privacy impact study before deploying the tool. More information on the case may be found in the original publication.

Police data leak: According to BBC News, the Northern Ireland Police Service has apologised for inadvertently disclosing the personal information of all 10,000 of its personnel. In response to a Freedom of Information request, the organisation provided the identities of all police and civilian staff, as well as their locations and functions. The FOI request asked for a breakdown of all employee levels and grades from the PSNI. However, in addition to publishing a table indicating the number of personnel holding jobs such as constable, the PSNI also released a spreadsheet. This contained the surnames, initials, and other information of over 10,000 officers.

Carbon copy and sensitive data: The UK Commissioner’s Office has reprimanded two Northern Irish organisations for disclosing people’s information inappropriately via email. Both the Patient and Client Council and the Executive Office disclosed personal details by using inappropriate group email options. In the first case, the organisation sent an email to 15 people, each of whom had lived experience of gender dysphoria, using the carbon copy (cc) option. The people who received the email could reasonably infer that the other recipients also had experience of gender dysphoria, given their inclusion in the email. In the second case, following the report of the historical institutional abuse inquiry, the organisation sent an e-newsletter to 251 subscribers using the ‘to’ field. People included in the email were likely to be victims and survivors, as the newsletter content was tailored to survivors who were wishing to engage, or who were already engaging with the compensation scheme.
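Both reprimands come down to the same mechanical mistake: a group mailing whose recipient list is visible to every recipient. The Python below is an added example, not code from the ICO or from either organisation; it builds the safe form of such a mailing (only the sender visible, the group in Bcc) next to the pattern that caused the reprimands, and adds a pre-send gate that refuses any message exposing other recipients. The sender address, the 15-person recipient list and the example.org domain are constructed.

```python
"""Pre-send guard against recipient disclosure in group mailings (added example)."""
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List

# Constructed stand-ins: 15 recipients, as in the first case described above.
SENDER = "service@example.org"
GROUP = [f"member{i}@example.org" for i in range(1, 16)]


def build_group_mailing(sender: str, recipients: List[str],
                        subject: str, body: str) -> EmailMessage:
    """Safe form: only the sender is visible in To, everyone else is in Bcc.

    A standards-compliant submission path (smtplib.send_message, for one)
    strips the Bcc header before delivery, so no recipient learns who else
    was on the list, which is exactly the inference the reprimands concern.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_cc_mailing(sender: str, recipients: List[str],
                     subject: str, body: str) -> EmailMessage:
    """The pattern behind the reprimands: every recipient visible in Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def exposed_recipients(msg: EmailMessage, sender: str) -> List[str]:
    """Addresses other than the sender that every recipient will be able to see."""
    visible: List[str] = []
    for header in ("To", "Cc"):
        visible.extend(addr for _, addr in getaddresses(msg.get_all(header, [])))
    return [a for a in visible if a.lower() != sender.lower()]


def safe_to_send(msg: EmailMessage, sender: str) -> bool:
    """Gate to run before handing a group mailing to the MTA."""
    return not exposed_recipients(msg, sender)


if __name__ == "__main__":
    for label, builder in (("cc", build_cc_mailing), ("bcc", build_group_mailing)):
        msg = builder(SENDER, GROUP, "Newsletter", "Constructed body text.")
        print(f"{label}: exposes {len(exposed_recipients(msg, SENDER))} recipients, "
              f"safe_to_send={safe_to_send(msg, SENDER)}")
```

The gate is deliberately strict: for a mailing to a group defined by a sensitive characteristic, the acceptable number of other visible recipients is zero, so anything in To or Cc beyond the sender itself blocks the send.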

DDoS attack: The UK Information Commissioner also issued a reprimand to My Media World/Brand New Tube. An unauthorised third party gained access to its systems and exfiltrated the personal data of 345,000 UK data subjects. The company has been unable to determine the specific cause of the incident, concluding on separate occasions that a server misconfiguration and a DDoS attack were responsible for the access to their systems. The company also did not have any evidence of appropriate technical and organisational measures to protect users’ data. The nature of the data affected included the names, email addresses and passwords of users. The organisation must now ensure they have:

  • appropriate contracts in place with any third-party providers which set out the roles and responsibilities of each party, 
  • maintained records of processing activities, and
  • regular scans and testing of their environment, record outcomes and address any issues promptly. 

More security best practices recommended to organisations by the ICO can be found here and here.

Data security

Connected beacons: Connected tags, which have been around for several years, make it possible to locate and find the objects to which they are attached. While technology is useful for finding lost objects, states the French data protection regulator, many media stories show that they can be misused to track the location of people without their knowledge. Only the owner can detect the beacon and therefore track its movements. However different measures have been put in place by manufacturers of connected beacons to allow you to detect them in case of doubt.

If you have an iPhone, you’ll get a notification when an AirTag you don’t own moves with you for a period of time. A feature will then allow you to connect to the AirTag to make it ring. If you have the latest version of Android, you will automatically receive a notification when a separate AirTag from its owner moves at the same time as you for a while. If you do not have a smartphone, the AirTag will beep its position if it is too far from its owner for a certain time. 

The use of a connected beacon to follow a person without their consent is a criminal offence, punishable by one year’s imprisonment and a fine of 45,000 euros. More information on how to detect and disable the tags is in the original publication.

Big Tech

Meta compulsory fine: The Norwegian data protection authority has imposed a compulsory fine on Meta – approx. 90,000 euros per day. The background is that Meta does not comply with the Norwegian data protection authority’s ban on behaviour-based marketing on Facebook and Instagram. However, Meta has petitioned the Oslo district court for a temporary injunction against the ban. 

The ban does not prohibit personalised marketing on Facebook or Instagram as such. Meta can, for example, target marketing based on information that users enter on their profile, such as place of residence, gender and age, or interests that users themselves state that they want to see marketing about. The decision also does not prevent Meta from showing behaviour-based marketing to users who give valid consent to it.

Google user tracking: A US court denied Google’s request to dismiss a lawsuit alleging that the company violated the privacy of millions of individuals by secretly tracking their internet usage, Reuters reports. The plaintiffs claimed that Google’s analytics, cookies, and applications allowed the Mountain View, California-based business to follow their activities even when they used Google’s Chrome browser in “Incognito” mode and other browsers in “private” mode. The case covers Google users since June 2016 and demands at least 5000 euros in damages for each user.

Connected vehicles: Finally, the California privacy protection agency announced a review of data privacy practices by connected vehicle manufacturers and related technologies. These vehicles are embedded with several features including location sharing, web-based entertainment, smartphone integration, and cameras. Data privacy considerations are critical because these vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle. 

The post Data protection digest 31 July – 14 August 2023: privacy laws development, AI evaluations at school, and security of connected devices appeared first on TechGDPR.

Data protection & privacy digest 25 Oct – 8 Nov 2022: EU-US privacy framework ambiguity, data breach reporting, right to be forgotten https://techgdpr.com/blog/data-protection-digest-10112022-eu-us-privacy-framework-ambiguity-data-breach-reporting-right-to-be-forgotten/ Thu, 10 Nov 2022 09:08:06 +0000 https://s8.tgin.eu/?p=6187

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU-US privacy framework, DMA, CCPA/CPRA, right to be forgotten

The Baden-Württemberg data protection commissioner warns that Joe Biden’s executive order on the EU-US privacy framework is an important step, but that it creates legal ambiguity. It addresses the requirements of the CJEU’s “Schrems II” judgment by adapting, among other things, the extensive access to EU residents’ data in the context of US national security and the complaints and appeals procedure. Nonetheless, it is an internal instruction to the government and subordinate authorities, not a law passed by parliament, and it is not legally enforceable, especially by EU citizens. In addition, it is not clear how the executive order relates to other existing US regulations such as the CLOUD Act. Other ambiguities are as follows:

  • The legal concept of proportionality differs between the EU and the US, so it remains unclear when, from the US point of view, access for national security purposes remains permissible.
  • Significant requirements are placed on the filing of a complaint by EU data subjects, so it is still possible to filter out “undesirable” complaints.
  • The newly created Data Protection Review Court, (an appeal body for complainants), is set up by order of the US Attorney General, which may contradict its judicial independence.
  • The CJEU not only demanded legal remedies against state surveillance, but also an end to surveillance without cause, (the system change demanded by the court does not exist at present).

The European Commission will now have to decide whether there is equivalent protection of personal data in the US. The draft decision is expected in spring 2023. More legal research on the topic is promised by the NOYB privacy foundation, whose founder Max Schrems started the legal battle in 2013. 

Where several controllers rely on a single consent of a data subject, it is sufficient that the data subject contacts any one of them to withdraw it, states a recent CJEU ruling. That controller must, by means of appropriate technical and organisational measures, inform the other controllers that provided the data or received it of the withdrawal of consent. Equally, the controller is required to take reasonable steps to inform third parties such as internet search engine providers of a request for erasure. The case concerned Telenet, a Belgian telephone operator, which passes on the contact details of its subscribers, (with their consent), to providers of directories, including Proximus. One of Telenet’s subscribers asked not to be included in directories published by Proximus and third parties; nonetheless, their contact details appeared online.  

The EU Digital Markets Act, (DMA), entered into force on 1 November. The new regulation is intended to put an end to unfair practices by companies that act as gatekeepers in the online platform economy. In many cases the rules intersect with and reinforce fundamental privacy and data protection concepts, such as:

  • Provide business users with access to the data generated by their activities on the gatekeeper’s platform.
  • Ban on tracking end users outside of the gatekeepers’ core platform for the purpose of targeted advertising, without effective consent having been granted.
  • The interoperability obligation to ensure that the levels of service integrity, security and encryption offered by the gatekeeper will not be reduced, (eg, text messages/audio/video calls between individual or group users). End users will equally have the choice to use or refuse such an option, where their provider has decided to interoperate with a gatekeeper.

The DMA will also facilitate direct actions for damages by those harmed by the conduct of non-complying gatekeepers. After the entry into application on 2 May 2023, potential gatekeepers will have to notify their core platform services to the Commission within 2 months if they meet the quantitative thresholds.

The California privacy regulator released modified proposed regulations for compliance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act. It also seeks public comments on the improved text until 21 November. The adaptations relate to:

  • the notice of collections, (on how to disclose third parties that the business allows to collect personal information from the consumer),
  • right to limit the use/disclosure of sensitive personal information, (without the purpose of inferring characteristics about a consumer),
  • limits to responding to consumer requests due to “disproportionate effort”,
  • requests to correct personal information,
  • data minimisation, (business’s collection, use, retention or sharing of personal information must be reasonably necessary and proportionate to achieve the relevant purposes).

Official guidance: anonymisation for SMEs, data breach reporting, direct marketing, employment practices, DP icons, dark commercial patterns

The Spanish data protection agency AEPD has published a basic anonymisation guide, (in Spanish), for data controllers, data processors and data protection specialists. It is especially aimed at SMEs and startups that have to anonymise small data sets. The document explains the difference between the concepts of anonymisation, de-identification, and re-identification. The guide is complemented by a free downloadable tool for organisations to transform simple data sets by applying anonymisation techniques.

The AEPD has also launched a tool which aims to help data controllers decide whether to report a personal data breach to the supervisory authority, following Art. 33 of the GDPR, (available in English). This tool can also be used by data protection officers, data processors, or consultants to obtain adequate information with which to advise controllers. Once finished, the data provided during the process are deleted, and the AEPD does not have access.

The UK privacy regulator ICO updated its guidance on direct marketing using electronic mail. The Privacy and Electronic Communications Regulations 2003, (PECR), takes its definition of direct marketing from the UK Data Protection Act 2018 and covers the sending of electronic mail for direct marketing purposes to particular individuals. The guidance sets out a few exceptions for: a) some types of online advertising, (eg, advertisements placed on websites not using cookies or similar technologies), b) direct marketing using social media, (eg, advertising messages shown on news feeds), and c) mail sent for administrative or customer service purposes, (if it does not contain any promotional content).

The ICO also released a draft guidance on employment practices: information about workers’ health, (sickness and injuries, disability, drug tests, health monitoring, etc). It is some of the most sensitive personal information you might process about your workers. Data protection law applies whenever you process information about your workers’ health. Notably, the term ‘worker’ relates to all employment relationships, whether this includes employees, contractors, volunteers, or gig and platform workers. 

The Baden-Württemberg data protection authority in Germany released free-of-charge data protection icons, aimed at making privacy notices by data controllers clearer and easier to understand. For example, data subjects can see at a glance on which legal grounds data processing is based. The icons are available for download from the authority.

The OECD has published a paper on dark commercial patterns. These practices are commonly found in online user interfaces including cookie consent notices. Many consumer and data protection authorities have taken enforcement actions and consumer organisations have filed complaints about their use, states the OECD. However, enforcement cases to date predominantly relate to a limited set of dark patterns commonly recognised by regulators. This indicates possible gaps in the law, available evidence, or enforcement capacity.

Investigations and enforcement actions: learning records, bank cards’ contactless data, HTTP protocol, employee login information, adult domains

The ICO has issued a reprimand to the Department for Education (DfE), following the prolonged misuse of the personal data of up to 28 million children. An investigation found that the DfE’s poor due diligence meant a database of pupils’ learning records was ultimately used by Trustopia, an employment screening firm, to check whether people opening online gambling accounts were 18. At the time of the breach, 12,600 organisations had access to the learning records service database, including schools, colleges, higher education institutions, and other education providers. This allowed organisations to perform a number of functions, including verifying the academic qualifications of potential students or checking eligibility for funding. Trustopia had access to the database for two years and had carried out searches on 22,000 learners for age verification purposes. Trustopia has never provided any government-funded educational training.

The US FTC is taking action against the online alcohol marketplace Drizly, (an Uber subsidiary), and its CEO over allegations that the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers. In 2018, a Drizly employee posted company cloud computing account login information on the software development and hosting platform GitHub. As a result of this security breakdown, hackers were able to use Drizly’s servers to mine cryptocurrency until the company changed its login information for its cloud computing account.
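The Drizly case turns on credentials committed to a public repository, which is exactly the kind of leak an automated scan of staged changes is meant to stop before a push. The following is an added example, not Drizly’s, the FTC’s or GitHub’s code; the page does not say which cloud provider’s credentials were exposed, so the AWS-style key-ID format, the sample diff and the `changeme` placeholder are all constructed for illustration:

```python
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Credential patterns checked in order: a provider-specific format first, then a
# generic "name = value" assignment. The AWS key-ID format is an assumption for
# illustration; the page does not name the cloud provider involved.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|access[_-]?key)\w*\s*[:=]\s*['\"]?([^'\"\s]{8,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; placeholders like "changeme" fall below it


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character: random secrets score high, dictionary words low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


@dataclass
class Finding:
    kind: str
    value: str
    line: str


def scan_added_lines(diff_text: str) -> list[Finding]:
    """Scan only the '+' lines of a unified diff, i.e. what the commit would introduce."""
    findings: list[Finding] = []
    for raw in diff_text.splitlines():
        if not raw.startswith("+") or raw.startswith("+++"):
            continue  # removed/context lines and the file header are not being committed
        line = raw[1:]
        for kind, pattern in SPECIFIC_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(kind, m.group(0), line))
                break
        else:
            # No provider-specific hit: fall back to "name = value" and require the value
            # to look random, so documented placeholders do not block every commit.
            m = GENERIC_ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append(Finding("generic_assignment", m.group(2), line))
    return findings


def has_secrets(diff_text: str) -> bool:
    return bool(scan_added_lines(diff_text))


# Constructed staged diff: a hard-coded key pair replacing environment lookups.
# AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS documentation, not a live key.
SAMPLE_DIFF = """\
diff --git a/deploy/config.py b/deploy/config.py
--- a/deploy/config.py
+++ b/deploy/config.py
@@ -1,4 +1,5 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
-AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+db_password = "changeme"
 REGION = "eu-central-1"
"""

if __name__ == "__main__":
    for f in scan_added_lines(SAMPLE_DIFF):
        print(f"{f.kind}: {f.line.strip()}")
    raise SystemExit(1 if has_secrets(SAMPLE_DIFF) else 0)
```

Wired into a pre-commit hook (`git diff --cached | python scan.py`), a non-zero exit blocks the commit; the entropy gate is what keeps the generic rule from flagging every `password = "changeme"` in a sample config while still catching a 40-character random secret.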

The FTC is also taking action against education technology provider Chegg Inc. for lax data security practices that exposed sensitive information about millions of its customers and employees. Chegg allegedly failed to fix problems with its data security despite experiencing four security breaches since 2017. Notably, multiple Chegg employees fell for a phishing attack, and a former Chegg contractor used login credentials the company shared with employees and outside contractors to access one of Chegg’s third-party cloud databases containing the personal information of approximately 40 million customers. The FTC’s proposed order requires the company to bolster its data security, limit the data it can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to access and delete their data.

Spain’s AEPD fined Burwebs S.L and Techpump Solutions, (owners of various internet domains with adult content), 75,000 euros and 525,000 euros respectively for multiple violations of the GDPR, Data Guidance reports. In the case of Burwebs, the AEPD found:

  • All personal data of registered users is stored indefinitely.
  • No provision regarding the consent of holders of parental authority or guardianship on profiles of minors registered as users.
  • The account-opening process on the domains relies solely on the supporting documents initially provided and uses no additional data or procedures to verify the applicant’s identity.
  • Privacy policy does not inform users of the possibility of revoking consent at any time before the initial provision of consent, and fails to inform users of the period for which their personal data will be retained.
  • The total absence of “privacy by design”.
  • The record of processing activities does not list all the procedures, (eg, retention of unregistered user data).
  • In addition to cookie walls that block access to websites and require users to approve relevant cookies, its applicable webpages lack information on the usage of cookies. 

In the case of Techpump Solutions, the AEPD found identical data processing violations to the above case, plus:

  • Transfers of personal data to companies within the same group occurring, despite the privacy policies claiming that such a process will not occur. 
  • Indefinite storage of the personal data of those who used the relevant webpages, until website users request the withdrawal of consent. 
  • No clear or affirmative consent mechanism exists to acquire user personal data.  
  • The company is largely based outside of Spain, and the information in its privacy policy is in English, a foreign language for the target audience. 
  • Frequent collection of personal information, including IP addresses, without explaining the circumstances to users.

Both companies were given one month to apply all the corrective measures.

The Greek data protection authority has fined four banks, (Eurobank, National Bank, Alpha Bank, and Piraeus), 20,000 euros each for storing, on the chip of customers’ Mastercards, information on their last 10 transactions. The data can be read contactlessly. The banks issued replacement cards with this feature without informing clients. 

The Italian privacy regulator Garante fined a company 15,000 euros for not having adequately protected customer data. The company’s website dedicated to “online services” was accessed over the plain “http” protocol, without encryption. Various data passed through this channel, including authentication credentials, names, social security numbers, e-mail addresses, telephone numbers, and billing data. The company violated the principles of “privacy by design” and “integrity and confidentiality” of data processing. 
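The Garante case is the plaintext-transport failure in its basic form: credentials and identifiers sent over http. What follows is an added example, not the Garante’s or the fined company’s code, of a check that reviews captured requests (for instance exported from an intercepting proxy) and flags any that carry credentials, session cookies or identifiers over a non-TLS connection. The request records, host name and sensitive field names are constructed for illustration:

```python
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Header, form and query names treated as sensitive. The field names are assumptions for
# this example; extend them to match the application under review.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "ssn", "codice_fiscale", "card_number"}
SENSITIVE_HEADERS = {"authorization", "cookie"}


@dataclass
class CapturedRequest:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def sensitive_items(req: CapturedRequest) -> set[str]:
    """Names of sensitive data items present in the request, regardless of transport."""
    found: set[str] = set()
    for name in req.headers:
        if name.lower() in SENSITIVE_HEADERS:
            found.add(f"header:{name.lower()}")
    for name in parse_qs(urlsplit(req.url).query):
        if name.lower() in SENSITIVE_FIELDS:
            found.add(f"query:{name.lower()}")
    content_type = {k.lower(): v for k, v in req.headers.items()}.get("content-type", "")
    if req.body and content_type.startswith("application/x-www-form-urlencoded"):
        for name in parse_qs(req.body):
            if name.lower() in SENSITIVE_FIELDS:
                found.add(f"form:{name.lower()}")
    return found


def plaintext_findings(requests: list[CapturedRequest]) -> list[tuple[str, set[str]]]:
    """(url, items) for every request that sends sensitive data over plain http."""
    findings = []
    for req in requests:
        if urlsplit(req.url).scheme.lower() != "http":
            continue  # https (or any non-http scheme) is not the failure under review
        items = sensitive_items(req)
        if items:
            findings.append((req.url, items))
    return findings


# Constructed capture: the same login flow once over http and once over https, plus a
# request that exposes a session cookie and a fiscal code in the clear.
SAMPLE_CAPTURE = [
    CapturedRequest("GET", "http://servizi.example.test/online/"),
    CapturedRequest("POST", "http://servizi.example.test/online/login",
                    {"Content-Type": "application/x-www-form-urlencoded"},
                    "user=mrossi&password=Inverno2022!"),
    CapturedRequest("GET", "http://servizi.example.test/online/fattura?codice_fiscale=RSSMRA80A01H501U",
                    {"Cookie": "JSESSIONID=6A1F0C2B"}),
    CapturedRequest("POST", "https://servizi.example.test/online/login",
                    {"Content-Type": "application/x-www-form-urlencoded"},
                    "user=mrossi&password=Inverno2022!"),
]

if __name__ == "__main__":
    for url, items in plaintext_findings(SAMPLE_CAPTURE):
        print(f"{url}: {', '.join(sorted(items))} sent over plaintext")
```

The check deliberately looks at what is sent rather than only at the scheme: a plain-http home page is not a finding, a plain-http login is. The server-side counterpart, which the page does not describe, is to serve the application only over TLS, redirect http requests before they reach a form, and send HSTS so browsers stop using http for the host at all.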

Data security: crucial TOMs, digital footprint, cybersecurity and privacy annual report by NIST

The US NIST has published its latest Cybersecurity and Privacy Annual Report. It is organised into eight key areas: cryptographic standards and validation, cybersecurity measurement, education and workforce, identity and access management, privacy engineering, risk management, trustworthy networks, and trustworthy platforms. NIST conducted research and demonstrated practical applications in several priority areas, including post-quantum cryptography, cybersecurity in supply chains, zero trust, and control systems cybersecurity. NIST also initiated research in some new areas, including the cybersecurity of genomics data.

The UK ICO warned that organisations are leaving themselves open to cyber attacks by ignoring crucial technical and organisational measures such as updating software and training staff, (Art. 32 of the GDPR). The warning accompanies a 4.4 million pound fine imposed on Interserve Group. An employee forwarded a phishing email, which the system had not quarantined, to another employee, who opened it and downloaded its content. The personal data of up to 113,000 current and former employees was subsequently encrypted and rendered unavailable. 

The Latvian DVI explains a digital footprint and how to protect it. A user can leave it either actively or passively, but once shared, the digital footprint is relatively permanent. It can determine a person’s digital reputation, which is now as important as a person’s offline reputation. Cybercriminals can also use your digital footprint for purposes such as phishing or creating a fake identity. In one of the examples, the active digital footprint is formed when a credit card of a specific service provider is used, while the passive digital footprint is formed by analysing the flow of money in the account and the purposes for which one spends one’s financial resources. Thus:

  • Remember to carefully familiarise yourself with the privacy policies of the websites where you intend to buy the goods or services offered. 
  • Every time you sign in to a third-party website using, for example, your Facebook credentials, you give that company permission to obtain your user data, potentially putting your personal information at risk. 
  • Perform regular searches for your name and related personal information in search engines.
  • Tighten the privacy settings of your online accounts, and minimise the amount of personal data shared, (eg, location). 
  • Regularly update software. 

Big Tech: TikTok employees’ access to data, Medibank’s refusal to pay ransom, Amazon’s Alexa recording

TikTok informed its EU users that their data can be accessed by employees outside the continent, including in China – to ensure their experience of the platform is “consistent, enjoyable and safe”. The other countries where European user data could be accessed by TikTok staff include Brazil, Canada and Israel as well as the US and Singapore, where European user data is stored currently, The Guardian reports.

Medibank, Australia’s biggest health insurer, said no ransom payment will be made to the criminal responsible for a recent data theft affecting around 9.7 million current and former customers. The company believes there is only a limited chance that paying a ransom would ensure the return of its customers’ data and prevent it from being published. In addition, paying a ransom could encourage the hacker to extort customers directly, hurting more people. Australian companies have been hit by a string of cyber attacks in recent weeks, prompting the government to consider significant increases in penalties for repeated or serious privacy breaches through amendments to privacy laws. 

Finally, Amazon must produce millions of documents in response to discovery requests in a potential class action over the marketing of its Alexa-enabled devices, Bloomberg Law reports. Plaintiffs allege that Amazon sold its Alexa-enabled devices to consumers using unfair and deceptive advertising, and that the devices illegally record conversations. The plaintiffs seek discovery concerning Amazon’s intent in marketing Alexa devices, complaints received by the company, and how Alexa-enabled devices function. Amazon estimated it would have to produce 4.4 million documents in response to the plaintiffs’ requests.

The post Data protection & privacy digest 25 Oct – 8 Nov 2022: EU-US privacy framework ambiguity, data breach reporting, right to be forgotten appeared first on TechGDPR.

Data protection & privacy digest 12 – 24 October 2022: first GDPR certification seal, test databases, password management https://techgdpr.com/blog/data-protection-digest-25102022-first-gdpr-certification-seal-test-databases-password-management/ Tue, 25 Oct 2022 10:54:25 +0000 https://s8.tgin.eu/?p=6161

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: first European data protection seal, GDPR harmonisation rules, data breach notification, children’s data protection, artistic and literary works

The EDPB approved the very first GDPR certification seal, (see the EDPB’s detailed opinion). Europrivacy became the first certification mechanism that demonstrates compliance. It was developed through the European Research Programme Horizon 2020 and is continuously updated by the European Centre for Certification and Privacy in Luxembourg and its International Board of Experts. Companies and services can use the certification scheme to increase the value of their businesses and trust in their services. They can use Europrivacy to:

  • assess the compliance of their data processing activities,
  • select data processors,
  • assess the adequacy of cross-border data transfers,
  • assure citizens and clients of the adequate processing of their data.

The scheme applies to a wide variety of data processing activities while taking into account sector-specific obligations and risks, such as AI, IoT, blockchain, automated cars, smart cities, etc. It is supported by a ledger-based registry of certificates for authenticating delivered certificates and for preventing forgery. The GDPR certification seal has an innovative format for criteria, which is both human- and machine-readable. It is also aligned with ISO standards and can easily be combined with the certification of information security management systems (ISO/IEC 27001). 

The EDPB is also asking the European Commission for clarification and harmonisation of rules on procedures that still differ in each European Member State. This includes clarity about the rights of people making a complaint, criteria for handling complaints, the scope and nature of the documents that must be shared in complex investigations, deadlines for handling cases, how to close cases, investigative powers, and the publication of decisions. Additionally, complaints can sometimes be resolved in a non-contentious way, for example after the intervention of the SA has facilitated the exercise of a data subject’s rights. However, the current lack of harmonisation regarding amicable settlements creates challenges. 

To support children, their parents and educators in the digital world, the French regulator CNIL provides practical sheets, games, and videos, in clear and straightforward language, (in French only). This includes a digital vocabulary for children explaining what terms like IP address, cookies or paywalls mean, but also teaches children the right reflexes when doing things such as subscribing to a social network, (“TacoTac”), downloading online games on parents’ devices, sharing “funny” images/videos of people online, and much more. 

Latvia’s data protection authority DVI explains the principles of data processing within artistic and literary expression, as creators’ final results may contain other people’s data. An artist or writer, when evaluating the result of their work and before making it available to the general public, must satisfy themselves that:

  • It was created within the framework of the artist’s right to freedom of speech and expression.
  • The right to privacy and data protection of the natural persons whose data is included in the artistic or literary object is not threatened.
  • It does not threaten interests of the data subject that outweigh the interest of the public in getting to know the creation.
  • It is not desirable to publish works, (eg, photos), in which natural persons are depicted offensively, or which may cause personal injury, moral or other harm, thereby infringing the right to privacy of that person.
  • If the natural persons involved are informed about the planned purpose, it must be expressed clearly, without hidden intentions. 

The EDPB is seeking public comments on updated guidelines on personal data breach notification under the GDPR. Back in 2017, Working Party 29 adopted the document, which was endorsed by the EDPB. The new one is a slightly updated version of those guidelines. In particular, the EDPB noticed that there was a need to clarify the notification requirements concerning personal data breaches at non-EU establishments. The paragraph concerning this matter has been revised and updated. Any reference to the WP29 Guidelines on Personal data breach notification should, from now on, be interpreted as a reference to these EDPB Guidelines.

Legal processes:  test databases, MiCA draft regulation, bank AML monitoring, debt information collection

The CJEU delivered a judgment on the storage limitation and purpose limitation principles: the creation and long retention of a database to carry out tests and correct errors, and the compatibility of such processing with the purposes of the initial collection. The request was made in proceedings between ‘Digi’, one of Hungary’s main internet and television providers, and the country’s data protection regulator NAIH, concerning a breach of a Digi test database, (by an ethical hacker). Digi had not deleted the test database, with the result that a large amount of personal data had been stored without any purpose for almost 18 months. However, the data copied into the test database had been lawfully collected to conclude and perform the subscription contracts. At the request of the Budapest High Court, the CJEU clarified that:

  • Processing in a database set up for testing and error correction falls within the legitimate expectations of customers as regards the further use of their data, (such errors are liable to harm the provision of the contractually agreed service), and is therefore compatible with the purpose of the initial collection. 
  • It is not apparent that all or part of that data was sensitive, or that the subsequent processing had harmful consequences for subscribers or was not accompanied by appropriate safeguards.
  • At the same time, a database created for testing and correcting errors must not be kept for longer than is necessary to carry out those tests and to correct those errors. 
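The Digi ruling has two engineering consequences: a test copy should carry only what the tests need, and it should have a deletion date tied to its purpose rather than living on until someone notices it. The following is an added example, not Digi’s or NAIH’s system; the record fields, the 90-day retention period and the key handling are assumptions for illustration. It builds such a copy, replacing direct identifiers with synthetic values and subscriber IDs with a keyed hash (stable within the test set, unlinkable once the key is discarded), and purges the copy once its retention period has passed:

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class TestDatabase:
    purpose: str
    created: date
    retain_until: date
    rows: list[dict] = field(default_factory=list)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash: the same ID maps to the same token within one test set, and
    destroying the key makes re-identification from the token infeasible."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def make_test_copy(prod_rows: list[dict], key: bytes, purpose: str,
                   created: date, ttl: timedelta) -> TestDatabase:
    """Copy only the fields the error reproduction needs; replace direct identifiers."""
    rows = []
    for n, row in enumerate(prod_rows, start=1):
        rows.append({
            "subscriber_id": pseudonymise(row["subscriber_id"], key),
            "name": f"Subscriber {n}",               # synthetic, not derived from the real name
            "email": f"subscriber{n}@test.invalid",  # reserved TLD, never deliverable
            "plan": row["plan"],                      # needed to reproduce billing errors
            "billing_day": row["billing_day"],
        })
    return TestDatabase(purpose, created, created + ttl, rows)


def is_expired(db: TestDatabase, today: date) -> bool:
    return today > db.retain_until


def purge_if_expired(db: TestDatabase, today: date) -> bool:
    """Delete the rows once the purpose-bound retention period has passed."""
    if is_expired(db, today):
        db.rows.clear()
        return True
    return False


# Constructed production rows; real data would come from the subscription system.
PROD_ROWS = [
    {"subscriber_id": "SUB-000123", "name": "Anna Kovács", "email": "anna@example.test",
     "plan": "fibre-500", "billing_day": 15},
    {"subscriber_id": "SUB-000124", "name": "Péter Nagy", "email": "peter@example.test",
     "plan": "tv-basic", "billing_day": 1},
]
TEST_KEY = secrets.token_bytes(32)  # held by the test-environment owner only (assumption)
CREATED = date(2021, 1, 4)


def build_example() -> TestDatabase:
    return make_test_copy(PROD_ROWS, TEST_KEY, "billing error reproduction",
                          CREATED, timedelta(days=90))


if __name__ == "__main__":
    db = build_example()
    print(db.rows[0])
    eighteen_months_later = CREATED + timedelta(days=548)
    print("expired after 18 months:", is_expired(db, eighteen_months_later))
    print("purged:", purge_if_expired(db, eighteen_months_later), "rows left:", len(db.rows))
```

Run as a scheduled job against the `retain_until` date, `purge_if_expired` is what turns the court’s “no longer than necessary” into an enforced deadline instead of a good intention; the keyed hash is pseudonymisation, not anonymisation, so the copy remains personal data for as long as the key exists.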

The final text proposal for a Regulation on Markets in Crypto-assets (MiCA) has been endorsed by the European Council, and now awaits formal approval in the European Parliament. MiCA attempts to provide a harmonised framework for the protection of holders of digital assets, including their data. Currently some crypto-assets fall outside of the scope of EU financial services legislation. There are no rules, other than AML rules, for services related to these unregulated crypto-assets, including for the operation of trading platforms for crypto-assets, the service of exchanging crypto-assets for funds or other crypto-assets, or the custody of crypto-assets. The lack of such rules leaves holders exposed to risks, in particular in areas not covered by consumer protection rules. 

The proposed regulation states that issuing, offering, or seeking admission to trading of crypto-assets and the provision of crypto-asset services could involve the processing of personal data. Any processing of personal data under this regulation should be carried out in accordance with applicable Union law on the protection of personal data. Furthermore, crypto-assets shall not be considered to be offered for free where purchasers are required to provide, or to undertake to provide, personal data to the offeror. Also, regarding the transfer of personal data to a third country, the European Banking Authority shall apply Regulation 2018/1725 (‘on the protection of natural persons concerning the processing of personal data by the Union institutions’). 

The Dutch data protection authority, (AP), is concerned that a new anti-money laundering law opens the door to unprecedented mass surveillance by banks. Part of the proposal is to monitor all bank transactions of all Dutch account holders in one centralised database, using algorithms. In addition, banks must start exchanging customer data with each other. In many cases this monitoring could be outsourced to a third party operating the algorithms. Combined, the risks associated with this system are disproportionate to the purpose of the bill, believes the AP. For instance, this system could lead to people wrongly losing access to their bank accounts altogether. Banks are already required to carry out individual checks on people or companies that may be laundering money or financing terrorism, and they must report unusual transactions to the authorities. 

The Norwegian data protection authority Datatilsynet responded to the government’s proposal to extend the debt information scheme to also include mortgage-secured debt. The regulator recognizes that banks and other creditors need to process information about existing mortgages and car loans in connection with the assessment of a loan application. However, the proposal conflicts with the data minimisation principle, states Datatilsynet. Banks and other credit institutions already have access to information about mortgages and car loans. It appears that the real purpose of the proposed extension of the debt information scheme is to make the creditors’ collection of information about mortgage-secured debt more efficient. This needs to be done in a more privacy-friendly way, and the regulator also points out that citizens’ debt information is attractive for both public and commercial actors, increasing the risk of purpose slippage.

Investigations and enforcement actions: lost DSAR, generic responses to DSARs, whistleblowing reports management, Clearview AI fine, Zoetop data leak

The Italian privacy regulator Garante fined BPER Banca 10,000 euros for violating Art. 12 and 17 of the GDPR. The complainant asked the bank, via email, to delete his professional account from a job application database. The company acknowledged this email and asked him to repeat the request accompanied by identity documents, which the bank duly received at the same email address. However, this last communication was not followed by any effective action by the unit in charge, (HR planning and development service), owing to an internal misunderstanding: changes in the company’s e-mail system had caused problems in the communication flows between corporate functions. The account deletion request was finally fulfilled only when the complainant’s lawyer sent a registered letter claiming pecuniary and non-pecuniary damage due to the non-deletion. The company noted, however, that some of the applicant’s data would still need to be processed for administrative, accounting, operational and organisational reasons, and that other statutory retention periods would apply for litigation or administrative/judicial proceedings. 

Garante also imposed a 10,000 euro fine on Clio S.r.l for violating Art 5, 6, and 30 of the GDPR, and in connection with similar decisions issued against the Municipality of Ginosa and Acqua Novara.VCO, Data Guidance reports. Clio supplies and manages on behalf of various public and private entities an application used for the acquisition and management of whistleblowing reports. Garante found that Clio had failed to regulate the relationships with various customers, who acted as data controllers, as a result of which Clio had carried out data processing activities in the absence of an appropriate legal basis. In addition, Clio had failed to keep a register of the processing activities carried out on behalf of the data controllers. Garante however noted the collaborative behavior of Clio in the course of the investigation.

The Croatian data protection authority AZOP recently issued a negative statement on a generic response to data subject access requests, (in this case, the location of stored data), by a telecoms provider. The complainant received a generic notice listing the category of data collected along with the legal bases, and was told that any information on the processing of data, (collected with his consent), could only be obtained from the point of sale. Since the applicant was not satisfied with the generic answer, he repeated his inquiry on the same day in greater detail, specifically about where his data was stored, but he did not receive an answer from the company. 

The French regulator CNIL imposed a penalty of 20 million euros, (the maximum financial penalty under Art. 83 of the GDPR), on CLEARVIEW AI and ordered the company to stop collecting and using, without any legal basis, the data of people in France and to delete the data already collected. CLEARVIEW had previously been given two months to comply with the formal notice and to demonstrate its compliance to the CNIL, but it did not provide any response. CLEARVIEW scrapes photographs from a wide range of websites, including social media, that can be consulted without logging into an account, and extracts accessible images and videos from distribution platforms. Through this collection, CLEARVIEW creates, expands, and markets access to its search engine, in which an individual can be searched for using images. The company offers this service to law enforcement agencies. CLEARVIEW boss Hoan Ton-That told the media that his company had no clients or premises in France and was not subject to EU privacy law, adding that his firm collected “public data from the open internet” and complied with all standards of privacy.

The New York Attorney General secured 1.9 million dollars from an e-commerce retailer, Zoetop, (owner of SHEIN and ROMWE), for failing to properly handle a data breach that compromised the personal information of tens of millions of consumers. Zoetop was targeted in a cyberattack. Worldwide, 39 million SHEIN account credentials were stolen, including the credentials of more than 375,000 New York residents. Attackers stole credit card information and personal information, including names, email addresses, and hashed account passwords. Zoetop did not detect the intrusion and was later notified by its payment processor that its systems appeared to have been compromised. Zoetop also represented, falsely, that it had seen no evidence that credit card information was taken from the systems.

Data security: data breaches, software support practices, password management

A quick reminder from the Latvian data protection authority DVI was published on what constitutes a data breach and how to report it. Breaches can be classified according to three well-known information security principles:

  • Confidentiality incident, (hackers have found a security “hole” in the organisation’s information system and retrieved the personal data of customers).
  • Integrity incident, (due to an incorrectly written SQL query, the integrity of the records of a customer database stored in the cloud has been lost. As a result, new records are assigned to the wrong reference fields and information related to one customer is attributed to another customer).
  • Availability incident, (due to the organisation’s incorrect backup copy policy, the existing database is overwritten with a half-year-old backup copy, without the possibility of restoring to a more current version of the database).

An organisation must therefore have developed and implemented an internal procedure for determining whether a breach has occurred, as well as a procedure for assessing the resulting risks. If it is determined that the breach is likely to pose a risk to the rights and freedoms of natural persons, the organisation must notify the supervisory authority within 72 hours. If the notification is made later, the reasons for the delay must be explained. Finally, the causes of the breach must be thoroughly investigated and measures must be taken to prevent repeated breaches in the future.

Privacy International looked into the software support practices for 5 of the most popular categories of smart devices, (smartphones, personal computers, gaming consoles, tablets, and smart TVs), and concluded that they fail to meet the expectations of the vast majority of consumers. Most EU consumers surveyed expect their connected devices to receive security updates for a much longer period than manufacturers currently offer; in many cases software updates, including security updates, are provided for a period shorter than the product’s expected life cycle. As for the accessibility of information, only a few companies appeared to have detailed policies online. It is therefore critical that software remains up to date for a long time, to keep a device secure and reduce risks to consumers’ privacy and security, stated PI.

In the context of increasing compromises of password databases, the French CNIL has updated its recommendation to take into account the evolution of knowledge and to allow organisations to guarantee a minimum level of security for this authentication method. According to a 2021 Verizon study, 81% of global data breach notifications are related to a password issue. In France, about 60% of the notifications received by the CNIL since the beginning of 2021 are related to hacking, and a large number could have been avoided by following good practice, (such as two-factor authentication or electronic certificates).

If operations relating to password management are entrusted, in whole or in part, to a subcontractor, roles and responsibilities must be precisely defined and formalised, and the level of security required and the security objectives assigned to the processor must be clearly defined, taking into account the nature of the processing and the risks it is likely to generate. Finally, while software publishers as such are not subject to the legal framework for data protection, their users are. Accordingly, the documentation of password management software must specify in detail how passwords are generated, stored, and transmitted.

Big Tech: human behaviour that leads to data breaches, Australia data leaks, Meta’s Pixel tracking tool, AI hiring tools, speech to identify mental health problems

London-based cybersecurity company OutThink has raised 10 million dollars in early-stage investments as it looks to help organisations identify human behaviour that can lead to data breaches. The company, which claims human behaviour is the source of 91% of data breaches, uses machine learning, natural language processing, and applied psychology to identify, understand and manage the attitudes, intentions, and sentiments of individuals.

Australia envisages increased penalties for data breaches following major cyberattacks. Australia’s telco, financial, and government sectors have been on high alert since Optus, the country’s second-largest telco, disclosed a hack in which personal data from up to 10 million accounts was stolen. The attack was followed by a data breach at health insurer Medibank Private, which covers one-sixth of Australians; the stolen data included medical diagnoses and procedures. Australia’s Woolworths Group also said its online retailer MyDeal had identified that a “compromised user credential” was used to access its systems, exposing the data of nearly 2.2 million users, Reuters reports.

At least 47 proposed class actions have been filed since February claiming that Meta Platforms Inc.’s Pixel tracking tool sent the plaintiffs’ video consumption data from online platforms to Facebook without their consent, in violation of the federal Video Privacy Protection Act, a Bloomberg Law analysis of court dockets found. Almost half of the new cases were filed in September alone. The complaints allege that the platforms knowingly disclosed protected information by allowing Meta’s embedded Pixel code to share a digital subscriber’s viewing activity and unique Facebook ID with the social media company.

AI hiring tools do not reduce bias or improve diversity, say Cambridge University researchers in a study of the evolving technique, which the BBC called “pseudoscience” when reporting on the study. In particular, one of the research team argues, these tools cannot be trained to identify only job-related characteristics and strip gender and race out of the hiring process, because the attributes we think are essential for being a good employee are inherently bound up with gender and race. Some companies have also found these tools problematic, the study notes. For instance, a German public broadcaster found that wearing glasses or a headscarf in a video changed a candidate’s scores.

Finally, software that analyses snippets of your speech to identify mental health problems is rapidly making its way into call centers, medical clinics, and telehealth platforms, putting privacy activists on alert, according to Axios news. Unlike Siri and Alexa, vocal biomarker systems analyse how you talk — prosody, pauses, intonation, pitch, etc. — but not what you say. While the voice sample is run through a machine-learning model that uses a capacious database of anonymized voices for comparison, it may increase systemic biases towards people from specific regions, backgrounds, or with a specific accent.

The post Data protection & privacy digest 12 – 24 October 2022: first GDPR certification seal, test databases, password management appeared first on TechGDPR.

Weekly digest 18 – 24 July 2022: personal data breaches, web hosting, targeted ads, smart video devices, geolocation & privacy https://techgdpr.com/blog/weekly-digest-26072022-personal-data-breach-web-hosting-targeted-ads-smart-video-devices-geolocation/ Tue, 26 Jul 2022 07:04:36 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: personal data breaches, EU Commission’s data transfers, non-implementation of the GDPR by a country, US-UK data access, targeted ads

In Poland, an administrative court upheld the decision of the personal data protection office UODO on the fine imposed on Bank Millennium. A personal data breach occurred when bank correspondence including client names, surnames, registration addresses, bank account numbers, etc. was lost by courier services. The UODO learned about the incident from a complaint against the bank. The controller had decided there was only a medium risk of negative consequences for the persons affected, so it did not report the breach to the supervisory authority and did not fully comply with the obligation to notify the data subjects.

In its decision the court clarified that a personal data breach occurs not only when personal data has been read by an unauthorized person, but also when the data controller cannot exclude such a situation for lack of information about it. According to the court, the supervisory authority also correctly recognised that the bank is the controller of the personal data concerned by the breach: it was the bank, and not the postal operator, that defined the purposes and means of the data processing. Postal operators and courier service providers are controllers too, but only for the data needed for correct delivery.

The European Commission urged Slovenia to fulfil its obligations under the GDPR, as well as make it possible for its data protection authority to use all the corrective powers under the legislation. The Commission considers that Slovenia has failed to fulfil its obligations stemming from the GDPR due to its persistent failure to reform its pre-GDPR national data protection framework. Slovenia now has two months to reply to the Commission’s reasoned opinion. If the reply is not satisfactory, the Commission may decide to bring this matter before the Court of Justice of the European Union. 

Conversely, according to the euractiv.com news website, the Commission may face a lawsuit for violating its own data protection rules when transferring EU users’ personal data from one of its websites to the US. Reportedly, the action was initiated by a German citizen with regard to the website of the Conference on the Future of Europe, meant to engage EU citizens in deciding the future of the bloc and its member states. Amazon Web Services hosts the website, so when a user registers for the event, personal data such as the IP address is transferred to the US. Moreover, the Commission’s website also allows users to log in via their Facebook account, a US-based platform that itself faces an investigation by the Irish data regulator on similar allegations. In parallel, a complaint was filed before the European Data Protection Supervisor, which has jurisdiction over the application of the data protection rules by EU institutions. However, the EDPS has put its investigation on hold because a lawsuit is pending, and the decision might take up to 18 months.

The US-UK Data Access Agreement will go into effect in October, according to the joint statement shared by the US Justice department. It will be the first agreement of its kind, allowing each country’s investigators to gain better access to vital data to combat serious crime. Namely, it will allow information and evidence that is held by service providers and big tech companies related to the prevention, detection, investigation or prosecution of serious crime to be accessed more quickly than ever before. This will help, for example, the law enforcement agencies gain more effective access to the evidence they need to bring offenders to justice, including terrorists and child abuse offenders, thereby preventing further victims.

According to Privacy International, the UK Department for Culture, Media and Sport (DCMS) recently ran a consultation to review the regulatory framework for paid-for online advertising. The aim, according to DCMS, is “to tackle the evident lack of transparency and accountability across the whole supply chain.” While PI agrees with the rationale for intervention, as a starting point it would like to see existing regulation, (such as the UK GDPR), properly and regularly enforced. PI would rather resources were focused on enforcing existing data protection standards, with more investigations opened into intermediaries and platforms such as data brokers, data suppliers, data management platforms, measurement and verification providers, third-party software development kits, etc. The risks to privacy do not stem from ad targeting alone, or from the content of adverts. There are many steps in the process before adverts are served in a targeted manner:

  • Data collection, (hidden means such as trackers placed on the websites you visit)
  • Profiling, (dividing users into small groups or “segments” based on previous online behaviour)
  • Personalisation, (designing personalised content for each segment), and
  • Targeting, (delivering tailor-made, targeted messages)

Through each of these stages users still have very little understanding of where the data came from, by whom and for what purpose profiling is used, how detailed the profiling practices are, etc. PI concludes that it is impossible to address the problem without tackling the whole supply chain, (eg, real-time bidding technology), and creating accountability at each stage.

Official guidance: smart video devices, geographical indications for EU producers

The French privacy regulator CNIL has published its position on the conditions for the deployment of smart video devices in places open to the public, (excluding offices, warehouses, and domestic use). For several years, says CNIL, new types of cameras equipped with artificial intelligence software have been evolving. The CNIL’s position concerns “augmented” video devices that differ from biometric recognition devices such as facial recognition devices. Two criteria make it possible to distinguish these devices:

  • the nature of the data processed: physical, physiological or behavioural characteristics;
  • the purpose of the device: to uniquely identify or authenticate a person.

A biometric recognition device will always combine these two criteria, while an “augmented” camera will meet neither, (eg, an “augmented” camera that films the street to classify the different uses: cars, bicycles, etc.), or only one of the two, (eg, an “augmented” camera that detects fights in a crowd). This distinction has legal consequences: biometric recognition devices involve the processing of so-called “sensitive” data, which is, in principle, prohibited by the GDPR, with some exceptions.

The CNIL considers that any actor who wishes to deploy an “augmented” video device will have to rely on a legal basis determined on a case-by-case basis. While none is excluded or privileged in principle, the legal basis of “legitimate interest” must not lead to a manifest imbalance between the interests pursued by the user of an “augmented” video device and the reasonable expectations of individuals, (eg, a store that analyses the mood of customers to show them targeted advertisements). More generally, the proportionality of the envisaged device, (that is to say, the conditions for implementing it in relation to the objectives pursued), must be demonstrated from the outset. Even the police are not authorised by law to connect automatic analysis devices to video protection cameras in order to detect conduct contrary to public order or offences, says the CNIL.

As such, effective data protection and privacy by design mechanisms must be implemented to help reduce the risks to data subjects. Strong safeguards include, for example, measures allowing the almost immediate deletion of source images or the production of anonymous information. Finally, the CNIL states that people generally cannot object to the analysis of their images, for example when the algorithms do not keep the images, or when the conditions for exercising this right are not practicable, (marking one’s opposition would require pressing a button, making a particular gesture in front of a camera, etc). You can read the full opinion by the CNIL, (in French), here.

The EDPS meanwhile published an opinion on protecting the personal data of EU foodstuff producers. While supporting the proposal for a regulation on geographical indications for wine, spirits, agricultural products, and quality schemes for agricultural products, the EDPS recommends that a number of measures related to the processing of personal data are clarified and added:

  • explicitly indicating the role of the European Union Intellectual Property Office as joint controller together with the European Commission;
  • identifying in the proposal itself the different categories of personal data to be included in the supporting documentation accompanying the applications for registration, oppositions and official comments, extracts from the Union register and the single document;
  • indicating in which circumstances and/or conditions it is necessary to make which categories of personal data publicly available and clearly define for which objectives;
  • assessing whether it would be appropriate to put in place a procedure whereby only individuals who demonstrate a legitimate interest have access to additional categories of personal data, such as contact details;
  • the chosen data retention period for the documentation related to the cancellation of geographical indications should be further justified or reduced.

Enforcement actions: passwords in clear text, wrongful emails, membership and consent, web hosting, vehicle geolocation, healthcare data, Google Workspace

The Danish data protection authority Datatilsynet has expressed serious criticism of Salling Group for having stored a number of customers’ passwords in clear text in a log file from one of the grocery group’s websites. The error persisted for more than a year. Salling Group uses a common login, the Salling Group profile, so that the same username and password can be used on all the services to which the profile gives access. In 2021, Salling Group implemented a monitoring tool to register incidents and events. Due to a human error, customers’ passwords were not encrypted before being stored in the tool’s log file when the customers logged in to the website.


As a result, up to 146 internal users in the Salling Group had technical access to read both usernames and passwords of a number of customers who had logged in on the website. Had this access been used, it would have been possible to obtain the name, address, email address, telephone number, masked payment card information and purchase history of a number of Salling Group’s customers. The regulator also ordered the company to notify the customers whose passwords had been stored unencrypted in the monitoring tool’s log.
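The failure mode in the Salling Group case, a monitoring tool writing login requests to its log before credentials are stripped, is illustrated by this added Python example, which is not Salling Group’s code: the unsafe event beside a version that redacts credentials before serialisation, and a scan over constructed log lines that locates passwords which already leaked. All function names, field names and sample lines are assumptions.

```python
"""Added example: keep credentials out of a monitoring log, and find the ones
that already leaked. Not from Salling Group or any vendor; names are assumed."""
import json
import re
from typing import Any, Iterable, List, Optional
from urllib.parse import parse_qsl, urlencode

# Substrings of field names that must never reach a log sink (assumed list;
# extend it with your application's own parameter names).
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "authorization", "api_key")
REDACTED = "[REDACTED]"


def _is_sensitive(key: str) -> bool:
    lowered = key.lower()
    return any(marker in lowered for marker in SENSITIVE_KEYS)


def redact(value: Any) -> Any:
    """Recursively replace the values of sensitive keys in nested dicts and lists."""
    if isinstance(value, dict):
        return {k: (REDACTED if _is_sensitive(str(k)) else redact(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def redact_query(query: str) -> str:
    """Redact sensitive parameters in a URL query string, keeping the other pairs."""
    pairs = parse_qsl(query, keep_blank_values=True)
    cleaned = [(k, REDACTED if _is_sensitive(k) else v) for k, v in pairs]
    return urlencode(cleaned, safe="[]")  # keep the marker's brackets readable in the log


def unsafe_login_event(body: dict) -> str:
    """The failure mode described above: the raw request body goes into the event."""
    return json.dumps({"event": "login", "body": body})


def safe_login_event(body: dict, query: str = "", headers: Optional[dict] = None) -> str:
    """Build the monitoring event with credentials stripped before serialisation."""
    event = {
        "event": "login",
        "body": redact(body),
        "query": redact_query(query),
        "headers": redact(headers or {}),
    }
    return json.dumps(event)


# Patterns for a retrospective scan of log lines: a JSON field or a query
# parameter named like a password whose value is not the redaction marker.
_LEAK_PATTERNS = (
    re.compile(r'"(?:password|passwd|pwd)"\s*:\s*"(?!\[REDACTED\]")[^"]+"', re.IGNORECASE),
    re.compile(r'(?:^|[?&\s])(?:password|passwd|pwd)=(?!\[REDACTED\])[^&\s"]+', re.IGNORECASE),
)


def find_leaked_credentials(lines: Iterable[str]) -> List[int]:
    """Return the 1-based numbers of lines that appear to hold a plaintext credential.

    Only line numbers are returned, so the scan does not copy the secrets anywhere.
    """
    return [n for n, line in enumerate(lines, start=1)
            if any(p.search(line) for p in _LEAK_PATTERNS)]


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    "2022-07-01T10:00:00Z INFO " + unsafe_login_event({"username": "alice", "password": "hunter2"}),
    "2022-07-01T10:00:01Z INFO " + safe_login_event({"username": "bob", "password": "letmein"}),
    "2022-07-01T10:00:02Z INFO GET /login?user=carol&password=S3cret",
    "2022-07-01T10:00:03Z INFO GET /products?category=dairy",
]

if __name__ == "__main__":
    print("lines with leaked credentials:", find_leaked_credentials(SAMPLE_LOG))  # [1, 3]
```

The scan only reports line numbers, so the remediation step (purging and rotating) can be done without the secrets being copied into yet another file.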

In a separate ruling, Datatilsynet also assessed the benefits of membership, (of Magasin’s customer club Goodie), in return for giving consent to marketing. A consumer is not prevented from buying certain products/services simply because consent is not given; they will simply pay the regular prices and receive the general discounts that apply at Magasin. In other words, it is voluntary whether a customer gives marketing consent in exchange for benefits or buys products/services on normal market terms. Members can revoke their consent to marketing at any time, with the consequence that their membership of the customer club ends. There are no costs associated with revoking consent, and on registration for the customer club it is clearly stated that revoking consent results in the termination of membership. On this basis, the Danish regulator found that Magasin’s processing of personal data had taken place in accordance with data protection regulations. The full decision, (in Danish), is available here.

The Spanish privacy regulator AEPD fined DKV Seguros y Reaseguros, (health insurance for individuals), 220,000 euros for confidentiality and security violations, (Art. 5, 32, 33 GDPR), Data Guidance reports. According to the individual plaintiff, between 2020 and 2021 they received dozens of emails from the company containing medical clearances of unknown individuals, including those individuals’ names, surnames, and test data. The AEPD further specified that the plaintiff had repeatedly brought the situation to the attention of DKV Seguros y Reaseguros, but the company did not act until it received notice from the regulator. The investigation found that:

  • the company’s technical and organisational security measures were inadequate, taking into consideration that the data in question was of a sensitive nature; 
  • the company had failed to notify the AEPD that it had suffered a personal data security breach since it had become aware of it back in 2020. 

However, the AEPD noted that due to an admission of guilt and a voluntary payment on the part of the defendant, the fine was reduced by 20%.

Meanwhile, the Berlin data protection commissioner is examining data processing contracts between web hosting providers and their customers. Many organisations operate their websites or online shops via a third-party service provider. As a rule, the related data processing takes place on behalf of the responsible party, the site operator. This means that the web hoster is technically a processor and a specific contract needs to be signed. In order to support responsible parties and protect them from future sanction and enforcement actions, the Berlin data protection commissioner is examining the agreements of selected large web hosters in the area. Many organisations in Berlin have complained about standard form contracts offered by web hosting companies that are not willing to change them. The regulator therefore encourages all IT service providers to check their standard contracts on their own initiative and to adapt them to the law.

The HIPAA Journal has published the latest statistics on healthcare data breaches in the US. Reportedly, there were 31 reported breaches of 10,000 or more healthcare records in June, the same number as in May 2022, two of which, (the Texas Tech University Health Sciences Center and Baptist Medical Center), affected more than 1.2 million individuals. Healthcare providers were the worst affected HIPAA-covered entities, along with business associates. Several healthcare providers submitted breach reports in June 2022 due to a ransomware attack on a HIPAA business associate, Eye Care Leaders. At least 37 healthcare providers are now known to have been affected by that ransomware attack, and more than 3 million records are known to have been exposed in it.

The French CNIL has imposed a penalty of 175,000 euros against the company UBEEQO International, (short vehicle rentals), for having disproportionately infringed the privacy of its customers by geolocating them almost permanently. The checks covered in particular the data collected, the retention periods defined, the information provided to individuals and the security measures implemented. The CNIL found in particular that, during the rental of a vehicle by an individual, the company collected data relating to the geolocation of the rented vehicle every 500 meters when the vehicle was in motion, when the engine was turned on and off or when the doors opened and closed. In addition, the company kept a history of some of the collected geolocation data for an excessive period of time. The company argued that vehicle geolocation data was collected for different reasons:

  • ensure the maintenance and performance of the service, (eg, check that the vehicle is in the right place, monitor the state of the fleet);
  • find the vehicle in case of theft;
  • assist customers in the event of an accident.

The CNIL considers that none of these purposes justifies collecting geolocation data as fine-grained as that collected by the company. Such a practice is very intrusive into the privacy of users, since it is likely to reveal their movements, the places they frequent, and all the stops made during a journey.

Finally, the Danish data protection agency has made a final decision in the case concerning the use of Google Chromebooks in Elsinore municipality, EDPB reports. Last year the municipality of Elsinore was ordered to carry out a risk assessment of its processing of personal data in primary schools using Google Chromebooks and Workspace. Based on the documentation and risk assessment for the data subjects which the municipality prepared, the regulator has now found that the processing does not meet the requirements of the GDPR on several points. The municipality, as controller, has not assessed some specific risks of the data processor set-up, namely which processing activities the controller, as a public authority, is allowed to carry out. In addition, the data processor agreement states that information can be transferred to third countries for technical support without the required level of security and protection. The regulator has now issued a new decision. It contains, among other things:

  • A suspension of the municipality of Elsinore’s data processing where information is transferred to third countries without the necessary level of protection.
  • A general ban on processing of personal data with Google Workspace until adequate documentation and impact assessment has been carried out and until the processing operations have been brought into line with the GDPR.  

Many of the specific conclusions in this decision probably will apply to other Danish municipalities that use the same data processor setup as Elsinore. 

Data security: private correspondence for a government

The UK Information Commissioner called for a government review into the systemic risks and areas for improvement around the use of private correspondence channels – including private email, WhatsApp and other similar messaging apps. The investigation found that the lack of clear controls and the rapid increase in the use of messaging apps and technologies had the potential to lead to important information around the government’s response to the pandemic being lost or insecurely handled. 

An example of this included some protectively marked information being located in non-corporate or private accounts outside of the Department of Health and Social Care’s official systems. This information, stored on outside servers, betrays an oversight in the consideration of storage and retention of information and the associated risks this could bring. Although the use of private channels brought some real operational benefits at a time in which the UK was facing exceptional pressures throughout the COVID-19 pandemic, it is of concern that such practices continued without any review of their appropriateness or the risks they present.

Big Tech: Microsoft cloud for governments, DiDi Global privacy fine, UBER massive data breach

Microsoft is beefing up its cloud offer, in partnership with Italy’s Leonardo and Belgium’s Proximus, by launching a public cloud to serve government customers. Dubbed the “Cloud for Sovereignty”, Microsoft says it will offer greater control over data, be cheaper, and be closer to developing technology. Rivals Amazon and Google are doing good cloud business in the US and elsewhere, but the EU’s privacy watchdog is currently checking whether private cloud operators are doing enough to ensure the safety of public data.

Chinese ride-hailing service DiDi Global has been hit with a billion-dollar fine by the national cybersecurity regulator for going public on the NYSE before a Chinese probe into the company’s data practices had been completed. The probe found user data had been illegally collected for years, and that DiDi had endangered national cybersecurity with their data processing methods. The inquiry forced the New York delisting of the company, which says it will review and change its practices.

Uber has admitted to failing to report a massive 2016 data breach and covering it up from regulators for a year, as part of a non-prosecution agreement in the ongoing federal criminal case in California. Data from over fifty million users was stolen, but the company points to a complete overhaul of its data protection and privacy practices and a change of top management since then. The company also fully cooperated with prosecutors. Uber has already paid out nearly 150 million dollars across all 50 US states in civil litigation related to the breach, Reuters reports.

Weekly digest January 3 – 9, 2022: CNIL fines Google and Facebook for making rejecting cookies difficult https://techgdpr.com/blog/weekly-digest-10012022-cnil-fines-google-facebook-for-making-rejecting-cookies-difficult/ Mon, 10 Jan 2022 09:54:54 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Enforcement actions: Google, Facebook, FreeMobile, Myheritage, credit assessment by mistake, access rights misconduct

France’s data protection regulator, the CNIL, has fined Alphabet’s Google a record 150 mln euros for making it difficult for users to refuse online trackers known as cookies. Meta’s Facebook was also fined 60 mln euros for the same reason. The CNIL noted that the facebook.com, google.fr and youtube.com sites do not allow users to refuse cookies as simply as they can accept them: they offer a button allowing cookies to be accepted immediately, whereas refusing them requires several clicks. Since internet users expect to be able to consult a site quickly, not being able to refuse cookies as simply as possible can influence them to give consent. The two companies have three months to comply with the CNIL’s orders or face an additional penalty payment of 100,000 euros per day of delay. These orders include the obligation for Google and Facebook to provide French internet users with simpler tools for refusing cookies.

The CNIL also imposed a fine of 300,000 euros on Free Mobile, (a wireless service provider), for failing to respect individuals’ rights and to ensure the security of users’ data. The CNIL had received many complaints concerning the difficulties encountered by individuals in a) getting responses to their requests for access, b) objecting to receiving commercial prospecting messages, or c) being billed after subscriptions had been cancelled. Also, the mobile operator transmitted users’ passwords by email, in clear text, when they subscribed to an offer, without these passwords being temporary or the company requiring them to be changed. All of the above infringes Art. 12, 15, 21, 25 and 32 of the GDPR.

The Norwegian data protection authority has fined Elektro & Automasjon Systemer, (EAS), 20,000 euros for carrying out an individual’s credit assessment without a legal basis (Art. 6 of the GDPR). The data subject in this case had no customer relationship or other connection to EAS’s business. EAS admitted that the credit check took place by accident, due to the general manager’s lack of understanding of a credit assessment tool, DataGuidance reports. Although EAS did not store the credit information, the damage occurred the moment the sensitive data was collected and processed. A credit rating is the result of compiling personal information from many different sources: individuals’ personal finances, payment remarks, voluntary mortgages and debt ratio. The aggravating factors were a lack of technical and organisational measures, and of internal controls and guidelines for when and how a credit assessment can be carried out.

The Spanish data protection regulator, the AEPD, published a couple of similar decisions, (in Spanish), on deficiencies regarding cookie and privacy policies, including:

  • against the owner of a website who did not provide users with a cookie banner on the main page that allowed an immediate “Reject all” option. The site also lacked clear information on user tracking through registration forms, questionnaires and the comments section, as well as through embedded content from other sites. Also, the privacy policy wrongly identified the data controller.
  • against Myheritage LTD for similar deficiencies regarding the cookie policy on its Spanish website: the use of non-necessary cookies, no possibility of rejecting them, and a lack of information on the cookies used. Additionally, the AEPD found that MyHeritage omitted two pieces of information in its privacy policy: the possibility of exercising the right to data portability and the right to file a claim with the supervisory authority, DataGuidance reports.

The AEPD also issued a warning to a company for non-compliance with individuals’ rights to access their data and to receive a legally established reply. Under the threat of a fine, the company was forced to complete the process and notify the claimant whether the request was approved or denied, or indicate the reasons for which the request was not applicable.

Official guidance: employees access rights, data breach notification, real-world data in clinical study

The French CNIL published its guide, (in French), on the right of employees to access their data. The right of access allows a person to know whether data concerning them is being processed and then to obtain that information in an understandable format. This may include the purposes pursued by the use of the data, the categories of data processed, and the other bodies receiving the data. The process also makes it possible to check the accuracy of the data and, if necessary, to have it corrected or erased. The rules for the procedure always include:

  • verifying the identity of the applicant, (the demand for supporting documents or information must not be abusive, irrelevant and disproportionate to the request);
  • responding to the request free of charge;
  • the right of access relates to personal data and not to documents. However, in the case of emails, both can be combined: the metadata, (time stamp, recipients, etc.), and the content of the email;
  • the right of access must not infringe the rights of third parties, (business and intellectual property secrecy, right to privacy, secrecy of correspondence are regularly invoked by employers to refuse to respond favorably to employees);
  • the anonymisation or pseudonymisation of data relating to third parties constitutes good practice;
  • different rules exist to protect third party interests depending on the role of the person making the request, (when they are a sender or receiver of the information, or they are mentioned in the content of the document).

Emails identified as personal, or whose content turns out to be private despite the absence of any mention of a personal character, are subject to special protection, and the employer is not authorised to access them. Also, an employer may refuse to act on a request for the communication of emails relating to a disciplinary investigation whose content, even redacted, could allow the requester to identify persons of whom they should not be aware.

The EDPB published practice-oriented guidelines on examples regarding personal data breach notification. Their aim is to help data controllers decide how to handle data breaches and what factors to consider during risk assessment, and to suggest organisational and technical measures for preventing and mitigating the impact of hacker attacks. The document complements the Article 29 Working Party guidelines and reflects the common experiences of the supervisory authorities across the EEA since the GDPR became applicable. The paper includes 18 case studies from sectors such as hospitals, banking and HR:

  • ransomware, (with or without proper backups, with or without exfiltration), and data exfiltration attacks, (on job application data, hashed passwords, credential stuffing);
  • internal human risks, (by employees, trusted third parties);
  • lost or stolen devices, (encrypted or unencrypted), and paper documents;
  • mailing mistakes, and social engineering, (identity theft, mail exfiltration).

The UK Medicines and Healthcare products regulator, the MHRA, has published its guidance on the use of real-world data (RWD) in clinical studies. RWD is the vast amount of data collected on patients in electronic health records, disease and patient registries, wearable devices and specialised/secure websites, as opposed to data specifically collected in a clinical study. Among many quality provisions, the guide demands that the sponsor, (data controller), include a protocol in the study describing the tools and methods for the selection, extraction, transfer and handling of data, and how it has been or will be validated. It is essential that processes are established to ensure the integrity of the data from acquisition through to archiving, and that sufficient detail is captured to allow for the verification of these activities, including across different centres and countries. Thus, it is important to establish which privacy and security policies apply to the use of the database, interoperability issues, restrictions on the transfer, storage, use, publication and retention of the data, etc. Identical processes would need to be in place for any additional data collected outside of the main source database.

Legal processes and redress: pilot consent e-service, genetic information privacy, medical records snooping incident

The Estonian Information System Authority, the RIA, announced its new consent service that allows companies to ask the state for an individual’s data. The e-service, developed and managed by the RIA, allows a person to give permission to the Estonian state to share their personal data with a certain service provider. It is first being used in the instalment application process: if a person gives their consent in the consent service environment, the bank will check the person’s solvency against the database of the Tax and Customs Board, on the basis of which a data-based decision to allow the person to pay in instalments can be made. It will be possible to see all given consents and revoke them at any time. The consent service is currently available to Estonian citizens and requires a valid strong authentication tool (ID-card, Mobile-ID or Smart-ID).

In California, the Genetic Information Privacy Act takes effect in January, DataGuidance reports. The Act applies to direct-to-consumer genetic testing companies and requires such companies, among many things, to honour a consumer’s revocation of consent, take reasonable measures to ensure that the information cannot be associated with a consumer or household, and publicly commit to maintain and use the information only in de-identified form and not to attempt to re-identify it, except for compliance checks required by law. A company must also contractually obligate any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household, etc.

The Norwegian Supreme Court recently gave a hospital the right to dismiss an employee who had “snooped” on the medical record of her partner’s ex-wife, and a patient in the same hospital, Lexology website reports. The employee read several documents in the ex-wife’s medical record to avoid meeting her and to find out in which ward she was staying. Before the employer became aware of the snooping incident, the employee held that the ex-wife knew that she had looked at her medical record as she had sent a text message to her, which resulted in a heated exchange. The court concluded that the snooping was a serious and gross breach of duty and trust, and that there were means other than accessing medical records to obtain such information. 

The court assesses, among other things, whether the employer based its decision on information that it was aware of at the time of dismissal. In the case at hand, the employer had not referred in its reasoning to the text messages or to the fact that the employee had failed to notify the employer of the unauthorised access to medical files. The court held that both were a natural extension of the violation of the snooping ban. The hospital was therefore still allowed to rely on this information, even though it did not include it in its reasoning immediately after the employee’s dismissal.

Data security: healthtech vendors

In the US, tech vendor Ciox Health recently reported an email breach that affects dozens of health entities. In its notice, the healthcare information management vendor said an unauthorised person accessed one employee’s email account, potentially downloading emails and attachments containing various kinds of patient data. However, the employee did not have direct access to any healthcare provider’s or facility’s electronic medical record system. In total, the HIPAA Breach Reporting Tool showed about 700 major health data breaches affecting 45 mln individuals in 2021. Vendor incidents were responsible for nearly 47% of the individuals affected. Among the most critical measures that tech healthcare providers could implement are comprehensive business associate agreements, say US legal experts. The attestation questions in them may include, but are not limited to:

  • Does your organization require annual training for workforce members?
  • Do you undergo an annual risk analysis to evaluate the requisite technical, administrative, and physical safeguards?
  • Do you have business associate agreements in place with all required persons?
  • Is your data encrypted both at rest and in transit?

Also, covered entities should continually monitor industry trends, reassess their business associate/vendor relationships, and keep their board informed about any potential risks.

Big Tech: no-cookie data transfer, Norton 360 cryptominer, China’s credit scoring and overseas listings, Fisher-Price toy’s privacy failure

Google’s new patent describes technology that enables data transfer without cookies, the MediaPost website reports. The US Patent and Trademark Office granted Google a patent describing a web-browser-based application programming interface that can control the authorisation of data transmissions within a network and attribute a click without using cookies. The system can reduce the number of transmissions that do not result in content for the client device, saving bandwidth and computational resources for the client device. According to the patent, a website can transmit small packets of data to the client device when it visits the website; these can include preferences or session information, or can be used to authenticate and maintain a session between the client device and the device hosting the website. The full patent document is available here.

According to the KrebsOnSecurity blog, Norton 360, one of the most popular antivirus products on the market today, has installed a cryptocurrency mining program on its customers’ computers: “Norton’s parent firm says the cloud-based service that activates the program and allows customers to profit from the scheme — in which the company keeps 15 percent of any currencies mined — is “opt-in,” meaning users have to agree to enable it. But many Norton users complain the mining program is difficult to remove”. Reportedly, there is no way to fully opt out of the program, and the user actually has to dig into NCrypt.exe in their computer’s directory to delete it. Meanwhile, some longtime Norton customers were horrified at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default.

China’s central bank said it will adjust the legal framework around financial credit scoring if needed, state media reported, an indication that authorities may tweak guidelines for fintech firms on the amount and type of user data they can collect. The People’s Bank of China has just implemented new rules on what kinds of data can be collected for credit scoring and clarified which kinds of businesses the rules apply to. It also urged companies to apply for credit scoring licences and to refrain from excessive collection of user data. AI, blockchain, cloud computing and big data have developed rapidly over recent years in China, prompting governmental concerns about how private individuals could be affected by the technology, Reuters reports.

China will also order cybersecurity reviews for platform firms seeking overseas listings. The Cyberspace Administration of China said the new rules come into effect on Feb. 15 and apply to platform companies with data on more than 1 million users. However, based on the rules, it remains unclear which types of companies would be affected. The regulator would also implement new rules on March 1 on the use of algorithm recommendation technology to increase oversight of news providers that use the technology to disseminate information. The rules will give users the right to switch off the service if they choose. 

Finally, researchers identified a vulnerability in a children’s Bluetooth-connected toy phone, IAPP News reports. Security researchers at Pen Test Partners found that the US Fisher-Price Chatter telephone uses Bluetooth Classic with no secure pairing process. When powered on, it simply connects to any Bluetooth device in range. Thus, someone nearby could use the Chatter telephone to speak to and listen to a child in your home, or to bug the neighbours. The attacker can make the Chatter phone ring, so an unsupervised child is likely to answer. While Mattel said the Bluetooth pairing times out once a connection occurs or if none is made, TechCrunch claims that in its attempts the pairing process did not time out after more than one hour.
