data for research purposes Archives - TechGDPR
https://techgdpr.com/blog/tag/data-for-research-purposes/ (feed built Wed, 11 Jun 2025 12:02:54 +0000)

Data protection digest 17 – 30 July 2023: guide on website analytics, health care data sharing, and COPPA 2.0
https://techgdpr.com/blog/data-protection-digest-01082023-guide-on-website-analytics-health-care-data-sharing-and-coppa/ (Wed, 02 Aug 2023 07:07:05 +0000)

The post Data protection digest 17 – 30 July 2023: guide on website analytics, health care data sharing, and COPPA 2.0 appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance

Website analytics: There are many website analytics and tracking tools on the market, notes the Norwegian data protection regulator, but that doesn’t necessarily mean it is legal to use them on your website. Be prepared to follow the GDPR even if you do not know the name or identity of those visiting your site. The analysis tools collect a lot of information, which either alone or in combination can constitute personal data. If you currently run an analysis tool that collects information you do not use for anything, you are breaking the law:

  • You must have a legal basis for processing. 
  • There are many requirements for user consent to be valid. The mere existence of the cookie banner is not enough.
  • Choose tools that promise to only process personal data on your behalf and as you decide. 
  • On some websites, the visitors’ behaviour can in itself reveal special categories of personal data, (eg, mental health care).
  • Many service providers have offices or subcontractors in countries outside the EU/EEA. You must check this before using the tool. 
  • Make sure you provide honest and easily understandable information to the visitors, and respect their data subject rights.

Health care data aggregation: The French data protection regulator published recommendations for actors in the digital health sector, (in French). The sandbox projects included federated learning between several health data warehouses, a diagnostic aid solution in oncology, anonymous statistical indicators of populations in medical research, and a therapeutic game. The GDPR states that data processing in the field of health must be implemented in the public interest, and can only be mobilised by public entities, or legal entities entrusted with a public service mission. 

Thus, commercial projects, (start-ups), should be based on their legitimate interests. People’s consent in many cases was also ruled out as the companies are not in a position to collect it, particularly for the reuse of data from healthcare establishments. Finally, whenever non-anonymous data is exported, an ad hoc risk analysis must be performed to determine the necessary security measures. Continuity of security measures outside of the workplace should be ensured as much as possible. 

Customer location data: More retailers and companies are transferring their loyalty programs to mobile applications. These often demand access to the customer’s location-related data to personalise offers for each customer, taking into account their habits and other information. Regardless of the legal basis applied by the merchant for the data processing, (both consent and legitimate interest are possible), the customer has all the rights specified in the GDPR. Completely ceasing the loyalty program if the customer withdraws consent only to the processing of geolocation data will not comply with regulatory requirements. Therefore, when developing an application, it is necessary to take into account different possible levels of the loyalty program, granular consent, and withdrawal.

EdTech development: The French regulator also published a summary of the main recommendations, (in French), based on the “sandbox” project in the EdTech sector. That included actors developing a portfolio of learning skills, a communication solution in the school context, creating a warehouse of learning traces with a view to their publication and analysis, and providing a “personal cloud” for students connected to their digital workspace. During the “sandbox” support, among other things, the technical architecture of the solutions was analysed with the data controllers and their subcontractors. It has to be noted that:

  • State establishments, (eg, primary schools), do not have a legal personality; teachers and directors are acting as agents of the administration of national education. 
  • When onboarding a technical solution, the Ministry of national education must be considered as the only data controller, (in joint controllership with the municipality). 
  • The company offering technical solutions would become a subcontractor. 
  • For processing operations that pursue “school” purposes, the legal basis of the “mission of public interest” has been considered the most appropriate to establish.
  • Other treatments may demand individual, (eg, parental) consent. 
  • Only authorised subcontractors and recipients of pupils’ data are allowed. 
  • Information notices must be adapted to different age groups, and more generally to the degree of maturity of the pupils concerned. 

Legal processes and redress

Non-material damage under the GDPR: The Dublin District Court awarded 2000 euros compensation to a plaintiff regarding the use of CCTV footage of him by his employer, which led to victimisation from colleagues, serious embarrassment, and loss of sleep. As part of a meeting involving quality control and other managers and supervisors, CCTV video was displayed to various personnel. The plaintiff was not present at the meeting and found out afterwards that the tape had been utilised. The company’s data protection policies regarding CCTV were not clear or transparent, and no legitimate interest assessment about the remote monitoring of the workers was carried out. Read more details of the case in the original analysis by the Irish lawyers.

US state privacy legislation: The most recent comprehensive state consumer data privacy law has been passed in Oregon. The law has some unique provisions despite being similar to consumer data privacy laws passed in different states. It applies to nonprofit organisations, has broad definitions of covered data, (including categories of sensitive and biometric data, as well as derived data), a smaller HIPAA, (protected health information), carveout, and grants Oregon residents the right to request a list of the third parties to whom controllers disclosed their data, opt-out options and more. Meanwhile, the Colorado Privacy Act has been enforceable since 1 July, making Colorado the third state after California and Virginia to pass a comprehensive privacy law to protect its residents.

COPPA 2.0: Amendments to the Children’s Online Privacy Protection Act, (and the Kids Online Safety Act), have been approved by a Senate Committee. They would close a loophole that allows companies to abuse minors’ data with little accountability and makes it harder for the regulator to prove violations. It would be unlawful for a digital service or connected device directed at children or teens to collect, use, disclose to third parties, or compile their data for profiling and targeted marketing unless the operator has obtained consent from the relevant minor, (“verified parental consent”). Operators must also treat each user as a child or minor unless content is deemed to be directed to mixed audiences.

Enforcement decisions

Security measures: Open Bank was fined 2.5 million euros by Spain’s data protection regulator for failing to implement a framework to permit encrypted communication. In order to comply with anti-money laundering legislation, the complainant was asked to confirm the origin of funds received in their bank account. However, the only possibility was to provide the information by email, (rather than through a secure direct channel). The information requested by Open Bank is classified as ‘financial data,’ which requires the implementation of strengthened safeguards. The regulator decided that Open Bank did not implement a data protection strategy from the start, neither before nor during processing.

In another recent example, the Polish regulator punished a firm to the tune of almost 9000 euros for losing employees and contractors’ personal data in a ransomware attack. The organisation failed to complete a risk assessment, notify the regulator of the breach within 72 hours of becoming aware of it, and notify the data subjects affected by the breach. The regulator also claimed that the company did not comply fully throughout its inquiry. In particular, the company’s communication was frequently inconsistent.

Non-registration with the regulator: Guernsey’s data protection authority is to pursue legal action for failure to register. It is a legal requirement for any organisation, (including sole traders), that handles people’s personal information during the course of its business activities – even if this is just names and addresses – to register with the Guernsey regulator. If you are not sure if you need to register, there are three clear criteria:

  • You, (whether a sole trader, organisation, business, charity, landlord, business association etc.), are established in the Bailiwick of Guernsey.
  • You are working with personal data, (any information that may identify individual people, such as staff members, your clients, your business contacts, your service users, your tenants etc.), either as a ‘controller’ or a ‘processor’.
  • The activity you are performing is not part of your personal/household affairs.

Non-cooperation with the regulator: According to Data Guidance, the Polish data protection authority fined a company 8000 euros for failing to cooperate, (Art. 58 of the GDPR). The regulator received a complaint alleging that the firm had improperly shared personal information with a third party. The regulator sent the business several letters demanding further information, including the legal basis and purpose of processing. The organisation, however, did not react to any of the letters.

Reimbursement app: A one million euro fine was imposed by the Italian privacy regulator on Autostrade per l’Italia (ASPI) for having illegally processed the data of around 100,000 registered users of the toll reimbursement app, called Free to X. The critical issues of the service – which allows the total or partial refund of the cost of the motorway ticket for delays due to construction sites – had been reported by a consumer association. The authority has ascertained that Autostrade plays the role of data controller and not of data processor, as erroneously indicated in the documentation that governs the relationship between ASPI and the company Free to X, which created and manages the app.

Meta behavioural ads: The Norwegian data protection authority has prohibited Meta from adapting advertising based on monitoring and profiling of users in Norway. The decision comes shortly after the CJEU stated that Meta’s data practices still do not take place legally. When Meta decides which ads you get to see, they also decide which content you don’t get to see. This affects freedom of expression and information in society. There is a danger that behaviour-based marketing reinforces existing stereotypes or that it can lead to unfair discrimination between different groups. Behaviour-based targeting of political advertisements is particularly problematic.

Medical data anonymisation for research: The Italian regulator fined a company for processing the health data of numerous patients collected from around 7000 general practitioners without adopting suitable anonymisation techniques. The GPs adhering to the international health research initiative had to add to their management system “Medico 2000” a function, (a “data extractor” add-on), aimed at automatically anonymising patient data and transmitting them to the above company. In fact, the tool only pseudonymised the patients’ data. There was also the erroneous attribution of the role of data controller to the GPs, and therefore the absence of a legal basis for data processing by the company.

Data security

Videoconferencing tool: The EDPS has found that the use of Cisco Webex videoconferencing and related services by the CJEU meets the data protection standards under Regulation 2018/1725 applicable to EU institutions, bodies, offices and agencies. However, the decision is not a general endorsement nor certification of data protection compliance of the videoconferencing services provided by any Cisco Webex entity.

With regard to technical safeguards, the court confirmed that support information is encrypted in transit, while case attachments are encrypted both in transit and at rest, in order to secure personal data from accidental loss and unauthorised access, use, alteration, and disclosure. The keys for encryption are managed by Cisco. 

The court also took organisational measures to limit or avoid transfers of personal data outside of the EU/EEA: in case Cisco needs to have remote access to the court’s Cisco Webex infrastructure, the DPO of the court, in collaboration with the court network engineers, shall analyse the possible risks for the data subjects and decide on the legitimacy of this access.

Ryanair facial recognition: Privacy advocacy group NOYB filed a complaint against Ryanair, alleging that the airline is violating customers’ data protection rights by using facial recognition to verify their identity when booking through online travel agents. The airline outsources this process to an external company named GetID. This means that customers have to entrust, (by consenting to it), their biometric data to a company they have never heard of or had a contract with. Passengers can avoid it by showing up at the airport at least 2 hours before departure or submitting a form and picture of their passport or national ID card in advance. 

Big Tech

Alexa child accounts and geolocation: The US Federal Trade Commission will require Amazon to overhaul its deletion practices and implement stringent privacy safeguards to settle charges the company violated the Children’s Online Privacy Protection Act and deceived parents and users of the Alexa voice assistant service about its data practices. Amazon claimed it retained children’s voice recordings in order to help it respond to voice commands, allow parents to review them, and improve Alexa’s speech recognition algorithm. 

Among many requirements, Amazon will have to implement a process to identify inactive Alexa child profiles. Following the identification of any inactive child profile, the company shall delete any personal information, (voice recordings and geolocation information), within 90 days, unless the parent requests that such information be retained. Misrepresenting the privacy policies related to geolocation and children’s voice information will also be prohibited.

Amazon Go shops: A recent class action against Amazon in New York over its cashier-less Amazon Go shops was voluntarily terminated for unspecified reasons. Previously, the complaint claimed that Amazon acquired biometric data from customers in violation of a New York City Biometric Identifier Information Statute. According to the complainant, Amazon scanned customers’ hands and illegally uses technologies such as computer vision, deep learning algorithms, and sensor fusion to measure customers’ bodies to identify and monitor where they walked in the shop and what they purchased. The lawsuit demanded 500 dollars for each infraction of the legislation.

Worldcoin biometric verifications: Members of the public in selected locations worldwide are being encouraged to have their eyes scanned as part of a cryptocurrency initiative that tries to distinguish humans from AI systems via biometric verification. The Worldcoin protocol operates by providing biometrically verified individuals with a digital identity in the form of a Worldcoin token, which promises to be the first crypto token to be issued globally and freely to people simply for being genuine individuals. Users will also receive access to the app, which will allow them to make global payments, purchases, and transfers utilizing digital and traditional currencies. The UK Information Commissioner’s Office commented on the situation:

  • The organisation must conduct a data protection impact assessment before starting any processing that is likely to result in high risks, such as processing special category biometric data. 
  • Where they identify high risks that they cannot mitigate, they must consult the regulator.
  • The organisation also needs to have a clear lawful basis to process personal data. Where they are relying on consent, this needs to be freely given and capable of being withdrawn without detriment.

Data protection & privacy digest 4 – 17 Feb 2023: synthetic data for fintech, MS Excel guide, Palantir technology ban
https://techgdpr.com/blog/data-protection-digest-20022023-synthetic-data-for-fintech-excel-guide-palantir-technology-ban/ (Mon, 20 Feb 2023 09:30:09 +0000)

The post Data protection & privacy digest 4 – 17 Feb 2023: synthetic data for fintech, MS Excel guide, Palantir technology ban appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress: synthetic data for fintech, draft Data Act, DPO dismissals

The UK Financial Conduct Authority, (FCA), issued a statement on synthetic data for beneficial innovation in UK financial markets. It strongly indicated fraud and anti-money laundering as a key use case for synthetic data, in part due to its ability to augment rare patterns of behavior in a dataset. Whilst the data protection legislation places conditions on such data processing, the FCA emphasizes that data sharing between different entities, (eg, access to the real datasets, as well as synthetic transactional datasets with embedded fraud typologies), is possible under the current regulatory framework if at least one lawful basis is met, accompanied by built-in privacy by design, data protection impact assessments, data sharing agreements, and other legal requirements.

The European Parliament adopted the draft Data Act – new rules for fair access and use of industrial data. It would contribute to the development of new services, in particular in the sector of AI where huge amounts of data are needed for algorithm training. It can also lead to better prices for after-sales services and repairs of connected devices. When companies draft their data-sharing contracts, the law will rebalance the negotiation power in favour of SMEs, by shielding them from unfair contractual terms imposed by companies that are in a significantly stronger bargaining position. Finally, the proposed act would facilitate switching between providers of cloud services, and other data processing services, and introduce safeguards against unlawful international data transfer by cloud service providers.

The CJEU rendered two decisions regarding the procedures for dismissing data protection officers and their potential conflicts of interest, (under the German Federal Data Protection Law), insideprivacy.com reports. In the relevant cases, the DPO also handled other organisational duties in a professional capacity. The data controllers argued that since those positions were incompatible, (chair of the work council in one of the cases), the DPO’s dismissal was appropriate. The former DPO started a legal action which ended up in the EU top court. 

However, the CJEU determined that as long as the national laws do not undermine the goals set for DPOs under the GDPR, EU member states may require that DPOs be dismissed for “just cause”. It is also for the national courts to decide whether a conflict of interest existed taking into account “all the relevant circumstances, in particular the organisational structure of the controller or its processor and in light of all the applicable rules, including any policies of the controller or its processor.”

Official guidance: MS Excel, research projects, free data protection tool, game developers

Bavaria’s data protection authority explains how to avoid data breaches when using Microsoft Excel. It is not uncommon for users to approach the program intuitively; contrary to its primary purpose, Excel is often used when the number of columns in Word is not sufficient. However, if there is personal data in an Excel workbook, improper handling of the application can easily trigger a data breach. Excel workbooks can contain multiple worksheets, (the number is only limited by the available memory), even if you don’t work regularly with such “multi-sheet” workbooks yourself. Be especially careful with Excel files created by others, as Excel workbooks can contain invisible worksheets, as well as hidden columns, rows, or even individual cells, comments, and metadata. It is worth remembering:

  • before sharing an Excel workbook with personal information, especially before attaching it to an email, make sure that you really want to share everything;
  • consider whether the recipient needs to process the file further; if not, send a PDF version, which can be checked for hidden data before sending;
  • if possible, consistently delete the worksheets that are no longer required;
  • before creating a new workbook with multiple worksheets, consider whether you can complete the task with multiple single-sheet workbooks;
  • consider whether you need Excel for the task at all or whether a “simple” resource, (eg, a word processing program), will suffice.

If not careful, an Excel data breach can trigger the reporting obligation under Art. 33 of the GDPR, and the notification obligation under Art. 34 of the GDPR.
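One practical pre-sharing check, added here as an example and not part of the regulator's guidance or the original post: an .xlsx file is a zip archive of XML parts, so hidden worksheets, hidden rows and columns, cell comments and author metadata can all be enumerated with the Python standard library before the file leaves the organisation. The workbook below is a constructed fixture (sheet names, comment text and author names are made up and it contains only the parts the audit reads); the function names are my own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the parts this audit inspects.
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_DC = "http://purl.org/dc/elements/1.1/"


def _tag(name: str) -> str:
    return f"{{{NS_MAIN}}}{name}"


def build_sample_workbook() -> bytes:
    """Constructed sample: a minimal .xlsx package holding the kinds of hidden
    data the guidance warns about (hidden sheet, hidden row and column, a cell
    comment, author metadata). It is a test fixture, not a file Excel would
    necessarily open."""
    workbook = (
        f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
        '<sheet name="Overview" sheetId="1" r:id="rId1"/>'
        '<sheet name="Salaries" sheetId="2" state="hidden" r:id="rId2"/>'
        "</sheets></workbook>"
    )
    sheet1 = (
        f'<worksheet xmlns="{NS_MAIN}">'
        '<cols><col min="3" max="3" width="0" hidden="1"/></cols>'
        "<sheetData>"
        '<row r="1"><c r="A1" t="inlineStr"><is><t>Name</t></is></c></row>'
        '<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>J. Doe</t></is></c></row>'
        "</sheetData></worksheet>"
    )
    comments = (
        f'<comments xmlns="{NS_MAIN}"><commentList>'
        '<comment ref="A1" authorId="0"><text><r><t>internal note: do not share</t></r></text></comment>'
        "</commentList></comments>"
    )
    core = (
        f'<cp:coreProperties xmlns:cp="{NS_CP}" xmlns:dc="{NS_DC}">'
        "<dc:creator>j.doe</dc:creator><cp:lastModifiedBy>hr-admin</cp:lastModifiedBy>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/comments1.xml", comments)
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


def audit_xlsx(data: bytes) -> dict:
    """Enumerate content a recipient would not see at first glance: hidden
    sheets, hidden rows/columns, cell comments and document metadata."""
    findings = {"hidden_sheets": [], "hidden_rows": {}, "hidden_cols": {},
                "comments": {}, "metadata": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Sheet visibility lives in the workbook part: "hidden" or "veryHidden".
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for sheet in wb.iter(_tag("sheet")):
            if sheet.get("state") in ("hidden", "veryHidden"):
                findings["hidden_sheets"].append(sheet.get("name"))
        for name in sorted(names):
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                ws = ET.fromstring(zf.read(name))
                # OOXML booleans may be written as 1/0 or true/false.
                rows = [r.get("r") for r in ws.iter(_tag("row"))
                        if r.get("hidden") in ("1", "true")]
                cols = [(c.get("min"), c.get("max")) for c in ws.iter(_tag("col"))
                        if c.get("hidden") in ("1", "true")]
                if rows:
                    findings["hidden_rows"][name] = rows
                if cols:
                    findings["hidden_cols"][name] = cols
            elif name.startswith("xl/comments") and name.endswith(".xml"):
                cm = ET.fromstring(zf.read(name))
                findings["comments"][name] = [
                    "".join(t.text or "" for t in c.iter(_tag("t")))
                    for c in cm.iter(_tag("comment"))]
        # Core properties carry author and last-editor names, i.e. personal data.
        if "docProps/core.xml" in names:
            for prop in ET.fromstring(zf.read("docProps/core.xml")):
                if prop.text:
                    findings["metadata"][prop.tag.split("}")[-1]] = prop.text
    return findings


def has_hidden_content(findings: dict) -> bool:
    """True when the workbook carries anything beyond what is visibly shown."""
    return any(findings[k] for k in ("hidden_sheets", "hidden_rows", "hidden_cols", "comments"))


if __name__ == "__main__":
    report = audit_xlsx(build_sample_workbook())
    for category, items in report.items():
        print(f"{category}: {items}")
    print("share as-is?", "no" if has_hidden_content(report) else "review metadata first")
```

The audit reads parts by path rather than resolving the workbook's relationship ids, which is sufficient for a pre-sending check; metadata is always reported rather than flagged, because author fields are personal data in their own right and the decision to strip them belongs to the sender.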

Meanwhile, the Danish data protection authority has amended its rules for deleting personal data at the end of research projects. Data controllers may have a legitimate need to process information for a period after the end of the investigation, (eg, for the purposes of peer review or countering accusations of scientific misconduct), so data should not always be deleted, anonymised, destroyed or returned at the end of a research project. Personal data can be transferred for storage in an archive in accordance with the rules in archive legislation. In addition, some research areas involve ongoing coverage of a field, or the continuous building of relationships or data material, where it is not meaningful to talk about a project being “finished”.

The Finnish data protection authority is promoting its data protection tool available as open source code to increase the data protection expertise of SMEs. You can familiarise yourself with the tool (in English) here. With the initial level test, the respondent can first check how well they control the basic issues of the data protection regulation. The role-mapping test helps the respondent to define what role the company plays in regard to the processing of personal data. Each role also has its own tests. The source code and content of the data protection tool are for free use, to further develop a company or industry-specific privacy tool or to produce new language versions, or even in commercial applications.

Finally, the UK Information Commissioner’s Office offers new guidance to game developers on protecting minors. The recommendations are based on the experiences and findings during a series of voluntary audits, (eg, on Yubo, Facepunch), of game developers, studios and publishers within the gaming industry:

  • The age range of the players and the different needs of children at different ages and stages of development should be at the heart of how you design your games. 
  • Designing games to promote meaningful parent/guardian – child interactions, while setting a high level of privacy by default and appropriate parental controls is key.
  • It is important to only process children’s personal data in ways that are not detrimental to their health or wellbeing. 
  • It is crucial that games do not use nudge techniques to lead children to make poor privacy decisions.
  • Bad privacy information design obscures risks, unravels good player experiences, and sows mistrust between children, parents, and game providers.

Investigations and enforcement actions: employee emails monitoring, failed data subject requests at a sports center, HBNR and BIPA violations in the US, student data management

In Austria, the data protection authority finds employer’s monitoring of employee emails unlawful. Several complainants argued that the company, without their consent and knowledge, checked the technical mail server logs of all 6,000 employees for a specific recipient domain. The reason for this control measure was the suspicion of a breach of trade secrets. The data protection authority came to the conclusion that the control measure, which only took place six months after the incident that gave rise to it, was not proportionate due to the lack of a temporal connection and the topicality. Plus, there was no valid consent from the works council. 

The Norwegian data protection authority confirmed its fine of over 900,000 euros to Sats for breach of several provisions in the GDPR. The complaints were related to the company’s failure to comply with clients’ demands for access and deletion. Furthermore, the fitness centre chain lacked the authorisation to process data about the customers’ training history. Sats is the Nordic region’s largest fitness centre chain and has its head office in Norway. Therefore the Norwegian regulator dealt with the case in collaboration with other supervisory authorities under the so-called one-stop-shop mechanism.

In the US, the Illinois Supreme Court ruled that fast food chain White Castle System must face claims that it repeatedly scanned the fingerprints of nearly 9,500 employees without their consent, (to access a company computer system), which the company says could cost it more than 17 billion dollars. The Illinois Biometric Information Privacy Act, (BIPA), imposes penalties of 1000 dollars per violation and 5000 dollars for reckless or intentional violations. The law requires companies to obtain permission before collecting fingerprints, retinal scans, and other biometric information from workers and consumers. 

Also in the US, the Federal Trade Commission has taken enforcement action for the first time under its Health Breach Notification, (HBN), Rule against the telehealth and prescription drug discount provider GoodRx Holdings, for failing to notify consumers and others of its unauthorized disclosures of consumers’ personal health information to Facebook, Google, and other companies. The company collects personal and health information about its users, including information from users themselves and from pharmacy benefit managers confirming when a consumer purchases a medication using a GoodRx coupon. 

From 2021, US health apps and smart products that collect or use consumers’ health information must comply with the HBN Rule. It ensures that entities not covered by the Health Insurance Portability and Accountability Act, (HIPAA), face accountability when consumers’ sensitive health information is breached. In the above case, GoodRx also displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with HIPAA.

The French privacy regulator CNIL gave formal notice to two higher education institutions to comply with the GDPR concerning files used for administrative and pedagogical management. Areas of non-compliance include data retention period, student information, use of subcontractors, and data security:

  • they had not provided a precise retention period for all processing of students’ personal data, nor had they provided for a purge and archiving system;
  • they do not properly inform students about the collection of their data via the various forms they fill out during their schooling;
  • they were not able to send the CNIL the duly signed data processing agreements with subcontractors;
  • they had no password policy to guarantee a minimum level of security in this area.

Data security: messaging apps

Privacy International issued a guide on communicating with others via messaging apps. Reportedly, there are two main aspects to consider: a) whether it offers end-to-end encryption that protects the content of your communication; and b) whether it collects any information beyond the content of the message, such as location, who you communicate with, and other details referred to as ‘metadata’. For sensitive conversations, it may be sensible to use disappearing messages if offered by your app, (however, it is unclear whether self-destructing messages are also recoverable by mobile phone extraction technology).

The use of E2EE for messaging should always be preferred over text messages, which are completely unencrypted meaning they can be easily read, manipulated in transit, or spoofed. They may also be stored by your telecommunications provider, which may be subject to access requests from governments and law enforcement. For example, Signal uses E2EE not only to encrypt the contents of messages but also to obscure all metadata even from itself. In contrast, both WhatsApp and Telegram store, and can access IP addresses, profile photos, “social graphs”, and more.

Big Tech: Palantir technology ban in Germany, more Tik Tok data centers in Europe

A top German court ruled against the use of software developed by Palantir Technologies, saying that police use of automated data analysis to prevent crime in some German states was unconstitutional as it infringes on the right to informational self-determination. The US company’s technology has so far been employed, among other things, to look into the criminal organisation accused of plotting to overthrow the German government in December, Reuters reports. Palantir says it only offers software for processing data. However, the German Society for Civil Rights, which brought the lawsuit, claimed the software used data from innocent people to form suspicions and could produce errors.

TikTok plans to open two more data centers in Europe, (Ireland), hoping to lessen regulatory pressure on the business. Data migration for TikTok users in Europe will start this year and last until 2024. TikTok hasn’t been subject to the same hefty fines as Google and Meta in the EU. Now TikTok is attempting to reassure governments and privacy regulators that users’ personal information cannot be accessed and that its content cannot be altered by the Chinese government or anyone else working for Beijing. 

The company also reported an average of 125 million monthly active users in the EU, under the brand-new online content rules known as the Digital Services Act. For comparison, Twitter says it has 100.9 million. Alphabet – 278.6 million at Google Maps, 274.6 million at Google Play, 332 million at Google Search, 74.9 million at Shopping, and 401.7 million at YouTube. Meta Platforms claims 255 million on Facebook and about 250 million on Instagram.

The post Data protection & privacy digest 4 – 17 Feb 2023: synthetic data for fintech, MS Excel guide, Palantir technology ban appeared first on TechGDPR.

Weekly digest 25 July – 1 August 2022: UK publishes new data protection draft bill and updates BCRs
https://techgdpr.com/blog/weekly-digest-02082022-uk-publishes-new-data-protection-draft-bill-and-updates-bcrs/ (Tue, 02 Aug 2022)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: new UK data protection draft bill, rules to prevent child abuse online

A new UK data protection draft bill has been published on a parliamentary website. It is intended to update and simplify the UK’s data protection framework, reducing the burden on organisations while maintaining high data protection standards. The bill was introduced to the House of Commons and given its first reading on 18 July; this stage is formal and takes place without debate. MPs will next consider it at the second reading on 5 September. The main provisions of the bill include:

  • greater flexibility on how to comply with certain aspects of the data protection legislation (eg, relying on legitimate interest or amending the requirement for controllers to keep logs relating to processing);
  • improving the clarity of the framework, particularly for research organisations;
  • more certainty and stability for cross-border flows of personal data;
  • changes to the Privacy and Electronic Communications Regulations 2003, relating to the confidentiality of terminal equipment, (eg, cookie rules), unsolicited direct marketing communications, (eg, nuisance calls), and communications security (eg, network traffic and location data);
  • a framework for providing digital verification services in the UK to secure those services’ reliability and enable digital identities to be used with the same confidence as paper documents;
  • a wider application of provisions on information standards, extending to providers of IT, IT services or information processing services used, or intended for use, in connection with the provision of health care or adult social care in England;
  • smart data schemes to allow for the secure sharing of customer data, (eg, held by a communications provider or financial services provider), upon the customer’s request, with authorised third-party providers;
  • use of personal data for law enforcement and national security purposes.

Meanwhile, the Irish government has approved the expansion of the Data Protection Commission, (DPC). The intention is to appoint two additional commissioners to support the evolving organisational structure, governance and business needs of the DPC. The appointments are to be made under the Data Protection Act 2018, which allows up to three commissioners. The commission and its stakeholders, such as the Irish Council for Civil Liberties, have regularly highlighted its growing workload and the complexity of its investigations. Ireland acts as the one-stop-shop lead authority for many of the Big Tech companies headquartered in the EU, and the DPC’s GDPR enforcement capacity, especially in cross-border cases, has been a point of debate across Europe in recent years.

The EDPB and EDPS have adopted a joint position on the proposal for a regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse. The proposal lacks clarity on critical elements, such as the notions of “significant risk”. Furthermore, the entities in charge of applying those safeguards, starting with private operators and ending with administrative and/or judicial authorities, enjoy a very broad margin of appreciation, which leads to legal uncertainty on how to balance the rights at stake in each case. The EDPB and EDPS also believe scanning audio communications is particularly intrusive and must remain outside the scope of the obligations in the proposed regulation, both concerning voice messages and live communications. The regulators express doubts regarding the efficiency of blocking measures and consider that requiring providers of internet services to decrypt online communications to block those concerning CSAM would be disproportionate.

Official guidance: UK BCRs, use of biometric data, age verification online

The UK Information Commissioner’s Office, (ICO), has released updated guidance on Binding Corporate Rules, (BCRs), under the UK GDPR, together with application forms and tables for data controllers and processors. BCRs as an appropriate safeguard for restricted transfers were developed under EU law and remain part of UK law under the UK GDPR, (specifically Art. 47). They are intended for multinational corporate groups, groups of undertakings or enterprises engaged in a joint economic activity such as franchises, joint ventures or professional partnerships. The guidance helps controllers prepare the UK BCR pack for approval: the application form, the binding instrument and any supporting documents. Because EU and UK BCR requirements currently overlap, the ICO has simplified the UK approval process for applicants.

The Spanish privacy regulator AEPD published a blog post, (in Spanish), on the use of biometric data from a data protection perspective. Biometric processing techniques collect and process people’s physical, behavioural, physiological or neural traits through devices or sensors, creating signatures or templates that enable the identification, monitoring or profiling of people. Some methods require the cooperation of the individual; others can capture biometric data remotely, without the individual’s cooperation or awareness. To demonstrate that the processing complies with the GDPR, the AEPD suggests classifying biometric operations according to:

  • the purpose of the biometric operation in relation to the purpose of the processing,
  • the legal framework,
  • the scope of the processing,
  • qualified human intervention,
  • transparency,
  • free choice of the data subject,
  • adequacy, sustainability and necessity,
  • data minimisation,
  • degree of user control,
  • implicit collateral effects of the biometric operation, (eg, proctoring), etc.

How can a website check a visitor’s age? The French CNIL offers some effective and privacy-friendly solutions. After analysing existing systems, the regulator recommends developing new ones. Age controls to protect young people are compatible with the GDPR, provided that sufficient guarantees are in place to minimise the privacy intrusion and to prevent the age check from becoming an opportunity for publishers to collect additional data on the Internet users visiting their site. It is also necessary to prevent the data from being captured by a third party for malicious uses, (biometric data breach, phishing, spoofing, blackmail).

Age can be verified by automated means such as a payment-card check or analysis of facial features. However, these solutions must be operated by third parties with sufficient security and reliability to avoid data theft, and the additional risks their use creates must be taken into account. Another solution is possible, says the CNIL, but presents specific technical difficulties or a lower level of maturity. In this design, a trusted third party receives reliable proof of age from an administration or a company that knows the Internet user and can certify their age. This proof is then transmitted, by the trusted party or by the user, to the site the user wants to access. The system recommended by the CNIL would provide a triple protection of privacy:

  • the person providing proof of age knows the identity of the user, but does not know which site is being visited;
  • the person who transmits the proof of age to the site may know the site or service consulted, but does not know the identity of the user;
  • the site or service subject to age verification knows that the user is of legal age and that a person is consulting it, but does not know their identity.
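The three-way split above can be made concrete. The Go program below is an added example, not code from the CNIL, from any trusted third party it mentions, or from TechGDPR; the CNIL proposal fixes neither a data format nor a signature scheme, so the Ed25519-signed attestation, the names Issuer and Site, the over-18 predicate and the sample birth-date records are all assumptions for illustration. The issuer signs a payload that names no site and carries no identity, only the predicate, a single-use nonce and an expiry; the intermediary that carries it to the site is not modelled, because it forwards the blob unchanged and can see nothing in it beyond those three fields; the site verifies the issuer’s signature and rejects expired, negative, replayed or tampered proofs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AgeProof is all the issuer signs. It carries no identity attribute, so the site learns nothing
// about who the user is, and no audience, so the issuer learns nothing about which site is visited.
type AgeProof struct {
	Over18  bool   `json:"over18"`
	Nonce   string `json:"nonce"`   // single-use, lets the site reject replays
	Expires int64  `json:"expires"` // unix seconds; keep the lifetime short
}

// SignedProof is the opaque artefact that travels issuer -> relay -> site.
type SignedProof struct{ Payload, Signature []byte }

// Issuer knows the user (a bank, an operator, an administration); its records never leave it.
type Issuer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
	dob  map[string]time.Time // constructed sample records: user -> date of birth
}

func NewIssuer(records map[string]time.Time) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{priv: priv, Pub: pub, dob: records}, nil
}

// Issue checks the user's age against the issuer's own records and signs only the over-18
// predicate. The request names no site, so the issuer cannot tell where the proof will be used.
func (is *Issuer) Issue(userID string, now time.Time, ttl time.Duration) (*SignedProof, error) {
	dob, ok := is.dob[userID]
	if !ok {
		return nil, errors.New("issuer: unknown user")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	payload, err := json.Marshal(AgeProof{
		Over18:  !now.Before(dob.AddDate(18, 0, 0)),
		Nonce:   hex.EncodeToString(nonce),
		Expires: now.Add(ttl).Unix(),
	})
	if err != nil {
		return nil, err
	}
	return &SignedProof{Payload: payload, Signature: ed25519.Sign(is.priv, payload)}, nil
}

// Site is the age-gated service. It holds the issuer's public key and the nonces it has
// already accepted, and nothing about the user.
type Site struct {
	issuerPub ed25519.PublicKey
	seen      map[string]int64 // nonce -> expiry; entries can be dropped once expired
}

func NewSite(pub ed25519.PublicKey) *Site { return &Site{issuerPub: pub, seen: map[string]int64{}} }

// Admit accepts a proof only if the issuer's signature verifies, the proof has not expired,
// the predicate holds and the nonce has not been presented before.
func (s *Site) Admit(sp *SignedProof, now time.Time) error {
	if !ed25519.Verify(s.issuerPub, sp.Payload, sp.Signature) {
		return errors.New("site: bad signature")
	}
	var p AgeProof
	if err := json.Unmarshal(sp.Payload, &p); err != nil {
		return err
	}
	switch {
	case now.Unix() >= p.Expires:
		return errors.New("site: proof expired")
	case !p.Over18:
		return errors.New("site: not over 18")
	}
	if _, dup := s.seen[p.Nonce]; dup {
		return errors.New("site: replayed proof")
	}
	s.seen[p.Nonce] = p.Expires
	return nil
}

func main() {
	now := time.Now()
	is, _ := NewIssuer(map[string]time.Time{"alice": time.Date(1990, 1, 1, 0, 0, 0, 0, time.UTC)})
	sp, _ := is.Issue("alice", now, time.Minute)
	site := NewSite(is.Pub)
	fmt.Printf("site sees %s\nfirst use: %v\nreplay: %v\n", sp.Payload, site.Admit(sp, now), site.Admit(sp, now))
}
```

Run with `go run` to see exactly what the site receives and that a second presentation of the same proof is refused. Because the nonce changes on every issuance, two visits by the same user cannot be linked by the site. What the scheme does not prevent is a user lending a valid proof to someone else before it expires, which the short lifetime limits but does not eliminate.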

Investigations and enforcement actions: vehicle rental, progressive health research, wrongful patient referral, passwords in plain text, cookie violations

The supervisory authorities, (SAs), of the Baltic States have launched coordinated preventive supervision of personal data processing in the field of short-term vehicle rentals, the EDPB reports. The SAs agreed to focus on enterprises whose services are mainly aimed at natural persons (eg, electric scooters). Primarily, merchants whose principal place of business is in one of the Baltic States and who offer their services throughout the Baltics will be monitored. At its own discretion, each SA may extend the scope of the supervision to enterprises active in only one Member State.

The EDPB has published the criteria for selecting cases of strategic importance, that is, cases where there is a likely high risk to the rights and freedoms of natural persons. The degree of public debate and media attention is not a separate criterion, but data protection authorities can take these factors into account. A proposal may be made if a case concerns:

  • a structural or recurring problem in several Member States;
  • a case related to the intersection of data protection with other legal fields;
  • a case that affects a large number of data subjects in several Member States;
  • a large number of complaints in several Member States; 
  • a fundamental issue falling within the scope of the EDPB strategy;
  • a case where the GDPR implies that high risk can be assumed, such as the processing of special categories of data, processing regarding vulnerable people such as minors, situations where a data protection impact assessment, (DPIA), is required, or situations where a DPIA is required based on the criteria for processing operations that are likely to result in high risk (as laid down in the EDPB Guidelines).

The Italian privacy regulator ‘Garante’ gave a favourable decision on the processing of data by a hospital for the study of patients suffering from neoplastic, infectious, degenerative and traumatic pathologies of the thoracic region. The project envisages the creation of a database and research in nine areas, each of which will be the subject of further specific protocols to be submitted to the competent ethics committees. To give the green light, however, the authority asked the researchers to base the collection, and the subsequent processing of health data for medical research purposes, on “progressive stages” consent.

Garante had previously authorised the collection and storage of data in the “Torax” database on the basis of an initial consent given by patients when joining the study, provided that the hospital subsequently obtained specific consent from them. Garante also ruled on deceased or no longer contactable patients, and required that the research projects be better defined and approved by the territorially competent ethics committees. The authority took favourable note of the technical measures implemented by the hospital to eliminate the risk of patient identification, deeming them suitable to ensure the anonymisation of the data processed. However, the hospital must periodically review these measures and adjust them where necessary.

Meanwhile, the Polish supervisory authority UODO imposed an administrative fine on the University Clinical Center of the Medical University of Warsaw for failing to notify the UODO of a personal data breach and failing to notify the data subject. A patient received a referral from a doctor to a specialist clinic containing another person’s personal data: name, surname, address, identification number, diagnosis and purpose of the consultation. The controller confirmed that another patient’s personal data had been entered on the referral by mistake but, after analysing it, concluded that the referral contained the data of a person who did not exist in reality. Although the controller classified the incident as a security incident, it did not consider it to have significant effects on the rights and obligations of the data subject.

In the opinion of the UODO, there was a personal data breach consisting of the disclosure of personal data to an unauthorised person, (another patient), as a result of an error by the doctor issuing the referral. The referral contained only one erroneous element; the rest of the data in it, eg, name, address and identification number, did relate to a real patient. Hence it cannot be considered that the event concerned a non-existent person: despite the single error, that person can be easily identified.

The Danish data protection authority criticised EG Digital Welfare ApS and issued it two orders. EG’s IT system Mediconnect is used by, among others, municipalities, regions and insurance companies to handle sensitive and confidential information about citizens; in this context EG acts as a data processor. The case showed that passwords were stored in Mediconnect in plain text, opening the possibility of access to special categories of data that were protected only by a username and password. The regulator ordered EG to store passwords only in irreversibly hashed form (the decision’s “irreversible encryption”) and to ensure that login does not rely exclusively on a username and password, (eg, multi-factor login, certificates, tokens or a PKI solution).

Spain’s AEPD fined Vueling Airlines 30,000 euros for cookie violations. According to the complaint, users accessing Vueling’s website could not reject cookies or purchase tickets without accepting commercial communications and promotions. Vueling’s misuse of cookies constituted a violation of Art. 22 of Spain’s Information Society Services and Electronic Commerce legislation. The fine was subsequently reduced to 18,000 euros following Vueling’s acknowledgement of responsibility and voluntary payment.

Audits: an insurance company’s data processing

The UK ICO has audited the data processing of Somerset Bridge Insurance Services Ltd, with the company’s consent. It was agreed that the audit would focus on direct marketing: the processes in place where an organisation undertakes marketing activities directed at customers on its database and/or obtained from third-party lists. This includes controls for management structures, policies and procedures, monitoring and reporting, training, fairness and transparency, lawful consent, accuracy and integrity of records, operations, and data subjects’ rights. The summary of the audit was as follows:

  • The company processes personal data from customers obtaining insurance quotes and policies. 
  • It collects personal data directly from its customers through its website, aggregator sites, or telephone calls.
  • It only relies on active opt-in consent for any form of marketing, including via email, phone, or SMS. 
  • It currently does not use soft opt-in. Electronic marketing is mainly through a monthly newsletter. Each email to the customer includes the option to unsubscribe.
  • It does not process special category data when processing data for marketing purposes. 
  • Automated marketing calls are not made. 
  • It does not buy in marketing lists from third parties. 

The ICO auditors reported a high level of assurance that the direct marketing activities conducted by the company were compliant with the UK GDPR, DPA 2018 and the Privacy and Electronic Communications Regulations. 

Data security: ransomware attacks

The EU cybersecurity agency ENISA states that ransomware has been one of the most devastating types of cyber attack of the last decade and has grown in the past year to affect organisations of all sizes across the globe:

  • About 10 terabytes of data were stolen each month by ransomware threat actors. 58.2% of the data stolen included employees’ data.
  • At least 47 unique ransomware threat actors were found.
  • For 94.2% of incidents, it is unknown if the company paid the ransom.
  • When negotiation fails, the attackers usually publish the data on their web pages; this happened in 37.88% of incidents.
  • The remaining 62.12% of companies either came to an agreement with the attackers or found another solution.

Several different ransomware business models emerged from the study: a) individual attackers; b) a ransomware-as-a-service model; c) a data brokerage model; and d) a model aimed mostly at achieving notoriety. The ENISA report recommends the following:

  • keep an updated backup of your business files & personal data;
  • keep this backup isolated from the network;
  • apply the 3-2-1 rule of backup: 3 copies, 2 different storage media, 1 copy offsite;
  • run security software designed to detect most ransomware on your endpoint devices;
  • restrict administrative privileges, etc.

Big Tech: Paramount Global, US tech in Russia, TikTok in US, Manchester City’s smart scarf

Paramount Global, owner of CBS, is facing a class action lawsuit alleging that the Hollywood giant tracked and collected CBS.com subscriber data and sold it to Facebook without users’ consent. Paramount is accused of violating the Video Privacy Protection Act; Facebook has already acknowledged that it receives CBS.com subscriber data via the Facebook tracking pixel that Paramount uses.

Russia continues to tighten the regulatory screws on US tech firms, with fines imposed on Snapchat, WhatsApp and Tinder for failing to store the data of their Russian users on local servers. Local data storage has been required since 2015, with fines for non-compliance introduced by a 2019 law; many western companies have fallen foul of it, and the number is growing.

China’s TikTok has paid a 92 million dollar settlement in a case brought in 2019 in federal court in Illinois alleging multiple data protection and privacy violations and the unlawful collection of biometric data. As part of the deal, TikTok must restrict what it collects, disclose it in its privacy policy, and stop covertly sending data overseas.

Tech incorporated in clothes gives you useful feedback on a range of things. Now Manchester City have made their fans a scarf that gives the club loads of information about the wearer’s match experience. An EmotiBit sensor can read blood pressure, heart rate, emotional arousal or stress levels. The club has partnered for the pilot stage with Cisco, tech and production company Unit9, and sports marketers Octagon UK, although Man City is being coy for the moment about just what personal data will be collected and shared and with whom.

Weekly digest February 14 – 20, 2022: regulating the cloud in the EU, GDPR as a trusted asset
https://techgdpr.com/blog/weekly-digest-20022022-regulating-the-cloud-in-the-eu-gdpr-as-a-trusted-asset/ (Mon, 21 Feb 2022)

TechGDPR’s review of international data-related stories from press and analytical reports.

The EDPB has announced a coordinated investigation and enforcement action on the use of the cloud by the public sector in the EU. Reportedly, cloud uptake by enterprises has doubled across Europe in the last six years, and the COVID-19 pandemic has sparked a digital transformation of organisations, with many turning to cloud technology. However, public bodies at national and EU level may find it difficult to obtain information and communication technology products and services that comply with EU data protection rules. 22 national supervisory authorities, (in coordination with the EDPS), will examine the challenges public bodies face in complying with the GDPR when using cloud-based services, including the process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and the provisions governing the controller-processor relationship. The probe, to be followed by an end-of-year report, covers a wide range of sectors: health, finance, tax, education, and central buyers or providers of IT services.

The Norwegian data protection authority Datatilsynet has asked the government to tighten national rules on cookie consent. Datatilsynet compares the Norwegian and French approaches to refusing cookies. In France, as in the rest of the EU, consent to the use of cookies must meet the requirements of the GDPR. The French regulator CNIL recently imposed multimillion-euro fines on Google and Facebook because the two companies let users accept cookies with a single click while making refusal more cumbersome and time-consuming. By contrast, the practice for which the tech giants were fined in France would hardly have been considered problematic under Norway’s cookie rules, where consent can be given through preset browser settings. In Datatilsynet’s view, these cases illustrate how unsustainable the current Norwegian regulation of cookies and similar tracking technologies is, and it asks the government to grant it supervisory powers.

The EU’s effort to set a standard for AI will likely take more than a year before it can become legislation. The main debate focuses on whether facial recognition should be banned and who should enforce the rules, Reuters reports. The initiative gained momentum last year because of the pandemic and the spread of algorithm-based gadgets and services in daily life. Reportedly, the European Commission wants to allow facial recognition use by law enforcement in cases of terror attacks and serious crimes, but civil rights activists fear it could facilitate discrimination and surveillance by governments and companies. A balanced enforcement approach would also be needed, with basic implementation at national level by national regulators and certain applications and impacts left to the Commission.

In California, legislators have proposed a new bipartisan bill to protect children online. The California Age-Appropriate Design Code Act is modelled on the UK Children’s Code and contains provisions on children’s data protection and limits on online exposure for minors under 18, IAPP News reports. Existing law, the Parent’s Accountability and Child Protection Act, requires a person or legal entity that conducts business in California and seeks to sell specified products or services to take reasonable steps to ensure that the purchaser is of legal age, and prohibits reusing data obtained during that verification for any other purpose. From 1 July 2024, the bill would also require a business that creates goods, services or product features likely to be accessed by children to comply with specified standards, including considering the best interests of children, (eg, using clear language suited to the age of the children likely to access that good, service or product feature).

Official guidance: data for research purposes, DPIA checklist, CNIL’s 2022 strategy

The UK Information Commissioner’s Office is seeking feedback on draft guidance on the research provisions in the UK GDPR and the Data Protection Act 2018. Both contain a number of provisions on processing personal data for research purposes, namely a) archiving in the public interest, b) scientific or historical research and c) statistical purposes, but these are scattered across many articles and paragraphs of both texts, making this a complicated area of data protection. The draft guidance helps those engaged in research to carry out their processing in compliance with the existing law. Following it, controllers should be able to demonstrate that their processing is necessary for one of these research purposes and meets a set of indicative criteria for each of the three types of research. The provisions cover the following areas of data protection:

  • the data protection principles, (purpose limitation, storage limitation);
  • conditions for processing special category data and criminal offence data;
  • exemptions from data subjects’ rights;
  • appropriate safeguards (data minimisation, pseudonymisation, anonymisation).

Interested parties can submit their responses by 22 April.

The Spanish regulator AEPD published a checklist, (in Spanish only), to help data controllers carry out data protection impact assessments, Data Guidance reports. The list allows a quick check, and supports prior consultation, to ensure that all necessary aspects have been taken into account when carrying out and documenting an impact assessment. In particular:

  • controllers who plan to request a prior consultation must complete and submit the list to the AEPD so that it can verify that the DPIA contains the minimum required content;
  • if, after carrying out the DPIA and adopting measures, the risk remains high, the controller must consult the AEPD before starting the processing, etc.

The checklist complements AEPD’s risk management and DPIA guide.

The French regulator CNIL published its strategic plan for 2022-2024. The new orientations are divided into three priority areas: a) promoting control and respect for the rights of individuals; b) promoting the GDPR as a trusted asset for organisations; c) prioritising targeted regulatory actions on subjects with high privacy stakes. The CNIL also specifies its priority control topics for 2022: commercial prospecting, use of cloud computing and remote working monitoring. Each year the CNIL conducts several hundred checks, (384 in 2021); the three themes chosen as priorities for the year usually account for approximately one-third of them:

  • Unsolicited commercial prospecting is one of the irritants of French daily life and is a recurring subject of complaints and calls to the CNIL hotline.
  • The massive use of teleworking during the Covid-19 pandemic has led to the development of specific tools, allowing employers to ensure closer monitoring of employees’ daily tasks and activities. Many believe that it will become widespread and will continue even when the health situation has returned to normal.
  • The use of the cloud is constantly growing in the private and public sectors, accompanied by massive transfers of data outside the EU to countries that do not provide an adequate level of protection, or that are vulnerable to data breaches in the event of misconfiguration.

Latvia’s data inspectorate announced the results of cookie audits of websites belonging to 26 companies, IAPP News reports. Auditors checked whether users were given comprehensive information and whether appropriate consent was obtained, including for marketing, statistical and analytical cookies. At least one non-compliance with the GDPR and Latvia’s Information Society Services Act was found on the websites inspected. The most frequent non-compliance concerned obtaining appropriate consent from the website user in cases where it is mandatory:

  • none of the websites examined provided adequate consent, 
  • in most cases only partial consent was obtained from the website user,
  • in 4 cases it was considered that no consent was obtained at all. 

The fewest non-compliances were found in the cookie policy/terms of use available on the websites, as regards the inclusion of the minimum required information. Official notices were sent to three organisations to evaluate and eliminate the non-compliances by April, and to the rest by August.

Grindr has appealed against the 6.5 million euro fine imposed by the Norwegian data protection authority Datatilsynet. Grindr is a location-based social networking app marketed towards gay, bi, trans and queer people. In 2020, the Norwegian Consumer Council filed a complaint against Grindr alleging unlawful sharing of personal data with third parties for marketing purposes. The data shared was GPS location, IP address, advertising ID, age, gender and the fact that the user in question was on Grindr. Datatilsynet concluded that Grindr disclosed user data to third parties for behavioural advertising without a valid legal basis. Datatilsynet will now assess Grindr’s appeal and consider whether there are grounds to rescind or alter the decision; the Norwegian Consumer Council will also be given the opportunity to express an opinion. If the decision is not rescinded or altered, the case will be sent to the Privacy Appeals Board. Decisions of the Privacy Appeals Board cannot be further appealed, but depending on the circumstances the parties can challenge the validity of such a decision before the courts.

The Danish data protection authority has issued criticism, injunctions and warnings to the Capital Region of Denmark after two security breaches. Both incidents were reported by the Danish Health and Medicines Authority, in 2020 and 2021. In both cases a data exchange service of the health platform, (for which the Capital Region is the data controller), was involved, and a couple of thousand medication prescriptions for patients were affected. The breaches arose because integrations between two systems meant that an update in one corrupted how information was displayed in the other. After reviewing both reported breaches, the Danish data protection agency expressed serious criticism of the Capital Region for:

  • not having qualified relevant test scenarios in order to better identify dependencies on other IT systems,
  • not having carried out the necessary tests before the changes were made,
  • not informing the Danish Health and Medicines Authority about the security breaches when the incidents were established.

The Danish data protection agency has ordered the region to prepare and introduce a process that ensures that known integrations with other systems do not create incorrect information in them, and to map in detail its internal IT architecture and IT environment in collaboration with the parties involved.

The Spanish regulator AEPD has fined Amazon Road Transport Spain 2 million euros for unlawful processing of criminal conviction data, Data Guidance reports. A union representative complained to the AEPD that, when hiring self-employed contractors, Amazon Road Transport Spain required certificates showing the absence of a criminal record, and specifically required the candidates' consent so that this data could be transferred to group companies and a supplier located outside the EEA. Amazon Road Transport argued that obtaining a negative certificate did not involve processing data relating to criminal convictions or offences, since the certificate contained no information about the commission of a crime, and that it therefore fell outside Art. 10 of the GDPR. The regulator rejected this interpretation. The AEPD found that Amazon Road Transport had not acted diligently, as it failed to implement adequate procedures for the collection and processing of personal data relating to criminal convictions. The company must also stop requiring the certificates, delete all information from certificates already provided, and bring its processing into compliance with Art. 6 and Art. 10 of the GDPR. At the same time, it was found not to have violated Art. 7 or Art. 49(1) of the GDPR, as the explicit consent of a data subject can be used as a derogation for a restricted international transfer.

Data security: best practices

The European Union Agency for Cybersecurity (ENISA) and CERT-EU have published a joint set of cybersecurity best practices for public and private organisations. Cybersecurity threats to organisations in the EU have increased substantially, and three factors drive the trend: a) ransomware remains a prime threat, putting millions of organisations at risk; b) criminals are increasingly motivated by the monetisation of their activities; c) attacks against critical infrastructure are rising exponentially, and other economic sectors, as well as society at large, can be exposed. The publication is mainly intended for decision-makers (both in IT and general management) and security officers (CISOs), and also for entities that support organisational risk management. The recommendations are given in no particular order; organisations should prioritise their actions according to their specific business needs:

  • Ensure remotely accessible services require multi-factor authentication (MFA).
  • Ensure users do not re-use passwords, and encourage users to enable MFA wherever an application supports it (eg, on social media).
  • Ensure all software is up to date.
  • Tightly control third-party access to your internal networks and systems.
  • Pay special attention to hardening your cloud environments before moving critical workloads to the cloud.
  • Review your data backup strategy and use the so-called 3-2-1 rule (three copies of the data, on two different media, with one copy off-site).
  • Change all default credentials and employ appropriate network segmentation.
  • Conduct regular training.
  • Create a resilient email security environment.
  • Protect your web assets from denial-of-service attacks.
  • Block or severely limit internet access for servers and similar systems that do not need it.
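The 3-2-1 recommendation is easy to state and surprisingly easy to get wrong in practice, because the live production copy is usually counted as one of the three and a "second medium" in the same rack rarely counts as off-site. The following is an added illustration, not code from the ENISA/CERT-EU publication: it evaluates a backup inventory against the three conditions and reports which ones fail. The inventory format (name, medium, location, whether the copy is the live primary) is an assumption made for the example, and the sample data is constructed.

```python
"""Evaluate a backup inventory against the 3-2-1 rule.

Added example, not part of the ENISA/CERT-EU publication. The 3-2-1 rule is
taken in its usual sense: three copies of the data (the live primary counts as
one), on two different storage media, with at least one copy off-site. The
inventory format below is an assumption made for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str              # e.g. "disk", "tape", "object-storage"
    location: str            # site identifier, e.g. "dc-oslo"
    is_primary: bool = False  # the live data set, not a backup


@dataclass
class Evaluation:
    copies: int
    media: int
    offsite: int
    failures: list[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.failures


def evaluate_3_2_1(inventory: list[BackupCopy]) -> Evaluation:
    """Return how many copies, media and off-site copies exist, and which of
    the three 3-2-1 conditions are not met.

    "Off-site" is judged relative to the site of the primary copy; an
    inventory without exactly one primary is rejected, because the rule is
    meaningless if we do not know what the backups are copies of.
    """
    primaries = [c for c in inventory if c.is_primary]
    if len(primaries) != 1:
        raise ValueError(f"expected exactly one primary copy, found {len(primaries)}")
    primary_site = primaries[0].location

    media = {c.medium for c in inventory}
    offsite = [c for c in inventory if c.location != primary_site]
    ev = Evaluation(copies=len(inventory), media=len(media), offsite=len(offsite))

    if ev.copies < 3:
        ev.failures.append(f"only {ev.copies} copies, need 3")
    if ev.media < 2:
        ev.failures.append(f"all copies on one medium ({', '.join(sorted(media))})")
    if ev.offsite == 0:
        ev.failures.append(f"no copy outside primary site {primary_site!r}")
    return ev


# Constructed sample inventories.
COMPLIANT_INVENTORY = [
    BackupCopy("prod-db", "disk", "dc-oslo", is_primary=True),
    BackupCopy("nightly-snapshot", "disk", "dc-oslo"),
    BackupCopy("weekly-tape", "tape", "vault-bergen"),
]

# Two copies, same medium, same room: common, and fails every condition.
LOCAL_ONLY_INVENTORY = [
    BackupCopy("prod-db", "disk", "dc-oslo", is_primary=True),
    BackupCopy("nightly-snapshot", "disk", "dc-oslo"),
]


if __name__ == "__main__":
    for label, inv in (("compliant", COMPLIANT_INVENTORY), ("local-only", LOCAL_ONLY_INVENTORY)):
        ev = evaluate_3_2_1(inv)
        status = "OK" if ev.compliant else "FAIL"
        print(f"{label}: {status} copies={ev.copies} media={ev.media} offsite={ev.offsite}")
        for f in ev.failures:
            print(f"  - {f}")
```

Note that the check deliberately says nothing about whether a copy is online and reachable with the same credentials as the primary; a ransomware operator who can encrypt the primary can usually also encrypt a mounted "off-site" share, so an inventory that passes 3-2-1 still needs a separate look at which copies are offline or immutable.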

Big Tech: Texans’ biometric data, employee spying software, Clearview AI image collection expansion

Texas Attorney General Ken Paxton is suing Meta over its use of facial recognition technology to harvest the biometric data of millions of Texans without their consent, Reuters reports. The lawsuit claims that 20.5 million Texans use Facebook and that their data was captured illegally "billions" of times; the state is reportedly seeking hundreds of billions of dollars in civil penalties. In 2020 Facebook settled a similar suit in Illinois for 650 million dollars, and last November a blog post announced that the facial recognition system was being shut down and the data collected would be deleted.

Controversial facial recognition specialist Clearview AI is going the other way, according to the Washington Post, which revealed that Clearview had asked investors for 50 million dollars to collect "100 billion" faces within a year and make "every person on earth identifiable". Clearview, which scrapes images from social media and other websites without the consent of the sites or the people pictured, works mainly for law enforcement but is seeking to expand into monitoring gig economy workers. Facebook, Google, Twitter and YouTube have all demanded that Clearview stop, to no avail, and the French, Australian and UK privacy regulators have already ruled against its practices.

China's Sangfor Technologies has come under scrutiny for software that spies on company employees and attempts to predict when they will quit, IAPP News reports. The Shenzhen-listed company's "resignation analysis system" monitors employees' browsers for job ads, recruitment emails and social media websites. Former employees have gone public about being fired after job hunting online, and about how their employers knew exactly what they had been doing on their computers. The story has found an echo on Chinese social media and forums, where many regard the software as an infringement of personal privacy.

The post Weekly digest February 14 – 20, 2022: regulating the cloud in the EU, GDPR as a trusted asset appeared first on TechGDPR.