data subjects rights Archives - TechGDPR
https://techgdpr.com/blog/tag/data-subjects-rights/ Wed, 11 Jun 2025 12:03:14 +0000

Data protection digest 3 – 17 Jun 2024: software testing, email management, affordable data security
https://techgdpr.com/blog/data-protection-digest-20062024-software-testing-email-management-affordable-data-security/ Thu, 20 Jun 2024 08:06:48 +0000

The post Data protection digest 3 – 17 Jun 2024: software testing, email management, affordable data security appeared first on TechGDPR.

In this issue: security-focused software testing to find unexpected functionalities in recently developed applications; email management and metadata in the work context; Wikipedia must abide by the GDPR; and London hospitals suffer ransom attacks.

Stay up to date! Sign up to receive our fortnightly digest via email.

Software testing

To help businesses and authorities address a range of security threats, the Danish data protection authority has added a new item to its list of security measures (in Danish). It concerns security-focused software testing, which can find flaws in recently created applications. The software’s intended functionality is what the “customer” usually wants; a product could, nonetheless, have unexpected or undesired capabilities.

Unwanted functionality is by definition unnecessary and therefore generally goes unused, which creates hidden security issues. People with malicious intentions can also search for such unnecessary or unwanted functionality in order to misuse it. Increasingly complex IT systems and integrations between them raise the likelihood of errors and vulnerabilities, even when security is a focus during development.

Furthermore, much software is built from pre-made components that are either created by other parties or form part of “developer tools,” and it is unknown how much attention these third parties pay to security needs. Therefore, the only way to guarantee that new software is designed with a focus on security may be through testing, or through requirements on the supplier’s testing. Testing documentation can also play a critical role in proving whether sufficient precautions have been taken to prevent security breaches.

Whistleblowing and anonymity

The most recent EU whistleblower legislation is explained in Ius Laboris’ blog article using the example of the Netherlands. In particular, midsize employers (50+ employees) are now also subject to the new and stricter obligations of the Dutch Whistleblower Protection Act 2023 regarding internal reporting processes for whistleblowers:

  • The employer is generally free to choose an anonymous reporting mechanism, such as specialised software. 
  • A report is made anonymously, but it needs to be made to a properly designated officer.
  • That officer must then discuss with the reporting person how they wish to communicate during the process.
  • If the reporting person’s identity is partially revealed, the officer is responsible for making sure that any parties not involved in the inquiry are not informed. 
  • It’s also advisable to explain the breach of anonymity to the individual who filed the report.  
  • The reports might be looked into at the group level of the organisation, (even if the parent company is located in another country).

Email management and metadata

IT programs and services for e-mail management, offered by suppliers as cloud services, may collect metadata by default in a preventive and generalised way. This sometimes limits an employer wishing to modify the program’s basic settings to disable the systematic collection of such data in the work context or to reduce its retention period. The fundamental right to secrecy of e-mail correspondence, including the external data of the communications and the attached files, protects the essential core of the dignity of individuals and the full development of their personality in social formations.

Metadata may include the e-mail addresses of the sender and recipient, the IP addresses of the servers or clients involved in routing the message, the times of sending, retransmission or reception, the size of the message, the presence and size of any attachments and, in certain cases, details about the management system of the e-mail service used, along with the subject of the message sent or received. This metadata should not be confused with the information integrated into the e-mail messages themselves (in their “body part”, although not immediately visible to users), which remains under the exclusive control of the user.

Thus, all data controllers are reminded to verify that the collection and storage of logs take place in compliance with the principles of correctness and transparency and that workers have been adequately informed on the processing of personal data relating to electronic data communications concerning them, (specifying data retention times, any controls, etc).

More official guidance

Data subject requests: The Latvian data protection regulator explains how a data controller should act if a request from a person as a data subject has been received:

  • Verify the data subject’s identity, (additional information can be requested).
  • Find out what rights the person intends to exercise when sending the request.
  • Develop a request form that formulates possible requests.
  • Observe the response deadlines.
  • Act accordingly if an unreasonable or disproportionate request is received.
  • Take into account the restrictions on the exercise of the rights of data subjects. 
  • Document the request processing progress; and 
  • Cooperate with the Data State Inspectorate if necessary.  

Information sharing in health emergencies at work: The Guernsey data protection authority explains how to think in advance about sharing workers’ information in a health emergency. It covers any situation where you believe that someone is at risk of serious harm to themselves, or others, because of their mental or physical health. This can include potential loss of life. Also, the same obligations apply to processing information about your workers’ mental or physical health. 

In a health emergency, data protection does not act as a barrier to necessary and proportionate information sharing. Where there is a risk of serious harm to the worker, or to others, you should share necessary and proportionate information without delay with relevant and appropriate emergency services or health professionals. You must ensure that your workers are aware of any policy for sharing personal information in a health emergency and that it is available to them.

This policy also could become part of your Data Protection Impact Assessment on the everyday handling of your workers’ health information. 

Meta AI training postponed in the EU/EEA

Meta was scheduled to train and improve its AI applications on users’ content from Facebook and Instagram next week. At the request of the Irish Data Protection Commission (the lead supervisory authority), this has been postponed until further notice. Earlier this month, Meta announced it would begin using publicly available content from European users of Facebook, Instagram and Threads to train an AI app. The claimed legal basis for the processing is legitimate interest, and users could object to the use of their content if they wished. Numerous complaints about Meta’s new practice were lodged with European supervisory authorities, including those of Norway, Austria and France.

Meanwhile, the Hamburg Data Protection Commissioner, (HmbBfDI), published recommendations regarding AI training with personal data by Meta. Users worldwide should be aware that this cannot be reversed once a large language model has been trained with personal data. Individuals can object to this in the settings on the profile page under the Privacy Policy. Persons who do not have an account with a Meta service may also be affected by the processing of personal data by Meta for AI training purposes, as Meta also uses data from so-called third-party providers. 

In the future, Meta’s AI-supported tools could become available for both users and companies. 


Wikipedia vs GDPR

The Italian privacy regulator Garante recently ruled that the processing of personal data carried out by Wikipedia falls under the GDPR, and that the rules on journalistic activity and the expression of thought apply to the published contents. The decision came after a complaint from an interested party whose request to the Wikipedia Foundation for deletion of a biographical article relating to a judicial matter was not satisfied. The regulator ordered the de-indexing of the article.

The US non-profit believes it does not offer a service to users in the EU and is therefore not bound to compliance with the GDPR: it just “hosts” the contents inserted by the community of volunteers. In reality, explains Garante, Wikipedia constantly addresses and verifies the quality standards of the content and creates versions of the site dedicated to users from one or more EU countries.  

More enforcement decisions

Cookies without consent: An Amsterdam court held that LinkedIn, Microsoft and Xandr must cease placing cookies without user consent, DataGuidance reports. The plaintiff visited 52 websites, of which 19 installed cookies on their device either without their knowledge or after consent was expressly denied. The website provider bears certain duties even where third parties are responsible for installing cookies on users’ devices. The court found that the cookies in question resulted from the above companies’ partnerships with third-party operators, and that the companies had not prevented those third parties from placing cookies without authorisation.

Recruiting company deletion requests: Meanwhile, the Dutch data protection authority has imposed a fine of 6,000 euros on the recruitment company Ambitious People Group. The company did have a method for requests to delete data. Yet in practice, things went wrong several times. The data remained in the database after the people requested their removal. The company also kept approaching these people about vacancies. The data in question included names, home addresses, e-mail addresses, telephone numbers, dates of birth and CVs containing information about education and work experience.

Security gaps: As part of an unsolicited audit by the Lower Saxony data protection authority, 20 companies have closed security gaps in their Microsoft Exchange servers. There is sometimes only a very short period between the release of a security update and the exploitation of vulnerabilities, and sometimes the first waves of attacks on customers’ and employees’ data have already occurred beforehand. Therefore: 

  • Anyone who commissions an IT service provider to operate an Exchange server must ensure that the contract also includes regular patching of the server. 
  • Companies must ensure that they can patch their servers immediately if critical security vulnerabilities arise.

Data security

Affordable data security: An opinion article by the Estonian data protection regulator suggests that small and medium-sized companies perceive data protection mainly as a source of costs and worries. However, practice shows that mitigating the cyber security risks associated with data protection may not be as daunting or expensive as it seems at first glance. The most familiar and still valid recommendations for web security include:

  • updating the software on your devices and IT infrastructure, (hosting providers offer automated application installation)
  • adopting multi-factor authentication, (user log-ins and web hosting control panel),
  • auditing accounts, (access control), and
  • disposing of unused and unnecessary applications and files on the web server.

Privacy vulnerabilities of AI systems: An Ius Laboris law blog looks at cyber security obligations under the EU AI Act – against model poisoning, model evasion, confidentiality attacks, and model flaws. One example is privacy attacks. Once the AI system is operational, bad actors can use legitimate means to obtain personal data. It may be possible for bad actors to send a large language model many queries which enable them to reverse engineer personal data about a particular individual in the aggregate data set. The same techniques can be used to access proprietary or confidential information about the AI system’s architecture, enabling attackers to extract enough information about an AI system to reconstruct a model.

Hospital system under attack


BBC News reports that London hospitals are still grappling with the aftermath of a cyber attack that has led to many hours of extra work for their staff. A critical incident was declared on 4 June after a ransomware attack targeted the services provided by pathology firm Synnovis. Healthcare facilities are experiencing significant disruptions to their services, including blood transfusions, and blood sample processing is being done by hand in the labs. The results are added into the system “line by line” after being double-checked. It was also necessary to move some patients who needed emergency surgery to different institutions and cancel other operations.

Privacy research

The Norwegian data protection regulator revealed the results of a nationwide survey on the population’s relationship to privacy. The vast majority of people in the survey have refrained from downloading an app because they are unsure of how their data will be used. Young people are used to giving up large amounts of personal data, and they use a far greater range of services than older age groups do. Most people believe that AI will challenge privacy by collecting too much personal data and using it. There is broad support that the authorities should take an active role in the regulation of artificial intelligence, but fewer believe that this will be possible. 

Data protection digest 1 – 15 Nov 2023: AI application must ensure digital self-determination of data subjects
https://techgdpr.com/blog/data-protection-digest-17112023-ai-application-must-ensure-digital-self-determination-of-data-subjects/ Fri, 17 Nov 2023 08:25:32 +0000

The post Data protection digest 1 – 15 Nov 2023: AI application must ensure digital self-determination of data subjects appeared first on TechGDPR.

This issue highlights a couple of analyses that perhaps help to understand the essence of AI and other new technology, to which the GDPR applies, and the urgent need for digital self-determination for its users.

Self-determination and AI

Digital self-determination of a user: The Swiss Federal Data Protection Commissioner FDPIC stresses that the current data protection legislation is directly applicable to AI used in the economic and social life of the country. In particular, the Data Protection Act in force since 1 September is directly applicable to all AI-based data processing. To this end, the FDPIC reminds manufacturers, providers and operators of such applications of the legal obligation to ensure that the data subjects have as much digital self-determination as possible when developing new technologies and planning their use:

  • the user has the right to know whether they are talking or writing to a machine, 
  • whether the data they have entered into the system is further processed to improve the machine’s self-learning programs or for other purposes, and
  • to object to automated data processing or to demand that automated individual decisions be controlled by a human being.

The law also requires a data protection impact assessment in the event of high risks. On the other hand, the use of large-scale real-time facial recognition or global surveillance and assessment of individuals’ lifestyles, otherwise known as “social scoring”, is prohibited.

Legal processes

The Data Act: On 9 November, the European Parliament adopted the text of the European Data Act. Next, it must be approved by the Council. The act makes more data available for use and sets up rules on who can use and access what data for which purposes across all economic sectors in the EU. This law applies to:

  • the manufacturers, suppliers and users of products and related services placed on the market in the Union;
  • data holders that make data available to data recipients in the Union;
  • data recipients in the Union to whom data are made available;
  • public sector bodies that request data holders to make it available for the performance of a task carried out in the public interest and the data holders that provide data in response to such a request;
  • providers of data processing services offering such services to customers in the Union.

According to the updated text, to promote the interoperability of tools for the automated execution of data-sharing agreements, it is necessary to lay down essential requirements for smart contracts which professionals create for others or integrate into applications.

FISA 702: Meanwhile, the US Congress unveils the Government Surveillance Reform Act. The bill reauthorizes Section 702 of the Foreign Intelligence Surveillance Act for four more years, allowing intelligence agencies to continue to use the powers granted by that law, but with new protections against documented abuses and new accountability measures. For instance, it prevents warrantless searches, ensures foreigners are not targeted for spying on Americans they communicate with and prevents the collection of domestic communications. It also includes a host of reforms to government surveillance authorities beyond Section 702, including requiring warrants for government purchases of private data from data brokers.

EDPB documents

Tracking tools: The EDPB addresses the applicability of Art. 5(3) of the ePrivacy Directive to different tracking solutions. The advent of new tracking technologies to both replace existing tracking tools (due to the discontinuation of third-party cookie support) and generate new business models has emerged as a key data protection problem. The recommendations define four main elements: “information,” “terminal equipment of a subscriber or user,” “gaining access,” and “stored information and storage.” A partial list of use cases includes a) URL and pixel tracking, b) local processing, c) IP-only tracking, d) intermittent and mediated IoT reporting, and e) unique identifier.

Official guidance

Synthetic data: Synthetic data could function as a privacy-enhancing technology (PET), as it allows the application of data protection by design. The synthesis can be performed using sequence modelling, simulated data, decision trees or deep learning algorithms. Creating synthetic data from real personal data is itself a processing activity subject to the GDPR. It is therefore necessary to consider the regulatory provisions, in particular the principle of proactive responsibility and the assessment of a possible re-identification risk. In some cases, data sets may be too complex to obtain a correct understanding of their structure, or it may be difficult to mimic outliers from real data, undermining analytical value for specific use cases. In such situations, alternative or complementary PETs should be used, such as anonymisation and pseudonymisation.

Health apps: German data protection body DSK has published a position paper on cloud-based health applications (in German). Since 2020, the Digital Health Applications Ordinance has regulated certain digital health applications to ensure the legal requirements for data protection and data security. However, several other health applications are not covered by these regulations. Thus, the following must be taken into account when using a wide range of health apps: 

  • Data processing roles must be clearly defined in each case. Manufacturers, doctors and other medical service providers as well as cloud services come into consideration. 
  • The application should be used in a privacy-friendly configuration, without the cloud functions and, where possible, without linking it to a user account.
  • The app manufacturers or operators must fulfil the rights of data subjects to information, correction, deletion, restriction of processing and data portability.
  • The processing must be limited to the necessary extent, and be compatible with the purpose of the application. 
  • A data protection legal basis is required for the use of personal data for research purposes.

More from supervisory authorities

Chatbots: The data protection authority of Liechtenstein explains the essence of chatbots – software-based dialogue systems that enable text- or voice-based communication. From a technical perspective, there are different types of chatbots, ranging from simple rule-based systems to artificial intelligence (AI) systems. European data protection authorities are currently dealing with the question of whether AI-based solutions meet the requirements of data protection law. At the same time, chatbot systems are often offered as cloud services, where GDPR rules always apply (legal basis, information obligation, handling of cookies, storage of chatbot data, processing of sensitive data, and data reuse).

Similarly, the Hamburg Data Protection Commissioner offers a checklist for the use of LLM-based chatbots, (in English). Recommended steps would include internal regulations for employees, involvement of a data protection officer, creation of an organisation-owned account, and no transmission of any personal data to the AI. Overall, the results of a chatbot request should be treated with caution. You can also reject the use of your data for training purposes, and opt-out of saving previous entries.

Explainable AI: A transparent AI system provides insight into how AI systems process data and arrive at their conclusions, giving an understanding of the “reasoning” that led to the conclusions or decisions, explains the EDPS. Greater accountability will lead to a better assessment of the risks that data controllers need to carry out. At the same time, many efforts to improve the explainability of AI systems lead to explanations that are primarily tailored to the AI researchers themselves, rather than effectively addressing the needs of the intended users. Read the deep dive into the risks of opaque AI systems here.

Enforcement decisions

Simplified procedures: The French privacy regulator CNIL has issued ten new decisions under its new simplified sanction procedure, introduced in 2022. Some cases focus on geolocation and continuous video surveillance of employees. The CNIL pointed out that the continuous recording of geolocation data, with no possibility for employees to stop or suspend the system during break times, is an excessive infringement of employees’ right to privacy unless there is special justification. Similarly, the prevention of accidents in the workplace does not justify the implementation of continuous video surveillance of workstations and is neither appropriate nor relevant.

Telemarketing: The Italian data protection authority has imposed a fine of 70,000 euros on a coffee-producing company for promoting its brand through unwanted phone calls. Furthermore, the purchase order was considered as proof of consent to marketing. Users’ data was acquired in various ways: through the form on the website, through word of mouth from customers, and through contact lists collected by third-party companies, without having acquired the consent of the users. The company will now have to delete data acquired illicitly and activate suitable control measures so that the processing of users’ data occurs in compliance with privacy legislation throughout the entire supply chain.

Similarly, the Czech data protection authority imposed a fine of approx. 326,000 euros for sending commercial communications in favour of third parties. Since 2015, a transport company distributed commercial messages for the benefit of third parties to the email addresses of its customers, without obtaining the prior consent of the recipients, and without the possibility of rejecting these commercial communications in any way. It should be emphasized that the company did not offer its products or services, so it was not entitled to use the so-called “customer exception”, (to offer similar products or services). 

Data breaches

Processor’s obligations: The Danish Data Protection Authority has expressed criticism in a case where a data processor, Mindworking, had not ensured adequate security when developing a web application that was targeted at real estate agents. In particular, it was not secured against unauthorised persons inspecting the source code and thus being able to access personal data on the platform, (linked to a specific property that was for sale). The information could be accessed by users after they had logged in with a username and password. The user could access the information by pressing a function key and activating so-called “Dev tools”. The regulator concluded that the data processor should have carried out relevant tests of the platform before commissioning it, (Art. 32 of the GDPR).

Data security

Data breach: Finland’s data protection authority reminds organizations that they must assess the seriousness of a data security breach from the point of view of the data subjects. As a rule, the data controller must notify the authority within 72 hours if the breach may cause a risk to the rights and freedoms of natural persons, even if not all the information about the incident is yet completely clear. Thus, the controller must accurately assess the seriousness of the possible effects on the data subjects affected by the breach. The purpose is to assess the seriousness of the effects on the data subjects, not the consequences for the controller. Data subjects must also be notified of a high-risk situation without undue delay, even if the high risk is eliminated by measures taken after the breach.

Password dilemma: Almost everyone uses bad passwords, often unconsciously, states the Dutch data protection authority. The standard password requirement of 8 characters with enforced punctuation and numbers encourages this: it leads to short passwords full of human patterns. People are also very predictable when they try to use long passwords. Instead of something completely random, they quickly choose a year, their favourite sports team or another simple adjustment, such as starting with a capital letter. It is therefore recommended to use long passwords that are so random that a hacker must try every possibility to recover them, which is slower and hence less profitable.

Big Data

DSA and minors’ safety: The European Commission has sent Meta and Snap requests for information under the Digital Services Act, following their designation as Very Large Online Platforms. Companies have until 1 December to provide more information on risk assessments and mitigation measures to protect minors online, in particular about the risks to mental health and physical health, and on the use of their services by minors. Under Art. 74 of the DSA, the Commission can impose fines for incorrect, incomplete, or misleading information in response to a request for information. 

Medical research data reuse: Sensitive health information donated for medical research by half a million UK citizens has been allegedly shared with insurance companies for years according to The Guardian. An investigation found that data was provided to insurance consultancy and tech firms for projects to create digital tools that help insurers predict a person’s risk of getting a chronic disease. UK Biobank, set up in 2002 and described as a ‘crown jewel’ of British science, claims that it only allows access to bona fide researchers for health-related projects in the public interest, whether employed by academic, charitable, or commercial organisations and that participants were promptly informed. Read the full analysis here.

Data protection digest 31 July – 14 August 2023: privacy laws development, AI evaluations at school, and security of connected devices
https://techgdpr.com/blog/data-protection-digest-14082023-privacy-laws-worldwide-ai-measuring-school-progress-and-security-of-connected-objects/ Mon, 14 Aug 2023 09:00:47 +0000

The post Data protection digest 31 July – 14 August 2023: privacy laws development, AI evaluations at school, and security of connected devices appeared first on TechGDPR.

In this issue you will find that China is tightening controls on generative AI, India is finalising its comprehensive privacy law, and California is reviewing the data privacy practices of connected vehicle manufacturers and related technologies.

Legal processes and redress

China privacy laws updates: The Chinese Cyberspace Administration has issued administrative measures for personal data compliance audits for public input. In the case of high-risk processing operations or security incidents, the department in charge of personal data protection (under the new PIPL legislation) may order the organisation to delegate the compliance audit to a professional institution. Otherwise, businesses can perform their own audits or entrust them to a recognised professional institution. However, no more than three consecutive compliance audits for the same organisation may be performed by the same institution. Companies that process the personal information of more than one million people must complete an audit at least once a year.

China has considerably tightened controls on information sharing in recent years, particularly data transfers abroad, on the grounds of national security.

China generative AI: In parallel, China passed innovative legislation to govern generative AI. Interim Measures for the Management of Generative AI Services go into effect on 15 August. They apply to broad public services in China and hold firms accountable for the output of their platforms. The data used to train the systems will have to fulfil certain stringent conditions, not addressed in previous legislation, Deacons lawyers clarify:

  • Providers of generative AI must take responsibility for network information security, personal data protection, and produced content quality. 
  • Service providers are liable for the created material and are obliged to ban and report unlawful and illegally linked information. 

Technology created in research institutes or destined for export will be excluded. 

Swiss privacy law revised: On 1 September, the revised federal data protection act will come into force. The current law remains in force until 31 August. Major innovations will include criminal aspects of breaches of obligations, reinforced duty for data controllers to provide information to data subjects, data protection impact assessment for high-risk processing both in public and private sectors, fees for private data processors, regulators’ additional duties and powers, and more. 

India comprehensive privacy law: The Digital Personal Data Protection Bill 2023 passed in parliament before receiving presidential assent. It will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. It will also apply to such processing outside India if it is for offering goods or services in India. Personal data may be processed only for a lawful purpose upon the consent of an individual. Consent may not be required for specified legitimate uses such as the voluntary sharing of data by the individual or processing by the state. The main criticisms of the bill include:

  • The bill exempts data processing on grounds of national security which may lead to data collection, processing, and retention beyond what is necessary. 
  • The bill also does not grant the right to data portability and the right to be forgotten. 
  • The bill allows the transfer of personal data outside India, except to countries notified by the central government. This mechanism may not ensure adequate evaluation of data protection standards in certain countries.
  • The bill does not regulate risks of harm arising from the processing of personal data.

More analyses by PRS Legislative Research Institute are available here.

Official guidance

Google Analytics: The use of tools like Google Analytics requires more than a lawful transfer to the United States, (now possible following the announcement of the US adequacy decision by the European Commission), states the Danish data protection authority. Beyond third-country transfers, a large number of other GDPR requirements must be complied with. Among other things, you need to establish a legal basis for data processing, define data processing roles and conclude data sharing agreements, fulfil data subject rights, and much more.

Rights to data portability and restriction of processing: The wide range of digital services often leads to the desire or need to change a service provider, so it is important to be aware that we have data transfer rights. However, the Latvian data protection agency reminds us that such an option is available only if: a) the organisation's processing of the personal data is based on your consent or a concluded contract; b) the information has been provided by the person themselves; c) the data refers to the person who requests the data transfer.

Similarly, a person may face a situation where they need not delete personal data, but limit its processing. A situation may arise when an organisation holds personal data which is either inaccurate or out of date. If a person believes that their data is being processed illegally, they can also ask for its deletion or restriction of processing. There might be cases when the company does not need your personal data, but you need them to keep it, (eg, video surveillance records that a store normally deletes after a certain period of time but agrees to keep separately for police investigation needs). 

Finally, you can always ask to limit the processing of your data if you doubt that the legitimate interests of the controller are more important than your right to data protection. 

Harmful online design: The UK Information Commissioner’s Office and Competition and Markets Authority are calling for businesses to stop using harmful website designs that can trick consumers into giving up more of their data than they would like. It includes:

  • overly complicated privacy controls,
  • default settings that give less control over personal information, and
  • bundling privacy choices together in ways that push consumers to share more data.

Where consumers lack effective control over how their data is collected and used, this can harm consumers and also weaken competition. Lack of consumer control over cookies is a common example of harmful design. 

Parental control and connected devices: The French data protection regulator CNIL has issued an opinion on decrees implementing parental control over means of access to the Internet including the different functionalities that parental control devices will have to integrate on connected devices – smartphones, computers, video game consoles – blocking the download of applications and blocking access to content installed on terminals. Its activation must be offered free of charge, from the first commissioning of the device. They must also integrate the principles of personal data protection by design and by default. The CNIL has recommended two mandatory features, which could be activated according to the maturity of minors, to protect them when browsing the web:

  • blacklists to block access to sites or categories of sites previously determined by parents; and
  • whitelists to limit browsing to only previously authorized sites (for the youngest category). 

Enforcement decisions

TikTok in the EU: The EDPB settles dispute on TikTok processing of children’s data. The binding decision addresses the objections of the Irish, (lead), supervisory authority regarding the personal data processing of registered minors, (including those under 13 years old). The objections centred on whether there had been an infringement of data protection by design and default about age verification, and other design practices. The binding decision might result in a fine and other reprimands for the social media giant, which will become known in the next few weeks. 

AI at schools: In Canada, a case detailed by Osler’s lawyers considers the privacy of children in educational institutions when they are exposed to AI tools. In collaboration with a consulting firm, a school district developed an algorithm to target students who were at high risk of dropping out: a machine learning methodology analyses hundreds of types of raw data from a student database to generate a set of predictive indicators. The purpose limitation for such data processing was violated, according to the investigation commission.

When the data was initially obtained, students and their parents were not informed and hence did not consent to the use of the data to build predictive indicators of dropout risk. Even though the information was used for a purpose that was compatible with the school board’s goals of ensuring academic achievement, the regulator ordered the school to delete the tool’s existing output. It also requested that the school board carry out a privacy impact assessment before deploying the tool. More information on the case may be found in the original publication.

Police data leak: According to BBC News, the Northern Ireland Police Service has apologised for inadvertently disclosing the personal information of all 10,000 of its personnel. In response to a Freedom of Information request, the organisation provided the identities of all police and civilian staff, as well as their locations and functions. The FOI request requested a breakdown of all employee levels and grades from the PSNI. However, in addition to publishing a table indicating the number of personnel holding jobs such as constable, the PSNI also released a spreadsheet. This contained the surnames, initials, and other information of over 10,000 officers.

Carbon copy and sensitive data: The UK Commissioner’s Office has reprimanded two Northern Irish organisations for disclosing people’s information inappropriately via email. Both the Patient and Client Council and the Executive Office disclosed personal details by using inappropriate group email options. In the first case, the organisation sent an email to 15 people, each of whom had lived experience of gender dysphoria, using the carbon copy (cc) option. The people who received the email could reasonably infer that the other recipients also had experience of gender dysphoria, given their inclusion in the email. In the second case, following the report of the historical institutional abuse inquiry, the organisation sent an e-newsletter to 251 subscribers using the ‘to’ field. People included in the email were likely to be victims and survivors, as the newsletter content was tailored to survivors who were wishing to engage, or who were already engaging with the compensation scheme.
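Both reprimands stem from the same mistake: recipients placed in To or Cc can see each other. As an added example (not from the ICO or either organisation), the following pre-send check parses an outgoing message and blocks it when more than one external address is visible; the internal domain, the threshold and the sample messages are assumptions.

```python
"""Pre-send check for recipient exposure in group email.

Added example: flags messages whose visible To/Cc headers expose more
than one external recipient to the others. The internal domain, the
threshold and the three sample messages are constructed assumptions.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumption: colleagues in this domain seeing each other is not a disclosure.
INTERNAL_DOMAIN = "example.org"
# Assumption: at most one external address may be visible; more must go via Bcc.
MAX_VISIBLE_EXTERNAL = 1


def visible_recipients(msg: Message) -> list[str]:
    """Return normalised addresses that every recipient can see (To and Cc)."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sorted({addr.lower() for _, addr in getaddresses(raw) if addr})


def check_recipient_exposure(raw_message: str) -> dict:
    """Return a verdict for one RFC 5322 message given as a string.

    'blocked' is True when two or more external addresses are visible to
    each other; such mail must be sent individually or with recipients in Bcc.
    """
    msg = message_from_string(raw_message)
    visible = visible_recipients(msg)
    external = [a for a in visible if not a.endswith("@" + INTERNAL_DOMAIN)]
    bcc = [addr.lower() for _, addr in getaddresses(msg.get_all("Bcc", [])) if addr]
    return {
        "visible_external": external,
        "bcc_count": len(bcc),
        "blocked": len(external) > MAX_VISIBLE_EXTERNAL,
    }


# Constructed sample 1: the Cc mistake (every recipient sees the other two).
CC_MESSAGE = """\
From: engagement@example.org
To: engagement@example.org
Cc: a.person@mail.test, b.person@mail.test, c.person@mail.test
Subject: Follow-up for participants

Thank you for taking part.
"""

# Constructed sample 2: the To-field mistake (a newsletter sent to the list).
TO_MESSAGE = """\
From: newsletter@example.org
To: d.person@mail.test, e.person@mail.test, f.person@mail.test
Subject: Scheme update

Latest news for those engaging with the scheme.
"""

# Constructed sample 3: the safe form, recipients hidden in Bcc.
BCC_MESSAGE = """\
From: newsletter@example.org
To: newsletter@example.org
Bcc: d.person@mail.test, e.person@mail.test, f.person@mail.test
Subject: Scheme update

Latest news for those engaging with the scheme.
"""

if __name__ == "__main__":
    for name, raw in (("cc", CC_MESSAGE), ("to", TO_MESSAGE), ("bcc", BCC_MESSAGE)):
        print(name, check_recipient_exposure(raw))
```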

DDoS attack: The UK Information Commissioner also issued a reprimand to My Media World/ Brand New Tube. An unauthorised third party gained access to its systems and exfiltrated the personal data of 345,000 UK data subjects. The company has been unable to determine the specific cause of the incident, concluding on separate occasions that a server misconfiguration and a DDoS attack were responsible for the access to their systems. The company also did not have any evidence of appropriate technical and organisational measures to protect users’ data. The data affected included the names, email addresses and passwords of users. The organisation must now ensure they have:

  • appropriate contracts in place with any third-party providers which set out the roles and responsibilities of each party, 
  • maintained records of processing activities, and
  • regular scans and testing of their environment, with outcomes recorded and any issues addressed promptly.

More security best practices recommended to organisations by the ICO can be found here and here.

Data security

Connected beacons: Connected tags, which have been around for several years, make it possible to locate and find the objects to which they are attached. While the technology is useful for finding lost objects, states the French data protection regulator, many media stories show that they can be misused to track the location of people without their knowledge. Only the owner can detect the beacon and therefore track its movements. However, manufacturers of connected beacons have put different measures in place to allow you to detect them in case of doubt.

If you have an iPhone, you’ll get a notification when an AirTag you don’t own moves with you for a period of time. A feature will then allow you to connect to the AirTag to make it ring. If you have the latest version of Android, you will automatically receive a notification when an AirTag separated from its owner moves with you for a while. If you do not have a smartphone, the AirTag will beep to reveal its position if it is too far from its owner for a certain time.

The use of a connected beacon to follow a person without their consent is a criminal offence, punishable by one year’s imprisonment and a fine of 45,000 euros. More information on how to detect and disable the tags is in the original publication.

Big Tech

Meta compulsory fine: The Norwegian data protection authority has imposed a compulsory fine on Meta – approx. 90,000 euros per day. The background is that Meta does not comply with the Norwegian data protection authority’s ban on behaviour-based marketing on Facebook and Instagram. However, Meta has petitioned the Oslo district court for a temporary injunction against the ban. 

The ban does not prohibit personalised marketing on Facebook or Instagram as such. Meta can, for example, target marketing based on information that users enter on their profile, such as place of residence, gender and age, or interests that users themselves state that they want to see marketing about. The decision also does not prevent Meta from showing behaviour-based marketing to users who give valid consent to it.

Google user tracking: A US court denied Google’s request to dismiss a lawsuit alleging that the company violated the privacy of millions of individuals by secretly tracking their internet usage, Reuters reports. The plaintiffs claimed that Google’s analytics, cookies, and applications allowed the Mountain View, California-based business to follow their activities even when they used Google’s Chrome browser in “Incognito” mode and other browsers in “private” mode. The case covers Google users since June 2016 and demands at least 5000 euros in damages for each user.

Connected vehicles: Finally, the California privacy protection agency announced a review of data privacy practices by connected vehicle manufacturers and related technologies. These vehicles are embedded with several features including location sharing, web-based entertainment, smartphone integration, and cameras. Data privacy considerations are critical because these vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle. 

Data protection & privacy digest 13 – 26 Sept 2022: Google Analytics clash, caller identification, commercial practices & GDPR https://techgdpr.com/blog/data-protection-digest-27092022-google-analytics-clash-caller-identification-commercial-practices/ Tue, 27 Sep 2022 08:06:46 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: Google Analytics, risk assessment tool, work monitoring, privacy policy check-list, machine learning, APIs

The Danish data protection authority, following several other European counterparts’ decisions, concludes that the Google Analytics tool cannot be used legally without implementing several additional measures, (eg, effective pseudonymisation by using proxy servers), in addition to the settings provided by Google.

The Spanish privacy regulator AEPD launched an online tool that helps assess the level of risk of personal data processing. The tool allows an initial and non-exhaustive evaluation to be carried out, which, where appropriate, must be adjusted by each person in charge to determine an accurate risk level for the processing. 

The Latvian data protection authority DVI issued two guides, (in Latvian only), on online tools to organise remote work meetings and video surveillance of employees performing their work duties. The organisation must determine exactly why data processing during online meetings or in the workspace is necessary. The purpose of data processing must be determined precisely and realistically, and rest on one of the legal bases of the GDPR. A privacy notice is to be made available before data processing is started. If the organisation has a data protection specialist, they must be consulted for advice on carrying out the planned processing more appropriately.

Jersey’s privacy regulator has tried to demystify Art.12 of the GDPR – obligation to inform. It concludes that the most direct way to communicate to your data subjects is through writing clear statements. For the best transparency when constructing a robust privacy policy, view the regulator’s privacy policy checklist.

The use of application programming interfaces, (APIs), to share personal data can promote better data protection. The French regulator CNIL launched a draft recommendation on the technical and organisational measures to be applied. It aims to identify the cases in which an API is recommended to securely share personal data or anonymised information, and to disseminate best practices regarding their implementation and use. Data sharing here means the ability of identified reusers or the public to retrieve data held by an organisation, or the ability of data holders to transmit data for reuse by others. 

The EDPS explains 10 misunderstandings about Machine Learning. ML systems adapt autonomously to the patterns found among the variables in the given dataset, creating correlations. Once trained, these systems will use the patterns learned to produce their output. Typically, the training of ML systems requires large amounts of data, depending on the complexity of the task to be solved. However, adding more training data to a machine learning model development process will not always improve the system’s performance. On the contrary, more data could bring more bias. 

Legal processes: general data retention ban, Europol database, sensitive data, digital health infrastructure, commercial practices

In Germany, the Federal commissioner for data protection approved the CJEU preliminary ruling that the country’s general indiscriminate data retention, (IP-addresses, traffic, and location data), violates EU law. The law may only be applied in circumstances where there is a serious threat to national security defined under very strict terms, stated the top court. The retention law came into force after major attacks by Islamists in Europe and cost the country’s internet and telecom industries millions of euros. 

The EDPS is taking legal action as the new Europol Regulation puts the rule of law and EDPS independence under threat. The regulator requested that the CJEU annuls two provisions of the newly amended Europol Regulation, (which came into force on 28 June 2022). These new provisions, (articles 74a and 74b), have legalised Europol’s practice of processing large volumes of individuals’ personal data with no established link to criminal activity retroactively. The EDPS notes that the co-legislators have decided to retroactively make this type of data processing legal, overriding the EDPS Order which requests that Europol deletes concerned datasets. 

The privacy commissioner of Canada, along with his provincial and territorial counterparts, endorsed a resolution that encourages governments to implement a digital health communication infrastructure that would phase out the use of unencrypted email and fax communication in favour of more secure alternatives available to all Canadians. The pandemic has spurred rapid digital advancements in the delivery of services. At the same time, data breaches in the health sector continue, potentially leading to harm including discrimination, stigmatisation, and financial and psychological distress, states the regulator.

Meanwhile, US President Joe Biden has initiated a review of foreign investment for national security risks to sharpen focus, among other things, on threats to sensitive data. The executive order instructs the dedicated Committee to consider whether a “covered transaction involves a US business with access to US persons’ sensitive data and whether the foreign investor, for instance in biotechnology or AI, has, or the parties to whom the foreign investor has ties, have sought or had the ability to exploit such information.”  

A CJEU Advocate General suggests a competition authority may consider the compatibility of commercial practice with the GDPR. The non-binding opinion, (ahead of the court’s ruling), refers to Meta’s antitrust probe in Germany. The competition watchdog prohibited the practice of users having first to accept general terms which led to cookie placement, further data sharing with group services, (WhatsApp, Instagram), and linking the data to user accounts for advertising purposes. The freedom of consent in such a dominant position in the Social Media market is also an issue.

Investigations and enforcement actions: managing director as a dpo, Klarna bank, caller identification, data processing contract, image publication, legal professional privilege

The Berlin commissioner for data protection BlnBDI has imposed a 525,000 euro fine on a Berlin e-commerce group’s subsidiary due to a conflict of interest on the part of the company’s data protection officer. This person was at the same time the managing director of two service companies that processed data for the group. The DPO thus had to monitor compliance with data processing managed by himself.

The Swedish privacy protection authority IMY, in cooperation with Germany and Austria, is investigating complaints about Klarna Bank making data rectification or objection to direct marketing difficult. The complainants were asked for identification purposes via an unencrypted email service to provide: their name, date of birth, e-mail address, address, invoice and purchase details, and sometimes their telephone number.

Vodafone Romania was fined 2000 euros after not checking compliance with the caller identification procedure, which allowed third parties to fraudulently purchase new phones on behalf of some of the operator’s customers. Also, third parties could access data from contracts concluded by customers and data from personal accounts, such as name, address, contact phone number, PUK code, the contact number of the account holder, the SIM ID of the original card, billing and debt details, and data traffic.

In Poland, a personal data breach was reported, (followed by an administrative fine), in a cultural center. The investigation found that the administrator entrusted another entity for processing, without concluding a written contract, for keeping accounting books, records, (in finance, taxes), and documentation storage. The controller did not verify the processor, did not check whether it provided appropriate technical and organisational measures, and did not have any documents confirming the verification of the terms of cooperation. Additionally, any communication with the controller was ineffective.

The Spanish data protection authority AEPD fined a company, (Digitecnia Solutions), for publishing on its website an image of a complainant to illustrate the work they were doing. The image did not allow the complainant to be seen in full, but he can be seen in part. This, together with the fact he appeared linked to Digitecnia, was information that made this person identifiable. All this constituted the processing of the claimant’s personal data, which he was not aware of. 

The Isle of Man information commissioner issued an enforcement notice to Sentient International regarding the company’s refusal to comply with a data subject access request. Sentient decided to restrict the data subject’s right of access, believing that the right of access does not apply to data that consists of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings. The regulator clarified that the rule applies to some documents, but not personal data therein, such as communications that were not made for the dominant purpose of obtaining or providing legal advice. Also, professional legal privilege cannot be applied retrospectively.

Data security: data put online by hackers, SMEs, IoT, and ZTA in a mobile world

The French privacy regulator CNIL notes a clear increase in data breach notifications, nearly half resulting from ransomware attacks. In some cases, users’ personal data may be put online by hackers. If a violation concerns you, the responsible body must inform you as soon as possible. The CNIL is not able to tell you if a breach impacts your data. Some websites indicate that they hold the data and can tell you whether or not you are concerned. The CNIL advises against using them. 

The German federal office for information security has published a guide on cybersecurity for small and medium-sized enterprises. It offers SMEs an easy-to-understand introduction to improving their cyber security level because information security is the prerequisite for secure digitisation. It starts with the most important basics of IT security – briefly and concisely based on 14 questions. Among other things, it provides information on who is responsible for information security in the company, why patches and updates should be installed regularly, why an anti-virus program is necessary, and why data backup is so important.

Zero trust architecture, (ZTA), is not a new concept, but there is renewed interest in implementing zero-trust principles for an organization’s mobile administrators, states the US NIST. Due to the pandemic, many employees have transitioned to remote/telework options. The portability of mobile devices makes it easier to respond promptly to emails, attend virtual meetings, and use special work apps from anywhere. In this new environment, mobile devices are now another endpoint connected to enterprise resources and can put the entire enterprise at risk if compromised or stolen.

The NIST IoT Cybersecurity Program also released two new documents:

Big Tech: Uber, Optus, and TAP cyberattacks, World Cup data analysis app

Uber’s EXT contractor had their account compromised by an attacker. The attacker likely purchased the contractor’s Uber corporate password on the dark web after their device had been infected with malware. The attacker then tried logging in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, the contractor accepted one, and the attacker successfully logged in. From there, the attacker accessed other employee accounts which gave the attacker permission to use several tools, including G-Suite, and Slack. 
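The pattern described here, repeated push prompts that are refused until one is finally approved, is visible in authentication logs. As an added example (not from Uber's own incident material), the following detector flags an approval preceded by a burst of unapproved prompts; the log format, event names, thresholds and the log lines themselves are constructed assumptions.

```python
"""Detect MFA push fatigue in authentication logs.

Added example: flags a login approval that follows a burst of push prompts
the user did not approve. The log format, event names, thresholds and the
sample log lines are constructed assumptions, not a real product's output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: this many unapproved prompts in the window before an approval
# is a spray of prompts, not one user fumbling a single login.
PROMPT_THRESHOLD = 3
WINDOW = timedelta(minutes=30)

# Constructed sample: contractor01 denies or ignores three prompts, then
# approves a fourth; alice approves her single prompt normally.
CONSTRUCTED_LOG = """\
2022-09-15T22:01:10Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T22:01:40Z user=contractor01 event=mfa_push_denied src=203.0.113.7
2022-09-15T22:03:05Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T22:03:50Z user=contractor01 event=mfa_push_timeout src=203.0.113.7
2022-09-15T22:06:12Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T22:06:30Z user=contractor01 event=mfa_push_denied src=203.0.113.7
2022-09-15T22:10:02Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T22:10:21Z user=contractor01 event=mfa_push_approved src=203.0.113.7
2022-09-15T09:00:00Z user=alice event=mfa_push_sent src=198.51.100.4
2022-09-15T09:00:15Z user=alice event=mfa_push_approved src=198.51.100.4
"""


def parse_line(line: str) -> dict:
    """Parse 'ISO-timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def detect_push_fatigue(log_text: str, threshold: int = PROMPT_THRESHOLD,
                        window: timedelta = WINDOW) -> list[dict]:
    """Return one alert per approval preceded by >= threshold unapproved prompts.

    Prompts are tracked per user and stay pending until an approval arrives,
    which clears that user's history. The prompt the approval answers is not
    counted, so only the earlier, unapproved prompts contribute.
    """
    records = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    pending: dict[str, list[datetime]] = defaultdict(list)
    alerts = []
    for rec in records:
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        if event == "mfa_push_sent":
            pending[user].append(ts)
        elif event == "mfa_push_approved":
            recent = [t for t in pending[user] if ts - t <= window]
            prior = recent[:-1]  # drop the prompt this approval answers
            if len(prior) >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "prior_prompts": len(prior),
                    "src": rec.get("src"),
                })
            pending[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(CONSTRUCTED_LOG):
        print(alert)
```

The same logic, fed from an identity provider's push events, gives a SOC a concrete trigger for the step-up controls (number matching, prompt rate limits) that defeat this technique.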

Sensitive information about TAP Air Portugal’s customers has also been shared on the dark web after a cyberattack. The attackers were booted from the system but not before gaining access to sensitive data, including name, nationality, gender, date of birth, address, email, telephone contact, customer registration date, and frequent flyer number. It is unclear how long the hackers had access to the system. However, the airline has assured its passengers that the breach has not affected their flights.

Australia’s major telecommunications company Optus experienced a cyberattack that leaked personal data of up to 10 million customers, in one of Australia’s biggest cybersecurity incidents. An offshore-based entity, possibly in Europe, had broken into the company’s customer information database, accessing home addresses, driver’s licenses, and passports. Stolen customer data and credentials may be sold through several forums including the dark web.

World Cup players to get FIFA data analysis app. Players at the finals will be able to browse their performance data on a purpose-built app developed by the governing body which allows footballers of all 32 teams access to analysis and information. The data will be synced with a video of the action to allow a quick assessment of key moments. While such data and metrics are widely available to players with the top clubs and national sides, who employ teams of analysts, the app will ensure teams with fewer resources compete on a level playing field, Reuters reports.

Data protection & privacy digest 16 – 29 Aug 2022: data subject complaints, inappropriate reliance on consent & Smart TV reset https://techgdpr.com/blog/data-protection-digest-30082022-data-subject-complaints-inappropriate-reliance-on-consent-smart-tv-reset/ Tue, 30 Aug 2022 09:21:56 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: data subject complaints, new business, identity cards, traffic licenses, TCF/OpenRTB, education platforms, insolvency claims, data sent by mistake, dpos

The UK Information Commissioner’s Office offers a brief guide on how to deal with data subject complaints, (your staff, contractors, customers), when you are a small business. The main steps are as follows: 

  • Respond as soon as possible, in plain language, to let the customer know you’ve received their data protection complaint and are looking into it. 
  • Let them know when they can expect further information from you and give them a point of contact. Include information about what you’ll do at each stage.
  • Send them a link to a complaints procedure, (if there is one). 
  • Check the complaint has come from an appropriate person. 
  • Check all the details of their complaint against the information you hold.
  • Ask for additional information if necessary. 
  • Update them so they know you’re working to resolve the issue. 
  • Record all your actions and due dates, and keep copies of relevant documents and conversations.

Starting a new business? The Jersey data protection regulator offers a quick guide on customer information, employee details, contact or payment details for suppliers and contractors, and other data points you’ll need to take responsibility for when getting a new business venture off the ground. The measures may include training your staff, limiting administrative rights, minimising data collection and storage, locking sensitive data, drafting a privacy policy, regular software updates and more. But even simple actions like turning off the ‘auto-complete’ function for email addresses or avoiding email forwarding may save you from personal data breaches. 

Financial institutions, for a range of services such as setting up and maintaining a bank account, electronic banking services, granting a loan or even a transfer order, make copies of our identity documents. The Polish data protection authority UODO assumes that such copying is not allowed in any situation. For instance, the country’s banking law allows processing information contained in identity documents, but this does not give the right to make copies. In many cases, it is enough to show an identity document for inspection. On the other hand, anti-money laundering and financing of terrorism legislation entitles financial institutions to make copies of identity documents. Before applying financial security measures, institutions must assess whether it is necessary to process the personal data of a natural person contained in the copy of the identity card for these purposes. According to the principles of purpose limitation and data minimisation, personal data must be collected for specific, explicit and legitimate purposes, using relevant criteria and limited to what is necessary for the purposes for which they are processed.

The Hungarian data protection authority NAIH issued a notice on data processing related to the reading of the bar code on vehicle registration certificates (traffic licences) at filling stations. According to the submissions received by the regulator, in order to sell fuel at the official price, a fuel provider reads the bar code on the vehicle registration certificate (or records the vehicle’s registration number) and stores it in its system. The data is then forwarded for tax control purposes. No information about this processing was available to customers at the filling stations, and employees were unable to provide any meaningful information. The NAIH opened an ex officio investigation into the lawfulness of the processing, and into whether the tax authority and the fuel providers had complied with Art. 13 of the GDPR.

The Latvian data protection authority DVI recently issued a series of recommendations, (in Latvian), including:

  • To evaluate the use of TCF and OpenRTB systems. Following the Belgian regulator’s decision, the transparency and consent system created by IAB Europe and the real-time bidding system were recognised as non-compliant. The decision stipulates that personal data obtained through TCF must be deleted immediately. This means that organisations using the tools, (website/app operators, advertisers and online ad technology companies), must stop using the tool, (unless it uses non-personal data).
  • What to do if another person’s data has been received by mistake (do not open it, do not publish it, do only the minimum research needed to identify the sender, notify the sender and let them resolve the situation themselves, etc.).
  • Safe use of online platforms used during the educational process.
  • The processing of personal data by insolvency administrators in the register of creditors’ claims, and
  • Functions and tasks of a data protection specialist.

Legal processes: EU Data Act, Quebec Bill 64, California privacy laws, China cross-border transfers

The Czech Presidency of the EU Council brought more clarity to the proposed Data Act, namely the part that refers to public sector bodies’ access to privately held data, Euractiv.com reports. Public authorities might request data, including the relevant metadata, if timely access to it is necessary to fulfil a specific task in the public interest (eg, local transportation, city planning and infrastructural services). At the same time, safeguards for requests involving personal data have been added: the public body will have to explain why the personal data is needed and what measures are taken to protect it. The top priority should be anonymisation, or at least aggregation and pseudonymisation, of the collected data.

In Quebec, the first amendments under Bill 64 (which modernises data protection legislative provisions) to the Quebec Privacy Act and the Quebec IT Act come into force on 22 September. They create an obligation for a person carrying on an enterprise to protect personal information and automatically designate the person exercising the highest authority within the enterprise as the person in charge. Other provisions introduce mandatory reporting of confidentiality incidents, registration of biometric information databases no later than 60 days before they are put into service, notification of any process used to verify or confirm an individual’s identity based on biometric data, and allow disclosure of personal data necessary for commercial transactions (eg, mergers, leasing).

In California, the new privacy rights act, the CPRA, takes effect on 1 January 2023, while the new California Privacy Protection Agency is consulting on draft regulations, with special attention to the draft American Data Privacy and Protection Act and its possible preemptive effect on California privacy laws. Other key regulatory issues include data processing agreements, programmes for exercising data subject rights, data minimisation and valid consent requirements, and the prohibition of “dark patterns”.

China will enforce its cross-border data transfer rules from 1 September. Consequently, many critical industries such as communications, finance and transportation will face additional checks under the country’s latest cybersecurity, data security and personal information protection legislation. Security reviews will apply to companies seeking to transfer the personal data of 100,000 or more people (10,000 or more for sensitive data), companies that handle the personal data of 1 million or more people, and operators that transfer the personal information of at least 100,000 individuals cumulatively in a year. Businesses will have to explain to government investigators the purpose of the transfer, the security measures in place, and the laws and regulations of the destination country. More details on the new regulatory framework can be found in this guidance by KPMG China.

Enforcement actions: commercial prospecting, employee’s consent, smart TV reset, Chromebook ban, PHI disposal, medical results without encryption

A famous French hotel group was slapped with a 600,000 euro fine by the privacy regulator CNIL for carrying out commercial prospecting without customers’ consent when they made a reservation directly with hotel staff or on the website. The consent box for receiving the newsletter was pre-checked by default. A technical glitch also prevented a number of people from opting out of such messages for several weeks. As the processing in question was implemented in many EU countries, the EDPB was asked to rule on the dispute concerning the amount of the fine, and the CNIL was then asked to increase the sum so that the penalty would be more dissuasive.


Guernsey’s data protection authority has issued a reprimand (a formal recognition of wrongdoing) to HSBC Bank’s local branch for inappropriate reliance on consent. An employee felt obliged to consent to providing sensitive information about themselves in connection with what they believed was a possible internal disciplinary matter, and then made a formal complaint. In the authority’s opinion, reliance on “consent” where a clear imbalance of power exists is inappropriate, as it is difficult for employers to demonstrate that consent was freely given. Although in this case the controller ceased processing as soon as concerns were raised, it nonetheless continued to cite consent as the justification for the processing. How to manage data protection in employment? See Guernsey’s latest guide.

The Danish data protection authority expressed serious criticism of the retailer Elgiganten A/S after a returned television, which had not been reset to wipe the previous owner’s personal data, was stolen during a break-in at its warehouse. As a result, a third party gained access to the TV and thus to the streaming services the complainant was still logged into, as well as to the browsing history. Before the break-in, the company had carried out a risk assessment for theft of its products and rated the risk as high, so the warehouse was secured with locks, a high wall, surveillance cameras and motion sensors. The burglar gained access simply by punching a hole in the wall.

The Danish data protection authority is maintaining its ban on Chromebook use by Helsingør Municipality, on the grounds of high risks to individuals. The regulator stated that the decision does not prohibit the use of Google Workspace in schools in general, but that the municipality’s specific use of certain tools is not justifiable with regard to children’s data. The municipality had assessed that Google only acts as a data processor, but in the regulator’s opinion Google acts in several areas as an independent data controller, processing personal data for its own purposes in the US.

The Danish regulator ruled that the municipality cannot reduce the risk to an acceptable level without changes to the contract basis and the technology the municipality has chosen to use. Although the decision specifically relates to the processing of personal data in Helsingør Municipality, the regulator encourages other municipalities to look at the same areas in relation to unauthorised disclosure and transfers to unsafe third countries.

A recent HIPAA settlement (over 300,000 dollars) offers lessons on data disposal and the meaning of Protected Health Information (PHI), workplaceprivacyreport.com reports. A dermatology practice reported a breach last year after empty specimen containers with PHI labels were placed in a garbage bin in the practice’s car park. The labels included patient names and dates of birth, dates of sample collection, and the name of the provider who took the specimen. The workforce should have been trained to follow disposal policies and procedures. Such requirements can include: shredding, burning, pulping or pulverising records so that PHI is rendered essentially unreadable; storing labelled prescription bottles in opaque bags in a secure area; and using a disposal vendor, as a business associate, to pick up and shred or otherwise destroy the PHI.

The Belgian data protection authority also fined a laboratory 20,000 euros for insufficient security measures, a missing DPIA and a missing privacy policy (Art. 5, 12-14, 32 and 35 of the GDPR), Data Guidance reports. Namely:

  • the laboratory webpage allowed doctors to remotely consult the medical results of patients without employing any encryption;
  • the laboratory failed to conduct a DPIA for the large-scale processing of health data;
  • while disputing that the health data had been processed on a large scale, it failed to clarify what criteria it used to determine this;
  • the laboratory failed to include on its webpage a privacy policy covering the maintenance of the above-mentioned medical results.

Data security: cyber security breaches landscape, personal data bought by FBI, social engineering on healthcare

The UK government published an in-depth qualitative study of a range of businesses and organisations that have been affected by cyber security breaches. The findings help businesses and organisations understand the nature and significance of the cyber security threats they face, and what others are doing to stay secure; they also support the government in shaping future policy in this area. The guide contains 10 practical case studies covering, among other things, the level of existing cyber security before a breach, how the type of cyber attack was determined, and how businesses and organisations act in the immediate, medium and long-term aftermath of a breach.

Top US Democrats in Congress are demanding that the FBI and the Department of Homeland Security detail their alleged purchases of Americans’ personal data, Gizmodo.com reports. They suspect federal law enforcement agencies of using commercial dealings with data brokers and location aggregators to sidestep warrant requirements when obtaining Americans’ private data. Reportedly, the data points may include, among others, records of internet browsing activity and precise locations. The demand includes the release of documents and communications between the agencies and the data brokers with whom they may have dealings or contracts.

The US Health Sector Cybersecurity Coordination Center published guidance on the impact of social engineering on healthcare. Social engineering is the manipulation of human psychology for one’s own gain. “A social engineer can manipulate staff members into giving access to their computers, routers, or Wi-Fi; the social engineer can then steal Protected Health Information, (PHI), Personal Identifiable Information, (PII), or install malware posing a significant threat to the Health sector”, says the study. It also answers the questions on phases, types of social engineering attacks, (eg, tailgating, vishing, deepfake software, smishing, baiting and more), the personality traits of a social engineer, data breaches and steps to protect your organisation.

Big Tech: US mobile carriers, Google location data, Cambridge Analytica settlement, TikTok iOS app, Oracle class action

The US Federal Communications Commission will investigate mobile carriers’ compliance with disclosure to consumers how they are using and sharing location data, Reuters reports. Top mobile carriers like Verizon, AT&T, T-Mobile, Comcast, Alphabet’s Google Fi and others were requested to detail their data retention and privacy policies and practices. Recent enforcement of anti-abortion legislation in many states also raised concern that the police could obtain warrants for customers’ search histories, location and other information that would reveal pregnancy plans. Last month Google responded to this by promising to delete location data showing when users visit an abortion clinic.

The Federal Court of Australia ordered Google to pay 60 million dollars for misleading consumers about the collection and use of personal location data. Google was found guilty of misleading and deceptive conduct in breach of Australian Consumer Law. The conduct arose from representations made about two settings on Android devices, “Location History” and “Web & App Activity”. Some users noticed that the Location History default setting had changed from “off” to “on”. Another misleading practice was telling some users that having the Web & App Activity setting turned “on” would not allow Google to obtain, retain or use personal data about the user’s location.

Facebook agreed to settle a lawsuit seeking damages for allowing Cambridge Analytica access to the private data of tens of millions of users, The Guardian reports. Facebook users sued the tech giant in 2018 after it emerged that the British data analytics firm, connected to former US president Donald Trump’s successful 2016 campaign for the White House, gained access to the data of as many as 87 million of the social media network’s subscribers. Reportedly, if owner Meta had lost the case it could have been made to pay hundreds of millions of dollars.  

Reportedly, when you open any link in the TikTok iOS app, it is opened inside the app’s in-app browser. While you are interacting with the website, TikTok subscribes to all keyboard input (including passwords, credit card information, etc.) and to every tap on the screen, such as which buttons and links you click. The discovery was made by software engineer Felix Krause. You can read more technical analysis of the most popular iOS apps that have their own in-app browser in his original publication.

Finally, the Irish Council for Civil Liberties, (ICCL), started a class action against Oracle in the US for its worldwide surveillance machine. Oracle is an important part of the tracking and data industry. It claims to have amassed detailed dossiers on billions of people, and generates over 42 billion dollars in annual revenue. Oracle’s dossiers may include names, addresses, emails, purchases online and in the real world, physical movements, income, interests and political views, and a detailed account of online activity. For example, one database included a record of a man who used a prepaid debit card to place a 10 euro bet online. Oracle also coordinates a global trade of people’s dossiers through the Oracle Data Marketplace, claims the ICCL. You can view the full complaint here.

The post Data protection & privacy digest 16 – 29 Aug 2022: data subject complaints, inappropriate reliance on consent & Smart TV reset appeared first on TechGDPR.

Weekly digest 4 – 10 July 2022: DSA and DMA adopted, setting standards on EU digital service providers
https://techgdpr.com/blog/weekly-digest-11072022-dsa-and-dma-adopted-setting-clear-standards-on-eu-digital-service-providers/ Mon, 11 Jul 2022 12:13:25 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: DSA and DMA, China’s data exporters, ransom payments, CASPs

Last week, the European Parliament adopted the new Digital Services Act (DSA) and Digital Markets Act (DMA), following a deal reached between Parliament and Council. The two bills aim to address the societal and economic effects of the tech industry by setting clear standards for how tech companies operate and provide services in the EU, in line with the EU’s fundamental rights and values. The DSA sets clear obligations for digital service providers, such as social media or marketplaces, to tackle the spread of illegal content, online disinformation and other societal risks. These requirements are proportionate to the size of the platforms and the risks they pose to society. The new obligations include:

  • New measures to counter illegal content online and obligations for platforms to react quickly, while respecting fundamental rights, including the freedom of expression and data protection.
  • Strengthened traceability and checks on traders in online marketplaces to ensure products and services are safe; including efforts to perform random checks on whether illegal content resurfaces.
  • Increased transparency and accountability of platforms, for example by providing clear information on content moderation or the use of algorithms for recommending content, (so-called recommender systems); users will be able to challenge content moderation decisions.
  • Bans on misleading practices and certain types of targeted advertising, such as those targeting children and ads based on sensitive data. So-called “dark patterns” and misleading practices aimed at manipulating users’ choices will also be prohibited.
  • Very large online platforms and search engines, (with 45 million or more monthly users), which present the highest risk, will have to comply with stricter obligations, enforced by the Commission, (preventing systemic risks, independent audits). They will also have to facilitate access to their data and algorithms to authorities and vetted researchers.

At the same time, the DMA sets obligations for large online platforms acting as “gatekeepers” (platforms whose dominant online position makes them hard for consumers to avoid) on the digital market, to ensure a fairer business environment and more services for consumers. To prevent unfair business practices, those designated as gatekeepers will have to:

  • allow third parties to interoperate with their own services, meaning that smaller platforms will be able to request that dominant messaging platforms enable their users to exchange messages, voice messages or files across messaging apps. This will give users greater choice and avoid the so-called “lock-in” effect, where they are restricted to one app or platform;
  • allow business users to access the data they generate in the gatekeeper’s platform, to promote their own offers and conclude contracts with their customers outside the gatekeeper’s platforms.

Gatekeepers can no longer:

  • Rank their own services or products more favourably, (self-preferencing), than other third parties on their platforms;
  • Prevent users from easily un-installing any pre-loaded software or apps, or using third-party applications and app stores;
  • Process users’ personal data for targeted advertising, unless consent is explicitly granted.

Once formally adopted by the Council in July, (DMA), and September, (DSA), both acts will be published in the EU Official Journal and enter into force twenty days after publication. Their application will start through 2023-2024. 

Meanwhile, China’s cyberspace regulator (CAC) clarified that rules requiring data exports to undergo security reviews will take effect from 1 September, the first time it has given a start date for a new regulatory framework that will affect hundreds, if not thousands, of Chinese companies, Reuters reports. According to Data Guidance’s report, the measures set out the cases in which a data exporter must submit a data export security assessment to the CAC through the provincial cybersecurity and informatisation department, namely where:

  • the data processor provides important data overseas;
  • the data processor is a critical information infrastructure operator and the data processor processes the personal information of more than 1 million people;
  • the data processor processes the personal information of 100,000 people or the sensitive information of 10,000 people since 1 January of the previous year; or
  • other situations required to declare data export security assessments as provided by the CAC.

The data export security assessment combines prior assessment with continuous supervision, and risk self-assessment with security assessment. In addition, the measures state that a data processor’s pre-assessment should focus on, among other things, the responsibilities and obligations that overseas recipients are subject to, the risk of data being tampered with, destroyed or leaked, and whether data export contracts fully stipulate the responsibilities and obligations for data security protection. The full legal text (in Chinese) is available here.

The UK National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) say it is incorrect for organisations to assume that paying a ransom a) is the right thing to do and means they need not engage with the ICO as regulator, or b) will earn them a benefit by way of reduced enforcement. In a joint statement, both organisations therefore advise solicitors not to advise clients to pay ransomware demands should they fall victim to a cyber-attack. Paying a ransom to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered a reasonable step to safeguard data.

The European Parliament and Council negotiators also reached a provisional deal on a new bill aiming to ensure that crypto transfers, (like bitcoins and electronic money tokens), can always be traced and suspicious transactions blocked. The legislation is part of the new EU anti-money laundering package and will be aligned with the Markets in Crypto-assets rules, (MiCA). The agreement extends the so-called “travel rule”, already existing in traditional finance, to cover transfers in crypto assets. This rule requires that: 

  • Information on the source of the asset and its beneficiary travels with the transaction and is stored on both sides of the transfer. 
  • Crypto-assets service providers, (CASPs), will be obliged to provide this information to competent authorities if an investigation is conducted into money laundering and terrorist financing.
  • There are no minimum thresholds nor exemptions for low-value transfers, as originally proposed. Regarding protecting personal data, including a name and an address required by the travel rule, negotiators agreed that if there is no guarantee that privacy is upheld by the receiving end, such data should not be sent.
  • Before making the crypto-assets available to beneficiaries, providers will have to verify that the source of the asset is not subject to restrictive measures or sanctions, and there are no risks of money laundering or terrorism financing.

The rules would also cover transactions from so-called un-hosted wallets (a crypto-asset wallet address in the custody of a private user) when they interact with hosted wallets managed by CASPs. If a customer sends or receives more than 1,000 euros to or from their own un-hosted wallet, the CASP will need to verify whether the un-hosted wallet is effectively owned or controlled by that customer. The rules do not apply to person-to-person transfers conducted without a provider, such as bitcoin trading platforms, or to transfers among providers acting on their own behalf.

Official guidance: employees location, insurance applications, local authorities, commercial interest vs. consent

The Finnish data protection ombudsman asked service providers in the public sector for a report on use of the location data function in computers used by employees in the municipal sector. The background for the report was a notification of a data security breach filed by a hospital district, when settings that allowed the collection of location data were switched on in employees’ Windows 10 workstations and remote work laptops, although there was no intention to collect the data. As a result, the regulator found that:

  • The hospital district did not have a need required by law for processing employees’ location data.
  • The hospital district did not appropriately review what data it intended to collect. 
  • Since the employees’ location data were unnecessary for the employer and collected unintentionally, these data should not have been processed. In order to ensure data protection by default, the hospital district should have reviewed the basic settings of the system and noticed that the location function was switched on before deploying the workstations. 
  • Since the location function was switched on, employees’ personal data were delivered to Microsoft as well.

The regulator ordered the erasure of any historical data, location logs and other personal data created during use of the location data function. 

The Finnish ombudsman has also investigated the procedures of insurance companies when they request the health information of insurance applicants and insured persons from health care providers in order to determine the insurance company’s liability. Deficiencies were found, especially in the appropriate scoping of the information requested from the health care provider and in the lawfulness of the processing. The insurance companies justified the processing of policy applicants’ health data on the basis of a provision of data protection law under which an insurance institution may process a client’s or claimant’s health data that is necessary to determine the institution’s liability.

The regulator states that the provision of the data protection law in question only applies to the processing of the data of the insured and the claimant. Insurance companies cannot process the insurance applicant’s health information or request personal information from the health care provider during the insurance application phase, based on the regulations, because the contract has not yet been concluded. It is possible to process health data under certain conditions if the person has given valid consent. However, it requires that the person is told precisely what information is collected about them and for what purposes it is used. Asking for consent in a general way without detailing the information and purposes of use therefore does not meet the requirements of the data protection regulation.

The French data protection regulator CNIL published a guide on the obligations and responsibilities of local authorities with regard to data protection. The study was conducted at the end of 2021. Focusing on communities smaller than 3,500 inhabitants, which represent 91% of municipalities in France, this study aimed to understand digital usage, identify risks/obstacles and data needs. It appeared that the majority of respondents are not aware of the legal framework in force, with the exception of the GDPR. The provisions relating to competences and responsibilities in the field of digital security are little or not known to local elected officials and territorial agents, who consider cybersecurity regulations to be particularly complex.


The purpose of this guide is to inform local elected officials and territorial agents about the obligations related to: a) the protection of personal data; b) the implementation of local teleservices; c) the hosting of health data. The guide also recalls the different types of legal liability (administrative, civil and criminal) to which local authorities and their public institutions are exposed in the event of cyberattacks and related damage.

The European Commission says that the Dutch data protection authority AP is hindering free enterprise in the EU by interpreting privacy legislation too strictly. The legal battle concerns the dispute between the AP and the streaming service VoetbalTV. The service broadcast video footage of amateur matches via the internet for, among others, players, trainers and fans. More than 150 clubs used it, until the AP imposed a fine of 575,000 euros on the service in 2019. VoetbalTV then went bankrupt.

According to the AP, the profit motive of the company could never constitute a ‘legitimate interest’ for the broadcasting of the images without the individual consent of players and the public. According to Brussels, the Dutch supervisory authority did not strike the right balance between the right to data protection on the one hand and the freedom of undertaking on the other. Additionally, in 2020, a Dutch court reportedly ruled that VoetbalTV did not have to pay the fine, as personal data may sometimes also be processed when there is only a commercial interest. The AP had appealed against this decision.

Investigations and enforcement actions: website security, data protection requests, employment certificate, cookies, account deletion, health data

As part of one of its priority themes, “the cybersecurity of the French web”, the CNIL carried out a series of online checks of twenty-one websites of French public sector bodies (municipalities, university hospitals, ministries, etc.) and of the private sector (e-commerce platforms, IT solution providers, etc.). The CNIL’s verifications focused mainly on the following technical and organisational flaws:

  • unsecured (HTTP) access to websites; many actors used obsolete versions of the TLS protocol to secure data in transit, and non-compliant certificates and cryptographic suites for exchanges with the servers of the inspected sites;
  • lack of mechanisms to detect and log abnormal connections to servers;
  • use of insufficiently robust passwords, and renewal procedures that do not sufficiently secure their transmission and storage.

The bodies on notice have a period of three months to take any measure to ensure an appropriate level of security.

The Finnish company Otavamedia was penalised for shortcomings in the implementation of data protection rights. Between 2018 and 2021, eleven cases concerning Otavamedia were brought to the office of the data protection commissioner. Among other things, the complainants had not received an answer to their requests or inquiries regarding data protection rights. According to the report provided by Otavamedia, some of the data protection requests had not been implemented due to a technical problem with the e-mail control in connection with the change of digital service providers. During the error situation, the messages that arrived in the e-mail box reserved for data protection matters were not forwarded to the customer service staff. The situation was discovered only after the data protection authority’s request for clarification. 

Otavamedia should have taken care to test the e-mail box, as it is the main electronic contact channel for data subjects in data protection matters. Additionally, data subjects could make requests to Otavamedia regarding their own information using a printable form, which required the person’s signature for identification purposes. The regulator considers that with this method Otavamedia collected an unnecessarily large amount of data for identification purposes: Otavamedia does not process signature data in any other context, so it was not possible, for example, to compare signatures with previously held information.

In the first half of 2022, the Czech office for personal data protection UOOU monitored compliance with the GDPR in connection with the setting of the processing of cookie files by various operators of web portals and pages, based on both complaints received and the monitoring plan. Among the main shortcomings detected by the regulator are: 

  • Use of non-technical cookies without consent.
  • A disproportionately long period of validity of cookies in relation to their purpose.
  • Absence of the choice for expressing disagreement with the non-technical cookies in the first layer of the cookie bar.
  • Wrong categorisation of cookies.
  • Absence of information about specific cookies used.
  • The difference in the visibility of the consent and non-consent buttons for the use of non-technical cookies.
  • Information about cookies in a foreign language.
  • The cookie bar makes it difficult or impossible to read the website.

The Polish supervisory authority UODO was notified of potential inaccuracies related to the processing of personal data by a manufacturing company, (Esselmann Technika Pojazdowa). The company made an informed decision not to notify a breach involving an important document of one of its employees to the supervisory authority, despite the letters addressed to it indicating a possible risk to the rights or freedoms of the persons concerned in this case. In the course of explanatory actions by the regulator the loss of a document from the personal file of a company employee – an employment certificate – was revealed. The certificate of employment contains a lot of important information about the person, including:

  • the period(s) of employment;
  • the procedure and legal basis for the termination or expiry of the employment relationship;
  • parental and child care leave taken;
  • information on the amount of remuneration and qualifications obtained – at the employee’s request;
  • information on enforcement seizure of remuneration.

Taking the above into account, the Polish regulator imposed a fine of approx 3,500 euros.

The Irish data protection authority DPC published its recent decision concerning Twitter International Company. In 2019, the complainant alleged that, following the suspension of their Twitter account, Twitter failed to comply with an erasure request they had submitted to it within the statutory timeframe. Further, the complainant alleged that Twitter had requested a copy of their photographic ID in order to action their request without a legal basis to do so. Finally, the complainant alleged that Twitter had retained their personal data following their erasure request without a legal basis to do so.

While the complaint was lodged directly with the DPC by an individual who resides in the UK, the DPC considered that the nature of the data processing operations complained of could have a substantial effect, and that the type of processing meets the definition of cross border processing. As a result, the DPC ordered Twitter, pursuant to Article 58 of the GDPR, to revise its internal policies and procedures for handling erasure requests to ensure that data subjects are no longer required to provide a copy of photographic ID when making data erasure requests, unless it can demonstrate a legal basis for doing so. 

Data relating to health enjoys enhanced protection and, subject to the exceptions provided for by the law, dissemination is prohibited. Administrative transparency cannot violate people’s privacy. For these reasons, the Italian privacy regulator ‘Garante’ sanctioned the Roma local health authority 46,000 euros. It had published in clear text on its website all the names and data relating to the health of the subjects who had requested civic access in 2017 and 2018. In most cases, the documents concerned the health records of the persons concerned, including medical records, disability assessments, tests, technical reports, etc. The first serious violation detected by the Authority, which took action ex officio, was therefore the dissemination of data on the health of the subjects concerned, information relating to both their physical and mental state, including the provision of health care services.

Data security: cybersecurity threat landscape

The European Union Agency for Cybersecurity provided simple steps to map the cybersecurity threat landscape. The methodology aims at promoting consistent and transparent threat intelligence sharing across the EU, (including but not limited to public bodies, policy makers, cybersecurity experts, industry, vendors, solution providers, SMEs). The framework is based on the different elements considered in the performance of the cybersecurity threat landscape analysis. It therefore includes the identification and definition of the process, the methods and tools used as well as the stakeholders involved. Building on the existing modus operandi, this methodology provides directions on the following:

  • defining components and contents of each of the different types of CTL;
  • assessing the target audience for each type of CTL to be performed;
  • how data sources are collected;
  • how data is analysed;
  • how data is to be disseminated;
  • how feedback is to be collected and analysed.

The methodology consists of six main steps, each with an associated feedback stage: direction, collection, processing, analysis and production, dissemination, and feedback. You can download the full methodology guide here.

Big Tech: Apple’s new lockdown mode, Chinese CCTV in UK

Apple’s latest iOS 16 security tool can defend against a state-sponsored cyberattack on your iPhone, cnet.com reports. In short, new Lockdown Mode increases security capabilities on iOS 16, iPadOS 16, and macOS Ventura by limiting certain functions that may be vulnerable to attack: 

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.
  • Configuration profiles cannot be installed, and the device cannot enrol into mobile device management, (MDM), while Lockdown Mode is turned on.

Meanwhile, a cross-party group of UK MPs has called for a ban on two Chinese surveillance camera brands widely used in Britain, according to Yahoo News. The AI-enabled cameras are capable of facial detection, gender recognition and behavioural analysis and offer advanced features such as identifying fights or whether someone is wearing a face mask. The two brands, Hikvision and Dahua, are widely used by government bodies in the UK, by 73% of councils across the UK, 57% of secondary schools in England, and six out of 10 NHS Trusts. Reportedly, Hikvision and Dahua are now banned from trading in the US over security concerns and evidence of their widespread use in so-called “re-education” camps in China. The MPs’ call for action also includes “an independent national review of the scale, capabilities, ethics and rights impact of modern CCTV in the UK”.

Weekly digest 27 June – 03 July 2022: credential stuffing, misconfigured cloud storage, mobile devices at work, drones & privacy https://techgdpr.com/blog/weekly-digest-03072022-credential-stuffing-misconfigured-cloud-storage-mobile-devices-at-work-drones-and-privacy/ Mon, 04 Jul 2022 08:32:08 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: credential stuffing, patient privacy, use of drones

The latest report from international data protection and privacy authorities has identified credential stuffing as a significant and growing cyber threat to personal information. A credential stuffing attack is a cyber-attack method that exploits an individual’s tendency to use the same credentials (e.g. username/email address and password combination) across multiple online accounts. The attacks are automated and often large-scale, using stolen credentials (e.g. that are leaked in connection with data breaches and made available on the ‘dark web’), to unlawfully access users’ accounts on unrelated websites. 

Successful credential stuffing attacks may result in fraud or other means of financial loss, as attackers may, for example, make purchases using the compromised account or transfer funds to their own account. Upon establishing a secure foothold, an attacker may attempt to obtain further access to data and systems through the harvesting of other visible or accessible credentials. Such attacks may also be used to cause intangible harm such as reputational damage by spreading disinformation or making false statements about an individual whilst using their compromised account. 

The guidance by international privacy authorities provides measures to detect, prevent and/or mitigate the risk from credential stuffing (guest checkouts, strong passwords and usernames, and their alternatives, multi-factor authentication, secondary passwords and pins, device fingerprinting, identifying leaked passwords, rate-limiting, account monitoring and lockout, incident response plans and user notifications, and more).
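Two of the mitigations listed above, account monitoring with lockout and source-based rate-limiting, can be combined into a single decision engine over the authentication log. The code below is an added example and is not part of the authorities’ guidance; the log format, the IP addresses, the usernames and the thresholds are all constructed for illustration.

```python
"""Credential-stuffing detection over an authentication log.

Added example, not code from the guidance summarised above. It keeps two
sliding windows: one per source address (many distinct accounts, mostly
failing, is the stuffing signature) and one per account (repeated failures
lock the account whatever the source). Accounts whose valid credentials were
presented from a flagged source are recorded for user notification.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window for both counters (assumed)
SOURCE_MAX_USERS = 5             # distinct accounts tried from one source ...
SOURCE_MIN_FAILS = 4             # ... with at least this many failures
ACCOUNT_MAX_FAILS = 5            # failures before an account is locked

# Constructed sample log; the "timestamp user source_ip OK|FAIL" layout is
# an assumption. 203.0.113.7 walks a leaked credential list; 198.51.100.5 is
# one user mistyping their own password.
SAMPLE_LOG = """\
2022-07-01T10:00:00 dave 192.0.2.9 OK
2022-07-01T10:00:01 alice 203.0.113.7 FAIL
2022-07-01T10:00:02 bob 203.0.113.7 FAIL
2022-07-01T10:00:03 carol 203.0.113.7 OK
2022-07-01T10:00:04 erin 203.0.113.7 FAIL
2022-07-01T10:00:05 frank 203.0.113.7 FAIL
2022-07-01T10:00:06 grace 203.0.113.7 FAIL
2022-07-01T10:00:07 heidi 203.0.113.7 FAIL
2022-07-01T10:00:08 ivan 203.0.113.7 OK
2022-07-01T10:00:20 judy 198.51.100.5 FAIL
2022-07-01T10:00:25 judy 198.51.100.5 FAIL
2022-07-01T10:00:30 judy 198.51.100.5 FAIL
2022-07-01T10:00:35 judy 198.51.100.5 FAIL
2022-07-01T10:00:40 judy 198.51.100.5 FAIL
2022-07-01T10:00:45 judy 198.51.100.5 OK
"""


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    source: str
    ok: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one 'timestamp user source_ip OK|FAIL' line (assumed format)."""
    ts, user, source, result = line.split()
    return AuthEvent(datetime.fromisoformat(ts), user, source, result == "OK")


@dataclass
class StuffingDetector:
    flagged_sources: set = field(default_factory=set)
    locked_accounts: set = field(default_factory=set)
    at_risk_accounts: set = field(default_factory=set)   # notify / force reset
    _by_source: dict = field(default_factory=lambda: defaultdict(deque))
    _by_account: dict = field(default_factory=lambda: defaultdict(deque))

    @staticmethod
    def _trim(events: deque, now: datetime) -> None:
        """Drop events that fell out of the sliding window."""
        while events and now - events[0].ts > WINDOW:
            events.popleft()

    def decide(self, ev: AuthEvent) -> str:
        """Return the decision for one attempt and update detector state."""
        # 1. A flagged source or a locked account is refused outright.
        if ev.source in self.flagged_sources:
            if ev.ok:
                # Valid credentials arriving from a stuffing source: this
                # password is almost certainly in the leaked set.
                self.at_risk_accounts.add(ev.user)
            return "DENY_SOURCE"
        if ev.user in self.locked_accounts:
            return "DENY_LOCKED"

        # 2. Record the attempt in both sliding windows.
        src = self._by_source[ev.source]
        acct = self._by_account[ev.user]
        src.append(ev)
        acct.append(ev)
        self._trim(src, ev.ts)
        self._trim(acct, ev.ts)

        # 3. Source check: many distinct accounts, mostly failing.
        users = {e.user for e in src}
        fails = sum(not e.ok for e in src)
        if len(users) >= SOURCE_MAX_USERS and fails >= SOURCE_MIN_FAILS:
            self.flagged_sources.add(ev.source)
            # Anyone who already logged in from this source needs notifying.
            self.at_risk_accounts.update(e.user for e in src if e.ok)

        # 4. Account check: too many failures from any source lock it.
        if sum(not e.ok for e in acct) >= ACCOUNT_MAX_FAILS:
            self.locked_accounts.add(ev.user)
            return "DENY_LOCKED"

        return "ALLOW" if ev.ok else "FAIL"


def analyse(log_text: str) -> tuple:
    """Run every log line through one detector; return decisions and state."""
    det = StuffingDetector()
    lines = [l for l in log_text.splitlines() if l.strip()]
    return [det.decide(parse_line(l)) for l in lines], det


if __name__ == "__main__":
    decisions, det = analyse(SAMPLE_LOG)
    for line, verdict in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{verdict:12} {line}")
    print("flagged sources:", det.flagged_sources)
    print("locked accounts:", det.locked_accounts)
    print("accounts to notify:", det.at_risk_accounts)
```

Note that carol is flagged retroactively once her source is identified, while ivan's valid credentials are refused and recorded; both are candidates for the user notification and forced reset the guidance recommends.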

The US Department of Health issued guidance to protect patient privacy in the wake of the Supreme Court decision that removed the right to safe and legal abortion. In general, the guidance addresses:

  • how federal law and regulations protect individuals’ private medical information, (known as protected health information or PHI), relating to abortion and other sexual and reproductive health care – making it clear that providers are not required to disclose private medical information to third parties; and
  • the extent to which private medical information is protected on personal cell phones and tablets, and provides tips for protecting individuals’ privacy when using period trackers and other health information apps.

According to recent reports, many patients are concerned that such apps on smartphones may threaten their right to privacy by disclosing geolocation data which may be misused by those seeking to deny care. The guidance also addresses the circumstances under which the Health Insurance Portability and Accountability Act, (HIPAA), permits disclosure of PHI without an individual’s authorisation. It explains that disclosures for purposes not related to health care, such as disclosures to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to health care. 

Switzerland’s data protection commissioner FDPIC issued an annual 2021-2022 report, noting widespread indifference towards protecting citizens’ data and a growing disregard for privacy. The deficiencies in processing sensitive personal data that have become more frequent on health platforms, and the tendency, now also perceptible in Europe, to discredit the public’s right to encrypt their data as an abuse of freedoms, are evidence of this development. In relation to freedom of information, the FDPIC continues to see an increase in the number of requests for access and for mediation, which poses problems in meeting the legal deadlines in view of the pandemic-related backlog of work. You can read the detailed report here. 

The Irish data protection commission issued a guide on the use of drones. Similar to body-worn cameras, drones can effectively turn into a mobile surveillance system and are highly likely to capture the personal data of passers-by, (data subjects). These guidelines have been developed for drone operators for purposes other than public law-related use and also to answer queries from the perspective of data subjects. Regardless of the nature, (professional or recreational), of your activity, under EU law regulating unmanned aircraft, the collection of information related to an identifiable person through the operation of a data collection system mounted on a drone potentially constitutes personal data processing. 

When buying your equipment, you must check whether the device has been produced with data protection obligations in mind. For example, in order to comply with data minimisation, data collection systems mounted on drones should be capable of being switched on and off when appropriate and their visual angle limited in accordance with your purposes. In order to comply with the transparency principle, the drone should have adequate signalling such as lights or buzzers. It is also your responsibility to ensure appropriate security of processing: check whether the video footage is stored on the device itself, on a portable storage medium, or on a cloud storage service, and take steps to mitigate any additional risk of loss or theft of personal data, such as encrypting data before it is transferred from the device to cloud storage.

Legal processes: criminal activity data

After the amended Europol Regulation entered into force on 28 June, the EDPS expressed its concerns that the amendments weaken the fundamental right to data protection. The new document “expands the mandate of Europol with regard to exchanges of personal data with private parties, the use of artificial intelligence, and the processing of large datasets”, the EDPS states. Consequently, data relating to individuals that have no established link to criminal activity may be treated in the same way as the personal data of individuals with a link to criminal activity. Putting in place strong safeguards, says the regulator, is crucial since the impact of the amended Regulation on personal data protection is further aggravated by the fact that the EU Member States have the possibility to retroactively authorise Europol to process large data sets already shared with Europol prior to the entry into force of the amended Regulation. 

Investigations and enforcement actions: bulk emails, sales prospecting calls, unnecessary cookies, unauthorised logins

The UK Information Commissioner’s Office issued a monetary penalty to an NHS foundation trust. It used Outlook to send bulk emails to 1,781 Gender Identity Clinic service users. The accident happened despite the fact that the trust had in place some measures including a suite of policies. In particular, the “Email, Text and Internet Use Procedure” states: “To avoid inadvertently sharing other people’s email addresses, recipients should be selected in the ‘Bcc’ box, not the ‘To’ box”. Data security and protection training was available to all staff with measures in place to update this at timely intervals. Here are some facts of the case:

  • The trust’s intention was to send a bulk email relating to an art competition to approximately 5,000 patients. 
  • The distribution list was extracted from the trust’s electronic patient record system using a specific set of search criteria which ensured recipients were active patients and had consented to be contacted by email in certain circumstances. 
  • The output report produced from the system was then manually split into batches of around 1,000 addresses each. 
  • In two batches the email addresses were copied from the output report and entered into the “To” field instead of the “Blind carbon copy” field. The recipients of each email could therefore see the email addresses of the other recipients of that email. 
  • Four of the emails were returned as undeliverable and so potentially 1,777 emails were delivered and opened. 
  • The staff member who sent the email noticed the error straight away and attempted, albeit unsuccessfully, to recall both the emails. They also contacted the trust’s Information Management and Technology Service Desk to report the breach. 

The French Council of State validated the 2020 sanction pronounced by the state privacy regulator CNIL against Amazon. In December 2020, the CNIL imposed a fine of 35 million euros against the company, in particular for having placed advertising cookies on the computers of users of the sales site “Amazon.fr” without prior consent or satisfactory information, (in violation of Art. 82 of the Data Protection Act, transposing the “e-Privacy” directive). In addition, the CNIL noted that when users went to the “Amazon.fr” site after clicking on an advertisement published on another website, the same cookies were deposited but without any banner being displayed. Finally, the Council of State considers that the size of the fine imposed by the CNIL is not disproportionate with regard to the seriousness of the breaches, the scope of the processing and the financial capacity of the company.

The CNIL also issued a fine of 1 mln euros against TOTALENERGIES ÉLECTRICITÉ ET GAZ. The regulator had received several complaints concerning the difficulties encountered by people when dealing with the French energy producer and supplier, their requests for access to their data, and their opposition to receiving sales prospecting calls. The company offered, on its website, a subscription form for an energy contract in which the user acknowledged giving consent for the use of their personal data in order to subsequently receive commercial offers, without having the possibility of opposing it. Therefore, by completing this form, the user had no means of opposing the reuse of their data for commercial prospecting purposes for similar products or services.

In 2020 Norway’s parliament, the Storting, was exposed to data breaches, and in January this year the Norwegian data protection authority Datatilsynet announced a fine of approx 200,000 euros for a lack of security measures. The regulator assessed the Storting’s comments and maintains the notified fine. The data breach was related to an unauthorised login to the email accounts of an unknown number of Storting representatives and employees in the administration and group secretariats. The regulator has placed particular emphasis on the fact that the Storting had not established two-factor authentication or similar effective security measures to achieve adequate protection.

Data security: mobile devices at work

A NIST publication explains how to organise enterprise mobile data security and avoid getting hacked. According to the agency, most phishing attempts come by email, while other attacks, including text messages, are also on the rise. Ultimately, phishing attacks are not limited to laptops or desktops; mobile phones can be the target of phishing attacks as well. 


URL filtering, multi-factor authentication and mobile threat defense can help protect against phishing attacks. In environments that use multi-factor authentication, if a phishing attacker successfully gains a user’s password, they can still be denied access to enterprise information because they do not have the second factor required for authentication. For more information on phishing protection and other mobile device security and privacy enhancements for your organisation, refer to the NIST publication on corporate-owned personally-enabled mobile devices and on personal mobile devices used to perform work-related activities.

Big Tech: misconfigured data storage containers, French “trusted cloud” in partnership with Google

According to Reuters, the US supermarket chain Wegmans agreed to pay 400,000 dollars and upgrade its security practices over a data breach that exposed the personal information of more than 3 million consumers nationwide. Reportedly, the company was accused of storing customer information in cloud storage containers hosted on Microsoft Azure that were left open because they had been misconfigured, leaving the data vulnerable to hackers. “Customers’ email addresses and Wegman’s account passwords were exposed for about 39 months, while customers’ names, mailing addresses, and data tied to their driver’s license numbers were exposed for about 30 months”, states the article quoting the New York Attorney General Letitia James.

Meanwhile, French defense company Thales has introduced a new firm within its group – S3NS in partnership with Google Cloud to offer state-vetted cloud computing services for the storage of some of the country’s most sensitive data, Reuters reports. The new company is the result of a government plan under which France acknowledged US technological superiority. Some of France’s biggest banks and healthcare organisations are among 40 potential customers of the new company. S3NS will offer from the second half of 2024 its “trusted cloud” that will ultimately combine full performance, services and applications of Google Cloud technology while allowing protection against extraterritorial foreign laws and in compliance with the requirements of the “Trusted Cloud” label of France’s Information Systems Security Agency.

Weekly digest January 3 – 9, 2022: CNIL fines Google and Facebook for making rejecting cookies difficult https://techgdpr.com/blog/weekly-digest-10012022-cnil-fines-google-facebook-for-making-rejecting-cookies-difficult/ Mon, 10 Jan 2022 09:54:54 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Enforcement actions: Google, Facebook, FreeMobile, Myheritage, credit assessment by mistake, access rights misconduct

France’s data protection regulator CNIL has fined Alphabet’s Google a record 150 mln euros for making it difficult for users to refuse online trackers known as cookies. Meta’s Facebook was also fined 60 mln euros for the same reason. The CNIL noted that the facebook.com, google.fr and youtube.com sites do not allow users to refuse cookies as simply as to accept them. They offer a button allowing cookies to be accepted immediately. However, to refuse them several clicks are necessary. Since, on the internet, the user expects to be able to consult a site quickly, the fact of not being able to refuse cookies as simply as possible, can influence them to give consent. The two companies have three months to comply with its orders or face an extra penalty payment of 100,000 euros per day of delay. These include the obligation for Google and Facebook to provide French internet users simpler tools for refusing cookies.

The CNIL also imposed a fine of 300,000 euros on Free Mobile, (a wireless service provider), for failing to respect individuals’ rights and to ensure the security of users’ data. The CNIL had received many complaints concerning the difficulties encountered by individuals in a) getting responses to their requests for access, b) objecting to receiving commercial prospecting messages, or c) being billed after subscriptions had been cancelled. Also, the mobile operator transmitted by email, in clear text, the passwords of users when they subscribed to an offer, without these passwords being temporary or the company requiring them to be changed. All the above infringes Art. 12, 15, 21, 25 and 32 of the GDPR. 

The Norwegian data protection authority has fined Elektro & Automasjon Systemer, (EAS), 20,000 euros for carrying out an individual’s credit assessment without a legal basis (Art. 6 of the GDPR). The data subject in this case had no customer relationship or other connection to EAS’s business. EAS admitted that the credit check took place by accident, due to the general manager’s lack of understanding of a credit assessment tool, DataGuidance reports. Although EAS did not store the credit information, the damage occurred the moment the sensitive data was collected and processed. A credit rating is the result of compiling personal information from many different sources: individuals’ personal finances, payment remarks, voluntary mortgages and debt ratio. The aggravating factors were a lack of technical and organisational measures, and of internal controls and guidelines for when and how a credit assessment can be carried out.

The Spanish data protection regulator the AEPD published a couple of similar decisions, (in Spanish), against deficiencies regarding cookie and privacy policies, including:

  • the owner of a website, who did not provide users with a cookie banner on the main page that allowed an immediate “Reject all” option. It also lacked clear information on user tracking through registration forms, questionnaires and in the comments section, as well as through embedded content from other sites. Also, the privacy policy wrongly identified the data controller. 
  • against Myheritage LTD for similar deficiencies regarding the website’s cookie policy on its Spanish website: the use of non-necessary cookies, no possibility of rejecting them, and a lack of information on cookies used. Additionally, the AEPD found that MyHeritage omitted two pieces of information in its privacy policy – the possibility of exercising the right to data portability and the right to file a claim with the supervisory authority, DataGuidance reports. 

The AEPD also issued a warning to a company for non-compliance with individuals’ rights to access their data and to receive a legally established reply. Under the threat of a fine, the company was forced to complete the process, notify the claimant whether the procedure was approved or denied, or indicate the reasons for which the request was not applicable.

Official guidance: employees access rights, data breach notification, real-world data in clinical study

The French CNIL published its guide, (in French), on the right of employees to access their data. It allows a person to know whether data concerning them is being processed and then to obtain the information in an understandable format. This may include the objectives pursued by the use of the data, the categories of data processed, and the other bodies obtaining the data. This process also makes it possible to check the accuracy of the data and, if necessary, to have it corrected or erased. The rules for the procedure always include:

  • verifying the identity of the applicant, (the demand for supporting documents or information must not be abusive, irrelevant and disproportionate to the request);
  • responding to the request free of charge;
  • the right of access relates to personal data and not to documents. However in the case of email combining both is possible – metadata, (time stamp, recipients, etc.), & the content of the email;
  • the right of access must not infringe the rights of third parties, (business and intellectual property secrecy, right to privacy, secrecy of correspondence are regularly invoked by employers to refuse to respond favorably to employees);
  • the anonymisation or pseudonymisation of data relating to third parties constitutes good practice;
  • different rules exist to protect third party interests depending on the role of the person making the request, (when they are a sender or receiver of the information, or they are mentioned in the content of the document).

Emails identified as personal or whose content turns out to be private despite the absence of any mention of personal character, are subject to special protection, the employer not being authorized to access them. Also, an employer may refuse to act on a request for the communication of emails relating to a disciplinary investigation and the content of which, even redacted, could allow the requester to identify persons of whom they should not be aware.

The EDPB published practice-oriented guidelines on examples regarding Personal Data Breach Notification. Their aim is to help data controllers decide how to handle data breaches and what factors to consider during risk assessment, and to suggest organisational and technical measures for preventing and mitigating the impacts of hacker attacks. The document complements the Article 29 Working Party Guidelines and reflects the common experiences of the supervisory authorities across the EEA since the GDPR became applicable. The paper includes 18 case studies from such sectors as hospitals, banking and HR:

  • ransomware, (with or without proper backup/exfiltration, data exfiltration attacks on job application data, hashed passwords, credential stuffing);
  • internal human risks, (by employees, trusted third parties);
  • lost or stolen devices, (encrypted or unencrypted), and paper documents;
  • mailing mistakes, and social engineering, (identity theft, mail exfiltration).

The UK Medicine and Healthcare product regulator, the MHRA, has published its guidance on the use of real-world data (RWD) in clinical studies. RWD is the vast amount of data collected on patients in electronic health records, disease and patient registries, from wearable devices and specialised/secure websites, as opposed to data specifically collected in a clinical study. Among many quality provisions, the guide demands that the sponsor, (data controller), include a protocol in the study describing the tools and methods for selection, extraction, transfer, and handling of data and how it has been or will be validated. It is essential that processes are established to ensure the integrity of the data from acquisition through to archiving, and that sufficient detail is captured to allow for the verification of these activities, across different centres and countries. Thus, it is important to establish which privacy and security policies apply to the use of the database, interoperability issues, restrictions on the transfer, storage, use, publication and retention of the data, etc. Identical processes would need to be in place for any additional data collected outside of the main source database.

Legal processes and redress: pilot consent e-service, genetic information privacy, medical records snooping incident

The Estonian Information System Authority, the RIA, announced its new consent service that allows companies to ask the state for an individual’s data. An e-service, developed and managed by the RIA, allows a person to give permission to the Estonian State to share their personal data with a certain service provider. First it is being used in the installment application process. If a person gives their consent in the consent service environment, the bank will check the solvency of the person from the database of the Tax and customs board, on the basis of which a data-based decision to allow the person to pay in installments can be made. It will be possible to see all given consents and revoke them at any time. The consent service is currently available to Estonian citizens and requires a valid strong authentication tool (ID-card, Mobile-ID, or Smart-ID).

In California, the Genetic Information Privacy Act takes effect in January, Data Guidance reports. The Act applies to direct-to-consumer genetic testing companies and requires them, among many other things, to honour a consumer’s revocation of consent, to take reasonable measures to ensure that the information cannot be associated with a consumer or household, and to publicly commit to maintaining and using the information only in de-identified form and not attempting to re-identify it, except for compliance checks required by law. Such companies must also contractually obligate any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household.

The Norwegian Supreme Court recently upheld a hospital’s right to dismiss an employee who had “snooped” on the medical record of her partner’s ex-wife, who was a patient in the same hospital, the Lexology website reports. The employee read several documents in the ex-wife’s medical record to avoid meeting her and to find out in which ward she was staying. Before the employer became aware of the snooping incident, the employee assumed that the ex-wife knew she had looked at her medical record, as she had sent the ex-wife a text message, which resulted in a heated exchange. The court concluded that the snooping was a serious and gross breach of duty and trust, and that there were means other than accessing medical records to obtain such information.

The court assesses, among other things, whether the employer based its decision on information it was aware of at the time of dismissal. In the case at hand, the employer had not referred in its reasoning to the text messages or to the fact that the employee had failed to notify the employer of the unauthorised access to medical files. The court held that both were a natural extension of the violation of the snooping ban. The hospital was therefore still allowed to rely on this information, even though it did not include it in its reasoning immediately after the employee’s dismissal.

Data security: healthtech vendors

In the US, the tech vendor Ciox Health recently reported an email breach that affects dozens of health entities. In its notice, the healthcare information management vendor said an unauthorised person accessed one employee’s email account, potentially downloading emails and attachments containing a wide range of patient data. However, the employee did not have direct access to any healthcare provider’s or facility’s electronic medical record system. In total, the HIPAA Breach Reporting Tool showed about 700 major health data breaches affecting 45 million individuals in 2021. Vendor incidents were responsible for nearly 47% of the individuals affected. Among the most critical measures that healthcare technology providers could implement are comprehensive business associate agreements, say US legal experts. The attestation questions in them may include, but are not limited to:

  • Does your organization require annual training for workforce members?
  • Do you undergo an annual risk analysis to evaluate the requisite technical, administrative, and physical safeguards?
  • Do you have business associate agreements in place with all required persons?
  • Is your data encrypted both at rest and in transit?

Also, covered entities should continually monitor industry trends, reassess their business associate/vendor relationships, and keep their board informed about any potential risks.

Big Tech: no-cookie data transfer, Norton 360 cryptominer, China’s credit scoring and overseas listings, Fisher-Price toy’s privacy failure

Google’s new patent describes technology that enables data transfer without cookies, the MediaPost website reports. The US Patent and Trademark Office granted Google a patent describing a web browser-based application programming interface that can control the authorisation of data transmissions within a network and attribute a click without using cookies. The system can reduce the number of transmissions that do not result in content for the client device, saving bandwidth and computational resources on the client. According to the patent, a website can transmit small packets of data to the client device when it visits the site; these can include preferences or session information, or can be used to authenticate and maintain a session between the client device and the device hosting the website. The full patent document is available here.

According to the KrebsOnSecurity blog, Norton 360, one of the most popular antivirus products on the market today, has installed a cryptocurrency mining program on its customers’ computers: “Norton’s parent firm says the cloud-based service that activates the program and allows customers to profit from the scheme — in which the company keeps 15 percent of any currencies mined — is “opt-in,” meaning users have to agree to enable it. But many Norton users complain the mining program is difficult to remove”. Reportedly, there is no way to fully opt out of the program, and the user actually has to locate NCrypt.exe in their computer’s directory and delete it. Meanwhile, some longtime Norton customers were horrified at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default.

China’s central bank said it will adjust the legal framework around financial credit scoring if needed, state media reported, an indication that authorities may tweak guidelines for fintech firms on the amount and type of user data they can collect. The People’s Bank of China has just implemented new rules on what kinds of data can be collected for credit scoring and clarified which kinds of businesses the rules apply to. It also urged companies to apply for credit-scoring licences and to refrain from excessive collection of user data. AI, blockchain, cloud computing and big data have developed rapidly in China over recent years, prompting governmental concerns about how private individuals could be affected by the technology, Reuters reports.

China will also order cybersecurity reviews for platform firms seeking overseas listings. The Cyberspace Administration of China said the new rules come into effect on Feb. 15 and apply to platform companies holding data on more than 1 million users. However, based on the rules as published, it remains unclear which types of companies would be affected. On March 1 the regulator will also implement new rules on the use of algorithmic recommendation technology, increasing oversight of news providers that use the technology to disseminate information. The rules will give users the right to switch off the service if they choose.

Finally, researchers identified a vulnerability in a children’s Bluetooth-connected toy phone, IAPP News reports. Security researchers at Pen Test Partners found that the US Fisher-Price Chatter telephone uses Bluetooth Classic with no secure pairing process: when powered on, it simply connects to any Bluetooth device in range. Thus, someone nearby could use the Chatter telephone to speak to and listen to a child in your home, or to bug the neighbours. An attacker can make the Chatter phone ring, so an unsupervised child is likely to answer. While the developer, Mattel, said the Bluetooth pairing times out once a connection occurs or if none is made, TechCrunch reports that in its attempts the pairing process did not time out after more than one hour.

The post Weekly digest January 3 – 9, 2022: CNIL fines Google and Facebook for making rejecting cookies difficult appeared first on TechGDPR.