Digital Markets Act Archives - TechGDPR
https://techgdpr.com/blog/tag/digital-markets-act/

Data protection digest 1 – 14 September 2023: gatekeeper obligations, synthetic datasets, automotive cybersecurity
https://techgdpr.com/blog/data-protection-digest-15092023-gatekeeper-obligations-synthetic-datasets-automotive-cybersecurity/
Fri, 15 Sep 2023 08:45:05 +0000

The post Data protection digest 1 – 14 September 2023: gatekeeper obligations, synthetic datasets, automotive cybersecurity appeared first on TechGDPR.

In this issue, you will find EU gatekeeper obligations, guides on ‘sharenting’, online exams, synthetic data, and the right to object, the Meta ban in Norway, the automotive industry, ads-free Facebook and Instagram, and the Privacy Sandbox availability.

Legal processes and redress: gatekeeper obligations, US adequacy decision, Google litigation, UK data protection reform, Quebec privacy laws

Gatekeeper in the EU: The European Commission has designated, for the first time, six gatekeepers – Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft – under the Digital Markets Act. They will now have six months to ensure full compliance with the DMA obligations for each of their designated core platform services. The obligations include a list of do’s and don’ts:

  • allowing third parties to interoperate with the gatekeeper’s own services,
  • enabling end users to unsubscribe from the gatekeeper’s main platform services as simply as they subscribed to them,
  • giving companies that advertise on a gatekeeper’s platform access to the gatekeeper’s performance measurement tools and information, so that advertisers and publishers can carry out their own independent verification of advertising hosted by the gatekeeper, and
  • a ban on tracking end users outside of the gatekeepers’ core platform service for targeted advertising without effective consent having been granted.

EU-US DPF application: The German Data Protection Conference has published application instructions for the EU-US Data Privacy Framework. On the one hand, the document contains information for data exporters, that is, the data controllers and processors who transfer data to the US. On the other hand, individuals can find out what legal protection and complaint options they have. It includes links to numerous materials, for example from the EDPB. For the time being, the adequacy decision is in force under EU law. However, given that the previous adequacy decisions for the US were declared invalid, many want to know whether the new adequacy decision will suffer the same fate as Safe Harbor and the Privacy Shield.

In addition to the planned evaluations by the EU Commission, which can result in adjustments or a repeal, there are options for judicial review of the new adequacy decision. For instance, on 6 September a French member of parliament, who is also a member of the data protection authority CNIL, requested that the framework be annulled, citing the lack of guarantees of a right to an effective remedy for data subjects against US companies, as well as a violation of the GDPR’s minimisation and proportionality principles through the access to and use of EU personal data for US security purposes.

Google taken to court: Alphabet’s Google is facing a class action in the Netherlands brought by non-profit organisations, demanding Google stop its constant surveillance and profiling of consumers and the sharing of data in online ad auctions, and also pay damages to consumers. Allegedly, through its services and products, the tech giant:

  • Collects users’ online behaviour and location data on an immense scale, without having provided adequate information about it and without users’ consent.
  • Through the use of ‘invisible’ third-party cookies, Google continues to collect data through others’ websites and apps, even when someone is not using its products or services. 
  • Continually collects users’ physical locations, even when they are not actively using their devices and think they are ‘offline’. 
  • Shares users’ data, including highly sensitive data concerning health, ethnicity and political affiliation, with hundreds of parties through its online advertising platform (a recent study shows that in Europe the real-time bidding industry exposes people’s data 376 times a day).

In total, Alphabet’s Google faces approximately 25 billion euros in damages claims and regulatory administrative fines over its ad tech practices in Europe, Reuters sums up.

UK data protection amendments: By the end of the year, the UK government will amend the UK’s data protection legislation by updating the ‘fundamental rights and freedoms’ definition so that it refers to rights recognised under UK law rather than to retained EU law rights. There is no direct equivalent to the right to the protection of personal data in UK law. However, the protection of personal data falls within the right to respect for private and family life under Article 8 of the European Convention on Human Rights, which is enshrined in UK law by the Human Rights Act 1998. Data protection rights are also protected by the UK GDPR and the Data Protection Act 2018, and will continue to be protected by the Data Protection and Digital Information Bill in the UK’s domestic legislation, states the explanatory memorandum.

Quebec privacy amendments: On 22 September, the latest set of amendments (Bill 64) to Quebec’s Privacy Act will come into force. The major updates include strengthened privacy rights for individuals and several new controller requirements, such as a consent and cookie management framework, privacy policies, risk assessments, rules on automated decisions, cross-border transfers, and monetary penalties. Previously, companies were also obliged to designate privacy officers, report breaches, and register their biometric information systems, while receiving some exceptions to the consent requirement (for commercial transactions and for research and statistical purposes).

Official guidance: ‘sharenting’, online exams, smart data sandbox, right to object

‘Sharenting’ children’s data: The Italian data protection authority has prepared tips for parents to limit the online dissemination of content concerning their children. The neologism, coined in the US, derives from the English words “share” and “parenting”. The phenomenon has been under the Guarantor’s attention for some time, especially because of the risks it poses to the minor’s digital identity and therefore to the healthy development of their personality. Once something appears on a screen, not only can it be captured and reused without our knowledge by anyone for improper purposes or illicit activities, but it also contains more information than we think, such as geolocation data. If you decide to publish images of your children, it is important to at least try to follow some precautions, such as:

  • make the minor’s face unrecognisable (for example, simply by covering the face with a smiley emoticon);
  • restrict the visibility of images on social networks to people who are known or trustworthy, and who will not share them on without consent when they are sent via an instant messaging program;
  • avoid creating a social account dedicated to the minor;
  • read and understand the privacy policies of the social networks to which you upload photographs, videos, etc.

Online proctoring: The use of digital distance learning by public and private higher education institutions is becoming more widespread. Because the remote monitoring tools used in this context are intrusive by nature, the French data protection regulator CNIL reiterates the obligations under the GDPR. For instance, institutions organising examinations, as well as any subcontractors (e.g. remote monitoring solution providers), should assure candidates that their data will not be used for any purpose other than taking and proctoring a remote examination. Also, examination formats that allow skills to be validated remotely without remote monitoring tools should be given priority where possible.

In general, taking proctored exams remotely should be an opportunity for students, not an obligation. Accordingly, a face-to-face alternative should be offered to candidates (except in specific cases, such as a health crisis or for institutions that have made distance learning the very essence of their organisation). Students should be informed as soon as possible of the conditions under which remote monitoring is implemented so that they can make their choice with full knowledge of the facts. Institutions and organisations should ensure that the tools used for remote monitoring are compatible with the equipment available to students, that they do not pose security risks to students, and that the necessary software can be easily installed and uninstalled. Read the full guidance (in French) here.

Smart Data: The UK Information Commissioner’s Office has published the Regulatory Sandbox Final Report for Smart Data Foundry. The sandbox specifically targets projects operating within challenging areas of data protection. Smart Data Foundry’s product comprises two parts: a research facility, and an innovation service which provides synthetic data for further research opportunities. There are, broadly speaking, two approaches to creating these synthetic datasets:

  • Using simulation – known as ‘agent-based modelling’ – where data is generated from approximations and predictions of behaviour, using characteristics assigned to a computer-generated population to understand how its members would interact. This processing does not use personal data beyond some aggregate information derived from real data to test and improve parameters. This is the synthetic data approach that Smart Data Foundry is already using.
  • Using ‘learning-based’ synthetic data generation, which combines differential privacy with modern learning-based approaches, to create synthetic doubles of existing datasets. The aim is to learn all the meaningful patterns in the original data and then use that learnt structure to generate new data that exhibits similar patterns, without recreating any of the input data.

To understand key data protection considerations in such scenarios, read the full report. 

Right to object to data processing: The right to object allows a person to request that the processing of their data be stopped if it is carried out for the following purposes: a) the legitimate interests of the data controller, including marketing, as well as in the case of automated decision-making, b) the public interest, and c) scientific or historical research and statistics. To exercise your right to object, you should:

  • Identify the data controller (it can be a natural person, company, organisation or state administrative body).
  • Contact the controller, preferably in writing, and clearly state that you are exercising your right to object to the processing of your data. Specify which processing operations you object to.
  • State the reason. The reason and the particulars of your specific situation oblige the controller to assess what changes to the processing are necessary, and whether continuing the processing would infringe your rights as a data subject.
  • Wait for the answer. The controller is obliged to respond to your request within one month. It must either stop the processing you have objected to or provide a valid reason for continuing it.

Enforcement decisions: fertility apps, Chinese academic database, Meta ban in Norway, waste collection and the GDPR

Fertility apps checks: The Information Commissioner’s Office is reviewing period and fertility apps available in the UK as new figures show that more than half of women have concerns over data security. In a poll commissioned by the regulator, women said that transparency over how their data was used, and how secure it was, were bigger concerns than cost and ease of use when choosing an app. The poll showed that a third of women have used apps to track periods or fertility. The research also showed that over half of the people who use the apps believed they had noticed an increase in baby- or fertility-related adverts since signing up. While some found the adverts positive, 17% described receiving them as distressing. The ICO is now urging users to come forward and share their experiences through a survey in a call for evidence.

Chinese academic database: The Cyberspace Administration of China announced that the China National Knowledge Infrastructure (CNKI) has been fined approx. 6 million euros for illegally collecting and processing personal information. The operators collected users’ personal information without consent across 14 CNKI-related apps, failed to publicly disclose collection and usage rules, did not provide an account cancellation function, and unlawfully retained users’ information after they had closed their accounts. CNKI is one of the biggest Chinese academic information gateway websites. It has over 1,600 institutional clients in 60 countries and regions, as well as 32,000 institutional customers from diverse sectors on the Chinese mainland. Top universities, research institutions, government think tanks, corporations, hospitals, and public libraries are among its primary customers.

Waste disposal and the GDPR: The Italian privacy authority imposed a fine of 45,000 euros on a Sicilian municipality for installing cameras to monitor waste collection. The municipality had appointed two companies, also sanctioned by the authority, to purchase, install and maintain fixed cameras, and to collect and analyse the videos relating to violations. The authority’s intervention followed reports from a citizen who complained about receiving fines for having disposed of unsorted waste incorrectly.

The monitoring was carried out without the citizens having been adequately informed of the presence of the cameras and of the processing of their data. The municipality had placed a sign directly on the dumpster, which was not easily visible and lacked the necessary information. Furthermore, the municipality had not defined the data retention periods and had not appointed the two aforementioned companies as data processors before the processing started.

Meta ban confirmed: The Norwegian data protection authority has won against Meta in court. In July, the regulator made an emergency decision imposing a temporary ban on behaviour-based marketing on Facebook and Instagram, which involves very intrusive monitoring of users. The regulator set a coercive fine of approx. 90,000 euros per day if the ban was breached, with the penalty starting on 14 August. Meta petitioned the Oslo District Court for a temporary injunction. In its ruling, the court stated that the Norwegian data protection authority’s decision was valid and that there was no reason to suspend it. In addition to this case, Meta has submitted several administrative complaints against the Norwegian Data Protection Authority’s decision. Those processes are ongoing.

DNA data and transparency obligations: The US Federal Trade Commission has finalised an order with 1Health.io settling charges that the genetic testing firm left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying consumers and obtaining their consent. The company failed to keep its promises to share consumers’ sensitive data only in limited circumstances, to destroy customers’ DNA samples shortly after they had been analysed, not to store DNA results with a consumer’s name or other identifying information, and to remove such data from its servers upon consumers’ request.

Data security: automotive industry

Automotive cybersecurity: The Federal Office for Information Security (BSI) in Germany has published a report on the status of cybersecurity in the automotive industry. The greatest damage in the automotive industry comes from cybercriminal “double extortion” – ransomware combined with data leaks. The report contains:

  • Assessments of the cybersecurity of production systems and processes.
  • Findings on the exploitation of security vulnerabilities for car theft and the unauthorised opening of vehicles.
  • Descriptions of attacks on vulnerabilities in the communication protocols and other security mechanisms that control charging sessions between electric vehicles and their charging stations.
  • Assessments of new legal regulations and standardisation activities.
  • An outlook on the technological and regulatory developments that will matter in the coming years (the industry is affected by the EU NIS 2 Directive as a critical sector).

According to a recent Associated Press report, automakers are failing the privacy test, and owners have little or no control over the data collected. The nonprofit Mozilla Foundation’s newest “Privacy Not Included” study states that security requirements are a major worry given manufacturers’ record of vulnerability to hacking. None of the 25 car companies whose privacy notices were assessed in Europe and North America met the minimum privacy criteria. This result stands out against the more than a dozen other product categories the study has reviewed, including fitness trackers, reproductive health applications, smart speakers, and other connected household products.

Big Tech: ads-free Facebook and Instagram, the Privacy Sandbox

Paid Facebook and Instagram: Meta may allow Facebook and Instagram users in the EU to pay to avoid ads, in response to scrutiny from privacy regulators. Those who pay for the subscriptions would not see ads, while Meta would continue to offer free, ad-supported versions of the apps in the EU. Previously, users had effectively agreed to their data being used for targeted advertising when they accepted the services’ terms and conditions, until the lead Irish regulator ruled that Meta could not process personal information on that basis. Meta has therefore also proposed offering EU users a new opt-in consent mechanism for receiving targeted ads. Reportedly, it would be updated to offer users a “yes or no” option for opt-ins across its platforms.

Privacy Sandbox ‘availability’: Finally, the Privacy Sandbox for the Web reaches general availability on Chrome for relevance and measurement APIs. General availability means advertising providers and developers can now scale usage of these new technologies within their products and services, as these are now available for the majority of Chrome users. Google also rolled out new Ad privacy controls in Chrome that allow people to manage how the Privacy Sandbox technologies may be used to deliver the ads they see. These controls allow users to tailor their experience by customising what ad topics they’re interested in, what relevance and measurement APIs they want enabled, and more. Starting in Q4 of 2023, Google will enable the industry to bolster their testing efforts with the ability to simulate the deprecation of third-party cookies for a percentage of its users. Then, in Q1 of 2024, it will turn off third-party cookies for 1 per cent of all Chrome users for effectiveness testing.

Data protection & privacy digest 25 Oct – 8 Nov 2022: EU-US privacy framework ambiguity, data breach reporting, right to be forgotten
https://techgdpr.com/blog/data-protection-digest-10112022-eu-us-privacy-framework-ambiguity-data-breach-reporting-right-to-be-forgotten/
Thu, 10 Nov 2022 09:08:06 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU-US privacy framework, DMA, CCPA/CPRA, right to be forgotten

The Baden-Württemberg data protection commissioner warns that Joe Biden’s executive order on the EU-US privacy framework is an important step, but that it creates legal ambiguity. It addresses the requirements of the CJEU’s “Schrems II” judgment by adapting, among other things, the extensive access to EU residents’ data in the context of US national security and the complaints and appeals procedure. Nonetheless, it is an internal instruction to the government and subordinate authorities, not a law passed by parliament, and is not legally enforceable, especially by EU citizens. In addition, it is not clear how the executive order relates to other existing US regulations such as the Cloud Act. Other ambiguities are as follows:

  • The legal concept of proportionality in the EU differs from that in the US, so it remains unclear when, from the US point of view, access for national security purposes remains permissible.
  • Significant requirements are placed on the filing of a complaint by EU data subjects, so it is still possible to filter out “undesirable” complaints.
  • The newly created Data Protection Review Court (an appeal body for complainants) will be set up by order of the Minister of Justice, which may contradict its judicial independence.
  • The CJEU demanded not only legal remedies against state spying but also an end to surveillance without cause (the system change demanded by the court does not exist at present).

The European Commission will now have to decide whether there is equivalent protection of personal data in the US. The draft decision is expected in spring 2023. More legal research on the topic is promised by the NOYB privacy foundation, whose founder Max Schrems started the legal battle in 2013. 

Where several controllers rely on a single consent given by a data subject, it is sufficient that the data subject contacts any one of them, according to a recent CJEU ruling. The controller must, by means of appropriate technical and organisational measures, inform the other controllers that provided the data or received it of the withdrawal of the data subject’s consent. Equally, the controller is required to take reasonable steps to inform third parties, such as internet search engine providers, of a request for erasure. The case concerned Telenet, a Belgian telephone operator, which passes on the contact details of its subscribers (with their consent) to directory providers, including Proximus. One of Telenet’s subscribers asked not to be included in the directories published by Proximus and third parties; nonetheless, their contact details appeared online.

The EU Digital Markets Act (DMA) entered into force on 1 November. The new regulation will put an end to unfair practices by companies that act as gatekeepers in the online platform economy. In many cases the rules overlap with and reinforce fundamental privacy and data protection concepts, such as:

  • Providing business users with access to the data generated by their activities on the gatekeeper’s platform.
  • A ban on tracking end users outside of the gatekeepers’ core platform for the purpose of targeted advertising without effective consent having been granted.
  • The interoperability obligation, which must ensure that the levels of service integrity, security and encryption offered by the gatekeeper are not reduced (e.g. for text messages and audio or video calls between individual or group users). End users will equally have the choice to use or refuse such an option where their provider has decided to interoperate with a gatekeeper.

The DMA will also facilitate direct actions for damages by those harmed by the conduct of non-complying gatekeepers. After the entry into application on 2 May 2023, potential gatekeepers will have to notify their core platform services to the Commission within 2 months if they meet the quantitative thresholds.

The California privacy regulator released modified proposed regulations for compliance with the California Consumer Privacy Act, as amended by the California Privacy Rights Act. It also seeks public comments on the revised text until 21 November. The changes relate to:

  • the notice at collection (on how to disclose third parties that the business allows to collect personal information from the consumer),
  • the right to limit the use/disclosure of sensitive personal information (without the purpose of inferring characteristics about a consumer),
  • limits to responding to consumer requests due to “disproportionate effort”,
  • requests to correct personal information,
  • data minimisation (a business’s collection, use, retention or sharing of personal information must be reasonably necessary and proportionate to achieve the relevant purposes).

Official guidance: anonymisation for SMEs, data breach reporting, direct marketing, employment practices, DP icons, dark commercial patterns

The Spanish data protection agency AEPD has published a basic anonymisation guide (in Spanish) for data controllers, data processors and data protection specialists. It is especially aimed at SMEs and startups that have to deal with the anonymisation of small data sets. The document explains the difference between the concepts of anonymisation, de-identification, and re-identification. The guide is complemented by a free, downloadable tool with which organisations can transform simple data sets by applying anonymisation techniques.

The AEPD has also launched a tool (available in English) that aims to help data controllers decide whether to report a personal data breach to the supervisory authority under Art. 33 of the GDPR. The tool can also be used by data protection officers, data processors, or consultants to obtain adequate information with which to advise controllers. Once the process is finished, the data entered are deleted; the AEPD has no access to them.

The UK privacy regulator ICO has updated its guidance on direct marketing using electronic mail. The Privacy and Electronic Communications Regulations 2003 (PECR) take their definition of direct marketing from the UK Data Protection Act 2018 and cover the sending of electronic mail for direct marketing purposes to particular individuals. The guide does create a few exceptions for: a) some types of online advertising (e.g. advertisements placed on websites without using cookies or similar technologies), b) direct marketing using social media (e.g. advertising messages shown in news feeds), and c) mail sent for administrative or customer service purposes (if it does not contain any promotional content). Read the full guidance here.

The ICO has also released draft guidance on employment practices concerning information about workers’ health (sickness and injuries, disability, drug tests, health monitoring, etc.). This is some of the most sensitive personal information you might process about your workers, and data protection law applies whenever you process it. Notably, the term ‘worker’ covers all employment relationships, whether employees, contractors, volunteers, or gig and platform workers.

The Baden-Württemberg data protection authority in Germany released free-of-charge data protection icons, aimed at making privacy notices by data controllers clearer and easier to understand. For example, data subjects can see at a glance on which legal grounds data processing is based. The icons can be downloaded here.

The OECD has published a paper on dark commercial patterns. These practices are commonly found in online user interfaces including cookie consent notices. Many consumer and data protection authorities have taken enforcement actions and consumer organisations have filed complaints about their use, states the OECD. However, enforcement cases to date predominantly relate to a limited set of dark patterns commonly recognised by regulators. This indicates possible gaps in the law, available evidence, or enforcement capacity.

Investigations and enforcement actions: learning records, bank cards’ contactless data, HTTP protocol, employee login information, adult domains

The ICO has issued a reprimand to the Department for Education (DfE) following the prolonged misuse of the personal data of up to 28 million children. An investigation found that the DfE’s poor due diligence meant a database of pupils’ learning records was ultimately used by Trustopia, an employment screening firm, to check whether people opening online gambling accounts were 18. At the time of the breach, 12,600 organisations had access to the learning records service database, including schools, colleges, higher education institutions, and other education providers. This allowed organisations to perform a number of functions, including verifying the academic qualifications of potential students or checking eligibility for funding. Trustopia had access to the database for two years and carried out searches on 22,000 learners for age verification purposes. Trustopia has never provided any government-funded educational training.

The US FTC is taking action against the online alcohol marketplace Drizly, (an Uber subsidiary), and its CEO over allegations that the company’s security failures led to a data breach exposing the personal information of about 2.5 million consumers. In 2018, a Drizly employee posted company cloud computing account login information on the software development and hosting platform GitHub. As a result of this security breakdown, hackers were able to use Drizly’s servers to mine cryptocurrency until the company changed its login information for its cloud computing account.

The FTC is also taking action against education technology provider Chegg Inc. for lax data security practices that exposed sensitive information about millions of its customers and employees. Chegg allegedly failed to fix problems with its data security despite experiencing four security breaches since 2017. Notably, multiple Chegg employees fell for a phishing attack, and a former Chegg contractor used login information the company shared with employees and outside contractors to access one of Chegg’s third-party cloud databases containing the personal information of approximately 40 million customers. The FTC’s proposed order requires the company to bolster its data security, limit the data it can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to access and delete their data.

Spain’s AEPD fined Burwebs S.L and Techpump Solutions, (owners of various internet domains with adult content), 75,000 euros and 525,000 euros respectively for multiple violations of the GDPR, Data Guidance reports. In the case of Burwebs, the AEPD found:

  • All personal data of registered users is stored indefinitely.
  • No provision regarding the consent of holders of parental authority or guardianship on profiles of minors registered as users.
  • The process for opening an account on the domains does not employ additional data or procedures to confirm the applicant’s identification in addition to the supporting papers initially used.
  • Privacy policy does not inform users of the possibility of revoking consent at any time before the initial provision of consent, and fails to inform users of the period for which their personal data will be retained.
  • The total absence of “privacy by design”.
  • The record of processing activities does not list all the processing operations, (eg, retention of unregistered user data).
  • In addition to cookie walls that block access to websites and require users to approve relevant cookies, its applicable webpages lack information on the usage of cookies. 

In the case of Techpump Solutions, the AEPD found identical data processing violations to the above case, plus:

  • Transfers of personal data to companies within the same group, despite the privacy policies claiming that no such transfers occur.
  • Indefinite storage of the personal data of those who used the relevant webpages, until website users request the withdrawal of consent.
  • No clear or affirmative consent mechanism exists for acquiring users’ personal data.
  • Most of the company is based outside Spain, and its privacy policy is in English, a foreign language for the target audience.
  • Frequent collection of personal information, including IP addresses, without explaining the circumstances to users.

Both companies were given one month to apply all the corrective measures.

The Greek data protection authority has fined four banks, (Eurobank, National Bank, Alpha Bank, and Piraeus), 20,000 euros each for storing, on the chip of customers’ Mastercards, information on their last 10 transactions. The data can be read contactlessly. The banks issued replacement cards with this feature without informing clients.

A 15,000 euro fine was issued by the Italian privacy regulator Garante against a company for not having adequately protected customer data. Access to the company’s website dedicated to “online services” took place over plain “http”, an unencrypted and insecure channel. Various data passed through this channel, including authentication credentials, names, social security numbers, e-mail addresses, telephone numbers, and billing data. The company violated the important principles of “privacy by design” and “integrity and confidentiality” of data processing.

Data security: crucial TOMs, digital footprint, cybersecurity and privacy annual report by NIST

America’s NIST has published its latest Cybersecurity and Privacy Annual Report. It is organised into eight key areas: cryptographic standards and validation, cybersecurity measurement, education and workforce, identity and access management, privacy engineering, risk management, trustworthy networks, and trustworthy platforms. NIST conducted research and demonstrated practical applications in several key priority areas, including post-quantum cryptography, cybersecurity in supply chains, zero trust, and control systems cybersecurity. NIST also initiated research in some new areas, including exploring the cybersecurity of genomics data.

The UK ICO warned that organisations are leaving themselves open to cyber attacks by ignoring crucial technical and organisational measures like updating software and training staff, (Art. 32 of the GDPR). The warning comes with a 4.4 million pound fine to Interserve Group. An employee forwarded a phishing email, which was not quarantined by the system, to another employee who opened it and downloaded its content; as a result, data of up to 113,000 current and former employees was encrypted and rendered unavailable.

The Latvian DVI explains a digital footprint and how to protect it. A user can leave it either actively or passively, but once shared, the digital footprint is relatively permanent. It can determine a person’s digital reputation, which is now as important as a person’s offline reputation. Cybercriminals can also use your digital footprint for purposes such as phishing or creating a fake identity. In one of the examples, the active digital footprint is formed when a credit card of a specific service provider is used, while the passive digital footprint is formed by analysing the flow of money in the account and the purposes for which one spends one’s financial resources. Thus:

  • Remember to carefully familiarise yourself with the privacy policies of the websites where you intend to consume the offered goods or services.
  • Additionally, every time you sign in to a third-party website using, for example, your Facebook credentials, you give that company permission to obtain your user data — potentially putting your personal information at risk.
  • Perform regular searches for your name and related personal information in search engines.
  • Enforce the privacy settings of your online accounts, and minimise the amount of personal data shared, (eg, location). 
  • Regularly update software. 

Big Tech: TikTok employees’ access to data, Medibank’s refusal to pay ransom, Amazon’s Alexa recording

TikTok informed its EU users that their data can be accessed by employees outside the continent, including in China – to ensure their experience of the platform is “consistent, enjoyable and safe”. The other countries where European user data could be accessed by TikTok staff include Brazil, Canada and Israel as well as the US and Singapore, where European user data is stored currently, The Guardian reports.

Medibank, Australia’s biggest health insurer, said no ransom payment will be made to the criminal responsible for a recent data theft, (affecting around 9.7 million current and former customers). The company believes there is only a limited chance that paying a ransom would ensure the return of its customers’ data and prevent it from being published. Moreover, paying a ransom could encourage the hacker to extort customers directly, hurting more people. Australian companies have been hit by a string of cyber attacks in recent weeks, prompting the government to consider significant increases in penalties for repeated or serious privacy breaches, with amendments to privacy laws.

Finally, Amazon must produce millions of documents in response to discovery requests in a potential class action over the marketing of its Alexa-enabled devices, Bloomberg Law reports. Plaintiffs allege that Amazon sold its Alexa-enabled devices to consumers using unfair and deceptive advertising, and illegally record conversations. The plaintiffs need discovery concerning Amazon’s intent in marketing Alexa devices, complaints received by the company, and how Alexa-enabled devices function. Amazon estimated it would have to produce 4.4 million documents in response to the plaintiffs’ requests.

Weekly digest 4 – 10 July 2022: DSA and DMA adopted, setting standards on EU digital service providers https://techgdpr.com/blog/weekly-digest-11072022-dsa-and-dma-adopted-setting-clear-standards-on-eu-digital-service-providers/ Mon, 11 Jul 2022 12:13:25 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: DSA and DMA, China’s data exporters, ransom payments, CASPs

Last week, the European Parliament adopted the new Digital Services Act (DSA) and Digital Markets Act (DMA), following a deal reached between Parliament and Council. The two bills aim to address the societal and economic effects of the tech industry by setting clear standards for how tech companies operate and provide services in the EU, in line with the EU’s fundamental rights and values. The DSA sets clear obligations for digital service providers, such as social media or marketplaces, to tackle the spread of illegal content, online disinformation and other societal risks. These requirements are proportionate to the size of the platforms and the risks they pose to society. The new obligations include:

  • New measures to counter illegal content online and obligations for platforms to react quickly, while respecting fundamental rights, including the freedom of expression and data protection.
  • Strengthened traceability and checks on traders in online marketplaces to ensure products and services are safe; including efforts to perform random checks on whether illegal content resurfaces.
  • Increased transparency and accountability of platforms, for example by providing clear information on content moderation or the use of algorithms for recommending content, (so-called recommender systems); users will be able to challenge content moderation decisions.
  • Bans on misleading practices and certain types of targeted advertising, such as those targeting children and ads based on sensitive data. So-called “dark patterns” and misleading practices aimed at manipulating users’ choices will also be prohibited.
  • Very large online platforms and search engines, (with 45 million or more monthly users), which present the highest risk, will have to comply with stricter obligations, enforced by the Commission, (preventing systemic risks, independent audits). They will also have to facilitate access to their data and algorithms to authorities and vetted researchers.

At the same time, the DMA sets obligations for large online platforms acting as “gatekeepers”, (platforms whose dominant online position make them hard for consumers to avoid), on the digital market to ensure a fairer business environment and more services for consumers. To prevent unfair business practices, those designated as gatekeepers will have to:

  • allow third parties to inter-operate with their own services, meaning that smaller platforms will be able to request that dominant messaging platforms enable their users to exchange messages, send voice messages or files across messaging apps. This will give users greater choice and avoid the so-called “lock-in” effect where they are restricted to one app or platform;
  • allow business users to access the data they generate in the gatekeeper’s platform, to promote their own offers and conclude contracts with their customers outside the gatekeeper’s platforms.

Gatekeepers can no longer:

  • Rank their own services or products more favourably, (self-preferencing), than other third parties on their platforms;
  • Prevent users from easily un-installing any pre-loaded software or apps, or using third-party applications and app stores;
  • Process users’ personal data for targeted advertising, unless consent is explicitly granted.

Once formally adopted by the Council in July, (DMA), and September, (DSA), both acts will be published in the EU Official Journal and enter into force twenty days after publication. Their application will start through 2023-2024. 

Meanwhile, China’s cyberspace regulator, (CAC), clarified that rules requiring data exports to undergo security reviews would be effective from Sept. 1, the first time it has given a start date for a new regulatory framework that will affect hundreds, if not thousands, of Chinese companies, Reuters reports. The measures, according to Data Guidance’s report, provide the cases in which a data exporter must submit a data exit security assessment to the CAC through the provincial cybersecurity and informatisation department where:

  • the data processor provides important data overseas;
  • the data processor is a critical information infrastructure operator and processes the personal information of more than 1 million people;
  • the data processor processes the personal information of 100,000 people or the sensitive information of 10,000 people since 1 January of the previous year; or
  • other situations required to declare data export security assessments as provided by the CAC.

The data export security assessment combines prior assessment with continuous supervision, and risk self-assessment with security assessment. In addition, the measures outline that a data processor’s pre-assessment should focus on, among other things, the responsibilities and obligations that overseas recipients are subject to, the risk of data being tampered with, destroyed, or leaked, and whether data export related contracts fully stipulate the responsibility and obligation of data security protections. The full legal text, (in Chinese), is available here.

The UK National Cyber Security Centre, (NCSC), and Information Commissioner’s Office, (ICO), say organisations are wrong to assume that paying a ransom a) is the right thing to do and means they need not engage with the ICO as regulator, or b) will earn them reduced enforcement. Thus both organisations, in a joint statement, advise solicitors not to advise clients to pay ransomware demands should they fall victim to a cyber-attack. Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered a reasonable step to safeguard data.

The European Parliament and Council negotiators also reached a provisional deal on a new bill aiming to ensure that crypto transfers, (like bitcoins and electronic money tokens), can always be traced and suspicious transactions blocked. The legislation is part of the new EU anti-money laundering package and will be aligned with the Markets in Crypto-assets rules, (MiCA). The agreement extends the so-called “travel rule”, already existing in traditional finance, to cover transfers in crypto assets. This rule requires that: 

  • Information on the source of the asset and its beneficiary travels with the transaction and is stored on both sides of the transfer. 
  • Crypto-assets service providers, (CASPs), will be obliged to provide this information to competent authorities if an investigation is conducted into money laundering and terrorist financing.
  • There are no minimum thresholds nor exemptions for low-value transfers, as originally proposed. Regarding protecting personal data, including a name and an address required by the travel rule, negotiators agreed that if there is no guarantee that privacy is upheld by the receiving end, such data should not be sent.
  • Before making the crypto-assets available to beneficiaries, providers will have to verify that the source of the asset is not subject to restrictive measures or sanctions, and there are no risks of money laundering or terrorism financing.

The rules would also cover transactions from so-called un-hosted wallets, (a crypto-asset wallet address that is in the custody of a private user), when they interact with hosted wallets managed by CASPs. In case a customer sends or receives more than 1000 euros to or from their own un-hosted wallet, the CASP will need to verify whether the un-hosted wallet is effectively owned or controlled by this customer. The rules do not apply to person-to-person transfers conducted without a provider, such as bitcoin trading platforms, or among providers acting on their own behalf.

Official guidance: employees location, insurance applications, local authorities, commercial interest vs. consent

The Finnish data protection ombudsman asked service providers in the public sector for a report on use of the location data function in computers used by employees in the municipal sector. The background for the report was a notification of a data security breach filed by a hospital district, when settings that allowed the collection of location data were switched on in employees’ Windows 10 workstations and remote work laptops, although there was no intention to collect the data. As a result, the regulator found that:

  • The hospital district did not have a need required by law for processing employees’ location data.
  • The hospital district did not appropriately review what data it intended to collect. 
  • Since the employees’ location data were unnecessary for the employer and collected unintentionally, these data should not have been processed. In order to ensure data protection by default, the hospital district should have reviewed the basic settings of the system and noticed that the location function was switched on before deploying the workstations. 
  • Since the location function was switched on, employees’ personal data were delivered to Microsoft as well.

The regulator ordered the erasure of any historical data, location logs and other personal data created during use of the location data function. 

The Finnish ombudsman has also investigated the procedures of insurance companies when they request the health information of insurance applicants and insured persons from health care providers in order to determine the insurance company’s liability. Deficiencies were found, especially in the appropriate demarcation of the information requested from the health care provider and in the legality of processing. The insurance companies justified the processing of the policy applicant’s health data on the grounds of a provision of the data protection law, according to which an insurance institution can process client or claimant health data that is necessary to determine the liability of the insurance institution.

The regulator states that the provision of the data protection law in question only applies to the processing of the data of the insured and the claimant. Insurance companies cannot process the insurance applicant’s health information or request personal information from the health care provider during the insurance application phase, based on the regulations, because the contract has not yet been concluded. It is possible to process health data under certain conditions if the person has given valid consent. However, it requires that the person is told precisely what information is collected about them and for what purposes it is used. Asking for consent in a general way without detailing the information and purposes of use therefore does not meet the requirements of the data protection regulation.

The French data protection regulator CNIL published a guide on the obligations and responsibilities of local authorities with regard to data protection. The study was conducted at the end of 2021. Focusing on communities smaller than 3,500 inhabitants, which represent 91% of municipalities in France, this study aimed to understand digital usage, identify risks/obstacles and data needs. It appeared that the majority of respondents are not aware of the legal framework in force, with the exception of the GDPR. The provisions relating to competences and responsibilities in the field of digital security are little or not known to local elected officials and territorial agents, who consider cybersecurity regulations to be particularly complex.

The purpose of this guide is to inform local elected officials and territorial agents about the obligations related to: a) the protection of personal data; b) the implementation of local teleservices; c) hosting of health data. This guide also recalls the different types of legal liability to which local authorities and their public institutions are exposed in the event of cyberattacks and damage related to: administrative responsibility, civil liability, criminal liability.

The European Commission says that the Dutch data protection authority AP is hindering free enterprise in the EU by interpreting privacy legislation too strictly. The legal battle refers to the dispute between the AP and the streaming service VoetbalTV. The service broadcast video images of amateur matches via the internet for, among others, players, trainers and fans. More than 150 clubs used it, until the AP imposed a fine of 575,000 euros on the service in 2019. VoetbalTV then went bankrupt.

According to the AP, the profit motive of the company could never constitute a ‘legitimate interest’ for the broadcasting of the images without the individual consent of players and the public. According to Brussels, the Dutch supervisory authority did not strike the right balance between the right to data protection on the one hand and the freedom of undertaking on the other. Additionally, in 2020, a Dutch court reportedly ruled that VoetbalTV did not have to pay the fine, as personal data may sometimes also be processed when there is only a commercial interest. The AP had appealed against this decision.

Investigations and enforcement actions: website security, data protection requests, employment certificate, cookies, account deletion, health data

As part of one of its priority themes, “the cybersecurity of the French web”, the CNIL has carried out a series of online checks of twenty-one websites of French public sector bodies, (municipalities, university hospitals, ministries, etc.), and the private sector, (e-commerce platforms, IT solution providers, etc.). The verifications carried out by the CNIL therefore focused mainly on technical and organisational flaws: 

  • unsecured, (HTTP), access to websites; many actors implemented obsolete versions of the TLS protocol to protect data in transit, and used non-compliant certificates and cipher suites for exchanges with the servers of the audited sites;
  • lack of mechanisms to trace abnormal connections to servers;
  • use of insufficiently robust passwords, and password renewal procedures that do not adequately secure their transmission and storage.

The bodies on notice have a period of three months to take any measure to ensure an appropriate level of security.
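The Garante case above (credentials sent over plain HTTP) and the CNIL checks here (obsolete TLS versions, non-compliant cipher suites and certificates) are the same audit seen from two regulators. The block below is an added example, not the CNIL's or the Garante's tooling, of how a defender can encode that audit as a policy and run it over scan results. The policy thresholds (TLS 1.2 as the floor, the weak-cipher markers, a 14-day certificate warning window), the `Observation` type and the placeholder hostnames are assumptions for this example; `probe` uses Python's standard `ssl` module for a live check but the sample run is fully offline.

```python
"""Evaluate a web endpoint's transport security against a simple policy.

The thresholds below are assumptions chosen for this example, not the
published criteria of any regulator."""
from __future__ import annotations

import socket
import ssl
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Observation:
    """What a single connection attempt revealed about an endpoint."""
    scheme: str                    # "http" (plaintext) or "https"
    tls_version: Optional[str]     # e.g. "TLSv1.2"; None for plaintext
    cipher: Optional[str]          # OpenSSL cipher name; None for plaintext
    cert_days_left: Optional[int]  # days until certificate expiry


ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3"}
# Substrings of OpenSSL cipher names that indicate broken, export-grade or
# anonymous suites (ADH/AECDH are OpenSSL's anonymous DH families).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")
CERT_WARN_DAYS = 14

MESSAGES = {
    "PLAINTEXT_HTTP": "credentials and personal data travel unencrypted",
    "OBSOLETE_TLS": "protocol version below TLS 1.2",
    "WEAK_CIPHER": "cipher suite uses a broken or export-grade primitive",
    "CERT_EXPIRED": "server certificate has expired",
    "CERT_EXPIRING": f"server certificate expires within {CERT_WARN_DAYS} days",
}


def evaluate(obs: Observation) -> list[str]:
    """Return the policy findings (codes from MESSAGES) for one observation."""
    if obs.scheme != "https":
        # Nothing else matters once the channel itself is plaintext.
        return ["PLAINTEXT_HTTP"]
    findings: list[str] = []
    if obs.tls_version not in ACCEPTED_TLS:
        findings.append("OBSOLETE_TLS")
    if obs.cipher and any(m in obs.cipher.upper() for m in WEAK_CIPHER_MARKERS):
        findings.append("WEAK_CIPHER")
    if obs.cert_days_left is not None:
        if obs.cert_days_left < 0:
            findings.append("CERT_EXPIRED")
        elif obs.cert_days_left < CERT_WARN_DAYS:
            findings.append("CERT_EXPIRING")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Observation:
    """Live probe of an HTTPS endpoint (not used by the offline sample run).

    The default context refuses versions below TLS 1.2 on current Python
    releases, so a handshake failure is itself a sign of an obsolete server."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            not_after = ssl.cert_time_to_seconds(cert["notAfter"])
            days_left = int((not_after - time.time()) // 86400)
            return Observation("https", tls.version(), tls.cipher()[0], days_left)


# Constructed observations standing in for scan results; the hostnames are
# placeholders, not sites any regulator audited.
SAMPLE_OBSERVATIONS = {
    "portal.example": Observation("http", None, None, None),
    "legacy.example": Observation("https", "TLSv1", "DES-CBC3-SHA", 200),
    "expired.example": Observation("https", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", -3),
    "good.example": Observation("https", "TLSv1.3", "TLS_AES_256_GCM_SHA384", 90),
}


def audit(observations: dict[str, Observation]) -> dict[str, list[str]]:
    """Map each host to its findings; hosts with an empty list pass."""
    return {host: evaluate(obs) for host, obs in observations.items()}


if __name__ == "__main__":
    for host, codes in audit(SAMPLE_OBSERVATIONS).items():
        status = "OK" if not codes else "; ".join(MESSAGES[c] for c in codes)
        print(f"{host}: {status}")
```

Keeping `evaluate` separate from `probe` is deliberate: the policy can be unit-tested and reviewed on its own, and the same evaluation can be fed from a scanner's export instead of live connections when auditing many hosts.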

The Finnish company Otavamedia was penalised for shortcomings in the implementation of data protection rights. Between 2018 and 2021, eleven cases concerning Otavamedia were brought to the office of the data protection commissioner. Among other things, the complainants had not received an answer to their requests or inquiries regarding data protection rights. According to the report provided by Otavamedia, some of the data protection requests had not been implemented due to a technical problem with the e-mail control in connection with the change of digital service providers. During the error situation, the messages that arrived in the e-mail box reserved for data protection matters were not forwarded to the customer service staff. The situation was discovered only after the data protection authority’s request for clarification. 

Otavamedia should have taken care to test the e-mail box, as it is the main electronic contact channel for data subjects in data protection matters. Additionally, data subjects had the opportunity to make requests to Otavamedia regarding their own information using a printable form. The person’s signature was required on the form for identification purposes. The regulator considers that with this method of operation, Otavamedia collected an unnecessarily large amount of data for identification purposes. Otavamedia does not process signature information in other contexts, which is why it was not possible, for example, to compare signatures with previously held information.

In the first half of 2022, the Czech office for personal data protection UOOU monitored compliance with the GDPR in connection with the setting of the processing of cookie files by various operators of web portals and pages, based on both complaints received and the monitoring plan. Among the main shortcomings detected by the regulator are: 

  • Use of non-technical cookies without consent.
  • A disproportionately long period of validity of cookies in relation to their purpose.
  • Absence of the choice for expressing disagreement with the non-technical cookies in the first layer of the cookie bar.
  • Wrong categorisation of cookies.
  • Absence of information about specific cookies used.
  • The difference in the visibility of the consent and non-consent buttons for the use of non-technical cookies.
  • Information about cookies in a foreign language.
  • The cookie bar makes it difficult or impossible to read the website.
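Two of the shortcomings listed above, non-technical cookies set without consent and disproportionately long validity, can be checked mechanically from the Set-Cookie headers of a first, pre-consent response. The following is an added example (not UOOU tooling) of such a check using Python's standard `http.cookies` parser. The allowlist of technical cookies, the sample headers and the roughly 13-month lifetime ceiling used as the threshold are assumptions constructed for this example.

```python
"""Audit the cookies a site sets on a first visit (before any consent) for
two common failings: non-technical cookies placed without consent, and
lifetimes out of proportion to their purpose."""
from __future__ import annotations

from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from typing import Optional

# Allowlist of strictly necessary cookies; constructed for this example, a
# real audit derives it from the site's documented cookie inventory.
TECHNICAL_COOKIES = {"session_id", "csrf_token", "cookie_consent"}

# Working ceiling on cookie lifetime (roughly 13 months); an assumption used
# as the threshold here, not a figure quoted from any decision.
MAX_LIFETIME_DAYS = 13 * 30


def lifetime_days(morsel, now: datetime) -> Optional[float]:
    """Lifetime in days from Max-Age (which takes precedence) or Expires;
    None for a session cookie that dies with the browser."""
    if morsel["max-age"]:
        return int(morsel["max-age"]) / 86400
    if morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        return (expires - now).total_seconds() / 86400
    return None


def audit_set_cookie(headers: list[str], now: datetime,
                     consent_given: bool = False) -> list[tuple[str, str]]:
    """Return (cookie name, finding code) pairs for Set-Cookie header values."""
    findings: list[tuple[str, str]] = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)          # parses name=value and its attributes
        for name, morsel in jar.items():
            if name not in TECHNICAL_COOKIES and not consent_given:
                findings.append((name, "NON_TECHNICAL_WITHOUT_CONSENT"))
            days = lifetime_days(morsel, now)
            if days is not None and days > MAX_LIFETIME_DAYS:
                findings.append((name, "LIFETIME_TOO_LONG"))
    return findings


# Constructed Set-Cookie values as a first, pre-consent response might carry
# them: two technical cookies, a two-year analytics cookie and a short-lived
# advertising cookie.
SAMPLE_HEADERS = [
    "session_id=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cookie_consent=pending; Max-Age=15552000; Path=/; SameSite=Lax",
    "_ga=GA1.2.123456.789; Max-Age=63072000; Path=/; SameSite=Lax",
    "ad_id=x7Q2; Expires=Mon, 11 Jul 2022 00:00:00 GMT; Path=/",
]
# Fixed reference time so the Expires arithmetic is reproducible.
SAMPLE_NOW = datetime(2022, 7, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, code in audit_set_cookie(SAMPLE_HEADERS, SAMPLE_NOW):
        print(f"{name}: {code}")
```

Running the same headers with `consent_given=True` isolates the lifetime problem from the consent problem, which mirrors how the two shortcomings are listed separately above: fixing the banner does not fix a two-year cookie.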

The Polish supervisory authority UODO was notified of potential inaccuracies related to the processing of personal data by a manufacturing company, (Esselmann Technika Pojazdowa). The company made an informed decision not to notify a breach involving an important document of one of its employees to the supervisory authority, despite the letters addressed to it indicating a possible risk to the rights or freedoms of the persons concerned in this case. In the course of explanatory actions by the regulator the loss of a document from the personal file of a company employee – an employment certificate – was revealed. The certificate of employment contains a lot of important information about the person, including:

  • the period(s) of employment;
  • the procedure and legal basis for the termination or expiry of the employment relationship;
  • parental and child care leave taken;
  • information on the amount of remuneration and qualifications obtained – at the employee’s request;
  • information on enforcement seizure of remuneration.

Taking the above into account, the Polish regulator imposed a fine of approximately 3,500 euros.

The Irish data protection authority DPC published its recent decision concerning Twitter International Company. In 2019, the complainant alleged that, following the suspension of their Twitter account, Twitter failed to comply with an erasure request they had submitted to it within the statutory timeframe. Further, the complainant alleged that Twitter had requested a copy of their photographic ID in order to action their request without a legal basis to do so. Finally, the complainant alleged that Twitter had retained their personal data following their erasure request without a legal basis to do so.

While the complaint was lodged directly with the DPC by an individual who resides in the UK, the DPC considered that the nature of the data processing operations complained of could have a substantial effect, and that the type of processing meets the definition of cross border processing. As a result, the DPC ordered Twitter, pursuant to Article 58 of the GDPR, to revise its internal policies and procedures for handling erasure requests to ensure that data subjects are no longer required to provide a copy of photographic ID when making data erasure requests, unless it can demonstrate a legal basis for doing so. 

Data relating to health enjoys enhanced protection and, subject to the exceptions provided for by the law, dissemination is prohibited. Administrative transparency cannot violate people’s privacy. For these reasons, the Italian privacy regulator ‘Garante’ sanctioned the Roma local health authority 46,000 euros. It had published in clear text on its website all the names and data relating to the health of the subjects who had requested civic access in 2017 and 2018. In most cases, the documents concerned the health records of the persons concerned, including medical records, disability assessments, tests, technical reports, etc. The first serious violation detected by the Authority, which took action ex officio, was therefore the dissemination of data on the health of the subjects concerned, information relating to both their physical and mental state, including the provision of health care services.

Data security: cybersecurity threat landscape

The European Union Agency for Cybersecurity provided simple steps to map the cybersecurity threat landscape. The methodology aims at promoting consistent and transparent threat intelligence sharing across the EU, (including but not limited to public bodies, policy makers, cybersecurity experts, industry, vendors, solution providers, SMEs). The framework is based on the different elements considered in the performance of the cybersecurity threat landscape analysis. It therefore includes the identification and definition of the process, the methods and tools used as well as the stakeholders involved. Building on the existing modus operandi, this methodology provides directions on the following:

  • defining components and contents of each of the different types of CTL;
  • assessing the target audience for each type of CTL to be performed;
  • how data sources are collected;
  • how data is analysed;
  • how data is to be disseminated;
  • how feedback is to be collected and analysed.

The methodology consists of six main steps, each with an associated feedback loop: direction, collection, processing, analysis and production, dissemination, and feedback. You can download the full methodology guide here.

Big Tech: Apple’s new lockdown mode, Chinese CCTV in UK

Apple’s latest iOS 16 security tool can defend against a state-sponsored cyberattack on your iPhone, cnet.com reports. In short, new Lockdown Mode increases security capabilities on iOS 16, iPadOS 16, and macOS Ventura by limiting certain functions that may be vulnerable to attack: 

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.
  • Configuration profiles cannot be installed, and the device cannot enrol into mobile device management, (MDM), while Lockdown Mode is turned on.

Meanwhile, a cross-party group of UK MPs has called for a ban on two Chinese surveillance camera brands widely used in Britain, according to Yahoo News. The AI-enabled cameras are capable of facial detection, gender recognition and behavioural analysis and offer advanced features such as identifying fights or whether someone is wearing a face mask. The two brands — Hikvision and Dahua — are widely used by government bodies in the UK, by 73% of councils across the UK, 57% of secondary schools in England, and six out of 10 NHS Trusts. Reportedly, Hikvision and Dahua are now banned from trading in the US over security concerns and evidence of their widespread use in so-called “re-education” camps in China. The MPs’ call for action also includes “an independent national review of the scale, capabilities, ethics and rights impact of modern CCTV in the UK”.

Weekly digest March 28 – April 3, 2022: EU crypto-asset transfers to be traced and identified, with some exceptions https://techgdpr.com/blog/weekly-digest-04042022-eu-crypto-asset-transfers-to-be-traced-and-identified-with-some-exceptions/ Mon, 04 Apr 2022 09:24:06 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: crypto-asset transfers, Belgian DPA’s independence

EU lawmakers have backed tougher rules for tracing transfers of bitcoin and other crypto-assets, Reuters reports; the Parliament as a whole is now due to vote on them during the April plenary session. Companies that carry out crypto-asset transfers would need to collect details of senders and recipients to help authorities prevent money laundering, terrorist financing and other crimes. Under the new requirements agreed by MEPs:

  • Providers would have to verify that the source of the asset is not subject to restrictive measures and that there are no risks of crime.
  • All transfers will have to include information on the source of the asset and its beneficiary, information that is to be made available to the competent authorities. 
  • The rules would also cover transactions from so-called unhosted wallets, (a crypto-asset wallet address that is in the custody of a private user). 
  • No minimum thresholds or exemptions for low-value transfers.
  • Technological solutions should ensure that the transfers can be individually identified. 

However, the rules would not apply to person-to-person transfers conducted without a provider, such as bitcoin trading platforms, or to transfers among providers acting on their own behalf. Currently, there are no EU rules allowing crypto-asset transfers to be traced or requiring information on the originator and beneficiary to be provided.

The Belgian data protection authority, (DPA), is concerned about legal developments that could threaten its independence. These include a preliminary draft law to amend the current DPA law, and the lack of resources allocated to it. The opinion has been forwarded to the Court of Audit, the Council of State, the European Commission and the other European supervisors assembled in the EDPB. The draft law notably introduces:

  • parliamentary interference in the internal organisation of the DPA and in the setting of its priorities,
  • the renewal of the mandate of its members conditional on a positive evaluation by the House of Representatives. 

Finally, the GDPR requires that every supervisor has the necessary resources at their disposal to perform their tasks. However, the DPA’s requests for additional human and financial resources, substantiated by the Court of Audit and an external study, have so far been largely ignored. The DPA points out that the gap with its European counterparts is therefore widening. Read the full opinion here.

Data security: EU institutions, Russian technology risks

EU bodies must step up their cybersecurity preparedness, according to a European Court of Auditors special report. Significant cybersecurity incidents at EU institutions increased more than tenfold between 2018 and 2021, and it can take weeks, if not months, to investigate and recover from them. One example was the cyberattack on the European Medicines Agency, in which sensitive data was leaked and manipulated to undermine trust in vaccines. So far there is no legal framework for information security and cybersecurity in EU bodies: they are not subject to the broadest EU legislation on cybersecurity, the 2016 NIS directive, nor to its proposed revision, the NIS2 directive. There is also no comprehensive information on the amount EU bodies spend on cybersecurity. The auditors therefore recommend that binding cybersecurity rules be introduced and that the resources available to CERT-EU and ENISA be increased.

The UK National Cyber Security Centre, the NCSC, has updated its guidance on the use of Russian technology products and services following the invasion of Ukraine. Its experts state that they have not seen, and do not expect, the massive global cyber attacks that some had predicted. However, the NCSC has previously seen Russia acting against UK interests, including through proxy compromises of suppliers to reach UK entities (eg, the SolarWinds Orion software, and UK telecoms networks). Additionally, Russian law already obliges companies to assist the Federal Security Service, and the pressure to do so may increase in a time of war, the NCSC believes.

The NCSC advises certain organisations, (public sector bodies, high-profile organisations, providers of services related to critical national infrastructure, etc), to specifically consider the risk posed by Russian-controlled parts of their supply chain, whether they contract directly with a Russian entity or the staff of a non-Russian supplier happen to be located in Russia: “You may choose to remove Russian products and services proactively, wait until your contract expires, (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk”. Finally, the ongoing global sanctions could mean that Russian technology services, (and support for products), may have to be stopped at a moment’s notice. Read the NCSC guides on improving security for enterprises and for individuals.

Official guidance: DPO compliance provisions

The Polish data protection authority UODO has updated its inspection report, (in Polish), on compliance with the provisions relating to the designation, position and tasks of the DPO. In most cases, verification of the reported cases gave no grounds for applying corrective powers against the undertakings. Only in a few cases did the regulator find irregularities, concerning conflicts of interest or failure to consult the DPO on data processing operations. Several violations related to the performance of the DPO’s function did require corrective action by the UODO, including an order to appoint a DPO and an administrative fine. The regulator has also published 27 DPO-related self-audit questions directed at controllers and processors in both the public and private sectors.

Investigations and enforcement actions: facial recognition system, agile development environment, Klarna bank fine

The Danish data protection agency has decided a case concerning the use of a facial recognition system to control access to a company’s facilities. Based on the information provided by FysioDanmark Hillerød, (a physiotherapy practice), the regulator assessed that the system, which relied on the data subjects’ consent, could be used. However, the regulator warned the company that it would probably be in breach of the GDPR if it used the system without customers’ consent, or if it did not ensure that the system was not applied to persons who had not given their consent.

The Danish data protection agency also criticised a data controller for not checking whether personal data had been stored by mistake in its IT environments. In the case, an employee of the Danish Health and Medicines Authority, (HMA), in violation of internal guidelines and procedures, had stored a data set containing pseudonymised personal information in a development environment, (Microsoft Azure DevOps), where it was not allowed to be stored. The data set contained pseudonymised confidential data about citizens which could be re-identified (“decoded”) by trusted employees regardless of whether they had a work-related need to do so. The HMA did not discover it until a year later.

The regulator found that the HMA had not complied with the rules on processing security. The agency emphasized that data controllers must generally establish controls – either manual or automatic, and it is not sufficient to have guidelines and procedures without regularly checking whether they are followed in practice. The regulator also emphasized that this was a so-called “agile development environment”, where there is a known risk that personal data will be stored by mistake.
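The kind of automatic control the regulator has in mind, as an added example that is not the HMA’s or the Danish agency’s own tooling: a scan of a checked-out workspace for tokens shaped like Danish CPR numbers (DDMMYY-XXXX), with the date part validated so that version strings, ticket numbers and other digit runs are not reported. The file names and contents are constructed sample input; a real control would run the same function over the repository or build artefacts on every push.

```python
import re
from datetime import date

# Added example (not the HMA's or the regulator's tooling). A CPR-shaped token is
# six digits, an optional hyphen and four more digits, not glued to other digits.
CPR_RE = re.compile(r"(?<!\d)(\d{2})(\d{2})(\d{2})-?(\d{4})(?!\d)")


def _is_real_date(dd: str, mm: str, yy: str) -> bool:
    """CPR numbers carry only a two-digit year, so accept the date if it exists
    in either the 1900s or the 2000s (29 Feb 2000 exists, 29 Feb 1900 does not)."""
    for century in (1900, 2000):
        try:
            date(century + int(yy), int(mm), int(dd))
            return True
        except ValueError:
            continue
    return False


def find_cpr_like(text: str) -> list[str]:
    """Return every CPR-shaped token in `text` whose date part is a real date."""
    return [m.group(0) for m in CPR_RE.finditer(text)
            if _is_real_date(m.group(1), m.group(2), m.group(3))]


def scan_workspace(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """`files` maps a path to its text content (in a real control: the checked-out
    repository or build artefacts). Returns (path, line number, token) findings,
    ordered by path so the output is stable for diffing between runs."""
    findings = []
    for path in sorted(files):
        for lineno, line in enumerate(files[path].splitlines(), start=1):
            for token in find_cpr_like(line):
                findings.append((path, lineno, token))
    return findings


# Constructed sample workspace: the fixture file carries two real-looking CPR
# numbers; the other files contain digit runs that must not be reported.
SAMPLE_FILES = {
    "src/version.py": '__version__ = "2022.03.28"\n',
    "tests/fixtures/citizens.csv": "id,cpr,postcode\n1,010190-1234,2100\n2,3112994321,8000\n",
    "docs/changelog.md": "Closed ticket 999999-0000 and 3102220001 (neither is a date).\n",
}

if __name__ == "__main__":
    for path, lineno, token in scan_workspace(SAMPLE_FILES):
        print(f"{path}:{lineno}: CPR-like value {token}")
```

A pattern scan of this kind only catches raw identifiers. The HMA data set was pseudonymised, which content matching alone would not flag, so in practice the check also needs a placement rule (for example, fixture and test directories may hold synthetic data only, and any data set that arrives from a production export is rejected regardless of what it looks like).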

Meanwhile, Sweden’s data protection authority fined Klarna Bank approximately 724,000 euros for several breaches of the GDPR. The bank:

  • continuously changed the information it provided on how it handles personal data;
  • did not state the purpose of, or the legal basis for, the processing of personal data in one of its services;
  • provided incomplete and misleading information about the recipients of different categories of personal data when data was shared with Swedish and foreign credit information companies;
  • did not state which countries outside the EU/EEA personal data were transferred to, or where and how the individual could obtain information on the safeguards applied to those transfers;
  • provided insufficient information about data subjects’ rights, including the right to erasure, the right to data portability and the right to object to how one’s personal data is processed.

Data breaches: “emergency data requests”

Hackers are increasingly using compromised US government and police department email accounts to obtain sensitive customer data from mobile providers, ISPs and social media companies, warns KrebsOnSecurity, (an in-depth security news and investigation blog). At issue are forged “emergency data requests”, (EDRs). Tech companies usually require a search warrant or subpoena before handing over customer or user data, but any police jurisdiction can use an EDR to request immediate access without a warrant, provided the law enforcement entity attests that the request concerns an urgent matter of life and death. A request sent from a genuine, if compromised, police mailbox therefore gives the provider little beyond the sender address to check it against. In a recent example, fraudulent EDRs were a tool used by members of LAPSUS$, the data extortion group that recently hacked Microsoft, NVIDIA, Okta and Samsung. Also tracked were the activities of a teenage hacker from the UK who was reportedly arrested multiple times for sending fake EDRs.

Big Tech: TikTok class action, Chrome’s Privacy Sandbox, interoperability vs end-to-end encryption

A case filed in 2019 against TikTok has finally been settled, the Chinese giant and its Musical.ly offshoot agreeing a 1.1 million dollar settlement in the US District Court for the Northern District of Illinois. The class action claimed that TikTok and Musical.ly had violated the plaintiffs’ rights under the Children’s Online Privacy Protection Act by tracking, collecting and disclosing personally identifiable data of users under 13 without parental consent.

Alphabet’s Chrome is rolling out the next stage of testing for its Privacy Sandbox, appealing to developers to get on board and send feedback, and offering support. The APIs are the key element: global testing of the Topics, FLEDGE and Attribution Reporting APIs is immediately available in Chrome Canary. Industry associations are also encouraged to contribute. Chrome will also test updated Privacy Sandbox settings and controls, giving people more visibility into, and control over, how their preferences are used.

An analyst in The Guardian predicts trouble ahead for Europe’s new Digital Markets Act. In privacy terms there will be limits on large companies, (those with 45 million users or 10,000 business users), combining personal data from various sources for targeted advertising, and, most critically, an insistence that the largest messaging systems become “interoperable”. Resolving the major technical problems this creates could see end-to-end encryption abandoned, since a message only stays encrypted end to end if both services agree on how keys are exchanged and verified; in security terms this raises many issues and may actually facilitate abuse.

Instead of a challenge some are seeing interoperability as an opportunity, like Twitter-financed Bluesky. It is developing a new operating standard for social media, based on an open protocol. New board member and Twitter co-founder Jack Dorsey says the idea could take years to become a reality, but would offer social media users greater control and choice. The company has made its first key hires and is developing a prototype.

Weekly digest March 21 – 27, 2022: EU and US reach preliminary data transfer agreement, but experts have doubts
https://techgdpr.com/blog/weekly-digest-28032022-eu-us-new-data-transfer-deal-leaves-privacy-experts-in-doubt/
Mon, 28 Mar 2022 08:51:48 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: new EU-US data transfer deal, Digital Markets Act, China’s algorithmic rules

The EU and US have announced a new preliminary data transfer deal, seeking to end the legal uncertainty in which thousands of companies found themselves after the CJEU struck down two previous agreements over US government surveillance practices, Reuters reports. It will take months to turn the provisional agreement into a final legal deal, as the US needs to prepare its executive order, after which the EU must complete internal consultation in the Commission and within the EDPB. So far the White House has released a fact sheet on the new deal, which addresses the CJEU ‘Schrems II’ decision concerning US law governing signals intelligence activities:

  • Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
  • EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the US Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
  • US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards. 

Earlier last week, EU privacy experts raised their concerns over the lack of details of the deal. Austrian privacy activist Max Schrems, who started a long-running dispute with Meta/Facebook, (resulting in the invalidation of the EU-US Privacy Shield data transfer framework), stated: “The final text will need more time, once this arrives we will analyze it in-depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it.”  The legal stance over transatlantic data flows has led, in recent months, to European data protection agencies issuing orders against flows of personal data passing via products such as Google Analytics, Google Fonts, and Stripe, along with long-standing and multilayered complaints against Meta/Facebook, TechCrunch sums up.

Meanwhile, sweeping new digital rules targeting US tech giants will likely come into force in October, EU antitrust chief Margrethe Vestager said. The rules proposed just over a year ago in the Digital Markets Act set out a list of dos and don’ts for Amazon, Apple, Meta, Google, Microsoft and others. Fines for violations will reportedly be up to 10% of a company’s annual global turnover, rising to 20% for repeat offenders, who could also face an acquisition ban. Companies designated as online gatekeepers, (providers of intermediation services, social networks, search engines, operating systems, advertising services, cloud computing, video-sharing services, web browsers and virtual assistants), which control access to their platforms and the data generated there, will have six months to comply with the new rules.

In China, the provisions on the administration of algorithmic recommendations in Internet Information Services became effective as of March, the Chinalawupdate blog reports. They cover the application of any algorithmic technology, including without limitation generation and synthesis, individualised push, sorting and selection, searching and filtering, and scheduling and decision-making, to provide information to users. Among many provisions, they require:

  • algorithmic system and mechanism review, science and technology ethics review,
  • user registration, information release review, data security protection,
  • anti-telecom network fraud, security evaluation, monitoring, and incident emergency plan,
  • informing users about its provision of algorithmic recommendation service, and notifying the public, in an appropriate manner, of the basic principles, the purpose and intention, and the main operation mechanism, 
  • providing users with options that are not customized based on the users’ individual characteristics, or the option to conveniently close the algorithmic recommendation service, etc.

Official guidance: workplace monitoring

The Norwegian data protection authority Datatilsynet has issued workplace monitoring guidance, (in Norwegian). Such activities must respect key data protection requirements: providing jobseekers and employees with information about the processing, facilitating data subject rights, deleting the information when it is no longer necessary, and maintaining satisfactory information security and internal control over the data. As one example, automatic forwarding of e-mails is considered continuous monitoring of the employee’s use of electronic equipment and is not allowed. Monitoring an employee’s use of electronic equipment is generally prohibited and may only exceptionally take place where the purpose is to administer the company’s computer network or to detect or resolve security breaches in the network. The guide also covers background checks during recruitment, access to e-mail and other electronically stored materials, and camera surveillance in the workplace.

Data breaches and enforcement actions: online retailer, third party provider, school’s trade union, insurance company

CafePress, an American online retailer of stock and user-customised on-demand products, is to pay half a million dollars to settle FTC charges, DLA Piper reports. The online platform failed to secure consumers’ sensitive personal data collected through its website and covered up a major breach. Its failures included:

  • Storing personal information in clear, readable text.
  • Maintaining lax password policies that allowed, for example, users to select the same word, including common dictionary words, as both the password and user ID.
  • Failing to log sufficient information to adequately assess cybersecurity events.
  • Failing to comply with existing written security policies.
  • Failing to implement patch policies and procedures.
  • Storing personal information indefinitely without a business need to do so, etc.

In 2019, a major data breach exposed millions of email addresses and passwords, physical addresses, security questions and answers, as well as a smaller number of social security numbers, partial payment card numbers and expiry dates from customer accounts. This information was later discovered for sale on the dark web. The company patched the vulnerability but allegedly failed to properly investigate the breach or notify the affected customers. Read more analysis of the case in the Workplace Privacy Report article.
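The two password failures on the list above (credentials stored readable, and a password allowed to equal the user ID or a common dictionary word) next to a hardened equivalent, as an added example that is not CafePress’s code. The deny-list is a constructed stand-in for a breached-password list, and the scrypt parameters are an assumption chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not CafePress's code. COMMON_WORDS is a constructed stand-in
# for a real breached-password list; MIN_LENGTH and the scrypt cost are assumptions.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "123456", "cafepress"}
MIN_LENGTH = 12
PADDING = "0123456789!@#$%^&*._-"   # characters people bolt onto a dictionary word


def weak_register(user_id: str, password: str, store: dict) -> None:
    """What the FTC complaint describes: no policy, and the password kept readable.
    A dump of `store` is a ready-to-use credential list."""
    store[user_id] = password


def check_policy(user_id: str, password: str) -> Optional[str]:
    """Return None if the password is acceptable, else the reason it is rejected."""
    if len(password) < MIN_LENGTH:
        return "too short"
    p = password.casefold()
    if p == user_id.casefold():
        return "same as user ID"
    if p in COMMON_WORDS or p.strip(PADDING) in COMMON_WORDS:
        return "common dictionary word"
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt with N=2^14, r=8, p=1 needs about 16 MiB per evaluation, which is the
    # point: an offline attack on a leaked table pays that cost for every guess.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def register(user_id: str, password: str, store: dict) -> None:
    reason = check_policy(user_id, password)
    if reason is not None:
        raise ValueError(f"password rejected: {reason}")
    salt = os.urandom(16)             # per-user salt: no shared precomputed tables
    store[user_id] = (salt, hash_password(password, salt))


def verify(user_id: str, password: str, store: dict) -> bool:
    record = store.get(user_id)
    if record is None:
        hash_password(password, bytes(16))   # same cost for unknown users, so timing
        return False                         # does not reveal which IDs exist
    salt, digest = record
    return hmac.compare_digest(digest, hash_password(password, salt))


if __name__ == "__main__":
    users: dict = {}
    for candidate in ("alice", "Password2022!", "pomegranate-orbit-7"):
        try:
            register("alice", candidate, users)
            print(f"accepted {candidate!r}")
        except ValueError as exc:
            print(f"{candidate!r}: {exc}")
    print("login ok:", verify("alice", "pomegranate-orbit-7", users))
```

The policy check strips trailing digits and punctuation before the dictionary lookup so that “Password2022!” is treated as the dictionary word it is. Verification hashes even for unknown user IDs, so a login endpoint does not answer faster for accounts that do not exist.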

The US authentication firm Okta has admitted that hundreds of customers may have been affected by a prolific hacking group’s attack via a third-party provider, Infosecurity Magazine reports. The extortion group Lapsus$ shared screenshots which purportedly showed “superuser” access to an internal Okta desktop in January. The attackers had access to a third-party support engineer’s laptop for a five-day window. Okta initially said the matter with the sub-contractor had been investigated and contained, the BBC reports. Likewise, none of Okta’s clients, such as Cloudflare, FedEx and Thanet, have reported any issues.

Cyprus’s data protection commissioner fined the English School 4,000 euros for failing to implement sufficient technical and organisational security measures to prevent a data breach, DataGuidance reports. The investigation concerned the unauthorised access to, and use of, the email addresses of students’ parents and guardians by the school’s staff union, ESSA. In particular, a teacher who was also the president of ESSA sent an email to all parents/guardians and staff for purposes other than those for which the email addresses were originally collected, without the parents/guardians having been informed of such use. The regulator ruled that, irrespective of the responsibility of the teacher and ESSA, the English School, as data controller, had not applied sufficient security measures under Art. 32 of the GDPR. ESSA, as a separate joint controller, was also fined 5,000 euros.

The Icelandic data protection authority ruled in a case about an insurance company’s processing of personal data following a claim for compensation. The complaints concerned the insurance company’s disclosure of the complainant’s personal data to an expert who prepared a report on the speed and impact of a traffic incident the complainant had been involved in, and the company’s subsequent use of that report when assessing the claim against it. The complainant argued that the insurance company was not authorised to direct the further use of the report data, and that it had neither informed the individuals concerned nor obtained their consent. The authority concluded that the processing itself was in accordance with the law, resting in particular on a contract, (Art. 28 of the GDPR). However, since the complainant had not been informed about the transfer of the data to the expert or its processing, the regulator found that the company had not complied with its information and transparency obligations, (Art. 13 of the GDPR).

Data security: pseudonymisation in the health sector

The European Union Agency for Cybersecurity, ENISA, has published guidance on deploying pseudonymisation techniques in the health sector. From a cybersecurity point of view, the confidentiality, availability and integrity of medical data and the relevant infrastructure are essential to providing timely, appropriate and uninterrupted medical care. This is also reflected in the NIS Directive, which lists health among the sectors of operators of essential services and calls for minimum security requirements appropriate to the level of risk presented. Furthermore, the GDPR singles out data concerning health in Art. 9 as a special category of data, with additional requirements and stricter obligations for processing and protecting it. Lastly, the Medical Devices Regulation imposes requirements on the safety, quality and security of medical devices to achieve a high common level of safety. The case studies in the report include:

  • exchanging patients’ health data,
  • clinical trials,
  • patient-sourced monitoring of health data.
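As an added example that is not taken from ENISA’s report, the difference between a plain-hash pseudonym and a keyed one for a patient identifier, and why it matters: a five-digit hospital number space is small enough to enumerate, so an unkeyed hash can be reversed by anyone holding the data set, while the HMAC form needs the secret that only the pseudonymising entity keeps. The identifier format, the key and the context strings are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Added example (not from ENISA's report). Identifier space, key and study
# names below are constructed for illustration.


def plain_hash_pseudonym(identifier: str) -> str:
    """Unkeyed hash: deterministic and collision-free, but anyone can recompute
    it for every possible identifier, so it is only as secret as the input space."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:20]


def keyed_pseudonym(identifier: str, key: bytes, context: str) -> str:
    """HMAC under a secret held only by the pseudonymising entity. The context
    (recipient, study, purpose) is mixed in with a separator so the same patient
    gets unlinkable pseudonyms in data sets sent to different recipients."""
    msg = context.encode() + b"\x00" + identifier.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:20]


def dictionary_attack(pseudonym: str, candidates: Iterable[str],
                      derive: Callable[[str], str]) -> Optional[str]:
    """Recover the identifier behind `pseudonym` by pushing every candidate
    through `derive`. Succeeds whenever the attacker can compute `derive`."""
    for cand in candidates:
        if hmac.compare_digest(derive(cand), pseudonym):
            return cand
    return None


def hospital_ids() -> Iterable[str]:
    """Constructed identifier space: five-digit hospital patient numbers."""
    return (f"{n:05d}" for n in range(100_000))


if __name__ == "__main__":
    patient = "42917"
    key = secrets.token_bytes(32)          # stays with the hospital, never in the data set

    print("plain hash reversed to:",
          dictionary_attack(plain_hash_pseudonym(patient), hospital_ids(), plain_hash_pseudonym))
    target = keyed_pseudonym(patient, key, "study-A")
    wrong_key = secrets.token_bytes(32)
    print("keyed, attacker without key:",
          dictionary_attack(target, hospital_ids(),
                            lambda c: keyed_pseudonym(c, wrong_key, "study-A")))
    print("same patient, two recipients:",
          keyed_pseudonym(patient, key, "study-A"), keyed_pseudonym(patient, key, "study-B"))
```

The keyed form is only an improvement if the key does not travel with the data: a recipient, or an employee who can read the key store, can re-identify every record just as in the Danish case above. Separate context strings per recipient mean that two data sets about the same patients cannot be joined on the pseudonym without the key holder’s cooperation.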

Big Tech: data brokers, smartphone health monitoring, China’s crackdown on Bing algorithms

The legal implications of personal data usage by the data brokerage industry have been analysed by the Guardian. A new lawsuit reportedly involves two companies in this vast network: X-Mode, a data broker, and NybSys, one of X-Mode’s customers. The lawsuit claims that people’s exact location data, rather than a summary or analysis of it, was sold on through a chain of industry players without X-Mode’s knowledge or permission. Data brokers collect personal data from a variety of sources, including social media, public records and other commercial sources or companies. They then sell that raw data, or inferences and analysis based on it, such as a user’s purchase and demographic information, to other companies, such as researchers or advertisers.

Google wants to use smartphones to monitor health, saying it would test whether capturing heart sounds and eyeball images could help people identify issues from home, Reuters reports. The company is investigating whether the smartphone’s built-in microphone can detect heartbeats and murmurs when placed over the chest allowing early detection of heart valve disorders, etc. Google also plans to test whether its artificial intelligence software can analyse ultrasound screenings taken by less-skilled technicians, as long as they follow a set pattern.

Microsoft’s Bing, the only major foreign search engine available in China, said a government agency had required it to suspend its auto-suggest function in the country for a week, Reuters reports. It is the second such case for Bing since December, and comes amid Beijing’s ongoing crackdown on technology platforms and algorithms. Since August, China’s top cybersecurity authorities have published draft rules dictating how internet platforms can and cannot use algorithms; these came into effect this month.

Weekly digest January 17 – 23, 2022: EU Digital strategy, smart transport and cities, AI taxonomy, Bluetooth security
https://techgdpr.com/blog/weekly-digest-24012022-eu-digital-strategy-smart-transport-and-cities-ai-taxonomy-bluetooth-security/
Mon, 24 Jan 2022 09:49:06 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU Digital Strategy, IoT, biometrics policing program, US surveillance ads

The EU Parliament moved forward on the Digital Services Act, (part of the EU Digital Strategy), which regulates platforms to make the online space safer for users: MEPs gave the green light to open negotiations with member states. The Parliament introduced several changes to the Commission’s proposal, among them an exemption for micro and small enterprises from certain obligations, and provisions on:

  • Targeted advertising: more transparent and informed choice for the recipients of digital services, including information on how their data will be monetised. 
  • Refusing consent shall be no more difficult or time-consuming than giving consent. 
  • If their consent is refused or withdrawn, recipients shall be given other options to access the online platform, including “options based on tracking-free advertising”.
  • Targeting or amplification techniques involving the data of minors or special categories of data for the purpose of displaying ads will be prohibited.
  • Recipients of digital services and organisations representing them must be able to seek redress for damages.
  • Platforms should be prohibited from using user deceiving or nudging techniques.
  • Very Large Online Platforms should provide at least one recommender system that is not based on profiling. 

The EU Commission published its latest competition sector inquiry report into the consumer Internet of Things, IoT. Among the main areas of potential concerns are:

  • The role of voice assistants and smart devices as intermediaries for data generation and collection, which would allow them to control user relationships. 
  • The extensive access to data, including information on user interactions with third-party smart devices and consumer IoT services by providers of voice assistants. 
  • The access to and accumulation of large amounts of data, which allows voice assistant providers to improve their market position.

The IoT inquiry urges companies to review their commercial practices, as its findings will inevitably feed into the ongoing legislative process on the EU Digital Markets Act, (part of the EU Digital Strategy). Read the report and the staff working document for more detailed information.

According to Human Rights Watch, Greece’s new biometric policing programme could undermine privacy and create risks of profiling and other abuses. The police would reportedly use hand-held devices to gather biometric information, (fingerprints and faces), from people on a vast scale and cross-check it against police, immigration and private-sector databases, primarily for immigration purposes. Human Rights Watch believes that a) the Greek police should use their authority to stop people and require them to show identity documents only on reasonable suspicion that the person is involved in illegal activity, and b) the police should put in place systems to check the validity of identity documents without detaining people or gathering their biometric data. In 2019 the Greek police signed a contract with Intracom Telecom to help create the “smart policing” programme. Since 2020, the Hellenic Data Protection Authority (DPA) has been investigating its lawfulness. The launch was planned for 2021 but has been delayed several times.

The Banning Surveillance Advertising Act was introduced in the US House of Representatives. The draft legislation prohibits advertising networks and facilitators from using personal data to target ads, with the exception of broad location targeting to a recognised place (such as a municipality). The bill also prohibits advertisers from targeting ads based on protected class status information, such as race, gender and religion, or on personal data purchased from data brokers. However, it makes explicit that contextual advertising, which is advertising based on the content a user is engaging with, remains allowed. It also authorises the FTC and state attorneys general to enforce violations of the Act. Read the full draft law here and detailed section-by-section summaries here.

Official guidance: Bluetooth security, clinical trials Code of Conduct, the right to access, housing, processor/EU representative

The US National Institute of Standards and Technology, NIST, has published an updated guide on Bluetooth security. Bluetooth wireless technology is used primarily to establish wireless personal area networks and has been integrated into many types of business and consumer devices. The Bluetooth specifications define several security modes; each version of Bluetooth supports some, but not all, of them, and some modes require no security at all. The updated NIST guide provides exhaustive information on the security capabilities of Bluetooth and gives step-by-step management, technical and operational recommendations to organisations employing Bluetooth wireless technologies on securing them effectively.

The European Federation of Pharmaceutical Industries and Associations, EFPIA, confirmed that its GDPR Code of Conduct on Clinical Trials and Pharmacovigilance has progressed to the final phase of review by data protection authorities prior to formal submission to the EDPB for approval. The EFPIA believes that a GDPR Code of conduct will:

  • Enable the sector to align on key data protection positions, providing more consistency, clarity and certainty for clinical research. 
  • Bring more certainty to third parties (patients, ethical committees and hospitals). 
  • Clarify the linkages between the GDPR and other key sectoral legislation such as the Clinical Trials Regulation.
  • Respond to the Commission’s policy ambition for the European Health Data Space to improve data governance, etc.

The EDPB adopted guidelines on the right of access that enables individuals to get knowledge on how and why their personal data is processed by organisations. Among others, the guide provides clarifications on the scope of the right of access, the information the controller has to provide to the data subject, the format of the access request, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests. The Guidelines will be subject to public consultation for a period of 6 weeks and made available on the EDPB website once these have been completed.

The Bavarian data protection authority for the private sector, BayLDA, is examining the area of housing management and, in particular, self-disclosure by prospective tenants, DataGuidance reports. The BayLDA clarified that when contact is made and a viewing appointment is arranged, information about the prospective tenant’s occupation and income is not yet required. Only if the person viewing the flat continues to be interested is it permissible to ask about the number of people moving in and the prospective tenant’s occupation and income. If at the end of the selection process the landlord would like to conclude a tenancy agreement with the person, then a self-disclosure from a credit agency may also be requested before the conclusion of the agreement.

The Croatian data protection authority AZOP analyzes the possibility for a processor to perform the role of a controller’s EU representative. The regulator states that in order to ensure that the processor in the given scenario is not in conflict in terms of two duties, it would be advisable to establish processes and practices in the work environment that will promote effective control, management and resolution of conflicts of interest, (eg, open communications and dialogues related to ethics, education of its employees). At the same time, the establishment of these procedures and excessive control of the processor, in terms of the representative’s remit, in practice could be unenforceable and counterproductive, which would result in distrust of the controller. Thus, the regulator concludes that performance of two functions in the same person would represent a possible conflict of interest, and should be prevented.

Data breaches, Investigations and Enforcement actions: aggressive telemarketing, Red Cross, demonstrators, IT solutions’ failed security

The Italian data protection authority, “Garante”, fined Enel Energia (multinational manufacturer and distributor of electricity and gas) 26.5 mln euros for aggressive telemarketing, consumer data used without consent and failure to comply with the accountability principle. The decision was issued following hundreds of complaints by users who had received unsolicited calls, some of them based on pre-recorded messages. Others had found it difficult to exercise their data protection rights and had encountered problems handling their data in connection with the supply of utility services, both on the company’s website and through the app released to manage power consumption. Enel Energia was ordered to bring all processing by its sales network into compliance with suitable arrangements, to implement further technical and organisational measures to handle data subjects’ requests, in particular the right to object to processing for promotional purposes, and to provide feedback on those requests no later than 30 days after receipt.

A massive cyber-attack targeted Red Cross Red Crescent data on 500,000 people, held in files at an external company in Switzerland that the ICRC contracts to store data. There is not yet any indication that the compromised information has been leaked or shared publicly. The attack compromised confidential information on highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention. In response the ICRC had to shut down the Restoring Family Links systems. The organisation asks those responsible for the attack not to share, sell, leak or otherwise use this data.

The Portuguese data regulator CNPD fined Lisbon city municipality 1.25 mln euros in a case related to the processing of personal data of participants in demonstrations. The mayor’s office had committed 225 breaches of demonstrators’ personal data between 2018 and 2021, namely, when their details were shared with the embassies of several countries, BBC reports. More than 100 other breaches that occurred since 2012 were not covered as they pre-dated the GDPR. Some of the breaches reportedly could have attracted fines of up to 20 mln each, but the regulator had refrained from imposing these due to the effect of the pandemic on public finances. When the story broke in June 2021, the data protection officer and cabinet in charge of handling protesters’ data was dismissed, and an external audit of the city hall’s data protection policies was ordered to take place, Reuters reports.

The Maltese data protection authority, IDPC, issued its decision on the personal data breach suffered by C-Planet (IT Solutions). In 2020 the regulator was informed about a security incident encountered by the company. The investigation concluded that C-Planet, in its capacity as controller, was processing the personal data and special categories of data that were impacted by the breach in violation of articles 5, 6, 9 and 14 of the GDPR. C-Planet failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Additionally, the controller failed to notify the breach to the regulator within the deadline and to communicate it to the affected data subjects. The IDPC imposed a proportionate fine of 65,000 euros on the microenterprise, taking into account its turnover, and ordered the erasure of the personal data which had been processed in an unlawful manner.

Data security: C-ITS, Smart Cities, Remote identity proofing

The German Federal Office for Information Security published its Technical Guidance on Cooperative Intelligent Transport Systems, C-ITS, (available in English). Among many provisions it describes trust and privacy management concerning the establishment and maintenance of identities and cryptographic keys. Because links between a vehicle and its user can be either directly or indirectly deduced, the impact on privacy of the road users should be minimized through:

  • Pseudonymity: a C-ITS station may use a resource or service without disclosing its identity but can still be accountable for that use.
  • Unlinkability: a C-ITS station may make multiple uses of resources or services without others being able to link them together.

Classically, authenticity and integrity are ensured by means of a security architecture with support of a Public Key Infrastructure. In C-ITS pseudonymity and unlinkability are incorporated and balanced with integrity and authenticity by means of separation of duties and commonly changing pseudonym certificates, so-called Authorization Tickets. Read the full C-ITS guide here. 
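The two properties above, and the way Authorization Tickets keep them compatible with accountability, are easiest to see in a toy model. The following Python is an added example, not code from the BSI guide or from any real C-ITS stack: a vehicle broadcasts position beacons under a pseudonym certificate, a passive roadside observer can only link beacons that share a certificate, and resolving a pseudonym back to a vehicle needs both the Authorization Authority (which maps ticket to enrolment credential) and the Enrolment Authority (which maps enrolment credential to vehicle), which is the separation of duties the guide relies on. Class and function names, the random-token stand-ins for certificates, the rotation schedule and the trip itself are all assumptions of this example.

```python
"""Toy model of C-ITS pseudonym rotation (added example; not from the BSI guide).

A vehicle broadcasts beacons, each tagged with the pseudonym certificate
(Authorization Ticket, AT) it was signed under.  The observer can only link
beacons that share a certificate, so rotation bounds the longest linkable run.
The AA knows AT -> enrolment credential, the EA knows enrolment credential
-> vehicle; neither alone can resolve a pseudonym.  All names, the token
stand-ins for certificates and the constructed trip are assumptions.
"""
from collections import defaultdict
import secrets


class EnrolmentAuthority:
    """Holds the only mapping between enrolment credentials and vehicles."""

    def __init__(self):
        self._vehicle_of = {}

    def enrol(self, vehicle_id):
        ec = secrets.token_hex(4)  # stand-in for an enrolment credential
        self._vehicle_of[ec] = vehicle_id
        return ec

    def vehicle_for(self, ec):
        return self._vehicle_of[ec]


class AuthorizationAuthority:
    """Issues ATs against an enrolment credential; never learns the vehicle id."""

    def __init__(self):
        self._ec_of_at = {}

    def issue(self, ec, count):
        ats = [secrets.token_hex(4) for _ in range(count)]  # stand-ins for AT ids
        for at in ats:
            self._ec_of_at[at] = ec
        return ats

    def enrolment_for(self, at):
        return self._ec_of_at[at]


def broadcast(trajectory, ats, change_every):
    """Beacon i carries the AT in use for that part of the trip."""
    return [{"at": ats[min(i // change_every, len(ats) - 1)], "t": i, "pos": pos}
            for i, pos in enumerate(trajectory)]


def observer_segments(beacons):
    """What a passive observer can link: runs of beacons under one certificate."""
    runs = defaultdict(list)
    for b in beacons:
        runs[b["at"]].append(b["pos"])
    return list(runs.values())


def resolve(at, aa, ea):
    """Misbehaviour resolution path: AA maps AT -> EC, then EA maps EC -> vehicle."""
    return ea.vehicle_for(aa.enrolment_for(at))


def demo(change_every, trip_len=12):
    """Run one constructed trip and report what the observer learns."""
    ea, aa = EnrolmentAuthority(), AuthorizationAuthority()
    ec = ea.enrol("VEHICLE-XYZ")                       # constructed vehicle id
    trajectory = [(x, 0) for x in range(trip_len)]    # constructed straight-line trip
    ats = aa.issue(ec, -(-trip_len // change_every))  # ceil(trip_len / change_every)
    beacons = broadcast(trajectory, ats, change_every)
    segments = observer_segments(beacons)
    return {
        "segments": len(segments),
        "longest_linked": max(len(s) for s in segments),
        "resolved": resolve(beacons[0]["at"], aa, ea),
    }


if __name__ == "__main__":
    print("static certificate:", demo(change_every=12))
    print("rotate every 3    :", demo(change_every=3))
```

With a single long-lived certificate the observer links all twelve beacons into one trajectory; rotating the ticket every three beacons leaves four unlinked three-beacon fragments, while `resolve` still returns the vehicle for any ticket when both authorities cooperate.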

The German Federal Office for Information Security also published its recommendations for action on information security in Smart Cities and Smart Regions (in German). Smart cities and regions also use the potential of digitization for municipal services of general interest, for example in the provision of services in the public interest such as local public transport or waste disposal. Information security, especially of the underlying municipal IoT infrastructures, is of crucial importance. The target group is municipal decision-makers and those responsible for operations, such as a chief digital officer of a municipality or a manager for a municipal IoT project. The recommendations are also structured based on the lifecycle of an IoT infrastructure. You can see the full guide here.

Meanwhile the EU agency for Cyber Security, ENISA, published an explainer on Remote identity proofing. Online users expect access to various services anytime and anywhere. The need to securely onboard and prove a customer’s identity remotely is therefore becoming critical for organisations. Identity and technology providers have implemented both active and passive security controls which mostly involve the use of video and operator intervention (eg, biometric acquisition, liveness checks, ID acquisition, authenticity checks, face comparison). Video allows a greater number of security checks, and operators help artificial intelligence to identify any new types of attack. Although many have faith in facial recognition technology, algorithms cannot understand and detect new fraud techniques (eg, deep fakes) on their own. Therefore, humans are needed to clean and tag data, enabling quality training that will result in better performance and the mitigation of adversarial attacks.

Audits: Emailmovers Ltd

Following a test data purchase initiative run by the UK Information Commissioner’s Office (ICO), Emailmovers Ltd (EML) were investigated as serious concerns were identified about their data protection compliance. The investigation resulted in an enforcement notice followed by a consensual audit of the company systems. The checks took one week. The scope of the audit focused on the processing of personal data within EML’s marketing database and covered the following key control areas: governance, sourcing personal data, transparency and lawful basis for processing, data supply and sharing, and individual rights. The ICO identified both good practices (proactive approach, training, managerial involvement in decision making) and areas for improvement (defining retention periods, maintaining a record of processing activity and decisions taken, notifying recipients of personal data about the existence and outcomes of individual rights), which can be read in the audit documentation.

AI: taxonomy and business models

The European Institute of Innovation and Technology published two reports on Artificial Intelligence business models and taxonomy in Europe. Both reports give in-depth recommendations on how to streamline knowledge, experience and expertise in AI deployment as well as connect, share and encourage an open innovation environment with policy leaders, industrial experts and innovator communities, (AI application providers, infrastructure providers and adopters). The trust ecosystem on Ethical AI includes but is not limited to such dimensions: 

  • human agency and oversight;
  • technical robustness and safety (including resilience to attack and security, fall-back plan and general safety, accuracy, reliability and reproducibility);
  • privacy and data governance (including respect for privacy, quality and integrity of data, and access to data);
  • transparency (including traceability, explainability and communication);
  • diversity, non-discrimination and fairness (including the avoidance of unfair bias, accessibility and universal design, and stakeholder participation), and more.

Big Tech: Apple AirTags, Google’s age-appropriate policy

Police across the US are reporting cases where stalkers have used Apple AirTags to target their victims, according to the Guardian. Paired with the FindMy app, the attachable coin-sized gadget was designed so you would never lose anything again, but slipped into a bag or coat pocket it is the perfect tracking device for criminals. Other international police forces have also reported similar abuse of the AirTag, and associated car theft. While the AirTag’s several anti-abuse features mean it is less dangerous than other stalkerware available, an additional problem is the inconsistency of police response. A 2021 Norton report claims stalkerware is growing fast, jumping in 2020 and the first half of last year.

Google has fallen foul of the rules of the UK’s Children’s code, introduced last September, which sets online services 15 privacy and design standards to protect minors. Google said it would immediately improve enforcement of an age-sensitive ad policy after Reuters reported age-sensitive advertising for high-risk financial instruments, adult toys and alcohol was evading Google’s filters and safeguards. Campaigners 5 Rights Foundation, which reviewed Reuters findings, say all tech companies should do more to ensure compliance with the new rules and consumers should beware of “safety washing” as there were still too many cases, indicating companies had yet to get serious about implementing changes.

The post Weekly digest January 17 – 23, 2022: EU Digital strategy, smart transport and cities, AI taxonomy, Bluetooth security appeared first on TechGDPR.

Weekly digest December 13 – 19, 2021: Grindr’s privacy fine, guide for SMEs and developers, 5G smart factories https://techgdpr.com/blog/weekly-digest-20122021-grindr-privacy-fine-guide-for-sme-and-developers-biometrics-5g-smart-factories/ Mon, 20 Dec 2021 11:06:05 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Grindr’s privacy fine in focus

Norway’s data protection authority has handed Grindr, the world’s largest social networking app for LGBTQ people, an over 6 mln euro privacy fine for disclosure of user data to third parties for behavioural ads without a legal basis. The offenses were committed before April 2020, when its terms of use and consent management platform were updated. In 2020, the Norwegian Consumer Council filed a complaint against US-based Grindr, saying the app had illegally shared users’ GPS locations, IP addresses, ages, gender, and use of the app. Last week the regulator stated that Grindr shared such data through software development kits included in the Grindr app, often used to facilitate communication between the apps and the advertising vendors. At the same time, Grindr failed to comply with most of the requirements for freely given, specific, informed and unambiguous consent, and its withdrawal, for such data sharing:

  • users were forced to accept the privacy policy through the previous CMP in its entirety to use the app;
  • the consents for sharing data with its advertising partners that Grindr collected were bundled with acceptance of the privacy policy as a whole (users were not asked specifically if they wanted to allow their data to be shared with third parties ads);
  • the information about the sharing was not properly communicated to users;
  • refusing consent was dependent on the user’s patience and technological understanding, and it did not demonstrate a fair, intuitive and genuine free choice.

Grindr argued that users who pressed “Cancel” when asked to accept the privacy policy could upgrade to the paid version. However, the regulator pointed out that at the time of registration the users were not given the choice to opt for the paid version of the app. The user would first have to go through the above described consent mechanism. It was only after this process that the user could decide to upgrade to the paid version.

Grindr also argued that its advertising partners – in the event they would ever theoretically receive sensitive personal data – must “blind” themselves pursuant to Art. 25 of the GDPR, (Data protection by Design and by Default). Participants in the ad tech ecosystem would likely only receive a “blinded” app-ID and not the corresponding app name. However, in a different statement, Grindr also recognised that “all apps and all websites that serve advertising necessarily share the identity of the app and/or the website with their advertising partners. Simply put, it is highly unlikely any advertiser would purchase advertising on an unknown app or an unknown website.” 

The Norwegian regulator however stated that even if the app-ID in some instances was “blinded”, the recipient could still receive keywords relating to the Grindr app. As an example, OpenX, who Grindr consider to be its processor, appended keywords “gay”, “bi” and “bi-curious” in ad calls. This would have a similar effect to disclosing that the data subject is a Grindr user, and also constitute processing of personal data “concerning” an individual’s “sexual orientation” (Art. 9 of the GDPR). Read a 70-page fine notice of the Grindr case (available in English) with more facts and relevant GDPR provisions explained.

Data breaches, investigations and enforcement actions: ransomware attack, Clearview AI, children’s data

In Finland, a psychotherapy centre was issued a privacy fine over a failure to properly secure the processing of personal data and to report a security breach. The company notified the data protection commissioner in September 2020. The company had found a blackmail message: the patient database had been uploaded to the attacker’s servers and a ransom was demanded to recover the lost data. A sample of the patient database was attached to the threat letter. Later it became clear that the hacking had probably already taken place in 2018, and another hack took place in 2019 due to the poor protection of the patient information system. The data protection impact assessment carried out by the respondent also did not meet the requirements of Art. 35 (7) of the GDPR. Finally, the company did not have a documented notification procedure in place at the time of the security breaches.

French regulator CNIL has ordered US-based Clearview AI, a facial recognition company that has collected billions of publicly-available images worldwide, to stop illegal use of biometric data from people in France and delete it within two months. The UK Information Commissioner’s Office, which worked with the Australians on the Clearview investigation, also said last month it intended to fine Clearview 17 mln pounds for alleged breaches of data protection law.

California-based online advertising platform OpenX Technologies will be required to pay 2 mln dollars to settle Federal Trade Commission allegations that the company collected personal information from children under 13 without parental consent, a direct violation of a federal children’s privacy protection law. The FTC also alleged that despite offering an opt-out option, OpenX collected geolocation information from users who specifically asked not to be tracked. The FTC’s investigation reviewed hundreds of child-directed apps with terms that identified the intended audience as “for toddlers,” “for kids,” “kids games,” or “preschool learning,” and included age ratings for the apps indicating they were directed to children under 13. However, these apps and their data were not flagged as child-directed and participated in the OpenX ad exchange, according to the FTC. 

Legal processes and redress: LED, DMA, DSA, US/AU Cloud Act 

The EDPB published its contribution to the EU Commission’s evaluation of the Data protection Law Enforcement Directive (LED). It is a piece of EU legislation, parallel to the GDPR, which also came into effect in 2018. LED aims at supporting the possibility of police authority co-operation through the exchange of personal data. Previously, EU legal instruments in this area have been limited to data protection rules for EU agencies, large scale IT systems established under EU law or cross-border exchanges of personal data in the context of police and judicial cooperation in criminal matters. However, new legislative and technological developments in the processing of data for law enforcement purposes have increased the workload of EDPB members. Also, data protection authorities may often have to balance their resources between supervision of the GDPR and the LED, noting: “more crucial than the number of available staff are the skills of the experts, who should cover a very broad range of issues – from criminal investigations and police cooperation to big data analytics and AI”.

The EU Parliament is ready to start negotiations with the Council on the Digital Markets Act (DMA). The text, now approved by MEPs, blacklists certain practices used by large platforms acting as “gatekeepers” and enables the Commission to carry out market investigations and sanction non-compliant behaviours. Core services will include not only social networks, search engines, operating systems, online advertising services, cloud computing, and video-sharing services, but also web browsers, virtual assistants and connected TV. The approved text also includes additional requirements on:

  • the use of data for targeted or micro-targeted advertising and the interoperability of services (eg, number-independent interpersonal communication services, social network services);
  • giving users the option to uninstall pre-installed software applications, such as apps, on a core platform service at any stage.

The text approved will be Parliament’s mandate for negotiations with EU governments, planned to start in the first semester of 2022. The Digital Services Act (DSA) – a parallel proposal to regulate online platforms dealing with, among other issues, profiling algorithms and deceiving or nudging techniques that influence users’ behaviour through “dark patterns” – is due to be put to the vote in plenary in January. Read also the latest analysis of the DSA’s possible effect on EU residents’ fundamental rights and freedoms by Baker McKenzie.

Meanwhile, Australia and the US signed a Cloud Act deal to help law enforcement agencies demand data from tech giants, the Guardian reports. It will allow Australian and US law enforcement agencies to use existing warrants to demand information from overseas-based companies and communications service providers, reducing the time taken to obtain information. “It means companies including email providers, telcos, social media platforms, and cloud storage services could soon find themselves answering warrants from law enforcement agencies based in the US or Australia rather than their home jurisdiction”, the Guardian reports.

Official guidance: SMEs, developers, biometrics, cookies

The French regulator CNIL published a new version of its GDPR guide for developers (in French). The new content relates in particular to the use of cookies and other online tracers and on audience measurement solutions. It also draws up a non-exhaustive list of vulnerabilities that have led to data breaches notified to the CNIL, and presents examples of measures that would have made it possible to avoid them. In total, the guide now includes 18 thematic sheets that cover most of the developers’ needs to support them at each stage of their project from identifying and minimizing the personal data collected to preparing for the exercise of data subjects rights, managing the retention periods, and technical implementation of legal bases.

The CNIL is also continuing its action plan to ensure compliance by companies that use cookies. Since May 2021 the CNIL has sent out around 60 formal notices. Online checks have revealed that a number of organizations still do not allow online users to refuse cookies as easily as to accept them. The CNIL decided to send 30 new formal notices. The recent checks observe that:

  • cookies, subject to consent, were automatically placed on the user’s terminal equipment before acceptance;
  • information banners are still not compliant because they do not allow the user to refuse cookies as easily as accepting them;
  • information banners can offer the user a means of refusing cookies with the same degree of simplicity as that provided for accepting them, but the proposed mechanism is not effective because cookies, subject to consent, are still placed after the refusal expressed by the user.

The following are particularly affected by these new formal notices: public establishments, higher education establishments, the clothing industry, transport sector, mass distribution sector, and distance selling sector.
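The three CNIL findings above are, in effect, assertions over the order of events in a browser session: no consent-requiring cookie before a decision, refusing no harder than accepting, and nothing set after a refusal. The Python below is an added example (not the CNIL’s own tooling) that evaluates a constructed, time-ordered session trace against exactly those three conditions, of the kind a site owner could run against its own consent banner before a regulator does. The event names, the cookie categories, the click-count measure of “as easy to refuse as to accept”, and both traces are assumptions of this example.

```python
"""Consent-sequence checker for the three CNIL findings (added example).

Input: a constructed, time-ordered trace of one browser session as a test
harness might record it: cookies written (with the category the site's own
cookie policy assigns), the banner with the number of clicks each choice
costs, and the user's decision.  Event names, categories and both traces
are assumptions of this example, not CNIL data.
"""

EXEMPT_CATEGORIES = {"essential"}  # cookies that need no consent (assumption)

# Constructed trace that reproduces all three findings from the CNIL checks.
NONCOMPLIANT_SESSION = [
    {"t": 0, "event": "page_load", "url": "https://example.invalid/"},
    {"t": 1, "event": "set_cookie", "name": "_ana_id", "category": "analytics"},
    {"t": 2, "event": "banner", "accept_clicks": 1, "refuse_clicks": 3},
    {"t": 3, "event": "decision", "choice": "refused"},
    {"t": 4, "event": "set_cookie", "name": "_ad_id", "category": "advertising"},
    {"t": 5, "event": "set_cookie", "name": "session", "category": "essential"},
]

# Constructed trace of the behaviour the formal notices ask for.
COMPLIANT_SESSION = [
    {"t": 0, "event": "page_load", "url": "https://example.invalid/"},
    {"t": 1, "event": "set_cookie", "name": "session", "category": "essential"},
    {"t": 2, "event": "banner", "accept_clicks": 1, "refuse_clicks": 1},
    {"t": 3, "event": "decision", "choice": "refused"},
]


def audit_consent_session(events, exempt=EXEMPT_CATEGORIES):
    """Return (finding_code, detail) pairs in trace order; empty means clean."""
    findings = []
    decision = None  # None until the user has accepted or refused
    for ev in sorted(events, key=lambda e: e["t"]):
        kind = ev["event"]
        if kind == "banner":
            # Finding 2: refusing must be as easy as accepting.
            if ev["refuse_clicks"] > ev["accept_clicks"]:
                findings.append((
                    "refusal_harder_than_accept",
                    f"{ev['refuse_clicks']} clicks to refuse vs "
                    f"{ev['accept_clicks']} to accept",
                ))
        elif kind == "decision":
            decision = ev["choice"]
        elif kind == "set_cookie" and ev["category"] not in exempt:
            if decision is None:
                # Finding 1: consent-requiring cookie placed before any decision.
                findings.append(("set_before_consent", ev["name"]))
            elif decision == "refused":
                # Finding 3: the refusal was not honoured.
                findings.append(("set_after_refusal", ev["name"]))
    return findings


if __name__ == "__main__":
    for label, trace in (("non-compliant", NONCOMPLIANT_SESSION),
                         ("compliant", COMPLIANT_SESSION)):
        print(label, audit_consent_session(trace))
```

Cookies in the exempt category (here only `essential`) never raise a finding, which is why the `session` cookie written after the refusal in the first trace is not reported; everything else is judged purely on where it falls relative to the decision event.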

In Germany, the Saxony-Anhalt data protection commissioner published its guide for small and medium-sized companies (in German only). Craftsmen, merchants and freelancers in various industries collect, store and use personal data from customers, employees or suppliers, often in a variety of ways – and must comply with data protection. The State Commissioner has received numerous inquiries from these companies for a long time. 

  • What customer or employee data is a company allowed to collect? 
  • How long may the data be stored? 
  • What should be done when customers exercise their data protection rights or employee data has been encrypted by a cyber attack?

Answers to these and many other typical questions are provided by the State Commissioner in the newly published guide. Read the full text here.

The Belgian data protection authority published its final recommendation on the use of biometrics (in French and Dutch). Biometric data is qualified as a special category of personal data (Art. 9 GDPR). The recommendation includes a general prohibition to process such data, unless a specific ‘derogation’ is granted, either the explicit consent of the data subject, or the necessity for reasons of substantial public interest. Since there is currently no legal norm in Belgian law that authorizes the processing of biometric data for the authentication of individuals, and insofar as explicit consent cannot be invoked, such processing is currently performed without a legal basis. Other key takeaways are:  

  • it is important to consider whether the performance of a contract or the provision of a service is conditioned on the consent being provided;
  • a presumption that consent is not “freely given” exists in particular in employer-employee relationships and where a product or service has a (quasi-)monopoly in the market;
  • purpose limitation, data minimization and proportionality principles are particularly important for the processing of biometric data;
  • data protection impact assessments will generally be required;
  • no transition period for companies is provided.

Opinion: What if your boss was an algorithm?

Privacy International with its partners have teamed up to challenge the unprecedented surveillance that gig economy workers are facing from their employers. They decided to file over 500 data subject access requests, (DSARs), to seven companies – Amazon Flex, Bolt, Deliveroo, Free Now, Just Eat, Ola, and Uber. They also interviewed gig-workers. According to their report, several gig economy employers seem reluctant to fully comply with their data protection obligations. The investigation was unable to obtain information about how algorithms calculate a score which is then used to prioritise dispatch of journeys to drivers. Some companies also failed to provide the guidance documents or location data that is gathered. Finally, the report demonstrates that surveillance is not just vast data collection, but also the use of more invasive technologies. The report provides specific examples where facial recognition technology ended up locking drivers out of their account due to potential identity verification failures.

Data security: Log4j follow up

The EU Commission, the EU Agency for Cybersecurity, CERT-EU and the network of the EU’s national computer security incident response teams have been closely following the development of the Log4Shell vulnerability since 10 December. It is a flaw in the well-known open source Java logging package Log4j, which is maintained by the Apache Software Foundation. Log4j is used in a wide array of applications and web services across the globe. Due to the nature of the vulnerability, its ubiquity and the complexity of patching in some of the impacted environments, it is important that all organisations, especially entities who fall under the Network and Information Security Directive, assess their potential exposure as soon as possible. The latest recommendations so far can be found in:

Big Tech: E2EE, “buy-now, pay-later”, 5G smart factories, smartphones duopoly

Microsoft is rolling out end-to-end encryption, (E2EE), support for Microsoft Teams, the Verge reports. After announcing the feature earlier this year and testing a public preview since October, Teams is getting the E2EE security support for all one-to-one calls. Microsoft currently encrypts data in transit and at rest, allowing authorized services to decrypt content. Microsoft also uses SharePoint encryption to secure at-rest files and OneNote encryption for notes stored in Microsoft Teams. All chat content in Teams is also encrypted in transit and at rest.

US telecom giant Verizon signed a deal with Alphabet’s Google Cloud to use its 5G network and the tech firm’s computing power to offer services such as autonomous robots and smart factories, says Reuters. Telecom companies have been partnering with technology firms to automate businesses and factories to lower costs and speed up data traffic through private 5G networks that do not jostle for speed with others on a public network. Verizon has also been making private 5G deals in several countries and has partnered with other cloud operators such as Microsoft’s Azure and Amazon’s AWS. Reportedly “a camera attached to an autonomous mobile robot will scan packages to maintain inventory and using computer vision, the robot will send details over 5G to an inventory management system, providing real-time analytics”, the companies said.

The US Consumer Financial Protection Bureau, (CFPB), asked five “buy-now, pay-later” companies – Affirm, Afterpay, Klarna, PayPal and Zip Co – for information on their business practices, amid concerns that the financial products are putting consumers and their data at risk. The CFPB is concerned about “accumulating debt, regulatory arbitrage, and data harvesting” and is seeking data on the risks and benefits of the products. As an example, a recent survey by personal finance company Credit Karma found that one-third of US consumers who used “buy-now, pay-later” services have fallen behind on one or more payments, and 72% of those said their credit scores declined.

Apple and Google have a “vice-like grip” over people’s mobile phones and their duopoly over the market should be investigated by the proposed new regulator, the UK’s competition authority, the CMA. The two companies effectively control users’ mobile phone experience in the UK, with their operating systems installed on 99.45% of all phones in the country: “Once a consumer buys a phone they are essentially wedded to the ecosystem of one of the two companies – Apple’s App Store or Google’s Play Store and their respective web browsers Safari or Chrome”. The new Digital Markets Unit, (DMU), which will be part of the CMA, has been set up in shadow form until the government officially grants it regulatory powers. The DMU will enforce a code of conduct that the tech giants must follow when dealing with rivals and third parties. The code will affect only those companies deemed to have strategic market status, although no tech firms have been officially awarded that status yet, the Guardian reports.

The post Weekly digest December 13 – 19, 2021: Grindr’s privacy fine, guide for SMEs and developers, 5G smart factories appeared first on TechGDPR.

Weekly digest November 22 – 28, 2021 “Privacy, DP, and Compliance news in focus” https://techgdpr.com/blog/weekly-digest-november-22-november-28-2021-privacy-dp-and-compliance-news-in-focus/ Tue, 30 Nov 2021 11:59:39 +0000

The post Weekly digest November 22 – 28, 2021 “Privacy, DP, and Compliance news in focus” appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU Parliament Internal Market and Consumer Protection Committee has adopted its position on the Digital Markets Act (DMA). The document sets out prohibitions for companies with “gatekeeper” status and significant market capitalisation in the EU (online intermediation services, social networks, search engines, operating systems, online advertising services, cloud computing, and video-sharing services). It says, among other measures, that a gatekeeper shall, “for its own commercial purposes, and the placement of third-party advertising in its own services, refrain from combining personal data for the purpose of delivering targeted or micro-targeted advertising” (e.g. A/B testing), except where there is clear, explicit, renewed, informed consent in line with the GDPR. In particular, personal data of minors shall not be processed for commercial purposes, marketing, profiling and behaviourally targeted advertising. If a gatekeeper does not comply with the rules, the Commission can impose fines of not less than 4% and not exceeding 20% of its total worldwide turnover in the preceding financial year.

The EU Commission presented a proposal on transparency and targeting of political advertising and electoral rights. The proposed rules would require any political advert, such as on the Facebook platform, to be clearly labelled and distinguished from organic content, and to include information such as who paid for it and how much. Political targeting and amplification techniques would need to be explained publicly in unprecedented detail and would be banned when they use sensitive personal data without the explicit consent of the individual. The rules on political adverts must be approved by both the EU Parliament and Council, and are likely to enter into force by 2024.

The CJEU ruled on “inbox advertising” for the purposes of direct marketing. The display in the electronic inbox of advertising messages in a form similar to that of a real email gives “a likelihood of confusion that could lead a user who clicks on the link corresponding to the advertising message to be redirected, against his or her will, to an internet site displaying that advertisement”. In the underlying case, two competing electricity suppliers distributed advertisements, via an advertising company, by displaying banners in the email inboxes of users of a free email service. Those messages were not visually distinguishable in the list from other emails in the user’s account, except that the date was replaced by the word “advertising”.

The Court reiterated that the “ePrivacy” Directive protects subscribers against intrusion into their privacy by unsolicited communications, whether by automated calling machines, telefaxes, emails, or SMS. Such communications are, however, permissible with the recipient’s prior consent. The email service in question is offered to users in two forms: a free email service funded by advertising and a paid-for email service without advertising. It is therefore important to determine whether the user concerned, having opted for the free email service, was duly informed of the precise means of distribution of such advertising and in fact consented to receiving advertising messages.

Official guidance

Stiffening anti-Covid measures by governments across the EU have led to employers being authorised to collect employees’ vaccination status data. In Germany, recent legislation obliges employers to monitor compliance with the so-called 3G/2G rules on a daily basis by means of verification checks, and they must also document these checks on a regular basis. Employees are required to provide proof of their vaccination, recovery, or testing status upon request. The law explicitly states that employers may process employees’ personal data for the above purposes. The federal data protection regulator, the BfDI, supports the introduction of a legal basis for such queries in the workplace. Nevertheless, in its opinion the law does not provide enough protective measures for the data of the employees concerned: there are no pseudonymisation measures and no obligation on the inspecting person to maintain confidentiality. In the opinion of the BfDI, it would be sufficient to check employees’ data for access control and then delete it immediately afterwards or at the end of the respective day. Finally, the law does not specify the purpose of storing these soon-to-be very large amounts of data.

“Turn off the microphone (on your smartphone), turn on privacy”, says the Italian regulator Garante, which offers suggestions to avoid “prying listeners”. Smartphone sensors – and microphones in particular – can remain active even when we are not using our device. In this way they could be used to collect information, which can also be used for different purposes by third parties, for example for marketing activities. Apps which, among the access permissions requested at the time of installation, also request use of the microphone are a widespread phenomenon. “Too often, as users, we grant these permissions without thinking too much and without informing ourselves sufficiently about the use that will be made of our data.” The regulator has now launched an investigation into the most downloaded apps.

For several years, digital stakeholders have been developing alternatives to third-party cookies for targeted advertising. The French regulator CNIL’s guide explains the basics behind “necessary” first-party cookies, “behavioural” third-party cookies, and alternative techniques used to bypass the growing restrictions against tracking imposed by browsers, such as “fingerprinting”, “single sign-on”, “unique identifiers” or “cohort-based targeting”. The CNIL reminds developers that these technologies must always comply with the data protection legal framework, the GDPR and the ePrivacy Directive, regarding consent and the rights of data subjects to protect their communications and terminal equipment. In particular, the operations necessary for building an individual or group profile and for serving targeted advertising require the prior consent of the user, whether or not personal data are processed, insofar as they are not directly part of the service requested by the user. In order to ensure that the use of these technologies respects users’ privacy, the CNIL asks for a minimum set of rules:

  • enabling users to keep control over their personal data;
  • allowing all data subject rights to be exercised through user-friendly interfaces;
  • no processing of sensitive data;
  • determining who is responsible (data controller or processor) for the implementation of these techniques within the ad tech supply chain.

Data breaches, investigations and enforcement actions

SmarterSelect, a US-based company that provides software for managing the application process for scholarships, exposed the personal data of thousands of applicants because of a misconfigured Google Cloud Storage bucket, TechCrunch reports. The data spill, discovered by a cybersecurity company, contained 1.5 terabytes of data collected by a number of programs that offer financial support to students. The data included documents such as academic transcripts, resumes and invoices for approximately 1.2 million applications to funding programs. These files contained name, email address, phone number, student photos, Social Security numbers, parents’ education and income, the students’ performance at school, and personal experiences like living in a foster home or abusive situations, descriptions of poverty etc. The company acknowledged the warning before revoking public access to the bucket in October. It’s not known whether SmarterSelect has notified those affected, nor whether it has alerted the relevant state attorney general.

The Spanish data protection authority, the AEPD, fined Vodafone España 50,000 euros for violation of national legislation on Information Society Services and Electronic Commerce. The complainant filed claims with the AEPD against the continuous receipt of promotional communications from Vodafone to the complainant’s phone number. The sending of promotional communications had continued a year after the complainant exercised their right to cancellation of services and deletion of their data, a request to which Vodafone did not adequately respond. The aggravating factors to the violation were:

  • the intentional nature of the infringement;
  • the duration of the offence;
  • the repetitive nature of the infringement; and
  • the nature and amount of damage caused to the complainant, as he/she had to proceed with the claim to the AEPD twice. 

The Spanish regulator has also fined Unión Financiera Asturiana 9,000 euros for violation of Art. 6 of the GDPR, following the unlawful processing of a complainant’s personal data in the course of business activities. Unión Financiera had wrongfully continued processing the claimant’s personal data instead of blocking it as they had requested, thus processing the personal data of the complainant without a legal basis. The company did not verify that the data processing had been cancelled, simply indicating to the claimant that the data was blocked without detailing the actions taken, and later claimed that the claimant had never intended to request the deletion of their personal data. This prompted the claimant to raise a complaint with the AEPD, DataGuidance reports.

Certification scheme for cloud services

The EDPB adopted a letter to the European Union Agency for Cybersecurity, ENISA, concerning the compatibility of the European Cybersecurity Certification Scheme for Cloud Services (EUCS) with the Schrems II decision. In the letter, the regulator reiterates that the final certification scheme should be consistent with the obligations, including specific criteria for encryption and key management, to ensure protection against threats posed by access from authorities not subject to EU legislation and not offering an adequate level of personal data protection. As an illustration, the EDPB included in the letter its latest Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

Big Tech

Italy’s antitrust regulator, the AGCM, has fined Alphabet’s Google and iPhone maker Apple 10 mln euros each for “aggressive practices” linked to the commercial use of user data. The authority stated the two tech groups did not provide “clear and immediate information” on how they collect and use the data of those who access their services. Both Google and Apple said they disagreed with the antitrust decision and that they would appeal against it. The watchdog added that when users set up their account with Google, the system was designed in such a way that the terms and conditions on data usage were pre-set to be accepted. In the case of Apple, users do not have a choice on the issue, the antitrust regulator added. The fine is the maximum amount the watchdog can apply in these cases, the regulator said.

WhatsApp is rewriting its privacy policy as a result of a huge data protection fine earlier this year. Following an investigation the Irish data protection commissioner issued a 225 mln euro fine – the second-largest in history involving the GDPR – and ordered WhatsApp to change its policies. WhatsApp is appealing against the fine, but is amending its policy documents in Europe and the UK to comply. Previously WhatsApp users complained about an update to the company’s terms that many believed would result in data being shared with parent company Facebook, which is now called Meta. Many thought refusing to agree to the new terms and conditions would result in their accounts being blocked. The new privacy policy contains substantially more information about what exactly is done with users’ information, and how WhatsApp works with Meta.

With its latest Full Self-Driving (FSD) release, Tesla is asking drivers to consent to allowing it to collect video taken by a car’s exterior and interior cameras in case of an accident or “serious safety risk”. Tesla has gathered video footage as part of FSD before, but it was only used to train and improve its AI self-driving systems. According to the new agreement, however, Tesla will now be able to associate video with specific vehicles. “By enabling FSD Beta, I consent to Tesla’s collection of VIN-associated image data from the vehicle’s external cameras and Cabin Camera in the occurrence of a serious safety risk or a safety event like a collision,” the agreement reads. The new policy and footage data likely cover the automaker’s liability in case someone tries to blame a crash or incident on the system when driver error may be to blame. Despite the name, FSD is not an autonomous system. Tesla’s instructions tell drivers to remain alert and prepared to retake control of critical functions at any given time.

Google has pledged more restrictions on use of data from its Chrome browser. Britain’s competition regulator the CMA has been investigating Google’s plan to cut support for some third-party cookies – an initiative called the “Privacy Sandbox” – because it is worried it will impede competition in digital advertising. Google has said its users want more privacy when they are browsing the web, including not being tracked across sites. Other players in the $250 billion global digital ad sector, however, have said the loss of cookies in the world’s most popular browser will limit their ability to collect information for personalising ads and make them more reliant on Google’s user databases. Google agreed earlier this year to not implement the plan without the CMA’s sign-off, and said the changes agreed with the British regulator will apply globally.

Chinese regulators have pressed ride-hailing giant Didi Global Inc to devise a plan to delist from the New York Stock Exchange due to concerns about data security. China’s Cyberspace Administration (CAC) has asked the management to take the company off the U.S. bourse due to worries about leakage of sensitive data. In July the CAC ordered app stores to remove 25 mobile apps operated by Didi – just days after the company listed in New York. It also told Didi to stop registering new users, citing national security and the public interest. Didi, which has about 377 million annual active users in China, provides 25 million rides a day to users in the country who sign into its app with a phone number and password. Its apps also offer other products such as delivery and financial services. Reportedly Didi is preparing to relaunch its ride-hailing and other apps in China by the end of the year in anticipation of the end of Beijing’s cybersecurity investigation into the company.
