Digital payments Archives - TechGDPR
https://techgdpr.com/blog/tag/digital-payments/
Wed, 11 Jun 2025 11:08:08 +0000

Weekly digest February 7 – 13, 2022: France latest EU member to put pressure on Google Analytics
https://techgdpr.com/blog/weekly-digest-14022022-france-latest-eu-member-to-put-pressure-on-google-analytics/
Mon, 14 Feb 2022 10:11:34 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: use of Google Analytics in France, Privacy Sandbox commitments in the UK

The use of Google Analytics (GA) is illegal because it threatens the privacy of French website users, concludes the French data protection regulator, the CNIL. In its latest decision, concerning an unnamed French website manager, the CNIL found that the analytics service developed by Google risks giving US intelligence services access to website users’ data. GA provides statistics on website traffic; to do so, it assigns a unique identifier to each visitor. This identifier (which constitutes personal data) and the data associated with it are transferred by Google to the US. The CNIL, in cooperation with its EU counterparts, concludes that, in the absence of an adequacy decision following the “Schrems II” CJEU ruling, such a transfer can only take place if appropriate guarantees are provided. Although Google has adopted additional measures to regulate data transfers in the context of the GA functionality, these are not sufficient to exclude access to this data by US intelligence services. The CNIL ordered the website manager to bring this processing into compliance with the GDPR, if necessary:

  • by ceasing to use the GA functionality under the current conditions, or
  • by using a tool that does not involve a transfer outside the EU and only produces anonymous statistical data.

To go deeper on this topic you can also read the recent unfavorable decision on GA by the Austrian data protection regulator. In its defense, Google also recently posted a statement stressing that the GA tool does not track people or profile people across the internet.

Britain’s competition regulator, the CMA, will keep a close eye on Google after securing final Privacy Sandbox commitments. The CMA has accepted a revised offer from Google of legally binding commitments relating to its proposed removal of third-party cookies from the Chrome browser, known as the Privacy Sandbox proposals. The CMA’s competition investigation was launched in January 2021 over concerns that the proposals would cause online advertising spending to become even more concentrated on Google, weakening competition and so harming consumers. Google has pledged not to remove third-party cookies until the CMA is satisfied.

The CMA is currently working closely with the UK Information Commissioner’s Office (ICO) to oversee the development of the proposals so that they protect privacy without unduly restricting competition and harming consumers. For example, Google commits to restricting the sharing of data within its ecosystem to ensure that it doesn’t gain an advantage over competitors when third-party cookies are removed. Google will also engage in a more transparent process than initially proposed, including engagement with third parties and publishing test results, with the option for the CMA to require Google to address issues raised by the CMA or third parties. Read more on the Privacy Sandbox initiative here and the ICO’s latest opinion on data protection and privacy expectations from the advertising technology sector.

Official guidance: configuration errors, payment services, EU data flows analysis

The French regulator CNIL published a guide (in French) on security incidents related to configuration errors within public cloud storage spaces, DataGuidance reports. Malicious scenarios may arise from a) publicly accessible “buckets”; b) overly permissive access rights for users; c) inadequate user authentication mechanisms. To detect unauthorized access, the CNIL recommends that available logs be analyzed and that the Data Protection Officer be kept informed in a timely manner in the course of the investigation. If the incident is classified as a personal data breach, the CNIL must be notified within 72 hours of discovery. Some essential steps to prevent configuration errors include:

  • knowing your infrastructure (e.g., configure security options: do not rely on default settings, in particular for public and private access to containers);
  • taking inventory of your cloud resources (e.g., separating the storage of personal and sensitive data from other data);
  • limiting access (e.g., strong two-factor authentication for sensitive actions);
  • encrypting data and performing regular backups;
  • tracing, monitoring, and auditing containers and their security configurations;
  • educating users on how to handle data stored in the cloud.

The EU Commission presented a new study estimating the volume of data flowing to the main cloud infrastructures across the EU Member States, Iceland, Norway, Switzerland, and the UK. In 2020, the largest data flows came from the health sector, and Germany registered the largest volume of data inflow. Reportedly, by 2030, the flow of data stemming from European enterprises will be 15 times higher than in 2020. Furthermore, a follow-up study has just been started to assess the economic value of data flows within the EU, as well as with third countries such as the US and China. Both studies will complement the upcoming Data Act. They will also feed into the evaluation of the EU Regulation on the Free Flow of Non-Personal Data, as well as the Digital Decade policy programme. Read the full study and the interactive map here.

A growing number of EU payment industry associations co-signed a letter addressed to the EDPB, the European Commission, and the European Banking Authority about the final EDPB Guidelines on the interplay of PSD2 (the Payment Services Directive) and the GDPR. Although the Guidelines clarify certain aspects of the interplay, other elements remain worrying and raise new uncertainties, notably:

  • the provisions on data minimisation;
  • the processing of special categories of personal data;
  • a lack of coherence with the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication;
  • the risk that national data protection authorities could start taking a differentiated approach to the interpretation of the provisions, resulting in fragmentation across the EU.

Investigations and enforcement actions: IAB Europe/APD row, extensive health data collection, unprotected visa order forms, unsolicited marketing email

The Interactive Advertising Bureau (IAB) Europe has published an FAQ on the Belgian data protection authority’s (APD) decision about the Transparency and Consent Framework (TCF) and its compliance with the GDPR. IAB Europe states that:

  • There is nothing in the APD’s decision that even remotely suggests that consent pop-ups are illegal or that they should not be employed by the digital advertising ecosystem to comply with the EU data protection rules. 
  • The APD only requires IAB Europe to ensure the deletion of personal data collected through TC Strings in the context of a specific mechanism called the “global scope”.
  • The APD does not consider the TC String itself to be personal data, as the TC string does not allow for direct identification of the user due to the limited metadata value.
  • However, the APD holds that the possibility of CMPs being able to combine TC Strings and the IP address means it is ultimately information about an identifiable user and therefore personal data. 
  • The APD’s decision only concerns IAB Europe, not any vendors, publishers, or CMPs, but it does hint at the possibility of an order for a given party to delete TC Strings if they contain personal data collected in breach of Art. 5 and 6 of the GDPR.
  • It is unclear if reliance on legitimate interests as a legal ground for the processing of personal data by TCF participants is viable for all TCF purposes or solely for personalized advertising and profiling, etc.

The EDPB published an analysis of the recent decision by the Finnish Data Protection Ombudsman. An administrative fine with reprimand was imposed on the Finnish Motor Insurers’ Centre for the collection of unnecessary patient information. The Data Protection Ombudsman stated that the actions of the data controller violated the principle of data minimization provided for in the GDPR. Namely, the data controller requested unredacted patient records from health care providers in order to settle claims. The controller also collected information on the patients’ health care appointments to determine whether the health care provider charged for visits not related to the examination or treatment of injuries sustained in the claim. Information was also requested in cases where the health care recipient may have omitted information essential for claims handling. The decision by the data protection authority is not final as it is under appeal in the administrative court.

Another fine by the Finnish data protection regulator was imposed on a travel agency for multiple violations of the GDPR. In the given case, a customer suspected the travel agency was not processing the data on the electronic visa order form in compliance with data protection regulations. The customer had also requested the travel agency erase their data from the system, but the company had not fulfilled the customer’s request. The investigation showed that: 

  • The travel agency used an unencrypted network connection for its visa application forms.
  • It stored personal data on a public web server.
  • The information entered on the form was saved as a PDF file in a folder of the web server that was open to access from the internet.
  • The information entered on the forms included the customer’s name, contact details, and passport number, which in particular poses a privacy risk.

The regulator also imposed a fine on the small travel industry group that the travel agency is considered a part of.

Meanwhile, the Spanish data protection authority AEPD fined SegurCaixa Adeslas (health insurance) 300,000 euros for sending marketing emails to the plaintiff despite their request for deletion of their data, DataGuidance reports. This happened even though the email address in question was registered in an opt-out list of people not willing to receive marketing communications. SegurCaixa Adeslas, however, indicated that the marketing emails were sent by insurance agents with which it maintained a commercial relationship, claiming that these insurance agents should be responsible for the activity of promoting and attracting clients. The AEPD found SegurCaixa Adeslas in breach of Art. 6 (unlawful processing), Art. 17 (failure to honour data deletion requests), and Art. 28 (no formalized data processing agreement with the contracted insurance agents) of the GDPR.

Data security: IoT products

The US National Institute of Standards and Technology published its latest Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) products. An IoT product and its components must protect data stored and transmitted, (both between IoT product components and outside the IoT product), from unauthorized access, disclosure, and modification. Thus, maintaining confidentiality, integrity, and availability of data is foundational to cybersecurity for IoT products. Customers will expect that data is protected and that protection of data helps to ensure the safe and intended functionality of the IoT product. The document provides some real-world IoT product vulnerabilities and related proposed baseline criteria. Here are some examples:

  • Weak data protection in storage and transit creates vulnerabilities within home security cameras allowing adversaries to exfiltrate data. 
  • Unencrypted sensitive data is available through a baby monitor, leaving the data vulnerable to access, modification, exfiltration, and misuse.
  • Using weak de-identification methods leaves data vulnerable to being reidentified allowing unauthorized access to sensitive data, etc.

Big Tech: Meta annual report, TikTok promises minors privacy, AirTag dilemma, surveillance marketing by YouTube, TikTok & Co

Negotiations between the EU and US over transatlantic data transfers and their associated privacy issues need to succeed, said Meta this week in its annual report to the SEC and in press releases. Failure to agree on a new transatlantic data transfer framework that complies with the EU’s GDPR could lead to Facebook and Instagram quitting Europe, Meta added, claiming that 70 other companies are concerned about the impact on their business. The SEC report noted that other data protection requirements at the federal, state, and international level, along with legislation restricting the collection and use of data from minors, could impose limitations on Meta’s business. You can investigate Meta’s annual report here.

A TikTok news briefing revealed the company is conducting twin tests to crack down on adult content arriving on minors’ devices, Reuters reports. The company said one small test would look at how users themselves or their parents or guardians could restrict access, while a ratings approach is being trialled for app creators who want to specify adult content, similar to the film and games industries.

Apple has responded to reports its AirTag device is being used by criminals, especially stalkers, updating software and beefing up online support, according to The Guardian. Any initial user of the device will now be warned tracking people without consent is a crime in many places around the world. Guidance on what to do if you find an unwanted AirTag near you and how to disable it is being added to the website, along with links to two US helplines. Apple says additional measures, like precision detection of stalking AirTags, are on the way.

TikTok and YouTube are by far the biggest collectors of personal data among social media apps, according to a report by URL Genius. While YouTube mostly collects data for its own business purposes and shares little with third-party trackers, TikTok sends nearly all its users’ data to third parties, more than three times as much, trailed by Twitter and Telegram. The report says that for users this means it is unclear where all this data goes, how it is used, and whether or not, for example, other online activity or location is being tracked, whether logged in to TikTok or not. The study added that TikTok allowed third-party tracking even when users did not use the opt-in feature. Find many other findings on surveillance marketing in the original study report.

Weekly digest November 8 – 14, 2021 “Privacy, DP, and Compliance news in focus”
https://techgdpr.com/blog/weekly-digest-november-8-november-14-2021-privacy-dp-and-compliance-news-in-focus/
Tue, 16 Nov 2021 07:55:43 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU commission warned Belgium about failing to ensure full independence of its data protection authority. The Commission considers that Belgium violates Art. 52 of the GDPR, which states that the data protection supervisory authority shall perform its tasks and exercise its powers independently. The independence of data protection authorities requires that their members are free from any external influence or incompatible occupation. However, some members of the Belgian data protection authority currently cannot be regarded as free from external influence because they either report to a management committee depending on the Belgian government, or they have taken part in governmental projects on COVID-19 contact tracing, or they are members of the Information Security Committee. Belgium now has two months to take relevant action, failing which the Commission may decide to refer the case to the Court of Justice of the European Union.

The Dutch regulator, the AP, asks legislators to vote down the proposal for the Data Processing by Partnerships Act (WGS). In its current version it gives government organizations and private parties very broad powers to share personal data with each other, for example in cases of suspected fraud or organized crime. According to the AP, this can have major consequences for people who end up “on the wrong list”, or create a risk of “mass surveillance”. The purpose of the partnerships, to share, store and analyze personal data on a large scale, is not defined clearly enough in the bill, the AP states. According to the government, every partnership concerns “weighty general interests”, such as “monitoring the proper functioning of the market”. The WGS concerns broad categories of data: social security numbers, living situation, residence status, financial data, police data and even data about sexual behaviour. Moreover, it covers not only people’s own personal data but also that of their family and friends, the AP notes. Read the regulator’s opinion (in Dutch) here.

A three billion pound class action against Google over the tracking of millions of iPhone users has been blocked by the UK’s top court. Legal experts said the decision meant the “floodgates” remained closed to US-style representative actions on data breaches and cyber incidents in England and Wales. The Supreme Court has upheld Google’s appeal in Lloyd v Google, limiting the ability of individuals to recover damages for simple loss of control of their personal data. Richard Lloyd, a consumer rights activist, claimed Google illegally misused the data of 4 million iPhone users by tracking and collating their internet usage on their handsets’ Safari browser in 2011 and 2012, even though users were assured they would be opted out of such tracking by default. The Supreme Court found that a claim for damages under the Data Protection Act 1998 (which precedes the UK GDPR) required proof of damage in the form of either material damage, such as financial loss, or mental distress. Relevant evidence could include the time period, the quantity and nature of data captured, how that data was used and what commercial benefit there was to Google in processing it. In the absence of any such evidence, an individual is not entitled to compensation. Read the full decision here.

Official guidance

A new White Paper on digital payments and data privacy was published by the French regulator, the CNIL (in French). Payment data can make it possible to trace personal activities or to identify the behaviour of individuals, creating a complex area of compliance for DP specialists. The Paper distinguishes between the terms “payment data”, “purchase data”, “contextual” (behavioural) data, “silent party” data and data of a “highly personal nature” (biometric data). The CNIL considers that only authentication, and not identification, is necessary for merchants and other payment recipients. Qualifying the actors could also be key: “Criteria such as direct contact with the data subject to subsequent re-use of data for their own account can be used in determining whether an actor should be considered a data controller or data processor.”

Other criteria include data minimisation, careful selection of third-party recipients, the location of payment data storage and international data transfers, and determining a specific purpose and legal basis for each data processing activity, whether legitimate interest (e.g., for security or fraud prevention), the user’s consent, or a legal obligation (e.g., compliance with anti-money laundering laws). For the latter, the CNIL stresses that data protection is only part of the regulatory framework applicable to payment data in the EU, which also includes the Payment Services Directive, the Anti-Money Laundering Directive, and the Network and Information Security Directive. Finally, for security reasons, the CNIL promotes “tokenization”, the method of substituting payment data with randomly generated, single-use tokens, on which the regulator will soon publish additional recommendations.
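To illustrate the single-use tokenization the CNIL refers to, here is a small vault in Python written for this digest, not code from the CNIL paper or from TechGDPR; the TokenVault class, its method names and the 15-minute token lifetime are assumptions, and the card number used is the well-known test number, not real data.

```python
"""Single-use payment tokenization vault (illustrative, added to this digest).

Not code from the CNIL paper or from TechGDPR; the class and method names
(TokenVault, tokenize, redeem, mask_pan) and the 15-minute lifetime are
assumptions made for the example. The vault stands in for the component a
payment provider would run; the merchant keeps only the token and a mask.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so the vault refuses malformed card numbers early."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """What a merchant may keep for receipts: BIN (6) and last 4 digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class _Entry:
    pan: str
    created: float
    used: bool = False


@dataclass
class TokenVault:
    """Maps random tokens to PANs; each token is redeemable exactly once."""

    ttl_seconds: float = 900.0                       # assumed lifetime
    _store: Dict[str, _Entry] = field(default_factory=dict)

    def tokenize(self, pan: str, now: Optional[float] = None) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        now = time.time() if now is None else now
        # The token comes from a CSPRNG and is not derived from the PAN, so
        # a leaked merchant database reveals nothing about card numbers.
        # (A plain hash of the PAN would not do: the space of valid PANs is
        # small enough to enumerate and match against the hashes.)
        while True:
            token = "tok_" + secrets.token_urlsafe(24)
            if token not in self._store:
                break
        self._store[token] = _Entry(pan=pan, created=now)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the PAN for a fresh, unexpired token and burn the token.

        Returns None for unknown, already-used or expired tokens; an expired
        token is burned too, so it can never be revived later.
        """
        now = time.time() if now is None else now
        entry = self._store.get(token)
        if entry is None or entry.used:
            return None
        entry.used = True
        if now - entry.created > self.ttl_seconds:
            return None
        return entry.pan

    def is_live(self, token: str, now: Optional[float] = None) -> bool:
        """Can this token still be redeemed? (no side effects)"""
        now = time.time() if now is None else now
        entry = self._store.get(token)
        return (entry is not None and not entry.used
                and now - entry.created <= self.ttl_seconds)


if __name__ == "__main__":
    # Constructed walk-through with a well-known test card number.
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")
    print("merchant stores:", token, mask_pan("4111111111111111"))
    print("first redeem  :", vault.redeem(token))   # the PAN
    print("second redeem :", vault.redeem(token))   # None: single use
```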

The CNIL also developed an awareness guide, (in French), to the GDPR to support associations in their compliance. Its objectives: to reiterate the main principles, (benchmarks), to respect, and to propose an adapted action plan. France has a particularly rich network of associations, listing more than 1.3 million bodies with various profiles, both in terms of size and sectors of activity, (charitable, political, sporting, social). Most of them collect a lot of information, sometimes sensitive, which concerns various audiences – their members, partners, employees, volunteers or even donors. The guidance includes a variety of steps to be taken: keeping records of processing activities, transparent privacy notices, consent mechanisms and licit cookie banners on the websites, direct advertising, (including charitable prospecting), compliance, prohibition on tracking criminal history of workers and volunteers, running DPIA, data breach notification, establishing a checklist of basic technical and organisational measures, and much more.

Enforcement actions

The Dutch regulator, the AP, has imposed a 400,000 euro fine on the airline Transavia for failing to protect personal data. Poor security allowed a hacker to penetrate Transavia’s systems in 2019, granting access to the data of 25 million people. It has been established that the hacker downloaded personal data of about 83,000 people: name, date of birth, gender, e-mail address, telephone number and flight and booking details, as well as some medical data. Security was not in order on three points:

  • The password was easy to guess and was enough to get into the system. 
  • There was no so-called multi-factor authentication. 
  • Once the hacker took control of these two accounts, they also had access to many of Transavia’s systems. The access was not limited to only the necessary systems.

The hacker penetrated the system in September 2019. Two months later Transavia closed the leak. The airline reported the data breach in a timely manner and informed those involved.

In Italy, the Court of Cassation upheld data protection regulator Garante’s decision to fine C.S. Group 60,000 euros. The C.S. Group, a car-sharing company, lodged a complaint against the fines for failure to notify the processing of the rented vehicles’ geolocation data and of their profiling of customers. The C.S. Group denied that the use of an algorithm to calculate tailored discounts based on additional information provided by customers could be framed as profiling, and requested the redetermination of the sanctions. The court rejected the complaint and confirmed the fines, highlighting that “processing personal data by means of an algorithm is in itself profiling, even when personal data is not stored indefinitely and is not associated with an individual customer, since it constitutes a screening of the data provided, in order to evaluate personal aspects and possibly to predict future behaviour”.

Luxembourg’s CNPD imposed corrective measures on a company for DPO-related violations (Art. 37-39 of the GDPR). The company violated its obligation to communicate the data protection officer’s contact details to the supervisory authority, and also failed to ensure that other tasks, current or past, carried out by the DPO did not result in a conflict of interests with their role as DPO. The investigation showed that the DPO was also Head of Compliance and Money Laundering Reporting Officer, and in that role could determine the purposes and means of processing of personal data, which contradicts the independent role of the DPO. The court also states that there were no immediate measures to mitigate the risk, such as the parallel appointment of a deputy DPO (outside the AML department) who would be in charge of such cases. No administrative fine was imposed in this case.

The Irish data protection authority brought in some changes to its breach notification form. Here are some of the updates for controllers and processors:

  • confirming whether the breach is likely to result in a risk to the rights and freedoms of natural persons, (eg, whether the breach reaches the risk threshold), and whether the breach falls under the Law Enforcement Directive. 
  • determining whether the breach relates to cross-border processing and related questions including details of the controller’s establishments, location of affected data subjects and whether they are “substantially affected”. 
  • classifying the controller’s industry sub-sector according to Eurostat NACE criteria. 
  • choosing the approximate numbers of data subjects from bands (1-10, 11-100).
  • detailing existing TOMs and other measures to mitigate the risk.
  • uploading supporting documents.
  • declaring, (controllers), the understanding that any information provided in the breach notification may be utilised at a future date in relation to an inquiry.

Individual rights

UK-based Privacy International continues to investigate data-related issues in the digital health sector. PI and its partners question whether adopting a given digital solution leads to more effective delivery of quality care. One of the negative outcomes is seen in places where digital infrastructure is still developing (e.g., India), where the time lag between data collection and digitisation can take up to 72 days, which negatively impacts patients: “Such delays not only call into question the effectiveness of the system, but also raise serious questions as to the safety of the data awaiting to be digitised, ranging from storage to access – as well as participating staff know-how and awareness of data protection obligations.”

However, similar failures may occur even in digitally progressive countries (e.g., the non-functional Track and Trace QR code alert system in the UK, or the NHS England Covid app outage). At the same time, data protection authorities have limited expertise and resources to effectively advise on the deployment of such systems in the health sector. PI also worries about the absence of a proper impact assessment of the security of personal health data in centralised digital systems used by government agencies, or in public-private partnerships in the UK (e.g., between the NHS and Amazon) and worldwide. Read the full analysis by PI here.

Data security

Europol has published its Internet Organised Crime Threat Assessment 2021. The report notes the rise of ransomware crews deploying multi-extortion methods: exfiltrating victims’ data and threatening to publish it. Such modi operandi can include, for example, cold calling victims’ clients, business partners and employees with the purpose of committing investment fraud. In addition, many ransomware affiliate programs deploy DDoS attacks against their victims to pressure them into complying with the ransom demand. “Personal information and credentials are in high demand as they are instrumental in improving the success rate of all types of social engineering attacks. Unfortunately, the market in personal information flourishes as ransomware and mobile information stealers produce an abundance of marketable material as a by-product of the primary attack.”

Criminals have also realised how much potential there is in compromising digital supply chains: organisations need to grant network access to update distributors, which makes these third-party service providers an ideal target. According to Europol, one of the solutions would be to intensify public-private partnerships (e.g., expertise and information sharing with financial institutions can help to obtain data on cybercriminals and may help to rapidly freeze their criminal proceeds).

Opinion

Constant monitoring of workers and the setting of performance targets through algorithms is damaging employees’ mental health and needs to be controlled by new legislation, according to a group of UK MPs. Under the proposed act, workers such as delivery drivers (who have to log most of their activity on shifts, sometimes while driving) would be given the right to be involved in the design and use of algorithm-driven systems where computers make and execute decisions about fundamental aspects of someone’s work, including in some cases the allocation of shifts and pay. The parliamentary group’s report also recommended that corporations and public sector employers fill out algorithmic impact assessments, and that the new umbrella body for digital regulation be expanded. Read more analysis of the proposal by the Guardian.

Big Tech

WhatsApp Ireland, owned by Meta, has secured permission from the High Court to challenge the Data Protection Commission’s (DPC) decision to fine it 225 million euros. Last August the DPC held that the messaging service had failed to comply with its obligations under the GDPR in several respects: WA’s processing of data of users and non-users of the service, and the sharing of personal data between WA and other Meta companies. WA also seeks declarations from the court, including that certain provisions of the 2018 Data Protection Act are invalid and incompatible with the State’s obligations under the European Convention on Human Rights. Namely, the 2018 Act allows the DPC to engage in a form of administration of justice that is not permissible and is contrary to the Irish Constitution. Finally, the size of the fine constitutes an interference with WhatsApp’s constitutional property rights, WA claims.

Meta plans to remove detailed ad-targeting options that refer to “sensitive” topics, such as ads based on interactions with content around race, health, religious practices, political beliefs or sexual orientation. In its blog post, the company gave examples of targeting categories that would no longer be allowed on its platforms, such as “Lung cancer awareness,” “World Diabetes Day”, “LGBT culture”, “Jewish holidays” or political beliefs and social issues. It said the change would take place starting January 19, 2022. However, advertisers, (small businesses, non-profits, and advocacy groups), on Facebook and other platforms, can still target audiences by location, use their own customer lists, reach custom audiences who have engaged with their content and send ads to people with similar characteristics to those users.

Beginning in 2022, Apple and Google will impose new privacy requirements on mobile apps in the Apple App Store and Google Play Store, a publication by the National Law Review reminds consumers. Apple’s new account deletion requirement will apply to all mobile app submissions to the Apple App Store beginning January 31, 2022. Similarly, Google’s new Data Safety section will launch in February 2022, and app developers will be required to submit to the Google Play Store Data Safety forms and Privacy Policies by April 2022. These announcements have encouraged mobile app developers to review any laws that may require them to maintain certain types of data, and to make sure that their apps clearly explain what data the app collects, how the app collects data, all uses of the data, and the app’s data retention and deletion policies.
