DORA Archives - TechGDPR
https://techgdpr.com/blog/tag/dora/

Data protection digest 16 Feb – 2 Mar 2025: Data Act to strengthen EU digital market, vigilance over US data transfers
https://techgdpr.com/blog/data-protection-digest-4032025-data-act-to-strengthen-eu-digital-market-vigilance-over-us-data-transfers/
Tue, 04 Mar 2025 10:01:00 +0000
The Data Act is almost here

In February, the European Commission published a set of updated technical FAQs on the implementation of the legal provisions of the Data Act, which applies from 12 September 2025. The Data Act enhances data sharing and enables a fair distribution of data value by establishing clear rules on the access to and use of data within the EU – B2B, B2C, and B2G. Among other things, the guide elaborates on:

  • the definitions of data users, data holders and third parties, as well as 
  • cloud and service interoperability requirements, 
  • fairness of data-sharing contracts, and 
  • enforcement and dispute resolution frameworks. 

The GDPR is fully applicable to all personal data processing activities under the Data Act. In some cases, the Data Act specifies and complements the GDPR (e.g., real-time portability of data from IoT devices). The Data Act also restricts the re-use of data by third parties. In the event of a conflict between the GDPR and the Data Act, the GDPR rules on the protection of personal data will prevail.


US data transfers

The Norwegian regulator Datatilsynet answered FAQs about the rules for US data transfers in light of the political situation in Washington. Although the current rules, the Data Privacy Framework, make it easy to transfer personal data to the US, the regulator expects that these rules will sooner or later be challenged before the CJEU. An adequacy decision remains in force until it is revoked by the Commission.

This means that any changes in the US will not automatically result in the lapse of the adequacy decision. At the same time, if it is revoked, there will most likely not be a transition period. It is important to be aware of this when purchasing US services. Also, the use of US cloud services on European soil could be negatively affected if the adequacy decision is lifted. The most important advice for your business is to have an exit strategy for what you will do if you can no longer transfer personal data to the US in the same way as today. 

DORA implementation updates

On 18 February, the European Supervisory Authorities (ESAs), EBA, EIOPA and ESMA, published a roadmap to designate critical ICT third-party service providers (CTPPs), such as cloud services and data hosting companies, that are critical to the functioning of financial entities under the Digital Operational Resilience Act. By 30 April, the competent authorities must submit the Registers of Information to the ESAs. These registers will list all ICT third-party arrangements that the financial entities have submitted to the authorities.

By July, the ESAs will notify the affected ICT third-party service providers if they have been classified as critical, and by the end of 2025 they will begin overseeing these providers' compliance (risk management, testing, contractual agreements, location requirements, etc.).

Legal updates worldwide

China data audits: With effect from May 1, 2025, Chinese regulators will focus more on the data protection compliance audit requirements under the Personal Information Protection Law, according to DLA Piper's legal analysis. The measures set out the conditions and rules for both self-initiated and regulator-requested compliance audits, to be conducted regularly and covering the whole data lifecycle (for large-scale and high-risk data processing, every two years), together with possible rectification steps and further enforcement.

US privacy enforcement: In the past two months, New York state has amended several rules on data breach notification. The amended law requires businesses to notify affected New York residents of a data breach within a fixed 30-day deadline; in addition, responsible persons must inform the state's Attorney General, Department of State, the Police and Financial Services (the latter only for covered entities) about the timing, content and distribution of the notices and the approximate number of affected individuals. A copy of the template of the notice sent to affected persons must also be provided.

Meanwhile, Virginia state passed a bill requiring social media platforms to use commercially reasonable methods, such as a neutral age screen mechanism, to determine whether a user is a minor (under 16 years of age), and to limit a minor's use of the platform to one hour per day, per service or application, while allowing a parent to give verifiable parental consent to increase or decrease the daily limit. The amendment goes into effect on January 1, 2026.

Automated decision CJEU ruling


In a judgment delivered on 27 February, the Court of Justice of the EU ruled that a data subject is entitled to an explanation of how an automated decision was taken in respect of him or her, and that the explanation provided must enable the data subject to understand and challenge that decision.

The case refers to a mobile telephone operator in Austria who refused to allow a customer to conclude a contract because of her credit standing. The operator relied in that regard on an automated assessment of the customer’s credit standing carried out by Dun & Bradstreet Austria. The contract would have involved a monthly payment of 10 euros.

Algorithmic discrimination and the GDPR

The European Parliament's recent research meanwhile states that one of the AI Act's main objectives is to mitigate discrimination and bias in the development, deployment and use of high-risk AI systems. To achieve this, the act allows 'special categories of personal data' to be processed, under a set of privacy-preserving conditions, in order to identify and avoid discrimination. The GDPR, however, is more restrictive in that respect. The legal uncertainty this creates might need to be addressed through legislative reform or further guidance, the report states.

More from supervisory authorities

DPIA guidance: The Swedish Data Protection Authority IMY has published guidance (in Swedish) on impact assessments for activities that process personal data. The practical guide is intended to facilitate the work of impact assessments and reduce uncertainty about how the various steps are carried out and how the regulations should be understood. It also contains some legal interpretation support, as well as detailed templates for an assessment.

Urban data platforms: As municipalities move towards becoming smart cities or smart regions, more and more systems are being equipped with communication interfaces, states the German Federal Office for Information Security. These include sensors for recording parking spaces, measuring river water levels, or smart garbage cans. Urban data platforms (UDPs) can be used to bundle various information streams and enable efficient decision-making, such as optimized traffic control, early warning systems in the event of disasters, or urban planning.

To that end, the regulator has prepared technical guidance (in German) for developers, solution providers and operators of such platforms. It analyses various existing IT security standards and examines existing UDPs for their vulnerabilities.

Employment records: The UK ICO updated its guidance aimed at employers who keep employment records. Data protection law does not stop employers from collecting, holding and using records about workers; it helps to strike a balance between employer needs and every worker's right to a private life.

The terms 'worker' or 'former worker' cover all employment relationships, including employees, contractors, volunteers, and gig or platform workers. The guidance can be combined with the other ICO guidance on data protection and employment, in particular the ICO's detailed guidance on workers' health information and monitoring of workers.


Insurance companies data swaps

The North Rhine-Westphalia Data Protection Commissioner has initiated investigations against ten insurance companies in North Rhine-Westphalia for an illegal exchange of personal data. Specifically, the companies, together with almost 30 other insurers, shared data from customers in international travel health insurance to uncover cases of fraud and identify fraud patterns. Since the insurance companies are based in ten federal states and other European countries, a joint coordinated investigation was launched. To exchange data, the insurers used a closed email distribution list, on which several employees of the companies involved were usually registered. 

Privacy policy

The Latvian DVI looks at the most common shortcomings in the privacy policies of the organisations it has investigated, and asks data controllers to take them into account:

  • Privacy policy is hard to find
  • Complex and unclear text
  • Not all legal bases and purposes of data processing are listed
  • The purpose of data processing is not linked to the legal basis
  • Failure to specify the organization’s legitimate interests 
  • Unclear information about the storage period
  • Failure to specify recipients of personal data 

Finally, there is also a lack of guidance on data subjects’ rights and their implementation, and complicated mechanisms are provided for the implementation of rights. 

Emotion recognition

The Dutch Autoriteit Persoonsgegevens requested feedback on the AI Act's ban on AI systems that recognize emotions in work or education (unless for medical or safety reasons). The conditions set out in data protection legislation must also be fulfilled if emotion recognition is done using personal data. Clarity is required on the definitions of emotions and biometric information, and on the boundaries of "workplace" and "educational institutions."

In particular, in the GDPR the definition of 'biometric data' is linked to the unique identification of a natural person that is allowed or confirmed by the processing of personal data. The AP notes that the definition of 'biometric data' in the AI Act must be interpreted in the light of the GDPR. The distinction between emotions and physical states, and between emotions and easily visible expressions, also remains unclear.

In other news

Web browsing data fine: America's FTC requires Avast to pay 16.5 million dollars (which will be used to compensate consumers) and prohibits the company from selling or licensing any web browsing data for advertising purposes, to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking. The FTC alleged that Avast sold the data to more than 100 third parties through its Czech subsidiary, unfairly collected consumers' browsing information through the company's browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and consumer consent.

Refused bank loan: It is not possible to further process the data of a loan applicant if no customer agreement has been concluded with the bank, the Polish Supreme Administrative Court confirmed in a recent judgment. The court agreed with the data protection regulator UODO that data processed for creditworthiness assessment and credit risk analysis in connection with inquiries that did not end with the granting of a loan cannot be further used (neither by the bank nor by the credit information bureau) on the basis of the legitimate interest of the data controller.

Data security

Location data: The Data Protection Commissioner in North Rhine-Westphalia warns citizens against being too careless with their location data. If people are careless when selecting an app and sharing personal data, they make it easier for third parties to collect location data and resell it to data traders. The data traders could then use the location information in conjunction with the device-specific ID to create individual movement profiles.

Consumers should ideally pick up their smartphone and check the system settings to see which app has been granted access rights. If in doubt, you should revoke permission.

Self-declared GDPR compliance: The Liechtenstein data protection authority asks organisations to be careful with self-declared GDPR compliance of software solutions or cloud services. Instead, it is necessary to check whether the respective service can achieve the level of protection determined for the data with appropriate settings or measures. Security measures in the cloud include encryption mechanisms and rules on access rights. Under certain conditions, this check must be carried out in the form of a data protection impact assessment (DPIA).

If the data stored in the cloud is transferred to a third country outside the EU/EEA, it must also be checked whether that country offers a level of protection equivalent to that in the EU/EEA, or whether such a level can be ensured through suitable measures and guarantees under the GDPR. In addition, providers of cloud services are usually contracted as data processors, so the existence of a legally compliant data processing contract must also be verified.

In case you missed it

AI from non-EU countries: A number of European regulators draw attention to the risks associated with the use of AI tools like DeepSeek. Although this generative AI model is freely accessible on the Internet, the manufacturer did not design it for the European market. Based on current knowledge, it can be assumed that the requirements of the AI Act and, in particular, the GDPR are not met. Some practical steps can be taken:

  • Pay attention to the transparency of the provider and appropriate documentation.
  • Use a separate, secure IT environment to avoid data leaks.
  • If no privacy-preserving measures are known, it is reasonable to assume that none exist (and inform your employees of the associated risks).
  • Take into account the AI competence requirements and the ban on prohibited AI practices that apply from February under the AI Act.
  • Make sure that the manufacturer of the AI application, if it is also responsible for data protection and is not based in the EU, has appointed a GDPR representative (otherwise, effective enforcement of the rights of those affected can become very difficult).

AI in education: The Future of Privacy Forum meanwhile highlights the spectrum of AI in education in its latest infographic. While generative AI tools that can write essays, generate and alter images, and engage with students have drawn increased attention, schools have been using AI-enabled applications for years for predictive or content-generating purposes too, including reasoning, pattern recognition, and learning from experience.

In practice, they often help with: automated grading and feedback, student monitoring, curriculum development, intelligent tutoring systems, school security and much more. 

Understanding the Five Pillars of the DORA
https://techgdpr.com/blog/understanding-the-five-pillars-of-the-dora/
Fri, 07 Feb 2025 10:25:42 +0000
In today’s increasingly interconnected financial landscape, the need for robust digital resilience has never been greater. Recognizing this, the European Union has introduced the Digital Operational Resilience Act (DORA), a landmark regulation designed to standardize and strengthen ICT risk management across the financial sector. The DORA mandates specific technical standards, capabilities, and outcomes to ensure a unified set of best practices for digital resilience across the financial sector within its “Five Pillars”: 

  1. ICT Risk Management, 
  2. ICT Incident Reporting, 
  3. Digital Operational Resilience Testing,
  4. ICT Third-Party Risk Management, and 
  5. Information Sharing Arrangements (encouraged but not "required")

1. ICT Risk Management (One of the Five Pillars of the DORA)

Organizations must implement comprehensive ICT risk management frameworks to identify, assess, and mitigate operational and cybersecurity risks. Key requirements include: 

  • Establishing governance frameworks;
  • Conducting regular risk assessments; and
  • Defining risk tolerance and mitigation strategies.   

Objective:

This pillar requires financial institutions to implement comprehensive and proactive ICT risk management practices.

Key Elements:

  • Institutions must identify and assess the risks related to their ICT systems and infrastructures.
  • A robust risk management framework must be in place, covering the prevention, detection, and mitigation of ICT-related risks, including cyber threats, operational failures, and natural disasters. 
  • Risk management processes should be integrated into the overall governance structure of the organization. 
  • Specific measures to manage and monitor ICT risks across the entire life cycle of digital services should be implemented, including software, hardware, and data.
  • Governance: There is an emphasis on having clear ownership of ICT risk management within the organization, particularly by senior management.

2. ICT Incident Reporting (One of the Five Pillars of the DORA)

The DORA mandates detailed reporting of ICT-related incidents to national authorities. This entails documenting the nature of the incident, its impact on operations, the affected systems, and any mitigation steps undertaken. For instance, a major data breach at a payment processor would require a detailed account of the breach’s scope, the number of customers impacted and immediate actions taken to secure the system.

Such reporting helps authorities assess systemic risks and provides organizations with a structured approach to managing incidents. The goal is to improve transparency and enable quick responses to systemic risks. Organizations must implement incident detection mechanisms, classify incident severity, and submit standardised incident reports within specified time frames.

Objective:

This pillar focuses on the early identification, reporting, and resolution of ICT-related incidents that could potentially disrupt the operation of financial services.

Key Elements:

  • Financial institutions must have a system in place to detect and report incidents as soon as they occur or are detected, ensuring timely and effective response.
  • Incidents must be categorized based on their severity, with those having a significant impact on the operation of the institution being reported to regulators and relevant authorities (e.g., the European Supervisory Authorities – ESAs).
  • Reports must include detailed information about the nature, cause, impact, and resolution efforts of the incident.
  • Institutions are also required to share lessons learned from incidents to prevent recurrence and improve resilience over time.

3. Digital Operational Resilience Testing (One of the Five Pillars of the DORA)

To ensure resilience, financial entities must test their systems rigorously. The DORA highlights Threat-Led Penetration Testing (TLPT) for critical ICT systems. Requirements include:  

  • Regular testing schedules; 
  • Comprehensive vulnerability assessments; and 
  • Scenario-based crisis simulations.

Objective: 

To ensure financial institutions’ ICT systems are resilient to stress scenarios and can continue to operate during and after disruptions, this pillar mandates regular resilience testing.

Key Elements:

  • Institutions must conduct regular testing of their ICT systems to assess their operational resilience. These tests can include scenario-based simulations, penetration testing, and vulnerability assessments.
  • The testing should cover various aspects, such as cyber attacks, system failures, and other disruptive events.
  • Financial institutions are required to conduct testing not only in-house but also in collaboration with third-party providers to ensure end-to-end resilience.
  • Regular testing results must be documented, and improvements must be made to systems and processes based on test findings.

Frequency:

The testing frequency is typically defined by the risk profile and size of the institution, with larger institutions subject to more rigorous requirements.

4. ICT Third-Party Risk Management (One of the Five Pillars of the DORA)

Outsourcing ICT services doesn’t mean outsourcing accountability. The DORA requires organizations to manage third-party risks proactively by: 

  • Conducting due diligence on ICT providers;
  • Monitoring SLAs (Service Level Agreements); and
  • Ensuring contingency plans are in place.

Objective: 

Since many financial institutions rely on third-party vendors, this pillar aims to ensure that these third-party relationships do not pose a risk to digital operational resilience.

Key Elements:

  • Financial institutions must assess the operational resilience of their critical third-party providers and ensure that these providers are subject to similar ICT risk management practices.
  • Contracts with third parties must include clear terms regarding the minimum levels of service required, including uptime, recovery, and security standards.
  • Institutions must establish a system for monitoring third-party providers on an ongoing basis, ensuring that they continue to meet the required resilience standards.
  • This pillar also emphasises the need for contingency plans if a third-party provider fails to deliver services as expected or causes significant disruptions to operations.
  • Critical third-party providers (e.g., cloud providers, payment processors) must comply with the DORA’s standards or risk being subject to sanctions.

5. Information Sharing Arrangements (encouraged but not “required”) (One of the Five Pillars of the DORA)

Collaboration is crucial in combating cyber threats. The DORA encourages financial entities to:

  • Join trusted networks for sharing threat intelligence;
  • Participate in industry-wide cybersecurity exercises; and
  • Develop secure communication channels for incident reporting.

Objective:

This pillar promotes cooperation and information sharing among financial institutions, regulators, and other stakeholders to improve overall resilience to ICT risks across the financial sector.

Key Elements:

  • Institutions are encouraged to collaborate and share relevant information regarding cyber threats, vulnerabilities, incidents, and best practices.
  • There should be a structured process for sharing information related to incidents and threats to prevent cascading effects across the financial sector.
  • Regulatory authorities, such as the European Supervisory Authorities, play a central role in facilitating this cooperation and ensuring information is exchanged in a timely and secure manner.
  • Institutions must participate in national and EU-wide initiatives to enhance collective digital operational resilience, including participating in threat intelligence networks and working with law enforcement and cybersecurity bodies.

Understanding the Collaborative Frameworks

This includes the establishment of industry groups, joint exercises, and sector-wide programs that focus on ICT resilience and incident management. These five pillars work together to create a comprehensive framework that encourages financial institutions to proactively manage and strengthen their ICT systems. They focus on preventing incidents, detecting disruptions early, ensuring systems remain operational under stress, managing third-party risks, and fostering collaboration to improve overall sector resilience. By adhering to these pillars, financial institutions can enhance their ability to respond to and recover from digital operational disruptions.

Get Support Now

The DORA’s Five Pillars—ICT Risk Management, ICT Incident Reporting, Digital Operational Resilience Testing, ICT Third-Party Risk Management, and Information Sharing—serve as the foundation for a secure and resilient financial ecosystem. Achieving compliance with these requirements is not merely about meeting regulatory obligations; it’s about fortifying your organization against the growing threats of cyber risks and operational disruptions.

At TechGDPR, we specialize in helping businesses navigate this complex landscape with confidence. Our tailored services, including in-depth gap analyses, ensure your organization aligns with the DORA’s standards while optimizing existing processes. Let us partner with you to transform compliance into an opportunity for operational excellence and long-term stability. Reach out to us today to take the first step toward robust digital operational resilience.

Navigating the DORA – The Digital Operational Resilience Act (DORA) – A high level overview and Gap Analysis
https://techgdpr.com/blog/navigating-the-dora/
Thu, 23 Jan 2025 09:51:38 +0000
In today’s rapidly evolving digital landscape, the financial sector faces unprecedented challenges in maintaining operational resilience against cyber threats and technological disruptions. To address these concerns, the European Union has introduced the Digital Operational Resilience Act (DORA), a groundbreaking regulation set to transform the way financial entities and their ICT service providers manage digital risks.

So, what is the DORA?

The DORA is a comprehensive EU regulation that establishes a unified framework for Information and Communication Technology (ICT) risk management in the financial sector. It came into force on January 16, 2023, and financial entities must comply with its requirements by January 17, 2025.

Before explaining the DORA in more depth and its new mandatory compliance obligations for in-scope entities, it is worth keeping uppermost in mind what the implications could be for your business and, in certain instances, the possible consequences for you as an individual. Personal liability can be attributed and sanctions levied.

Fines and Consequences of Non-Compliance

The DORA introduces a stringent enforcement mechanism to ensure compliance across the financial sector. The consequences of non-compliance can be severe, including:

Financial Penalties:

  • Fines of up to 2% of the total annual worldwide turnover for financial entities.
  • Individual fines of up to €1,000,000.
  • For critical third-party ICT service providers, fines can reach up to €5,000,000 for companies or €500,000 for individuals.

Administrative Measures:

  • Mandatory remedial actions to address compliance gaps.
  • Public reprimands and disclosure of violations, leading to reputational damage.
  • Withdrawal of authorization to operate in extreme cases.

Legal Consequences:

  • Potential legal action and scrutiny from regulators or affected parties.

It’s important to note that the exact nature and amount of penalties may vary depending on national laws of EU member states. However, the overarching message is clear: non-compliance with the DORA can have significant financial, operational and reputational consequences for financial entities and their ICT service providers.

The DORA’s primary objectives are:

  1. To create a cohesive approach to ICT risk management across the EU financial sector.  
  2. To harmonize existing ICT risk management regulations among EU member states.  
  3. To enhance the overall digital operational resilience of financial entities and their critical ICT service providers.

The DORA represents a significant shift from previous regulatory approaches, which primarily focused on capital requirements to mitigate operational risks. Instead, the DORA mandates specific technical standards, capabilities, and outcomes to ensure a unified set of best practices for digital resilience across the financial sector within its "Five Pillars": ICT Risk Management, ICT Incident Reporting, Digital Operational Resilience Testing, ICT Third-Party Risk Management, and Information Sharing Arrangements (encouraged but not "required").

The DORA Scope and Applicability

The DORA’s scope is extensive, covering a wide range of financial entities operating within the European Union, as well as non-EU entities with operations in the EU market. It’s important to note that the DORA’s applicability extends beyond EU-based entities. Non-EU financial entities operating within the EU market are also subject to the DORA’s regulations. For example, a Canadian bank with a single branch or office in the EU would fall within the DORA’s scope, as would its ICT service providers.


The regulation applies to:

Traditional financial institutions:

  • Banks
  • Insurance companies
  • Investment firms
  • Payment institutions
  • E-money firms

Emerging financial service providers:

  • Crypto-asset service providers
  • Crowdfunding platforms
  • Account information service providers (AISPs)

Financial market infrastructure:

  • Trading venues
  • Central counterparties
  • Trade repositories

Other financial sector entities:

  • Credit rating agencies
  • Statutory auditors and audit firms
  • Administrators of critical benchmarks

ICT third-party service providers:

  • Cloud service providers
  • Data analytics services
  • Data centers

In Scope examples

To better understand the DORA’s wide-ranging impact, let’s explore some specific examples of how the regulation applies to different sectors within its scope:

Traditional Banking

A multinational bank with headquarters in Frankfurt and branches across the EU must implement robust ICT risk management frameworks, conduct regular resilience testing, and ensure proper incident reporting mechanisms are in place for all its EU operations.

Insurance Sector

A Paris-based insurance company needs to enhance its third-party risk management processes, particularly for cloud service providers hosting critical customer data and claims processing systems.

Investment Firms

A London-based investment firm with clients in the EU must comply with the DORA’s requirements for ICT incident reporting and information sharing, even though the UK is no longer part of the EU.

Crypto-asset Services

A Maltese-registered cryptocurrency exchange serving EU customers must implement DORA-compliant ICT risk management practices, including regular threat-led penetration testing and vulnerability assessments.

E-money Institutions

A Swedish e-money provider offering services across the EU needs to ensure its ICT systems are resilient against potential cyber threats and operational disruptions, in line with the DORA’s requirements.

Payment Service Providers

A Dutch payment gateway company must implement comprehensive incident response and recovery plans, as well as conduct regular digital operational resilience testing.

Credit Rating Agencies

A German credit rating agency needs to enhance its ICT risk management framework and ensure proper monitoring and reporting of significant ICT-related incidents.

Cloud Service Providers

A US-based cloud computing company serving EU financial entities must comply with the DORA’s oversight framework for critical third-party providers, including potential audits and inspections by EU authorities.

If your business falls within one of these sectors or resembles an in-scope example, and you have not yet begun a detailed DORA gap analysis, reach out to us today to discuss how to get on track with these new mandatory legal requirements. It is best to avoid assuming that the DORA only applies to large financial institutions. Remember that it covers a wide range of entities, including smaller firms and non-EU companies operating in the EU market.

The Necessity of a Gap Analysis

A gap analysis can be best described as a way to evaluate the difference between where an organization currently stands and its goal state. As the compliance deadline approaches, conducting a comprehensive gap analysis is crucial for entities in scope and ICT service providers to assess their current state of digital operational resilience against the DORA’s requirements.

The new DORA obligations may seem daunting to many businesses, especially with the constant evolution of regulatory requirements. For organizations already struggling with limited resources, the thought of navigating yet another set of regulatory hoops can feel overwhelming. However, it’s important to recognise that these obligations are an opportunity to strengthen your operational resilience and data protection practices (we will explore the interplays between the DORA & the GDPR in a further article).

The post Navigating the DORA – The Digital Operational Resilience Act (DORA) – A high level overview and Gap Analysis appeared first on TechGDPR.

Data protection digest 1-15 Jan 2025: mobile app permissions should work in conjunction with consent requirements – CNIL
https://techgdpr.com/blog/data-protection-digest-17012025-mobile-app-permissions-should-work-in-conjunction-with-consent-requirements-cnil/
Fri, 17 Jan 2025 10:06:07 +0000

Mobile app permissions

Technical permissions in mobile apps are very useful for privacy, explains the French regulator CNIL. They allow users to technically block access to certain data. However, these permissions are not designed to validate users’ consent within the meaning of the GDPR. Even when consent is required, a simple request for permission does not always allow for free, specific, informed and unambiguous consent. There may also be exemptions from consent, such as for the functioning of a navigation mobile app, when the data is required for the service; however, the OS supplier still requires authorisation to access this information. An ideal permissions system, in conjunction with a consent management system, should allow one to choose without any confusion:

  • the degree of processing of the data provided according to the purpose pursued (eg, more or less precise location);
  • the material scope of the authorisation (eg, access to selected photos rather than the overall media gallery);
  • the duration for which the authorisation is given (eg, one-time activation of the permission or for a predetermined period).

Non-material damages for US data transfers

The CJEU orders the European Commission to pay damages to a visitor to its ‘Conference on the Future of Europe’ website due to the transfer of personal data to the US without appropriate safeguards. In 2021 and 2022, a German citizen complained that the Commission violated his right to personal data protection when he used the Commission’s EU Login authentication service and chose to sign in with his Facebook account.

His data, including his IP address and information about his browser and terminal, were transferred to recipients in the US (Meta, Amazon Web Services and CloudFront). According to the JD Supra law blog, while the sum is small, it is the first time an EU court has acknowledged that people can be awarded damages for illicit data transfers without demonstrating significant loss, paving the way for future claims, including class actions.

More legal updates

“Maximum two complaints per month”: The NOYB privacy advocacy group explains another case, where the CJEU slammed the Austrian data protection authority for discontinuing proceedings against companies. In one example, the authority set the number of complaints that data subjects can file at a maximum of two per month. The CJEU has now made it clear: as long as you do not file abusive complaints, all users have the right to have any GDPR violation remedied by the regulator. NOYB also looked at the EU-wide problem of data protection authorities’ inactivity: statistically, many cases wait up to several years for a decision (instead of the established 6 months).

Canada updates: According to an IAPP analysis, the proposed federal privacy law reforms and AI regulation contained in Bill C-27 are in serious jeopardy. Prime Minister Justin Trudeau’s recent resignation has paralysed Parliamentary business. As the country awaits a national election, C-27’s approval in the Senate is delayed. The proposals include enacting the Digital Charter Implementation Act, the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act. 

India updates: The government has released a draft of the Digital Personal Data Protection Rules (legal text available in English) under the Digital Personal Data Protection Act (2023), and is currently seeking public feedback and comments, the cms-lawnow.com law blog reports. Key rules include: consent obligations, including for children’s data, security safeguards, data breach notification, retention periods, information obligations, data transfers abroad, impact assessments and audits, and the exercise of data subject rights.

Electronic patient records

On January 15 the “electronic patient record” (ePA) will start with a pilot phase in Hamburg, Franconia and North Rhine-Westphalia in Germany. After the successful completion of the introductory phase, the nationwide rollout is planned for February 15 at the earliest. The use of the ePA was already possible voluntarily. However, from January 15, the Digital Act (DigiG) stipulates that health insurance companies will create an ePA for all patients who have not explicitly objected to this.

Insured persons should therefore now check whether they want to use it or whether they object to its use completely or partially with an opt-out. The objection can be made at any time, and the health insurance companies must subsequently delete files that have already been created. The ePA brings with it advantages: it facilitates the exchange of medical documents, avoids duplicate examinations and makes it easier for patients to control which data they release to whom. However, there is currently also criticism, particularly regarding data security (IT experts uncovered security flaws in the ePA at the Chaos Communication Congress at the end of 2024).

Work agreements and data processing

DLA Piper’s legal blog looks at a CJEU case, where an employer (in Germany) had initially concluded a temporary agreement with the works council on the use of the software ‘Workday’. It provided, inter alia, that specifically identified employee data could be transferred to a server of the parent company in the US. An employee brought a legal action for access to this information, for the deletion of data concerning him, and for compensation. On this occasion, the CJEU ruled that if employers and works councils agree on more specific rules in a work agreement regarding the processing of employees’ data, these must take into account general data protection principles, including the lawfulness of processing. Furthermore, such a work arrangement is open to judicial scrutiny. Thus, businesses should investigate whether other legal bases are applicable.

More official guidance

UK online safety: On 16 December, Ofcom brought into effect new UK online safety regulations. Now digital platforms, especially bigger and riskier ones (social media firms, search engines, messaging, gaming, dating apps, and file-sharing sites), have three months to complete illegal harm risk assessments and apply necessary safety measures (from the list of more than 40 safeguards). Among many things, this will include reporting and complaints duties, better moderation, easier reporting, built-in safety tests, and protecting children. The Act also enables Ofcom to make a provider use (or in some cases develop) a specific technology to tackle child abuse or illicit content on their sites and apps.

AI and consumer harm: America’s FTC gathered the latest casework on what companies need to consider when developing, maintaining, using, and deploying an AI-based product. This includes:


Video surveillance on a large scale

Depending on the scope and purpose, video surveillance can be divided into three scales: narrow, medium, and wide-scale video surveillance, explains the Latvian regulator. Large-scale video surveillance means that the processing is carried out over a significant area and presents high risks for the processing of personal data at regional, national or transnational levels. The larger the area monitored and the more people visiting it, the higher the risk of data misuse.

If an organisation conducts video surveillance of several separate areas, their total area should be taken into account to determine whether video surveillance is taking place on a large scale. When conducting video surveillance in publicly accessible, but less populated or visited areas, the thresholds for the size of the area and the duration of data retention may be higher to qualify as large-scale. However, if video surveillance involves the processing of biometric data for the unique identification of a person, then it is considered to be the processing of special categories of data.  

Privacy of the art market

An analysis in The Art Newspaper notes that access to historic sales records is becoming more restricted due to increased confidentiality periods at auction houses.

In the EU and the UK, privacy rights are protected through contract, common law and data protection regulations. Thus, the identity of buyers and sellers is protected in several ways, and the auction houses are now restricted from disclosing it without the client’s consent. Moreover, the degree to which such data privacy measures can be used to restrict access is still unclear, as the GDPR does not prescribe how long confidentiality clauses can last.

More enforcement decisions

Genetic and health data breach: The Estonian data protection inspectorate imposed an 85,000 euro fine in connection with an incident that occurred at the end of 2023, in which the Asper Biogene OÜ system was attacked and approximately 100,000 files with people’s data, including genetic and health data, were obtained. The decision can still be appealed by the company. Asper Biogene OÜ is primarily engaged in testing for hereditary diseases, developing genetic tests and providing healthcare services, thereby processing health data extensively.

Frontex case: The EDPS issued a warning to Frontex for a breach of data protection rules. The breach involved Frontex systematically sharing the personal data of suspects in transnational criminal cases with Europol without assessing whether the sharing was necessary. Such sharing can have serious consequences for individuals, who could be wrongly linked to criminal activities in Europe. Frontex stopped the transfer of personal data to Europol shortly after the inquiry and now assesses all information individually before sharing it with the agency. 

Facial recognition: The FTC meanwhile finalised an order against IntelliVision Technologies due to false claims that its AI-powered facial recognition software was free of gender or racial bias. The FTC alleged that IntelliVision lacked evidence that its software had one of the highest accuracy rates on the market and performed with zero gender or racial bias.

The complaint also alleged that IntelliVision did not train its facial recognition software on millions of faces, as it claimed, nor did it have adequate support for its claims that its anti-spoofing technology ensures the system can’t be fooled by a photo or video image.

Data security

DORA is enforceable now: The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. DORA harmonises the rules relating to operational resilience for the financial sector, applying to 20 different types of financial entities and ICT third-party service providers. It covers areas of compliance such as:

  • ICT risk management, 
  • ICT third-party risk management, 
  • Digital operational resilience testing, 
  • ICT-related incidents, 
  • Information sharing on cyber threats, and 
  • Oversight of critical third-party providers.

Security updates: Privacy International meanwhile reminds us that the CrowdStrike incident (malformed update) earlier this year had major implications for governments and businesses across the world. Among other things, it emphasises that security updates, including auto-updates, are incredibly important to keep our devices running properly and safely. What is needed is for auto-updates to be properly tested before being rolled out. Moreover, too often we see companies bundling together security and feature updates, meaning that users cannot install one without the other. That is a problem, especially if a weaker system for testing feature updates pollutes the process for security updates, or if users are prevented from having the latest security updates installed because they do not want the features or their device does not support the feature updates.

Big Tech

US vulnerabilities: The outgoing President Joe Biden has just signed an executive order to address US vulnerabilities following cyber attacks (by China, Russia, Iran and ransomware criminals) that cost the country billions, the Guardian reports. Among its most notable elements is a mandate for government agencies to install end-to-end encryption for email and video communications, as well as new standards for AI-powered cyber defence systems and quantum computing protections.

The order also requires federal agencies to only purchase internet-connected devices with a “cyber trust mark” from 2027, essentially leveraging government procurement authority to encourage manufacturers to tighten security standards for items such as baby monitors and home security systems.

Upcoming Webinar, DORA for Decision Makers: What You Need to Know for the Upcoming Year
https://techgdpr.com/blog/dora-for-decision-makers-webinar/
Mon, 06 Jan 2025 13:18:22 +0000

TechGDPR invites you to another exclusive live webinar, DORA for Decision Makers: What You Need to Know for the Upcoming Year. Join our new Senior Consultant and former Information Commissioner, Stewart Haynes, alongside our Managing Partner, Silvan Jongerius, for an overview for decision makers of the Digital Operational Resilience Act (DORA) and its implications for businesses, including risk management, reporting obligations, and new cybersecurity and operational standards.

Date: Friday, January 17, 2025
Time: 14:00 GMT / 15:00 CET
Where: LinkedIn Live

Why You Should Attend

The regulatory landscape is shifting, and the Digital Operational Resilience Act (DORA) is at the forefront of these changes. January 17th marks the day that the DORA goes into effect, and compliance now entails understanding the practical implications of this new regulation for your business. In this session, Stewart Haynes will leverage his 25+ years of experience in regulatory compliance to share insights on:

  • What DORA Means for Your Business: Unpacking the regulation’s core requirements and timelines.
  • Mitigating Operational Risks: Strategies to enhance your organization’s resilience against cybersecurity threats and IT disruptions.
  • Navigating Regulatory Expectations: Insights into how regulators will assess compliance under DORA.
  • Future-Proofing Your Strategy: How DORA aligns with other evolving regulations and what to prioritize in 2024 and beyond.

This session promises practical advice for decision-makers seeking to build robust, compliant operations. TechGDPR’s extensive experience in tailored privacy solutions ensures the conversation will address real-world challenges across industries, including fintech, health tech, SaaS, and AI.

Key Topics Covered

This webinar is designed to provide decision-makers with actionable insights, including:

This session offers a unique opportunity to gain insights from a former regulator’s perspective: Stewart Haynes’s firsthand experience as an Information Commissioner provides a rare glimpse into the priorities and processes that drive regulatory decision-making. Silvan Jongerius will bring his strategic expertise to ensure the discussion translates into actionable takeaways for your business.

Sign Up Now to Secure Your Spot!

Whether you’re a senior executive, compliance officer, or consultant, this webinar will equip you with the knowledge and tools to navigate the DORA confidently. Don’t miss your chance to gain invaluable insights directly from a former regulator and a leading privacy expert.

We look forward to seeing you on January 17, 2025!

Data protection digest 1 – 15 Dec 2024: DORA application deadline, new Meta fine, AI impact assessment
https://techgdpr.com/blog/data-protection-digest-18122024-dora-application-deadline-new-meta-fine-ai-impact-assessment/
Wed, 18 Dec 2024 09:37:58 +0000

In this issue, we explore the DORA application deadline and its interference with the GDPR; how to conduct an AI impact assessment or integrate it into your existing privacy risk management processes; what constitutes US-restricted data transfer to countries of concern; and what expectations customers have about their data; a Real-Time Bidding explainer; a Sky Italia telemarketing fine; and a new Meta privacy violation.

DORA application deadline

As the Digital Operational Resilience Act will apply from 17 January 2025, the European supervisors have called on financial entities and third-party providers to advance their preparations on the information and communication technology requirements. In data protection experts’ opinion, there are also important interfaces between DORA and the GDPR. Both regulations aim at ensuring data integrity, confidentiality and availability, and both impose obligations such as notification of security incidents, risk management, technical and organisational measures, controls and audits. Furthermore, an integrated strategy that considers both data protection and IT security is needed to comply with both regulations.

Third-country authorities and GDPR certification

The EDPB published guidelines on GDPR Art.48 about data transfers to third-country authorities. The sharing of data with the public authorities in other countries can help collect evidence in the case of a crime, check financial transactions, or approve new medications. The board clarifies how organisations, private and public, can best assess under which conditions they can lawfully respond to such requests. The Board also adopted an opinion approving the Brand Compliance certification criteria concerning processing activities by controllers or processors across Europe. GDPR certification helps organisations demonstrate their compliance with the law and helps people trust the product, service, process or system for which organisations process their data.

More legal updates

US restricted transfers: The Department of Justice has suggested restrictions on cross-border transfers of sensitive personal data to “countries of concern”. The regulation would, among other things, restrict data brokerage transactions with China, Russia, Iran, North Korea, Cuba, and Venezuela that pose significant national security threats, and limit some vendor, employment, and investment arrangements with nations of concern unless they fulfil specified security standards.

Those adversaries can be interested in biometric and genomic data, health care data, geolocation information, vehicle telemetry information, mobile device information, financial transaction data, and data on individuals’ political affiliations and leanings, hobbies, and interests. In this way, countries of concern can exploit their access to US government-related data or Americans’ bulk sensitive personal data to collect information on activists, academics, journalists, dissidents, and political figures. 

Oregon and several other US states have recently advanced their privacy laws. For instance, the Oregon Consumer Privacy Act applies to all for-profit businesses immediately and to applicable charitable organisations as of 1 July 2025. It gives residents the right to opt out of a business selling their personal information, profiling them or using it for targeted advertising, as well as the rights to obtain a copy of, correct any inaccuracies in, and delete the personal and sensitive data a business has collected about them.

On January 1, 2025, five more states’ consumer privacy rights laws will take effect: Iowa, Delaware, New Hampshire, Nebraska, and New Jersey.

Customer expectations about their data

The assessment of customer expectations regarding the processing of their data is an essential element in ensuring the lawfulness and transparency of data processing, states the Latvian regulator. Reasonable expectations are what a customer, given their specific relationship with the organisation, the types of data involved and the information available, can naturally expect from the processing of their data. A practical approach to assessing expectations would be to conduct surveys, interviews and focus group discussions, as well as to consult industry standards and previous experience.

Internal procedures and training

Developing appropriate internal procedures and regular training also helps ensure employees know how to act in supporting the company’s compliance efforts. This may be especially useful when a business expands rapidly, hires new employees, and the number of clients also increases. If non-compliance is detected which could result in a violation of customer data processing and protection, the company, with the help of its data protection specialist, has to prepare an action plan, which may include:

  • conducting internal audits, 
  • reporting immediately to the responsible person, 
  • reviewing and improving legal bases and purposes of processing,
  • reviewing related documentation,
  • corrective measures such as informing data subjects, etc. 

More from supervisory authorities

Machine learning and training data: America’s NIST continues its series of posts about privacy-preserving federated learning (PPFL). Unlike traditional centralised learning, PPFL solutions prevent the organisation training the model from looking at the training data. Model training is, however, only a small part of the machine learning workflow. In practice, data scientists spend a lot of time on data preparation and cleaning, handling missing values, feature construction and selection. Challenges may result from poor-quality data or from maliciously crafted data intended to reduce the quality of the trained model.

To know more about AI model training, see the Spanish regulator AEPD’s recent discussion of a use case: a single-neuron network that determines whether a person is overweight, compared with a larger network that allows for more complex classifications but can equally lead to ‘hallucinations’. From a data protection perspective, the question is to choose the one that is most appropriate to the context and purpose of the processing operation. For example, the chosen structure may require such a quantity and diversity of data samples that it is not possible to obtain them, or that it is not proportional or legitimate to collect them. In that case, the purpose could not be achieved from the design stage.

Software developers: Italian regulator Garante approved the Code of Conduct which concerns the processing of personal data carried out by companies developing and producing management software. Such software, intended for companies, associations, professionals and public administrations, is used to fulfil tax and social security, welfare and management obligations, drafting financial statements, personnel management and corporate obligations, with a significant impact on aspects relating to the protection of personal data. 

Sky Italia telemarketing fine

The Italian regulator also fined Sky Italia over 840 thousand euros for numerous violations found during telemarketing activities and sending commercial communications. The company carried out marketing activities, by telephone and via SMS, in the absence of adequate checks on the obligations regarding information and consent. Sky did not consult the registration of the users contacted in the public register of oppositions before each promotional campaign.

Some of the users had been contacted based on consent acquired even before the GDPR came into full effect. The documentation of consents acquired from data supply companies also appeared unsuitable to unequivocally demonstrate the will of the interested parties, as Sky stored the details of the consents in editable Excel files. Furthermore, Sky relied on the consent to marketing automatically provided by users during registration on the website and mandatory to use the service offered.

More enforcement decisions

The Irish Data Protection Commission fines Meta 251 million euros. Investigations were launched following a personal data breach, which was reported by Meta in September 2018. It impacted approximately 29 million Facebook accounts globally, of which approximately 3 million were based in the EU/EEA. The categories of personal data affected included the user’s full name, email address, phone number, location, place of work, date of birth, religion, gender, posts on timelines, groups of which a user was a member, and children’s personal data. The breach arose from the exploitation by unauthorized third parties of user tokens on Facebook.

CCTV: The Swedish data protection authority fined Granit Bostad Beritsholm AB due to unauthorized camera surveillance in an apartment building. Previously there were cameras at three main entrances, at elevators and apartment doors, as well as in the basement corridor next to the storage room, laundry room and sauna. There were also several cameras in the garage, bicycle storage, garbage room, and at the back of the property.

The company now has to cease the camera surveillance of all places on the property except the garage. The camera signs must contain information about the company’s identity and contact information.

Prison sentence: A motor insurance worker, who led a team dealing with accident claims, has been handed a suspended prison sentence after an investigation by the UK Information Commissioner. The company reported to the regulator that it suspected an employee was unlawfully accessing its systems. The insurers became suspicious due to the higher-than-normal number of claims being processed. An internal investigation found he had featured in 160 of the claims, despite his role not involving the access of claims. The search of the suspect’s home also found he was sending personal data he had accessed by mobile phone to another person. 

AI impact assessment

The Future of Privacy Forum has prepared a detailed guide on how organisations can conduct AI impact assessments. Organisations typically take four common steps: a) initiating an AI impact assessment; b) gathering model and system information; c) assessing risks and benefits; and d) identifying and testing risk management strategies. There is also a trend within organisations to perform multiple assessments at different points in the AI lifecycle, as well as integrate AI impact assessments into existing risk management processes, including those around privacy.

Real-Time Bidding

America’s FTC announced a new enforcement action in which it alleged that the data broker Mobilewalla collected and retained sensitive location information from consumers, often without their consent, and shared those details with third parties to target advertisements. Most of the advertisements we see online involve a process called “real-time bidding” (RTB), where publishers, websites, apps, or other digital mediums with ad space to sell auction off their empty ad space on exchange platforms, and advertisers can bid for that placement.

Big Tech

LinkedIn suspended AI training in Canada: The Privacy Commissioner welcomed the commitment from LinkedIn to pause training of AI models using the personal information from Canadian member accounts. While LinkedIn indicated that it believed that it had implemented its AI model in a privacy-protective manner, the company agreed to engage in discussions with the regulator to ensure that its practices are compliant with Canada’s federal private-sector privacy law. Recently LinkedIn also suspended AI training using UK and EU data. 

The European Data Protection Supervisor is examining the Commission’s compliance regarding the use of Microsoft 365. The Commission could have infringed several provisions of the data protection law for EU institutions, bodies, offices and agencies, including those on transfers of personal data outside the EU/EEA. In its decision of March 2024, the EDPS ordered the Commission to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors, located in countries outside Europe not covered by an adequacy decision. There is also an ongoing court proceeding in the matter. 

AI development: The UK Information Commissioner is urging Generative AI developers to tell people how they’re using their data. This could involve providing accessible and specific information that enables people and publishers to understand what personal data has been collected. Without better transparency, it will be hard for people to exercise their information rights and for developers to use legitimate interests as their lawful basis. The Commissioner also encourages AI firms to get advice from the regulator through the Regulatory Sandbox and Innovation Advice services, as well as from other regulators through the DRCF AI & Digital Hub. 
