EU whistleblowing rules Archives - TechGDPR
https://techgdpr.com/blog/tag/eu-whistleblowing-rules/
Fri, 25 Oct 2024 14:06:07 +0000

Weekly digest May 16 – 22, 2022: cookie-walls, US governmental inquiries, cross-border transfers, AI for hackers
https://techgdpr.com/blog/weekly-digest-23052022-cookie-walls-us-governmental-inquiries-cross-border-transfers-ai-for-hackers/
Mon, 23 May 2022 07:35:27 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: ‘cookie-walls’, US governmental inquiries, cross-border data transfers

The French regulator CNIL published its first evaluation criteria on ‘cookie walls’ or ‘pay walls’. All the principles of the GDPR remain applicable to the processing of data related to the use of cookie walls. Particular attention must be paid to informing individuals about the data transfers outside the European Union that the use of certain solutions would entail. Most of the services offered on the Internet are presented as free. However, this gratuity is not without a counterpart: the personal data of Internet users collected are very often used by web players to finance the services they offer, in particular by resorting to targeted advertising.

So, when an Internet user refuses the use of trackers on a website (for example by clicking on a “refuse all” button), the CNIL recommends that publishers offer a real and fair alternative allowing access to the site which does not imply having to consent to the use of their data. The fact, for a publisher, of conditioning access to its content either on the acceptance of trackers contributing to monetising its service, or on the payment of a sum of money, is not prohibited in principle, since this constitutes an alternative to consenting to trackers. However, this monetary compensation must not be so expensive as to deprive Internet users of a real choice: one can thus speak of a reasonable price.

In the US, a government inquiry in the context of data security typically arises in one of two ways, says a K&L Gates article, either a data security incident involving a threat actor occurs, or a government agency is alerted to the possibility that a company is engaging in unlawful practices involving sensitive data. In both cases, it is not uncommon for a government agency to open an inquiry that could last months or even years. Thus, the most important factor is preparedness. Organizations should have a written policy for responding to government inquiries involving the storage, use, and management of sensitive data. 

A careful analysis of the inquiry is also crucial to formulating the best response. For example, if the company receives an inquiry letter or a subpoena, there may be ways to negotiate the scope, breadth, and timing of a response. On the other hand, if the inquiry takes the form of an investigation notice, such a notice may be followed by requests for information, documents, interviews, or inspections that warrant a careful, forward-looking plan of response, including planning for a potential dispute.

Meanwhile, the Berlin data protection authority published new cross-border data transfers guidance (in German). If personal data is to be transferred to third countries outside the EU or EEA, additional requirements apply. A two-stage check is then required: a) would the data processing be permitted if it took place in the EU/EEA? b) is the data export to the third country also permitted (eg, existence of an adequacy decision, transfer tools like SCCs, approval of the supervisory authority)? Exceptions (Art. 49 DS-GVO) also allow data exports in exceptional cases if certain special conditions exist. These include in particular consent from the data subject and the necessity of the transmission to fulfil a contract with or in the interest of the data subject (eg, a hotel booking).

In view of the market power of US IT companies, data exports to the US are particularly relevant in practice. The ECJ analyzed the legal situation in the USA and came to the conclusion that the level of protection for personal data from the EU that prevails there does not meet the requirements for permissible data export in the light of the GDPR and the Charter of Fundamental Rights of the EU, (Schrems II decision). In order for the standard contractual clauses to be able to continue to be used after the “Schrems II” judgment, the data exporters must take additional measures, (eg, secure encryption or pseudonymization, although these are not possible with many US cloud services), and a detailed examination of the legal system and practice of the third country with regard to any access by the authorities there to the transmitted personal data. 

The Berlin regulator also clarifies some ambiguity on which companies fall under the US secret service legislation, the data categories recorded and the legal protection options that are open to the addressees in the event of official orders. In addition, the question arises as to whether the US authorities have access rights even if data is processed exclusively in Europe.

Legal processes: administrative fines calculation, AML/CFT data protection obligations

The EDPB has adopted guidelines to harmonise the methodology supervisory authorities use when calculating the amount of fines. Throughout every stage, the fact that the calculation of a fine is no mere mathematical exercise must be taken into account. Rather, the circumstances of the specific case are the determining factors leading to the final amount, which can – in all cases – vary between any minimum amount and the legal maximum. The guidance set out applies to all types of controllers and processors except natural persons when they do not act as undertakings. This is notwithstanding the powers of national authorities to fine natural persons. Taking into account these parameters, the EDPB has devised the following methodology:

  • Identifying the processing operations in the case and evaluating the application of Art. 83(3) of the GDPR. 
  • Finding the starting point for further calculation based on a) classification; b) the seriousness of the infringement; c) the turnover of the undertaking.
  • Evaluating aggravating and mitigating circumstances related to past or present behaviour of the controller/processor and increasing or decreasing the fine accordingly. 
  • Identifying the relevant legal maximums for the different processing operations. Increases applied in previous or next steps cannot exceed this amount. 
  • Analysing whether the final amount of the calculated fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by Art. 83(1) of the GDPR, and increasing or decreasing the fine accordingly. 

The EDPB also draws the attention of the European institutions to the important data protection issues raised by the implementation of the AML/CFT obligations, as provided by the AML legislative proposals. Obliged entities are required to process personal data which allows intimate inferences to be drawn about individuals and which can notably lead to the exclusion of legal and natural persons from a right and/or a service (for instance, a banking service). It is therefore crucial that the AML legislative proposals are in line with the GDPR. Among the safeguards the EDPB offers:

  • Consultation of the EDPB in the context of the drafting and adoption of regulatory technical standards, (RTS), guidelines and recommendations, (eg, the RTS shall specify, notably, the information to be collected for the purpose of performing standard, simplified and enhanced customer due diligence, on an ongoing monitoring of a business relationship and on the monitoring of the transactions carried out in the context of such relationship).
  • The need to better specify the conditions and limits of the processing of special categories of data and of personal data relating to criminal convictions, (eg, in order to avoid that decisions are made on a basis of discriminatory factors, it should be also specified that the assessment made by obliged entities shall not be solely based on the processing of special categories of personal data).
  • The need to provide additional provisions in relation to the sources of information, (eg, the obligation to use reliable, accurate and up-to-date sources should be extended to all information processed by obliged entities for the purpose of AML/CFT).
  • The need to provide specific provisions for the processing of personal data by providers of so-called “watchlists”. The providers of these “watchlists” are acting as data controllers, as defined in Art. 4 of the GDPR. Moreover, the legal basis, (Art. 6), for the processing of personal data by such providers is not clear, says the EDPB.

Investigations and enforcement actions: Google’s Lumen no opt-out, website without privacy policy, restaurant’s 14 unmarked cameras, unprotected whistleblower data

The Spanish privacy regulator AEPD fined Google 10 million euros for GDPR infringements, IAPP News reports. The AEPD found that third-party data sharing by Google with the legal database Lumen Project lacked an opt-out mechanism for data subjects, and that the communication was therefore carried out without valid consent. The shared data (processed in the US) included personally identifiable data, email addresses and individuals’ legal claims. In addition, Google’s privacy policy makes no mention of this processing of users’ personal data, and communication to the Lumen Project does not appear among the purposes. The sanction also calls for Google to delete all the personal data shared with Lumen and halt further use of that data. Read the summary of the decision in Spanish here.


The AEPD also fined Movalia Traslados 1,200 euros for GDPR failures regarding the privacy policy on their website. The AEPD received a complaint related to Movalia Traslados’ website, where, in connection with an advertisement for a taxi service, website visitors could enter their personal data on a form to request a taxi. The data subjects had not been provided with information about the processing of their personal data via the form, and they were able to submit the form to request a taxi without having read and accepted the company’s privacy policy. Furthermore, the AEPD noted the lack of a privacy policy and of information on the nature of the data processing.

Meanwhile, the Italian privacy regulator ‘Garante’ fined restaurant operator Rebirth for privacy and data protection violations. The Garante noted that it had sent a request for information, and that it had launched an investigation in the absence of a response from the operating company Rebirth. In the end, the Garante found that 14 cameras were installed in the restaurant (‘Caffè Antica Roma’), in the absence of any notice providing information on their presence. Additionally, the regulator noted that the video surveillance system had been installed without prior authorisation from the Labour Inspectorate and from the relevant trade union, Data Guidance reports.

The Danish data protection agency expressed serious criticism of the Danish Financial Supervisory Authority for not having complied with the requirement for adequate security, as it handed over information about whistleblowers to a journalist in connection with a request for access to documents. The unintentional disclosure took place because the financial authority had not removed personal data from the material provided in a sufficiently secure manner. It had crossed out personal data in the PDF documents it handed out, but the underlying text could still be revealed by holding the mouse cursor over the crossed-out passages. It appears that the financial authority was not aware that it is necessary to delete the hidden information behind the displayed document (metadata, etc.) in order to ensure that it is no longer available.
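As an added illustration of the failure mode in the Danish case (a constructed example, not from the Datatilsynet decision or from TechGDPR): a minimal PDF in which one line is ‘crossed out’ by painting a black box over it, beside one where the text operator is actually removed, and a pre-release check that pulls the Tj strings out of the content stream to show which terms remain recoverable. It assumes uncompressed content streams and a constructed sample name; real documents need a PDF library that inflates streams.

```python
import re
from typing import List


def build_pdf(visible_text: str, secret_text: str, properly_redacted: bool) -> bytes:
    """Constructed minimal, uncompressed single-page PDF (not a real document).
    Line two is 'redacted' either by painting a black box over it (overlay) or by
    not emitting its text operator at all (proper redaction). Texts must contain
    no unescaped parentheses or backslashes for this simple builder."""
    ops = [f"BT /F1 12 Tf 50 700 Td ({visible_text}) Tj ET"]
    if not properly_redacted:
        # The hidden line stays in the content stream; only its rendering is covered.
        ops.append(f"BT /F1 12 Tf 50 680 Td ({secret_text}) Tj ET")
    ops.append("0 g 45 676 300 16 re f")  # black rectangle painted over line two
    content = ("\n".join(ops) + "\n").encode("latin-1")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"endstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_pos)
    return bytes(out)


_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
_TJ = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")


def extract_shown_strings(pdf: bytes) -> List[str]:
    """Collect every literal string handed to the Tj text-showing operator in the
    uncompressed content streams. Real extractors (and a reader's copy/paste or
    hover) do the same thing more thoroughly, which is why covered text leaks."""
    return [m.group(1).decode("latin-1")
            for stream in _STREAM.finditer(pdf)
            for m in _TJ.finditer(stream.group(1))]


def leaked_terms(pdf: bytes, sensitive_terms: List[str]) -> List[str]:
    """Pre-release check for a document about to be disclosed: which of the terms
    that were supposed to be removed are still present as extractable text?"""
    text = "\n".join(extract_shown_strings(pdf))
    return [term for term in sensitive_terms if term in text]


if __name__ == "__main__":
    names = ["J. Doe"]  # constructed sample of data that must not be disclosed
    covered = build_pdf("Access request reply", "Whistleblower: J. Doe", properly_redacted=False)
    removed = build_pdf("Access request reply", "Whistleblower: J. Doe", properly_redacted=True)
    print("overlay only, leaked:", leaked_terms(covered, names))  # ['J. Doe']
    print("text removed, leaked:", leaked_terms(removed, names))  # []
```

The lesson generalises to images, annotations and metadata: a release check must inspect what the file contains, not what the viewer shows.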

Data security: ransomware gangs using AI

The strongest alarm yet has been sounded about ransomware gangs using AI and machine learning to expand their criminal activity. In itself this is nothing new, but what has changed is the criminals’ rapidly increasing cash, or crypto, pile, which may allow them to trump the tech giants’ salaries for specialists and lure them into illegal activity. Just one outfit, Conti, extorted over 180 million dollars in 2021, a bumper year for the cybercriminals who raked in over 600 million dollars, a doubling of attacks year-on-year, with many of the groups Russian-based. One expert predicted the gangs will start using the technology in 12 to 24 months’ time, as the currently tiny pool of experts grows with new graduates entering the jobs market.

Big Tech: Google’s Incognito mode, Tesla’s Bluetooth Low Energy, Snapchat’s Lenses app

Texas Attorney General Ken Paxton has amended an ongoing lawsuit against Google, adding a new complaint that the search giant’s Incognito mode is anything but. In the suit Paxton calls the privacy claims made for Incognito mode “false, deceptive, and misleading” when it “represents that Incognito Mode allows Texans to control what information Google sends and collects.” Google denies the accusation, but industry experts agree that Google’s efforts fall short of the safeguards in place at Firefox and Safari, for example. Along with four other Paxton suits, Google is facing a 2020 class action lawsuit over continuing to track users while in Incognito mode, for which damages of a minimum of five billion dollars are being sought. Reportedly CEO Sundar Pichai was warned in 2019 to stop calling Incognito “private”, but he continued to do so anyway.

A major security vulnerability has been exposed in Teslas, but essentially the same vulnerability applies to any of the millions of vehicles worldwide that have Bluetooth Low Energy installed, Reuters reports. Researchers were able to break into a Tesla and drive it away using a simple relay and a laptop to fool the car into thinking it was communicating with an authorised key. Only the Model 3 and Model Y appear to be at risk, but with BLE also embedded in smart locks in homes and businesses, and the technique usable by hackers from anywhere in the world rather than only in close proximity, the risks are greatly multiplied.

Snapchat’s Lenses app is facing a class action lawsuit from two Illinois residents who allege the app violates the US state’s Biometric Information Privacy Act. The app adds effects to photos, but to do so it scans the user’s face. However, BIPA states that written consent must be obtained by any company before collecting certain biometric data, including facial scans, and no such feature is incorporated into Lenses.

Weekly digest March 7 – 13, 2022: can employees secretly record workplace conversations?
https://techgdpr.com/blog/weekly-digest-14032022-can-employees-secretly-record-workplace-conversations/
Mon, 14 Mar 2022 11:44:10 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: workplace conversations, use of the cloud

The Latvian data protection authority suggested when an employee could secretly record a conversation in the workplace to protect their interests, IAPP News reports. The regulator concluded that employees can secretly audio record their employer if it is the only way to collect evidence of illegality (eg, mobbing, bossing, illegal activities at the workplace). However, some data protection regulations are applicable because a person’s recorded voice still constitutes personal data. It suggests:

  • submit recordings as evidence to the state labor Inspectorate, the police, or a court;
  • avoid publishing it to social networks or otherwise make a voice recording publicly available, including distribution within a team;
  • when audio is transferred to law enforcement, the recording cannot be excessive, unrelated segments must be deleted;
  • the information disclosed in a secret recording must also outweigh an individual’s right to data protection. 

The Danish data protection authority Datatilsynet has published guidance on the use of the Cloud, (available in English). The guide contains 14 practical examples with explanations. It is targeted primarily at organizations, (data controllers), that would like to start using one or more cloud service(s) and attempts to address the relevant elements of data protection law. However, many of the issues addressed in this guidance apply equally to most other IT service delivery models. A large number of cloud services are usually provided as standardized services where each organization as a customer has limited possibilities to tailor the service in question. Parts of the guide are therefore simultaneously addressed to cloud service providers, (CSP), who can learn more about how they can provide their services in accordance with data protection law. The main steps for data protection when using cloud services include: a) know your services, (data protection and security risk assessments), b) know your supplier, (screening, data processing agreements), and c) audit the CSP and sub-processors.

The guide also evaluates transfers to third countries. In this context, companies should be aware that if their European CSP as a processor complies with a request from law enforcement authorities in a third country, it is considered a personal data breach on part of the controller as unauthorized disclosure of personal data to the concerned law enforcement authority will have occurred. However, this question of an appropriate level of security of processing is limited only to cases where the use of the CSP does not otherwise involve any intended transfers of personal data to third countries, including in relation to the provider’s servicing of its infrastructure, the provider’s provision of support of your cloud service, the provider’s access to its infrastructure for the purposes of capacity planning, etc.

Legal processes and redress: EU sanctions & whistleblowing, employee’s image rights, rules on AI

The European Commission launched a whistleblower tool to facilitate reporting of possible sanctions violations. This is a secure online platform, which whistleblowers from around the world can use to anonymously report EU sanctions violations. This information can relate to:

  • facts concerning sanctions violations, their circumstances, and the individuals, companies, and third countries involved, 
  • facts that are not publicly known but are known to you and can cover past, ongoing, or planned sanctions violations, as well as attempts to circumvent EU sanctions.

The EU has more than 40 sanctions regimes in place and their effectiveness relies on their proper implementation and enforcement regarding:

  • arms embargoes,
  • restrictions on admission, (travel bans), 
  • asset freezes,
  • other economic measures such as restrictions on imports and exports. 

The Commission is committed to protecting the identity of whistleblowers who take personal risks to report sanctions violations. If it considers that the whistleblower information it received is credible, it will share the anonymized report and any additional information gathered during the internal inquiry into the case with the national competent authorities in the relevant Member State(s). Access to the whistleblower tool is available here.

An employee can obtain damages simply because the employer delayed removing, upon request, a group photo including him from the company’s website, an L&EGlobal blog post reports. In its recent decision, the French Court of Cassation ruled that “the mere fact that an employee’s image rights have been infringed when he or she objects to the publication of his or her image gives rise to a right to compensation, without the employee having to prove any prejudice.” Other findings of the case were:

  • every citizen, every employee, has a right to the protection of his or her image, (Art. 9 of the French Civil Code);
  • the employee’s agreement must be obtained before any photo-taking, reproduction, or use, whatever the final medium of this image, (intranet, company newspaper, internet site, promotional video, etc.);
  • the agreement must be in writing and as precise as possible, indicating the purpose, the medium used, and its duration;
  • the employee’s silence does not constitute tacit consent.

The Irish Council for Civil Liberties, the ICCL, informed the European Commission and co-legislators of two errors in the proposal for harmonized rules on Artificial Intelligence in the EU, Data Guidance reports. In particular:

  • A technically inaccurate reference to “validation and testing data sets” accidentally puts most machine learning techniques out of scope, (eg, important AI techniques such as unsupervised and reinforcement learning do not rely on validation and testing data sets).
  • The text incorrectly relies on accuracy metrics, which cannot on their own yield adequate reporting about AI systems’ performance, (eg, AI systems based on unsupervised learning and reinforcement learning use other performance metrics, not accuracy. One of the performance metrics used in reinforcement learning is its reliability).

The two errors are unintended and can easily be corrected. However failing to correct these errors will put health, safety, and fundamental rights at risk, (eg, for cancer diagnosis, it is important that the AI system has fewer false negatives than false positives, as false negatives can be fatal while false positives cause inconvenience). The technical errors are available here, and the AI Act proposal is here.

Investigations and enforcement actions: ex-employees unauthorized access, Clearview AI ban in Italy, video surveillance footage on social media

The EDPB continues to analyze some important recent data breaches within the EU at the request of national regulators. This week it looked at the ‘Santander Bank Polska’ case and levied an administrative fine of 120,000 euros. The controller reported a data breach when it was established that a former employee of the bank, despite the termination of their employment contract, had unauthorized access to the controller’s profile, (on the Electronic Services Platform of the Social Insurance Institution), containing the bank employees’ data. The Polish regulator concluded that a breach of data confidentiality occurred, which simultaneously involved a high risk to the rights or freedoms of the data subjects. Here are some findings from the case:

  • The bank posted a message on the internal communication platform, but it was general and did not refer to a specific case.
  • It was addressed only to those employed at the time of notification, which could leave many data subjects unaware.
  • There was a high risk to the rights or freedoms of the data subjects and the controller should have communicated the incident to them, (all employees of the bank who were employed during the period when the former employee of the controller had unauthorized access to the data on the platform).

Meanwhile, the Italian supervisory authority ‘Garante’ imposed a fine amounting to 20 million euros on Clearview AI Inc for multiple violations of the GDPR. The regulator launched its own proceedings following press reports in connection with facial recognition products which were offered by Clearview AI. Moreover, in 2021 ‘Garante’ received complaints and alerts against Clearview from organizations that are active in the field of protecting the privacy and the fundamental rights of individuals. The personal data held by the company, including biometric and geolocation information, was processed unlawfully without an appropriate legal basis. The company also infringed several fundamental principles of the GDPR, such as transparency, purpose limitation, and storage limitation.

‘Garante’ imposed a ban on further collection and processing, ordered the erasure of the data, including biometric data, processed by Clearview’s facial recognition system with regard to persons in the Italian territory, and the designation of a representative in the EU. It’s the strongest enforcement yet from a European privacy regulator, following prohibiting decisions by UK’s ICO and France’s CNIL last year. However, whether Italy will be able to collect the penalty from Clearview, a US-based entity, is one rather salient question, TechCrunch analysis suggests.

The Croatian supervisory authority AZOP fined a retail chain company 90,000 euros for failure to take appropriate technical and organizational measures (TOMs) for the processing of personal data, Data Guidance reports. AZOP received a report of alleged personal data violations at the company, stating that employees of the company, without authorization and contrary to internal acts and instructions, recorded video surveillance footage with their mobile devices and published it on social networks and in the media. AZOP found that:

  • the company did not take adequate actions to prevent its employees from taking video surveillance images using their mobile devices;
  • the company took certain organizational measures, such as employee education and adoption of internal acts, but did not take appropriate technical security measures that could reduce the risk of a similar violation, neither before nor after an incident;
  • the company did not regularly monitor the implementation of TOMs aimed at ensuring the confidentiality, integrity, and availability of personal data;
  • the company failed to regularly test, evaluate, and determine the effectiveness of TOMs to ensure the security of video surveillance.

Big Tech: TikTok child privacy class action, cybersecurity firms booming, Twitter Tor version

A class-action lawsuit against TikTok originally initiated by a 12-year-old girl has been granted permission to proceed by the UK High Court. At its heart is the claim the Chinese social networking giant processes children’s personal data unlawfully. The suit seeks damages in the name of millions of children, potentially exposing TikTok to billions in fines. TikTok contests the case and insists it has high-security standards across its platform.

With software security expected to be a booming market, more than doubling in value to 350 billion dollars by 2026, Alphabet Inc’s Google has snapped up Mandiant Inc. for 5.4 billion. The cybersecurity firm has become a reference for companies investigating cyberattacks, and Microsoft was also in the running to buy the company. Analysts say all the big cloud firms will be looking to buy cybersecurity companies, as cyberattacks have spiked with home working, and the Russia – Ukraine war is also driving the market for security software.

In what has been described as a tectonic shift at Twitter the company is launching a Tor onion version of its site, with the clear aim of ensuring privacy and avoiding censorship. Software engineer Alec Muffett said, “It’s a commitment from the platform to dealing with people who use Tor in an equitable fashion.” The Tor network will now also feature as a supported browser on Twitter. Unlike accessing Twitter via Tor, the new service is designed specifically for it and adds layers of protection.

Weekly digest December 6 – 12, 2021: whistleblowers, gig-workers, cookiebots, software flows, DPIA for AI
https://techgdpr.com/blog/weekly-digest-13122021-whistleblowers-data-protection-gig-workers-cookiebots-software-flaws-dpia-for-ai/
Mon, 13 Dec 2021 09:52:31 +0000
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU Whistleblowing Directive is due to be implemented into national law by 17 December. It requires all EU Member States to implement legislation obliging all companies with 50 or more workers to put in place appropriate reporting channels to enable those workers to report breaches of EU law and ensure that those making whistleblowing reports are legally protected against retaliation for having done so. Also, businesses with operations across the EU need to monitor implementation and understand local requirements by the data protection authorities, as there will be variations between jurisdictions, (see the implementation tracker country by country from Bird & Bird LLP). Key areas to address will be ensuring that: 

  • reports are handled by the correct people, in accordance with prescribed timescales and with appropriate security and confidentiality;
  • required information is given to the whistleblower and to the person investigated;
  • there is guidance and training in place to ensure non-retaliation; and 
  • there are appropriate retention periods for reports and investigation data. 

How this could be implemented in practice (a German example is provided), involving works councils, internal codes of conduct, reporting options and controls, is set out in an article by Ius Laboris lawyers.

Uber, Deliveroo and a dozen other two-sided online platforms could be hit by draft EU rules for gig workers. They may have to reclassify some of their workers as employees under a new proposal from the EU Commission meant to boost their social rights. The rules apply to ride-hailing, food delivery apps, etc, and require companies to provide information to employees on how their algorithms are used to monitor and evaluate them, as well as to allocate tasks and set fees. Employees can also demand compensation for breaches, Reuters reports. The rules place the burden on online platforms to provide evidence that these regulations do not apply to them. Workers can also challenge their reclassification either via an administrative process or in a court. The draft rules will need to be thrashed out with EU member states and EU lawmakers before they can be adopted, with the Commission estimating a 2025 time frame.

In Germany, the administrative court of Wiesbaden issued a preliminary decision prohibiting RheinMain University from using Cybot A/S’s consent management platform Cookiebot by Usercentrics, DataGuidance reports. In particular, the court found that:

  • the Cookiebot CMP transfers the complete IP address of the end user to the servers of a cloud company headquartered in the US;
  • the end user was identifiable from the combination of a key stored in the user's browser, which identified the website visitor, and the transferred full IP address; and
  • this constituted a transfer of personal data to a third country, which the court held to be impermissible in light of the CJEU's "Schrems II" judgment.

Even if the server in question is located in the EU, the US parent group has access to it, so the US CLOUD Act, which gives US authorities broad powers to demand data, applies. Finally, the university did not ask users for consent to the data transfer, did not inform them of the risks arising from the CLOUD Act, and the transfer was not necessary for the operation of the university's website.

Official guidance

In Austria, a newly approved Code of Conduct, (available in German only), establishes more legal security for insurance brokers and consultants. In particular, the document, (approved by the data protection authority in accordance with Art.40 of the GDPR), finally clarifies the legal status of the insurance broker as the data controller, who acts independently in the interests of the customer and is not subject to any data protection instructions from an insurance company. In addition, there is now clarity about the justification for data processing with regard to “simple” and “special” categories of personal data. An advantage for all those who want to officially adhere to the Code of Conduct is an objective external monitoring body entrusted with checking compliance.

Data breaches, investigations and enforcement actions

The Dutch data protection authority, AP, imposed a fine of 2.75 mln euros on the tax authorities. For years the tax administration processed the dual nationality of applicants for childcare allowance in an unlawful, discriminatory and improper manner. The dual nationality of Dutch nationals plays no role in assessing an application for childcare allowance, yet the tax administration kept and used this information. In addition, the tax authorities used applicants' nationality as an indicator in a system to combat organised crime that automatically designated certain applications as high-risk. The data was not necessary for those purposes, and under the GDPR's data minimisation principle the administration should have deleted it. In 2018 the tax administration stopped using these indicators, and by 2020 the dual nationalities of Dutch people were completely removed from its systems.

The UK Information Commissioner's Office, the ICO, hit broadband ISP and TV operator Virgin Media with a 50,000 pound fine after it sent nearly half a million direct marketing emails to people who had previously opted out. In August 2020 the regulator received a complaint from one of the operator's customers about the unsolicited email. The message took the form of a price notification and attempted to get the customer to opt back into marketing communications. Just one customer complained to the ICO about the spam, but that was enough to prompt an investigation. Even though 6,500 customers decided to opt back into receiving marketing emails as a result of the mailshot, the ICO said this did not excuse the breach of the UK Privacy and Electronic Communications Regulations (PECR). "The fact that Virgin Media had the potential for financial gain from its breach of the regulation, (by signing up more clients to direct marketing), is an aggravating factor", the ICO stated.

The Norwegian data protection authority, Datatilsynet, has fined the Government Pension Fund (SPK) 99,000 euros. SPK collected unnecessary income information about approximately 24,000 people. It had obtained income information from the tax administration since 2016, through a predefined data set supplied by the tax authority, and itself discovered that part of that information should not have been collected because it was not necessary for the post-settlement of disability benefits. Until 2019, SPK had no routines for reviewing and deleting the surplus information, in breach of the basic principles for processing personal data, including special categories of personal data.

Artificial Intelligence

More and more companies will become engaged in developing and building AI systems, and in using AI systems that are already deployed. Potentially all companies will therefore need to deal with the underlying legal issues to ensure accountability for AI systems sooner or later, says an analysis by Bird & Bird LLP. One of these accountability requirements will often be the need to conduct a Data Protection Impact Assessment. DPIAs for AI systems differ from assessments of the development and deployment of ordinary software because of peculiarities in the nature of AI systems and how they work. The main points to consider are:

  • Distinguishing between DPIAs for AI system development/enhancement (eg, training the algorithm) and for AI system deployment for productive use (eg, CVs of candidates are rejected based on the historical data fed into an algorithm).
  • Taking a precise, technology-neutral approach to catching the essential characteristics of AI, (eg, systems with the goal of resembling intelligent behaviour by using methods of reasoning, learning, perception, prediction, planning or control).

The most important aspects of DPIAs for AI system development/enhancement should include: controllership, purpose limitation, purpose alteration, necessity, statistical accuracy, data minimisation, transparency, individual rights, and a data security risk assessment. Data controllers (providers of the AI system or the customers that deployed it) may also voluntarily decide to conduct DPIAs as an appropriate measure to strengthen their accountability and safeguard data subjects' rights. This may ultimately also help to win customer trust and maintain a competitive edge.

Opinion

The Guardian publishes thoughts by a former co-leader of Google’s Ethical AI team Timnit Gebru:

"When people ask what regulations need to be in place to safeguard us from the unsafe uses of AI we've been seeing, I always start with labor protections and antitrust measures. I can tell that some people find that answer disappointing – perhaps because they expect me to mention regulations specific to the technology itself." In her opinion, the incentive structure must be changed to prioritize citizens' well-being. To achieve that, "an independent source of government funding to nourish independent AI research institutes is needed, that can be alternatives to the hugely concentrated power of a few large tech companies and the elite universities closely intertwined with them."

Individual rights

Monitoring of workers' personal data via entrance control systems is featured by the Social Europe website. For tracking entry to and exit from the workplace and ensuring its safety, electronic control systems that hold only limited and non-sensitive data about workers comply better with the legal instruments than biometric systems do. Biometric entrance-control systems should therefore be a last resort, limited to access to exceptional areas that require high security or to areas where highly confidential information is kept. As the article sums up, the EU's GDPR does not directly regulate the monitoring of workers by electronic and biometric entrance-control systems. Provisions on such monitoring can be found in specific national legislation, but also in the Council of Europe's Recommendation CM/Rec(2015)5 on the processing of personal data in the context of employment, and in Opinion 2/2017 of the Article 29 Working Party.

Data security

How do SIM swapping attacks work and what can you do to protect yourself? The European Union Agency for Cybersecurity, ENISA, has taken a technical deep dive into the subject. Since 2017 such attacks have usually targeted banking transactions, but not exclusively: attackers also go after cryptocurrency holders, social media and email accounts. In a SIM swapping attack, the attacker convinces the telecom provider to carry out a SIM swap using social engineering techniques, pretending to be the real customer and claiming, for example, that the original SIM card is damaged or lost. Once the victim's number is routed to the attacker's SIM, any SMS one-time codes and password-reset messages sent to that number reach the attacker instead. Specific circumstances may open the opportunity for attackers, such as:

  • Weak customer authentication processes;
  • Negligence or lack of cyber training or hygiene;
  • Lack of risk awareness.

More information for the public is available in the ENISA Leaflet “How to Avoid SIM-Swapping”.

How long would it take a computer to crack your exact password? The latest chart by the Statista website illustrates that a password of 8 lower-case letters allows 209 billion possible combinations, yet a computer can brute-force it almost instantly. Adding one upper-case letter dramatically changes the picture, extending the time to 22 minutes. Having a long mix of upper and lower case letters, symbols and numbers is the best way to make your password more secure: a 12-character password containing at least one upper-case letter, one symbol and one number would take 34,000 years to crack. Figures of this kind assume an offline brute-force attack against a fast hash with particular hardware; slow password hashing, rate limiting on online logins, and dictionary or pattern-based attacks all change the numbers considerably.
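The arithmetic behind charts like the one above is keyspace (alphabet size to the power of the length) divided by the attacker's guess rate. The following Python is an added example, not code from the page or from Statista, and its guess rates and the 32-symbol count are labelled assumptions chosen for illustration; it also shows the pattern-based caveat, where a password that looks like "11 characters, three classes" is really a wordlist entry plus a few digits and a symbol.

```python
"""Brute-force keyspace and time-to-crack estimates for password policies.

Added example. All rates are stated assumptions, not figures from the chart.
"""

# Size of each character class. The 32-symbol count is an assumption
# (printable ASCII punctuation); published charts differ on this.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

# Assumed offline guess rates (guesses/second) for one GPU rig. Illustrative
# order-of-magnitude assumptions only, not measurements.
ASSUMED_RATES = {
    "md5": 4e10,           # fast, unsalted hash: what most "crack time" charts assume
    "sha256": 1e10,
    "bcrypt_cost12": 1e4,  # deliberately slow password hash
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classes_in(password: str) -> set:
    """Which character classes a password actually uses."""
    found = set()
    for ch in password:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("symbol")
    return found


def keyspace(length: int, classes: set) -> int:
    """Number of candidates an exhaustive search over these classes must consider."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def seconds_to_crack(length: int, classes: set, rate: float, average: bool = False) -> float:
    """Worst-case time to exhaust the keyspace (or the expected time, i.e. half of it)."""
    guesses = keyspace(length, classes)
    if average:
        guesses /= 2
    return guesses / rate


def human_time(seconds: float) -> str:
    """Round a duration the way the charts do."""
    if seconds < 1:
        return "instantly"
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86400:.0f} days"
    return f"{years:,.0f} years"


def pattern_keyspace(dictionary_size: int, digits: int, symbols: int) -> int:
    """Effective keyspace of the common 'word + digits + symbol' construction.

    An attacker iterates a wordlist (lower-case and capitalised: factor 2),
    appends digits and symbols, and never touches the full alphabet^length
    space. Assumption: the word is in the attacker's wordlist.
    """
    return dictionary_size * 2 * (10 ** digits) * (CLASS_SIZES["symbol"] ** symbols)


if __name__ == "__main__":
    for pw in ["password", "Password", "Tr0ub4dor&3x"]:
        for name, rate in ASSUMED_RATES.items():
            secs = seconds_to_crack(len(pw), classes_in(pw), rate)
            print(f"{pw:14} {name:14} {human_time(secs)}")
    # "Summer2021!" is 11 chars / 3 classes on paper, but a 100k-word list
    # with 4 digits and 1 symbol is a far smaller search (constructed figure).
    print("pattern attack:", human_time(pattern_keyspace(100_000, 4, 1) / ASSUMED_RATES["md5"]))
```

Note that the chart's "instantly" and "34,000 years" are only comparable with each other if the same hash and hardware are assumed throughout; against bcrypt at the assumed rate the 8-lower-case case already takes months, and against a wordlist the 11-character pattern falls in seconds.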

Big Tech

Twitter is reviewing a controversial policy that penalises users who share images of other people without their consent, The Guardian reports. The company has launched an internal review of the policy after making several errors in its enforcement. The platform now allows users to report other users who tweet "private media that is not available elsewhere online as a tool to harass, intimidate, and reveal the identities of individuals". If a review concludes the complaint has merit and the image was not used for a journalistic or public interest purpose, the accounts are deactivated. Some activists say the broad nature of the new rules makes them ineffective and ripe for abuse against the most vulnerable groups, while some reporters, photographers and journalists are concerned that the rules ignore the lack of a reasonable expectation of privacy in public spaces and would undermine "the ability to report newsworthy events by creating nonexistent privacy rights".

A Virginia federal court granted Microsoft’s request to seize 42 US-based websites run by a Chinese hacking group, IAPP reports. Microsoft, which has been tracking the hacker group known as Nickel since 2016, is redirecting the websites’ traffic to secure Microsoft servers to “protect existing and future victims.” Microsoft’s Corporate VP of Customer Security and Trust said Nickel targeted organizations in 29 countries, using collected data “for intelligence gathering from government agencies, think tanks, universities and human rights organizations.”

Several Amazon services, including its website, Prime Video and applications that use Amazon Web Services (AWS), went down last week for thousands of users in the US and EU. Amazon's Ring security cameras, the mobile banking app Chime and robot vacuum cleaner maker iRobot were also facing difficulties. Amazon said the outage was probably due to problems with application programming interfaces (APIs), the protocols through which software components talk to each other. The huge trail of damage from a network problem in a single region, "US-EAST-1", underscored how difficult it is for companies to spread their cloud computing around, Reuters reports. With 24% of the overall market, according to research firm IDC, Amazon is the world's biggest cloud computing firm. Rivals like Microsoft, Alphabet's Google and Oracle are trying to lure AWS customers to use parts of their clouds, often as a backup.

Russia blocks popular privacy service Tor, ratcheting up internet control, Reuters reports. Russia has exerted increasing pressure on foreign tech companies this year over content shared on their platforms and has also targeted virtual private networks, (VPN), and other online tools. The Tor anonymity network is used to hide computer IP addresses to conceal the identity of an internet user. Tor also allows users to access the so-called “dark web”. Tor, which says its mission is to advance human rights and freedoms, has more than 300,000 users in Russia, or 14% of all daily users, second only to the US.

A recently uncovered software flaw could be the "most critical vulnerability of the last decade", the Guardian reports. The flaw, dubbed Log4Shell (CVE-2021-44228), is in Log4j 2, an open-source logging library from the Apache Software Foundation that is ubiquitous in websites and web services. It was reported to Apache by Alibaba's cloud security team on 24 November and disclosed by Apache on 9 December. It allows remote code execution without any credentials: if an attacker can get a crafted lookup string such as "${jndi:ldap://...}" written into a log, for example via an HTTP header or form field, the vulnerable server fetches and runs attacker-supplied code. The library is standard kit for cloud servers and enterprise software across business and government, and few computer skills are needed to steal or destroy data or install malware by exploiting the bug. It will be days before the full extent of the damage is known.

The post Weekly digest December 6 – 12, 2021: whistleblowers, gig-workers, cookiebots, software flows, DPIA for AI appeared first on TechGDPR.
