GDPR Analysis Archives - TechGDPR (https://techgdpr.com/blog/tag/gdpr-analysis/)

Ethical AI: How Data Officers Craft Policies for Fairness, Accountability, and Transparency
https://techgdpr.com/blog/ethical-ai-how-data-officers-craft-policies-for-fairness-accountability-and-transparency/
Wed, 16 Oct 2024
The use of artificial intelligence (AI) is now pervasive, and many organizations are attempting to develop their own AI systems. The EU AI Act was recently passed, in August 2024, after years of discussion between the European Commission and Parliament, and it now regulates the use and development of AI systems in the EU. The Act is concerned with ensuring responsible and ethical AI usage and development. TechGDPR’s new Data Officer service can help with compliance with all relevant regulations, including the EU AI Act, and can assess whether the EU AI Act applies to your use case. Through the drafting of AI policies, a Data Officer can help achieve fairness, accountability, and transparency for your AI usage or development.

The EU AI Act 

The EU AI Act is one of the first laws in the world designed to regulate AI, setting rules to ensure AI systems are safe, ethical, and respect human rights. It classifies AI systems into four risk categories, from minimal risk to high risk. The stricter the category, the more oversight and compliance are required. The AI Act also sets out uses of AI that are prohibited within the EU. Chapter 2, Article 5 of the EU AI Act prohibits the following uses of AI:

  • Using manipulative techniques to distort behavior and impair informed decision-making, causing significant harm;
  • Exploiting vulnerabilities related to age, disability, or socio-economic status to distort behavior, causing significant harm;
  • Inferring sensitive attributes (e.g., race, political opinions, sexual orientation) through biometric categorization, except for lawful purposes;
  • Social scoring that leads to detrimental treatment based on social behavior or personal traits;
  • Assessing criminal risk solely based on profiling or personality traits, unless supporting human assessments based on objective facts;
  • Compiling facial recognition databases by scraping images from the internet or CCTV footage;
  • Inferring emotions in workplaces or educational institutions, except for medical or safety reasons; and
  • ‘Real-time’ remote biometric identification in public spaces for law enforcement, with exceptions for serious cases like missing persons or imminent threats.

There are also special considerations and requirements for the development or use of high-risk AI systems, which are classified as such in Chapter 3 of the EU AI Act; these may make a risk management system necessary. Risk management systems are frameworks for identifying, mitigating, and managing AI-related risks, especially regarding discrimination and data breaches.

Lastly, the providers of General Purpose AI systems (GPAI) are subject to special requirements under Chapter 5.

Important Principles for Ethical AI Policies to Address

When developing ethical AI, it is important to emphasize fairness, accountability and transparency. This matters not only in the development of AI systems but also in their use. In essence, ethical AI is about ensuring that as AI technology advances, it does so in a way that respects human dignity, promotes fairness, and fosters trust, ultimately contributing to the well-being of individuals and society as a whole.

Fairness

The primary objective of a fairness policy is to eliminate algorithmic bias and ensure that AI decision-making processes treat all individuals equitably. An AI policy should include comprehensive protocols such as fairness assessments, regular bias audits, and data diversity requirements during the training phases of AI systems. By mandating AI fairness testing before deployment and continuously monitoring systems for potential biases, organizations can proactively address and mitigate any unfair treatment. For instance, consider the case of Amazon’s AI recruitment tool, which was found to exhibit bias in hiring practices against women; this highlighted the necessity of implementing bias mitigation policies in AI-driven recruitment processes to ensure equitable outcomes.

Accountability

Establishing clear lines of responsibility for AI decision-making is crucial to ensuring human oversight and accountability. An AI policy should address the issue of accountability by defining specific roles and responsibilities within the organization for the oversight of AI systems. This includes establishing audit trails to track decisions and requiring regular reviews of AI outputs to ensure accountability. As Data Officers, TechGDPR can help in the development of these policies. Since the role of Data Officer involves data governance, we can help ensure oversight for your organization to maintain control over AI systems and understand their impact on decision-making processes.

Transparency

Transparency in AI systems is essential for building trust among users and complying with regulatory demands. The principle of transparency is also set out in Art. 12 GDPR. An AI policy should be transparent and include protocols that mandate the use of explainable AI models, thorough documentation of decision-making processes, and clear disclosures in privacy notices regarding AI-driven data usage. A good AI policy should require organizations to provide stakeholders with comprehensible explanations for AI-driven decisions, ensuring that the operations of AI systems are understandable to both users and regulators. Organizations that adopt explainable AI frameworks such as the OECD Transparency and Explainability Principle, for example, can better maintain transparency and meet regulatory requirements, fostering trust and accountability in their AI applications.

The Role of Data Officers in Ethical AI Policy Creation

Data Officer is a new service provided by TechGDPR through which we can help with AI compliance while also serving as a Data Protection Officer, a role which the GDPR can mandate. Instead of having multiple people fill these roles, a single Data Officer can navigate everything for your peace of mind. It is not a traditional privacy or AI compliance role, but this innovative role can relieve the stress of navigating multiple regulations, including the still very new AI Act.

Conclusion

In conclusion, as AI continues to permeate various industries, ensuring its ethical use is paramount. The EU AI Act lays out new legal requirements for AI systems, and multiple frameworks, including the OECD principles, emphasize the need for fairness, accountability, and transparency, which can be achieved through the creation of AI policies. Organizations must not only comply with these regulations but also proactively adopt ethical AI practices to build trust and mitigate risks.

TechGDPR’s Data Officer service offers a comprehensive solution, integrating AI compliance with data protection and privacy governance. By crafting and implementing tailored AI policies, a Data Officer can ensure that your organization’s AI systems are not only legally compliant but also ethically sound, fostering a responsible approach to AI development and usage. As the landscape of AI regulation evolves, partnering with a Data Officer will be crucial in navigating these complexities and maintaining your organization’s commitment to ethical AI.

Data protection & privacy digest 4 – 17 March 2023: position of DPOs, user behavior analysis, creditworthiness and profiling
https://techgdpr.com/blog/data-protection-digest-20032023-position-of-dpos-user-behavior-analysis-creditworthiness-and-profiling/
Mon, 20 Mar 2023
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

DPOs enforcement action: The EDPB launches coordinated enforcement action on the designation and position of data protection officers. DPOs across the EU will be sent questionnaires, with the possibility of further formal investigations and follow-ups. According to the Portuguese data protection agency, it will ask DPOs to participate in the action voluntarily, and they do not have to identify themselves or the organisation concerned. The Spanish privacy regulator says it will analyse the practices of tens of thousands of public and private sector entities (education, banking, health, security, financial solvency, etc.).

The questions will relate, among other things, to the designation, knowledge, and experience of the data protection officers, their tasks, and their resources. Special attention will be paid to the independent and effective performance of the DPO’s tasks and to possible conflicts of interest (where they exercise additional functions as compliance officers, IT managers, etc.), explains the Bavarian data protection supervisor. The requirement for DPOs to report directly to the highest management level of the controller or processor, and their operating conditions (based on organisational charts, annual reports, etc.), will also be checked.

UK Data Protection reform resumes: The Data Protection and Digital Information Bill was reintroduced in the House of Commons. Following a rapid change in the UK government last summer, the reading of the old document did not occur as expected. Much of the new bill is the same as the withdrawn one. The new document also followed a detailed co-design process with industry, business, privacy, and consumer groups. It would reduce burdens on companies and researchers and boost the economy by 4.7 billion pounds over the next decade. The research briefing on the draft reform bill is available here.

Creditworthiness and profiling risks: The CJEU’s Advocate General suggests that the automated establishment of a person’s ability to service a loan constitutes profiling under the GDPR. In the related case, a German company governed by private law (SCHUFA) provided a credit institution with a score for the citizen in question, which served as the basis for a refusal to grant credit. The citizen requested that SCHUFA erase the entry concerning her and grant her access to the corresponding data. SCHUFA merely informed her of the relevant score and of the principles underlying the calculation method, without informing her of the specific data included, arguing that the calculation method is a trade secret. Other related cases concerned the lawfulness of the storage, by credit information agencies, of citizen data from public registers (on discharge from remaining debts).

Official guidance

Data subject access rights: The Latvian data protection agency DVI explains what the right to access your data means. Every natural person has the right to obtain accurate information about their data (or a copy of it) held by an organisation. For example, a person took part in a job interview and did not pass the applicant selection rounds. To find out whether the company has stored personal data, the person can contact the company and ask, and if so, demand an explanation of the purpose for which it is processed. The individual must first contact the organisation using the communication channels or methods specified in the privacy policy. The request should be as clear as possible, and include:

  • identifying information of the requester (the organisation may request additional information so that the person can be identified correctly);
  • an indication whether the information is desired for all data or for a specific case;
  • an indication of the period for which information is to be provided;
  • precise requests referring to all or any of the above questions.

The organisation may refuse the request if it has already been answered, is disproportionately large or unidentified, or the information is covered by other regulatory acts. But if the organisation does not respond to the request within a month and does not provide the information (or the reasons for refusal), the person has the right to file a complaint with the data protection authority.

Dematerialised receipts: The French privacy regulator CNIL looked at dematerialised receipts that merchants can offer you in place of traditional printed ones. You must still have the choice of whether or not to receive one (via email or SMS), as dematerialisation is not provided for by law. Dematerialised receipts allow the merchant to collect and reuse your data for advertising, but they must respect your rights by asking for your consent or by allowing you to opt out. If a merchant offers retrieval of your receipt by scanning a QR code with your smartphone, only the technical data necessary to establish the connection between the devices should be collected. Finally, the creation of a loyalty or online account is not mandatory to obtain your receipt.

User and Entity Behavior Analysis: UEBA techniques have a multitude of applications that always have something in common: recording user behavior in the past, modeling this behavior in the present, and, if possible, predicting what it will be like in the future. According to the Spanish privacy regulator AEPD, the techniques used online collect massive amounts of data and almost always apply machine learning or AI. Users are always people; entities can be animals, vehicles, mobile devices, sensors, etc. How these techniques are applied depends on the specific application domain, since it may be of interest to analyse the individual behavior of people or their behavior from a social perspective, in three main domains:

  • service and marketing optimisation; 
  • cybersecurity; 
  • health and safety.

When personal data is processed, the principles established in the GDPR are mandatory, including transparency, data minimisation, and purpose limitation. But in many cases, users are not informed about the types of techniques being used, the depth of the processing, the scope of data sharing, or the potential impact that a data breach may have.

Algorithmic fairness: The UK privacy regulator ICO decided to update its guidance to help organisations adopt new technologies while protecting people and vulnerable groups. New content was added on AI and inferences, affinity groups, special category data, as well as things to consider as part of your DPIA. The updated guidance explains the differences between fairness, algorithmic fairness, bias, and discrimination. It also explains the different sources of bias that can lead to unfairness and possible mitigation measures. There is a new section about data protection fairness considerations across the AI lifecycle, from problem formulation to decommissioning. Technical terms are also explained in the updated glossary.

Enforcement decisions

Irish queries: The Irish data protection authority DPC in its 2022 report stated that the most frequent GDPR topics for queries and complaints were: access requests, fair-processing, disclosure, direct marketing, and right to be forgotten, (delisting and/or removal requests). At the same time, breach notifications were down 12% on 2021 figures. The most frequent cause of breaches reported arose as a result of correspondence inadvertently being misdirected to the wrong recipients, at 62% of the overall total. Where possible the DPC endeavored to resolve individual complaints informally – as provided for in the Data Protection Act 2018. Overall, the DPC concluded 10,008 cases in 2022 of which 3,133 were resolved through formal complaint handling. 

Medical research data: The French privacy regulator CNIL reminds two medical research organisations of their legal obligations – to carry out a data protection impact assessment and to properly inform individuals. Health research must be authorised by the CNIL or comply with a reference methodology. These methodologies require a DPIA to be carried out before starting the research. A single analysis may cover a set of processing operations that present similar risks (e.g. similar projects using the same IT tools).

Information notices provided by the two organisations also did not specify the nature of the information collected or its retention period, contact details of the data protection officer or the procedures for appealing to the CNIL. Finally, an information notice stated that the data was anonymised, which was not the case since the identity of the patients was only replaced by a three-digit “patient number” and a “patient code” composed of two letters corresponding to the first initial of the name and surname of the person concerned.

Political affiliation data: In Romania, a political party was fined following a data breach notification. Data stored on an operator’s server hosting an application was compromised through a phishing attack. It was found that the operator had not implemented adequate technical and organisational measures to ensure an appropriate level of security, such as encryption or pseudonymisation of the stored personal data, which led to a loss of confidentiality through unauthorised access to and use of personal data such as name, surname, personal number code, e-mail, telephone number, and political affiliation data.

Non-conformant data breach notice: The Norwegian data protection authority Datatilsynet imposed a fine of approx. 220,000 euros on the US company Argon Medical Devices for breaching the GDPR. In July 2021, Argon discovered a security breach that affected the personal data of all their European employees, including in Norway. Argon believed that they did not need to report the security breach until after they had a complete overview of the incident and all its consequences. The US company sent a notice to the Norwegian regulator only in September 2021, long after the 72-hour deadline for reporting a breach under Art. 33 of the GDPR. The security breach concerned personal data that could be used for fraud and identity theft.

Data Security

PETs: The OECD offers guidance on emerging privacy-enhancing technologies – digital solutions that allow information to be collected, processed, analysed, and shared while protecting data confidentiality and privacy. This often includes zero-knowledge proofs, differential privacy, synthetic data, anonymisation, and pseudonymisation tools, as well as homomorphic encryption, multi-party computation, federated learning, and personal data stores. However, the majority of these tools lack standalone applications, have limited use cases, and are still in the early stages of development.

Big Tech

Meta and Dutch users: Facebook Ireland acted unlawfully when processing the personal data of Dutch users, states an Amsterdam court. Between 2010 and 2020, users’ personal information was processed illegally for marketing purposes. Additionally, it was distributed to third parties devoid of legal justification and without properly informing users about it. Also, consent was not obtained before processing sensitive personal data for advertising purposes, such as sexual orientation or religion. This concerned both information voluntarily provided by users and information that Facebook Ireland collected by observing users’ online browsing patterns outside the Facebook service. 

Meta tracking tools: According to the Austrian data protection authority DSB, the use of Facebook’s tracking tools (Login and Meta Pixel) is a violation of both the GDPR and the “Schrems II” ruling. As a result of US surveillance laws requiring companies, like Facebook, to disclose users’ information to the authorities, the CJEU determined in 2020 that using US providers violates the GDPR.  According to the NOYB foundation, which launched the complaint, numerous websites track users using Meta tracking technology to display personalised ads. Websites using this technology also send all user data to US multinationals. And while the EU-US Data Privacy Framework is waiting for approval from the European Commission, the US government continues bulk surveillance of EU users. 

Meta’s WhatsApp settlement in the EU: The European Commission and the European network of consumer authorities have closed their investigation into Meta’s messaging app WhatsApp following a complaint made by the BEUC, (the European Consumer Organisation). WhatsApp has committed to better explain the policy changes it intends to make and to give users a possibility to reject them as easily as to accept them. Unfortunately, this will only apply to future changes to the app. However, the complaint identified multiple breaches of consumer and data subject rights since 2021 including aggressive commercial practices, and unclear and misleading terms of use and notices to its users. 

Data protection & privacy digest 12 – 24 October 2022: first GDPR certification seal, test databases, password management
https://techgdpr.com/blog/data-protection-digest-25102022-first-gdpr-certification-seal-test-databases-password-management/
Tue, 25 Oct 2022
TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: first European data protection seal, GDPR harmonisation rules, data breach notification, children’s data protection, artistic and literary works

The EDPB approved the very first GDPR certification seal, (see the detailed opinion here). Europrivacy became the first certification mechanism that demonstrates compliance. It was developed through the European Research Programme Horizon 2020 and is continuously updated by the European Centre for Certification and Privacy in Luxembourg and its International Board of Experts. Companies and services can use the certification scheme to increase the value of their businesses and trust in their services. They can use Europrivacy to:

  • assess the compliance of their data processing activities,
  • select data processors,
  • assess the adequacy of cross-border data transfers,
  • assure citizens and clients of the adequate processing of their data.

The scheme applies to a wide variety of data processing activities while taking into account sector-specific obligations and risks, such as AI, IoT, blockchain, automated cars, smart cities, etc. It is supported by a ledger-based registry of certificates for authenticating delivered certificates and for preventing forgery. The GDPR certification seal has an innovative format for criteria, which is both human and machine-readable. It is also aligned with ISO standards and can be easily combined with the certification of security of information management systems (ISO/IEC 27001). 

The EDPB is also asking the European Commission for clarification and harmonisation of rules on procedures that still differ in each European Member State. This includes clarity about the rights of people making a complaint, criteria for handling complaints, the scope and nature of the documents that must be shared in complex investigations, deadlines for handling cases, how to close cases, investigative powers, and the publication of decisions. Additionally, complaints can sometimes be resolved in a non-contentious way, for example after the intervention of the SA has facilitated the exercise of a data subject’s rights. However, the current lack of harmonisation regarding amicable settlements creates challenges. 

To support children, their parents and educators in the digital world, the French regulator CNIL provides practical sheets, games, and videos in clear and straightforward language (in French only). This includes a digital vocabulary for children explaining what terms like IP address, cookies or paywalls mean, but it also teaches children the right reflexes when doing things such as subscribing to a social network (“TacoTac”), downloading online games on parents’ devices, sharing “funny” images/videos of people online, and much more.

Latvia’s data protection authority DVI explains the principles of data processing within artistic and literary expression, as creators’ final results may contain other people’s data. An artist or writer, when evaluating the result of their work and before making it available to the general public, must conclude that:

  • it was created within the framework of the artist’s right to freedom of speech and expression;
  • the right to privacy and data protection of natural persons whose data is included in the artistic or literary object is not threatened;
  • it does not threaten interests of the data subject that outweigh the public’s interest in getting to know the creation;
  • it would not be desirable to publish works (e.g. photos) in which natural persons are depicted offensively, or which may cause personal injury, moral or other harm, thereby infringing that person’s right to privacy;
  • if the involved natural persons are informed about the planned purpose, it must be expressed clearly, without hidden intentions.

The EDPB is seeking public comments on updated guidelines on personal data breach notification under the GDPR. Back in 2017, Working Party 29 adopted the document, which was endorsed by the EDPB. The new one is a slightly updated version of those guidelines. In particular, the EDPB noticed that there was a need to clarify the notification requirements concerning personal data breaches at non-EU establishments. The paragraph concerning this matter has been revised and updated. Any reference to the WP29 Guidelines on Personal data breach notification should, from now on, be interpreted as a reference to these EDPB Guidelines.

Legal processes:  test databases, MiCA draft regulation, bank AML monitoring, debt information collection

The CJEU delivered a judgment concerning the retention and purpose limitation principles: the creation and long retention of a database to carry out tests and correct errors, and the compatibility of such processing with the purposes of the initial collection. The request was made in proceedings between ‘Digi’, one of Hungary’s main internet and television providers, and the country’s data protection regulator NAIH, concerning a breach of a Digi test database (by an ethical hacker). Digi had not deleted the test database, with the result that a large amount of personal data had been stored without any purpose for almost 18 months. However, the data copied into the test database had been lawfully collected to conclude and perform the subscription contracts. At the request of the Budapest High Court, the CJEU clarified that:

  • Processing of a database set up for testing and error correction is not exempt from the legitimate expectations of those customers as regards the further use of their data, (such errors are liable to be harmful to the provision of the contractually provided service). 
  • It is not apparent that all or part of that data was sensitive or that the subsequent processing had harmful consequences for subscribers or was not accompanied by appropriate safeguards.
  • At the same time, a database created for testing and correcting errors should not be kept for a period exceeding what is necessary to carry out those tests and to correct those errors. 

The final text proposal for a Regulation on Markets in Crypto-assets (MiCA) has been endorsed by the European Council, and now awaits formal approval in the European Parliament. MiCA attempts to provide a harmonised framework for the protection of holders of digital assets, including their data. Currently some crypto-assets fall outside of the scope of EU financial services legislation. There are no rules, other than AML rules, for services related to these unregulated crypto-assets, including for the operation of trading platforms for crypto-assets, the service of exchanging crypto-assets for funds or other crypto-assets, or the custody of crypto-assets. The lack of such rules leaves holders exposed to risks, in particular in areas not covered by consumer protection rules. 

The proposed regulation states that the issuing, offering, or seeking admission to trading of crypto-assets and the provision of crypto-asset services could involve the processing of personal data. Any processing of personal data under this regulation should be carried out in accordance with applicable Union law on the protection of personal data. Furthermore, crypto-assets shall not be considered to be offered for free where purchasers are required to provide or to undertake to provide personal data to the offeror. Also, regarding the transfer of personal data to a third country, the European Banking Authority shall apply Regulation 2018/1725 (‘on the protection of natural persons concerning the processing of personal data by the Union institutions’).

The Dutch data protection authority, (AP), is concerned that a new anti-money laundering law opens the door to unprecedented mass surveillance by banks. Part of the proposal is to monitor all bank transactions of all Dutch account holders in one centralized database, using algorithms. In addition, banks must start exchanging customer data with each other. In many cases this monitoring could be outsourced to an algorithm-capable third party. Combined, the risks associated with this system are disproportionate to the purpose of the bill, believes the AP. For instance, this system could lead to people losing access to their bank accounts completely wrongly. Banks are already required to carry out individual checks on people or companies that may be laundering money or financing terrorism. And they must report unusual transactions to the authorities. 

The Norwegian data protection authority Datatilsynet responded to the government’s proposal to extend the debt information scheme to also include mortgage-secured debt. The regulator recognizes that banks and other creditors need to process information about existing mortgages and car loans in connection with the assessment of a loan application. However, the proposal conflicts with the data minimisation principle, states Datatilsynet. Banks and other credit institutions already have access to information about mortgages and car loans. It appears that the real purpose of the proposed extension of the debt information scheme is to make the creditors’ collection of information about mortgage-secured debt more efficient. This needs to be done in a more privacy-friendly way, and the regulator also points out that citizens’ debt information is attractive for both public and commercial actors, increasing the risk of purpose slippage.

Investigations and enforcement actions: lost DSAR, generic responses to DSARs, whistleblowing reports management, Clearview AI fine, Zoetop data leak

The Italian privacy regulator Garante fined BPER Banca 10,000 euros for violating Art. 12 and 17 of the GDPR. The complainant asked the bank, via email, to delete his professional account from a job application database. This email was acknowledged by the company, which asked him to repeat the request accompanied by identity documents, which the bank duly received at the same email address. However, this last communication was not followed by any effective action by the department in charge, (HR planning and development service), owing to an internal misunderstanding: changes in the company’s e-mail system generated problems in communication flows between the various corporate functions. The account deletion request was finally fulfilled when the complainant’s lawyer sent a registered letter claiming alleged pecuniary and non-pecuniary damage due to the non-cancellation. However, the company noted that some of the applicant’s data would still need to be processed for administrative, accounting, operational and organizational reasons. Other statutory retention periods would also apply for other litigation, or administrative/judicial proceedings. 

Garante also imposed a 10,000 euro fine on Clio S.r.l for violating Art. 5, 6, and 30 of the GDPR, in connection with similar decisions issued against the Municipality of Ginosa and Acqua Novara.VCO, Data Guidance reports. Clio supplies and manages, on behalf of various public and private entities, an application used for the acquisition and management of whistleblowing reports. Garante found that Clio had failed to regulate its relationships with various customers, who acted as data controllers, as a result of which Clio had carried out data processing activities in the absence of an appropriate legal basis. In addition, Clio had failed to keep a register of the processing activities carried out on behalf of the data controllers. Garante however noted the collaborative behavior of Clio in the course of the investigation.

The Croatian data protection authority AZOP recently issued a negative statement on a generic response by a telecoms provider to a data subject access request, (in this case, a request for the location of stored data). The complainant received a generic notice listing the categories of data collected along with the legal bases, and was told that any information on the processing of data, (collected with his consent), could only be obtained from the point of sale. Since the applicant was not satisfied with the generic answer, he repeated his inquiry on the same day in greater detail, specifically asking where his data was stored, but he did not receive an answer from the company. 

The French regulator CNIL imposed a penalty of 20 million euros, (the maximum financial penalty under Art. 83 of the GDPR), on CLEARVIEW AI and ordered the company to stop collecting and using, without any legal basis, the data of people in France and to delete data already collected. CLEARVIEW had previously been given two months to comply with the formal notice and to justify its compliance to the CNIL. However, it did not provide any response. CLEARVIEW scrapes photographs from a wide range of websites, including social media, that can be consulted without logging into an account, and extracts accessible images and videos from distribution platforms. Through this collection, CLEARVIEW creates, expands, and markets access to its search engine, in which an individual can be searched for using images. The company offers this service to law enforcement agencies. CLEARVIEW boss Hoan Ton-That stated to the media that his company had no clients or premises in France and was not subject to EU privacy law, adding that his firm collected “public data from the open internet” and complied with all standards of privacy.

The New York Attorney General secured 1.9 million dollars from an e-commerce retailer, Zoetop, (owner of SHEIN and ROMWE), for failing to properly handle a data breach that compromised the personal information of tens of millions of consumers. Zoetop was targeted in a cyberattack. Worldwide, 39 million SHEIN account credentials were stolen, including the credentials of more than 375,000 New York residents. Attackers stole credit card information and personal information, including names, email addresses, and hashed account passwords. Zoetop did not detect the intrusion and was later notified by its payment processor that its systems appeared to have been compromised. Zoetop also represented, falsely, that it had seen no evidence that credit card information was taken from the systems.

Data security: data breaches, software support practices, password management

A quick reminder from the Latvian data protection authority DVI was published on what constitutes a data breach and how to report it. Breaches can be classified according to three well-known information security principles:

  • Confidentiality incident, (hackers have found a security “hole” in the organisation’s information system and retrieved the personal data of customers).
  • Integrity incident, (due to an incorrectly constructed SQL query, the integrity of records of a customer database stored in the cloud has been lost. As a result, new records are assigned to the wrong reference fields and information about one customer is attributed to another customer).
  • Availability incident, (due to the organisation’s incorrect backup copy policy, the existing database is overwritten with a half-year-old backup copy, without the possibility of restoring to a more current version of the database).

An organisation must therefore have developed and implemented an internal procedure for determining whether a breach has occurred, as well as a procedure for assessing the resulting risks. If the breach is likely to pose a risk to the rights and freedoms of natural persons, the organisation must notify the supervisory authority within 72 hours. If the notification is made later, the reasons for the delay must be explained. Finally, the causes of the breach must be thoroughly investigated and measures must be taken to prevent it from recurring.

Privacy International looked into the software support practices for five of the most popular categories of smart device, (smartphones, personal computers, gaming consoles, tablets, and smart TVs), and concluded that they fail to meet the expectations of the vast majority of consumers. Most EU consumers surveyed expect their connected devices to receive security updates for much longer than manufacturers currently offer; in many cases software updates, including security updates, are provided for a period shorter than the product’s expected life cycle. As for accessibility of information, only a few companies appeared to publish detailed policies online. It is therefore critical that software is kept up to date for a long time to keep a device secure and reduce risks to consumers’ privacy and security, stated PI.

In the context of increasing compromises of password databases, the French CNIL has updated its recommendation to take into account the evolution of knowledge and to allow organisations to guarantee a minimum level of security for this authentication method. According to a 2021 Verizon study, 81% of global data breach notifications are related to a password issue. In France, about 60% of notifications received by the CNIL since the beginning of 2021 are related to hacking, and a large number could have been avoided by following good password practices, (two-factor authentication or electronic certificates). 

If operations relating to password management are entrusted, in whole or in part, to a subcontractor, roles and responsibilities must be precisely defined and formalised, and the level of security required and the security objectives assigned to the processor must be clearly defined, taking into account the nature of the processing and the risks it is likely to generate. Finally, while mere software publishers are not themselves subject to the legal framework for data protection, the organisations using their software are. In this sense, the documentation of password management software must specify in detail how passwords are generated, stored, and transmitted.

Big Tech: human behaviour that leads to data breaches, Australia data leaks, Meta’s Pixel tracking tool, AI hiring tools, speech to identify mental health problems

London-based cybersecurity company OutThink has raised 10 million dollars in early-stage investments as it looks to help organisations identify human behaviour that can lead to data breaches. The company, which claims human behaviour is the source of 91% of data breaches, uses machine learning, natural language processing, and applied psychology to identify, understand and manage the attitudes, intentions, and sentiments of individuals.

Australia envisages increased penalties for data breaches following major cyberattacks. Australia’s telco, financial, and government sectors have been on high alert since Optus, the country’s second-largest telco, disclosed a hack that saw the theft of personal data from up to 10 million accounts. The attack was followed by a data breach at health insurer Medibank Private, which covers one-sixth of Australians, including medical diagnoses and procedures. Australia’s Woolworths Group also said its online retailer MyDeal identified that a “compromised user credential” was used to access its systems that exposed data of nearly 2.2 million users, Reuters reports. 

At least 47 proposed class actions have been filed since February claiming that Meta Platforms Inc.’s Pixel tracking tool sent the plaintiffs’ video consumption data from online platforms to Facebook without their consent, in violation of the federal Video Privacy Protection Act, a Bloomberg Law analysis of court dockets found. Almost half of the new cases were filed in September alone. The complaints allege they knowingly disclosed protected information by allowing Meta’s embedded Pixel code to share a digital subscriber’s viewing activity and unique Facebook ID with the social media platform.

AI hiring tools do not reduce bias or improve diversity, Cambridge University researchers say in a study of the evolving technique, which the BBC, reporting on the study, called “pseudoscience”. In particular, one of the research team argues, these tools cannot be trained to identify only job-related characteristics and strip gender and race out of the hiring process, because the attributes we think are essential for being a good employee are inherently bound up with gender and race. Some companies have also found these tools problematic, the study notes. For instance, a German public broadcaster found that wearing glasses or a headscarf in a video changed a candidate’s scores. 

Finally, software that analyses snippets of your speech to identify mental health problems is rapidly making its way into call centers, medical clinics, and telehealth platforms, putting privacy activists on alert, according to Axios news. Unlike Siri and Alexa, vocal biomarker systems analyse how you talk — prosody, pauses, intonation, pitch, etc. — but not what you say. While the voice sample is run through a machine-learning model that uses a capacious database of anonymized voices for comparison, it may increase systemic biases towards people from specific regions, backgrounds, or with a specific accent.

The post Data protection & privacy digest 12 – 24 October 2022: first GDPR certification seal, test databases, password management appeared first on TechGDPR.

Artificial Intelligence and Privacy by Design https://techgdpr.com/blog/artificial-intelligence-and-privacy-by-design/ Thu, 17 Mar 2022 17:14:10 +0000 https://s8.tgin.eu/?p=5580

It is not surprising that Artificial Intelligence (AI) and privacy (by design) live in constant tension. It does not help that laws and regulations are slow in keeping up and lack a coherent framework. Meanwhile, AI technologies are introduced across all sectors of our daily lives. Deloitte released an AI report, The AI Dossier, that highlights the increased use of AI applications, in particular, tools used for Human Resources (HR) such as candidate search, employee engagement and even benefit programs. 

Why do GDPR assessments on AI matter?

If your company, regardless of size, already uses, or wishes to introduce, AI tools or apps that interact with humans in the workplace without carrying out an in-depth assessment of both foreseen and unforeseen risks, then it may face penalties. Foreseen risks are fairly obvious risks that the company did not take the necessary and obligatory steps to prevent from becoming heightened security threats. Unforeseen risks result from a company not carrying out a Data Protection Impact Assessment (DPIA), or not assessing the technology in detail through human oversight or intervention at the individual level, thus allowing some form of negligence to creep in. This can result in several GDPR violations, such as impacts on the rights and freedoms of data subjects (Articles 12-22), which privacy by design would otherwise have averted. It is nearly impossible to assess and predict all risks; however, the objective is to display user-centricity rather than runaway enthusiasm for the capabilities of the technology, thus enabling AI that users can trust. 

Risk assessments by product designers that objectively surface risks for the data subjects are particularly challenging, a reality legislators did not ignore. To that effect, the need to assess technology from the perspective of the data subject (as embodied in Art. 35(9)’s requirement to seek the views of the individuals whose data will be subjected to the technology) illustrates the intention to provide for a feedback loop in product design, in the same way that designs are tested on consumers in market research, for example.

GDPR Fines related to Artificial Intelligence 

In May 2021, the Spanish data protection authority (AEPD) imposed two fines totaling €1.5 million against EDP ENERGÍA, SAU under Articles 6, 13 and 25. One of the key elements in the fines was how the DPA based its decisions on the finding that the infringements of Articles 6 and 22 were instrumental to the infringement of Article 13. Recall the HR example mentioned above, and imagine your HR department not vetting apps or tools with AI capabilities introduced through candidate applications. Did your department inadvertently discriminate against potential candidates, thus undermining a central purpose of HR, that of promoting and sustaining diversity in the workplace? In 2018, Reuters reported that Amazon’s new recruiting engine excluded women from the candidate pool: the system had learned to disqualify anyone who attended a women’s college or who listed women’s organizations on their resume. Amazon has since scrapped it and implemented a more “watered-down” recruitment system; however, AI in Human Resources is expected to grow. Ultimately, and more concerning, the company violated anti-discrimination laws, which in turn exposes the company to penalties. Under the GDPR, these penalties range from a simple order to alter the processing, to being barred from processing data, and/or being fined. 

Therefore, not putting in the groundwork to ethically evaluate tools that may or may not have AI capabilities is likely to incur high costs and a lack of trust among your employees, and puts the company’s reputation at stake for further partnerships. 

Why ethical assessments are essential for GDPR compliance

To be, or not to be ethical?

One may not always know how to scope ethical questions in today’s world of big data, data collection, AI and ML capabilities; i.e. what is intrinsically right or wrong with regard to collecting large amounts of data, or health data concerning children, for example? Today, many private or public organizations, including governments, understand the stakes of considering ethics and its importance in data collection and utilization. The GDPR further embeds ethics into law within the EEA. The GDPR safeguards the rights and freedoms of data subjects by keeping organisations in line with data protection, privacy and ethics. This is notable, for instance, in the requirements of GDPR Art. 5(1)(a), lawfulness, fairness and transparency, and Art. 5(1)(b), purpose limitation, which provide for a heightened requirement to communicate, and to align the processing with, what is expected by the data subject and what is necessary for the processing. The principle of privacy by design mentioned previously is, however, introduced by the GDPR in Article 22 and Recital 71.

The European Commission introduced a proposal for an EU regulatory framework on artificial intelligence (AI) in April 2021. The framework will complement the GDPR’s regulation of AI in Articles 13, 15-22 and 25, and intends to focus on specific uses of AI systems and the associated risks. Waiting for it to be published and come into force is, however, not the recommended approach. Investing years into product development only to find out that the product needs to be overhauled to satisfy data protection requirements before its release will prove dramatic. A tell-tale sign of this happening is when co-innovation partners start pulling out of discussions. Here at TechGDPR, in preliminary discussions we have, albeit rarely, come across products that are ethically questionable or intrinsically at odds with data protection. With a sharp eye for current and future trends in regulation, we help innovators understand where their products require consolidation.

As a proactive start, consider the available assessment checklists created by supervisory authorities to guide private and public organizations, to ethically assess tools and their AI features. 

Can AI comply with privacy by design requirements?

AI technology and machine learning require large amounts of data even to function or to produce a workable algorithm. A strong proposition of the technology is its use of data lakes in innovative ways. From the outset this is at odds with data protection law, which requires any processing to have a stated purpose before it is performed.

One can argue that no explicit law or regulation has been enacted that fully clarifies how companies can assess a tool’s ethical footprint. Be that as it may, the duty remains for companies to ensure privacy by design under the GDPR. Checklists and assessment methodologies abound, created to guide organizations in assessing tools and their AI capabilities. 

We recommend that product teams start early and take a proactive role by engaging their DPO, data protection, legal, IT and information security teams.

HIPAA, the GDPR and MedTech https://techgdpr.com/blog/hipaa-the-gdpr-and-medtech/ Thu, 23 Jul 2020 07:08:44 +0000 https://staging.techgdpr.com/?p=2631

There are different regulations on how medical data can be processed and stored in different nations. If your company operates in the MedTech sector in the Western world most likely you have at least heard of HIPAA or the GDPR. This article aims at analysing how both legislations relate to healthcare. The article is particularly useful for those looking to extend their business operations to the EU or US for the first time. 

What are HIPAA and the GDPR?

HIPAA refers to the Health Insurance Portability and Accountability Act of 1996. HIPAA was enacted to specifically deal with how medical data are shared and processed. Unlike HIPAA the GDPR regulates any information which can lead to the identification of a living person whether it is health-related or not. The GDPR denotes health data as special categories of personal data, commonly referred to as sensitive data. This means that non-consensual processing of health-related data is strictly prohibited unless the processing purposes are related to medical diagnosing, preventative or occupational medicine, provision and management of health or social care or treatment, in accordance with a contract with a medical professional or based on Union or Member State law. 

The GDPR defines health data as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his/her health status (GDPR Art. 4). HIPAA denotes protected health information as any data revealing an individual’s identity in respect of his or her past, present or future physical or mental condition, the provision of health care, or payment for health treatment and services. Both definitions are similar, yet HIPAA also designates financial information of the recipient of the treatment as health data. The GDPR applies to all organizations operating in the EU or offering goods or services to individuals located in the EU, regardless of citizenship. HIPAA, on the other hand, applies to specific covered entities within the US, which include healthcare providers, health care clearinghouses and health plan providers.

The key differences between HIPAA and GDPR relevant to MedTech 

The principal difference between the regulations is obviously their scope. As previously stated, the GDPR relates to all organizations processing any type of data relating to a person, and therefore applies to a much broader range of entities. Even if a company is located in the US (or anywhere in the world) and processes data of subjects located in the EU, it must comply with the GDPR. By contrast, HIPAA only applies to covered entities located in the US. 

The right to be forgotten is another aspect specific to the GDPR. It stipulates that under certain conditions, such as the withdrawal of previously granted consent or when the data is no longer necessary, the data subject may request the free-of-charge erasure of his or her personal data. If a company relies on third-party cloud storage services, it should ensure that it is able to locate and erase the data when required. The GDPR is also stricter on data breaches: it grants only 72 hours to report a data breach, while HIPAA allows up to 60 days if more than 500 individuals are affected. If fewer than 500 people are affected, the data breach may be reported on the final reporting day of each year. 

The GDPR also introduced the notion of privacy by design and by default. The concept postulates that when developing new services involving the processing of personal data, in MedTech or any other sector, the company must always consider privacy. No such framework for launching new services is present in HIPAA. 

Both regulations are compulsory and impose fines for non-compliance. HIPAA fines are mostly around $25,000 per violation, although in the worst circumstances a company may be fined up to $1.5 million per year. The GDPR opens the door to potentially much larger maximum fines of up to 4% of annual worldwide turnover. 

Do HIPAA and GDPR overlap?

There are some similarities and overlap between HIPAA and the GDPR which is good news for companies required to comply with both regulations. Firstly, both include obligations relating to individuals or entities handling data on behalf of covered entities who control the processing of data. Under HIPAA, those are distinguished as business associates and are required to sign a business associate agreement (BAA), this is similar to the data processors under the GDPR.

Secondly, HIPAA, as is the case with the GDPR, requires companies to ensure safeguards are in place to protect the data collected and stored from unauthorised access and disclosure. Article 32 of the GDPR specifically deals with the obligation to minimise the risk of a security breach. Appropriate measures include pseudonymisation and encryption of data, maintenance of ‘ongoing confidentiality, integrity, availability and resilience of processing systems and services’ as well as the ‘ability to restore availability and access to data in the event of an accident’. The same article prescribes regularly testing, assessing and evaluating the effectiveness of the security measures in place. Furthermore, the entity subject to the GDPR shall ensure that all personnel processing data on its behalf adhere to the code of conduct prescribed by the legislation and do not process data except on its instructions.

Parallel obligations of the covered entities can be found under HIPAA’s Security Rule. HIPAA also postulates confidentiality, integrity, and availability of protected health information in electronic form (ePHI). Likewise, covered entities must ensure potential security threats, or unlawful uses or disclosures of ePHI, are considered and addressed. HIPAA also obliges the covered entities to ‘ensure compliance of the workforce’. 

Both regulations call for minimisation of data collection and minimisation of data disclosure. Under both, data may be disclosed for research purposes, judicial proceedings, public health interest and where required by law.

HIPAA and the GDPR grant data subjects analogous rights. In particular, with a few exceptions, such as access to psychotherapy notes, both regulations grant the data subject the right to access and review a copy of the processed data. Moreover, if the information is inaccurate or incomplete, the data subject has a right to request an amendment of the information.

HIPAA and the GDPR grant data subjects a right to be informed of how and for what purpose their personal data is used and processed; this includes information regarding the recipients or categories of recipients to whom the personal data have been or will be disclosed. The privacy notice must include information on individuals’ rights with respect to their personal information and how those rights may be exercised, the covered entity’s obligations, and the purpose of data usage and processing. Interestingly, both the GDPR and HIPAA require the privacy notice to be written in clear and plain language.  

HIPAA and GDPR application

Two global trends may be identified with regard to MedTech and data processing. On one hand, there is an evident explosion of consumer health data. Technological advancement has stimulated vast growth in consumer-generated health data, which can be put to work through data analytics to extract powerful insights. Secondly, as life expectancy increases and senior citizens account for a larger share of the population, the market boom in healthcare is explained by a demand to further digitise and employ analytics to identify the most cost- and health-effective treatments and insurance plans. 

Beyond the similarities and differences outlined earlier, there is a fair amount of divergence in how the two frameworks are implemented. Consider an app developer seeking to re-use healthcare data to extract insights. Under the GDPR, this app developer handles a special category of data and this handling is subject to strict safeguards. However, in the US, the same app developer is subject to neither HIPAA nor the GDPR, provided they do not process personal data of EU data subjects. That is because HIPAA stipulates that only covered entities, i.e. healthcare providers and insurers or their business associates, are subject to the legislation. In other words, medical data that is collected and processed in a hospital will be subject to HIPAA and considered PHI.

If an individual voluntarily provides his or her health information to a mobile app that is not connected to the healthcare activities of a covered entity (i.e. not a business associate of any covered entity), this most likely falls outside HIPAA’s jurisdiction, but the app developer remains subject to other state or federal law. Examples of such laws are the FTC Act, which generally regulates commercial use of personal data, and the Children’s Online Privacy Protection Act with regard to the use of children’s data. Ultimately, this affects how consent should be obtained to process the data, as well as the appropriate security and organisational protection measures, regardless of HIPAA. 


This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.

WiFi-Tracking and Retail Analytics under the GDPR https://techgdpr.com/blog/wifi-tracking-retail-analytics-gdpr/ Mon, 08 Apr 2019 09:15:52 +0000 https://staging.techgdpr.com/?p=2248

WiFi-tracking is used for many purposes, including producing heat-maps of spaces, counting passers-by and analyzing people movement and visits. This can be extremely useful for businesses to better understand the use of their space and how to optimize this, and it is already in wide use in shopping malls, airports and hotels all around the world.

About WiFi-tracking

WiFi-tracking technology relies on devices such as smartphones sending so-called probe requests. With wireless networking enabled, a device broadcasts a probe at regular intervals to see which known or unknown wireless networks are available to connect to. By capturing these requests along with other information such as signal strength and time, a fairly accurate analysis of location and behaviour can be made. By combining data from different access points in close vicinity, an accurate location can be determined through trilateration.

The GDPR, in force since 25 May 2018, does make this practice harder: as MAC (Media Access Control) addresses are considered (pseudonymised) personal data, since they can be used to single out a person, processing them requires a valid legal basis and adherence to the other articles of the GDPR. This article explores the possibilities for meeting these requirements.

Personal data and scope of the GDPR

The definition of personal data under the GDPR is outlined in Article 4(1):

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

On 19 October 2016, the Court of Justice of the European Union (the “CJEU”) delivered its judgment in Case C-582/14, Patrick Breyer v Bundesrepublik Deutschland. The Court held that a dynamic IP address can constitute personal data for the operator of a website where that operator has the legal means to have the user identified with the help of additional information held by the internet service provider. Following the same logic, the MAC address of a personal device, which is far more stable than a dynamic IP address, should likewise be treated as personal data.

Hashed or encrypted versions of MAC addresses can be stored and processed instead of the raw address, but these are still pseudonymous data if they uniquely single out a device belonging to a natural person. Pseudonymizing data does not move it out of scope of the GDPR, as the data can still be linked back to a natural person with the use of additional information. For hashed MAC addresses this is not merely theoretical: the address space is small (48 bits, of which the first 24 identify the device vendor), so an unsalted hash can be reversed simply by hashing every candidate address, and even a salted hash still lets the same device be recognized every time it appears for as long as the salt stays the same.

As soon as the position of a device is determined, location data becomes available as well, which Article 4(1) explicitly lists as an identifier and which therefore certainly falls under the GDPR.

Once data is truly anonymized (e.g. aggregated with a large enough sample size) so that it can no longer be related back to a single data subject, it is out of scope of the GDPR and can be used freely. Nevertheless, a valid legal basis is still required for the initial collection of the personal data from which it is derived.


Who is the controller?

Defining the different stakeholders is important to further analyze GDPR compliance. The data subject in WiFi-tracking is the person carrying the personal, WiFi-enabled device that is being tracked. This person must be guaranteed GDPR-compliant processing of his or her personal data, which includes being properly informed about the processing and about their rights under the GDPR.

Defining the data controller and data processor is more challenging. The GDPR defines the controller as the party that ‘determines the purposes and means of the processing’ (Art. 4(7)) and the processor as the party that ‘processes personal data on behalf of the controller’ (Art. 4(8)), on the basis of documented instructions from the controller (Art. 28(3)(a)). In a WiFi-tracking situation this may mean different things depending on the specifics of the setup.

If a venue uses WiFi-tracking for its own purposes (such as capacity planning), with its own hardware and third-party software, the venue is most likely the controller and the software provider the processor. This requires a data processing agreement (Art. 28) between the two, in which the controller gives the processor documented instructions for the processing.

If the hardware is placed in the venue by a third-party service provider, and the data is made available directly to that provider for purposes it pursues itself, the service provider may well be determined to be the controller.

Legal bases

For the processing of personal data under the GDPR, the controller needs to determine the legal basis of the processing. There are six possible legal bases (Art. 6(1) GDPR): (a) consent, (b) performance of a contract, (c) legal obligation, (d) vital interests, (e) public interest and (f) legitimate interests. Bases (c), (d) and (e) clearly do not apply: WiFi-tracking is not a legal obligation, is not in anyone's vital interest and is not in the public interest in general. The remaining bases are analyzed below.

Consent (Art 6.1a)

To rely on consent as the legal basis, the data subject needs to have freely given prior consent to the processing in question. It is important to emphasize that consent must be freely given and therefore cannot be made a precondition for the provision of a service (‘paying with data’).

Recital 42: “… Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

Recital 43: “Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”

If consent is a precondition of a service but the processing is not necessary for that service, the consent is deemed invalid. Bundling consent for tracking with the use of guest WiFi or a loyalty program is therefore not possible; consent to WiFi-tracking should be offered as an additional, non-required option.

In addition, withdrawing consent must be as easy as giving it (Art. 7(3)). A mechanism should be in place that allows consent to be withdrawn at any place and time.

Collecting consent

  1. Using a captive portal
  2. Using proximity push notifications
  3. Through a loyalty program

Performance of a Contract (Art 6.1b)

Performance of a contract can be relied on for fulfilling contractual obligations, as well as for steps taken at the request of the data subject prior to entering into a contract. This implies, however, that at some point a ‘business’ relationship covering the use of the data can be substantiated.

If data subjects are rewarded in some way for providing their tracking and usage data, this could be a way to explore Article 6(1)(b) as a legal basis, but only once the data subject has shown interest in such a relationship themselves; it cannot be assumed. In short, for tracking behavior without such a reward program, this legal basis cannot be applied.

Legitimate Interest (Art. 6.1f)

Legitimate interest may be the legal basis for processing personal data if the interests or fundamental rights and freedoms of the data subject do not override the interests of the controller, taking into account the reasonable expectations of the data subject and their relationship with the controller. Establishing legitimate interest requires a careful assessment of these reasonable expectations and of the context in which the data is collected (Recital 47).

A legitimate interest can be a purely commercial interest. The legitimate interest, and the balancing of it against the interests of the data subject, need to be well documented, and the essence of it has to be explained to the data subject.

What is important to consider for legitimate interest is whether there are less privacy-intrusive methods of reaching the same goal. If there are, legitimate interest is unlikely to hold up.

Opinion 06/2014 of the Article 29 Working Party on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC (still widely used as guidance under the GDPR) states:

The economic interests of business organizations to get to know their customers by tracking and monitoring their activities online and offline, should be balanced against the (fundamental) rights to privacy and the protection of personal data of these individuals and their interest not to be unduly monitored.

According to the same opinion, where the purpose of the tracking is marketing, more specific requirements apply under the ePrivacy Directive:

consent is required under Article 5(3) of the ePrivacy Directive for behavioral advertising based on tracking techniques such as cookies storing information in the terminal of the user.

Public space vs. private space

Data protection authorities, for example the Dutch DPA, have issued strong opinions on WiFi-tracking in (semi-)public spaces. While WiFi-tracking within private (commercial) premises can be legitimized, as soon as the personal data of people outside the premises (e.g. passers-by) is analyzed, it becomes very difficult to base the processing on legitimate interest.

If legitimate interest is used as the legal basis, technical measures may be needed to ensure that only devices within the company's premises are tracked, for instance by discarding observations whose signal strength or estimated position indicates a device outside the perimeter before they are stored.
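An added example of the kind of perimeter filter just described (ours, not from the article or any vendor product): access points report received signal strength per device, a log-distance path-loss model turns that into a range, the ranges from at least three access points are trilaterated as mentioned under ‘About WiFi-tracking’, and any device whose estimated position falls outside the premises polygon is discarded before storage. The venue layout, access point positions, path-loss parameters and observations are all constructed; in practice the model parameters need on-site calibration and RSSI ranges are noisy to within several metres, so the perimeter should be drawn conservatively.

```python
import math
from typing import Dict, List, Optional, Tuple

Point = Tuple[float, float]

# Hypothetical venue layout in metres: a 30 x 20 m shop with three access points.
# Assumed for this example, not taken from the article.
PREMISES: List[Point] = [(0.0, 0.0), (30.0, 0.0), (30.0, 20.0), (0.0, 20.0)]
ACCESS_POINTS: Dict[str, Point] = {"ap1": (0.0, 0.0), "ap2": (30.0, 0.0), "ap3": (15.0, 20.0)}

# Log-distance path-loss model: rssi(d) = RSSI_AT_1M - 10 * n * log10(d).
# Both parameters must be calibrated on site; the values here are assumptions.
RSSI_AT_1M = -40.0
PATH_LOSS_EXPONENT = 2.5

def rssi_to_distance(rssi_dbm: float) -> float:
    """Estimated distance in metres from received signal strength."""
    return 10 ** ((RSSI_AT_1M - rssi_dbm) / (10 * PATH_LOSS_EXPONENT))

def distance_to_rssi(distance_m: float) -> float:
    """Inverse of rssi_to_distance; used only to construct the sample readings."""
    return RSSI_AT_1M - 10 * PATH_LOSS_EXPONENT * math.log10(distance_m)

def trilaterate(ranges: List[Tuple[Point, float]]) -> Optional[Point]:
    """Least-squares position from >= 3 (anchor, distance) pairs.

    Subtracting the first circle equation from the others linearizes the system:
        2(xi - x1) x + 2(yi - y1) y = d1^2 - di^2 + xi^2 - x1^2 + yi^2 - y1^2
    which is solved through the 2x2 normal equations.
    """
    if len(ranges) < 3:
        return None
    (x1, y1), d1 = ranges[0]
    rows = []
    for (xi, yi), di in ranges[1:]:
        rows.append((2 * (xi - x1), 2 * (yi - y1),
                     d1 ** 2 - di ** 2 + xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2))
    a11 = sum(a * a for a, _, _ in rows)
    a12 = sum(a * b for a, b, _ in rows)
    a22 = sum(b * b for _, b, _ in rows)
    r1 = sum(a * c for a, _, c in rows)
    r2 = sum(b * c for _, b, c in rows)
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:                 # collinear anchors: no unique solution
        return None
    return ((a22 * r1 - a12 * r2) / det, (a11 * r2 - a12 * r1) / det)

def point_in_polygon(pt: Point, polygon: List[Point]) -> bool:
    """Ray-casting test for a simple polygon."""
    x, y = pt
    inside = False
    j = len(polygon) - 1
    for i in range(len(polygon)):
        xi, yi = polygon[i]
        xj, yj = polygon[j]
        if (yi > y) != (yj > y):
            x_cross = (xj - xi) * (y - yi) / (yj - yi) + xi
            if x < x_cross:
                inside = not inside
        j = i
    return inside

def locate(readings: Dict[str, float]) -> Optional[Point]:
    """Position estimate for one device from {ap_id: rssi_dbm}; None if too few APs heard it."""
    ranges = [(ACCESS_POINTS[ap], rssi_to_distance(rssi))
              for ap, rssi in readings.items() if ap in ACCESS_POINTS]
    return trilaterate(ranges)

def filter_on_premises(observations: Dict[str, Dict[str, float]]) -> Dict[str, Point]:
    """Keep only devices located inside the premises. Everything else is dropped before
    it is stored, so passers-by never enter the dataset."""
    kept: Dict[str, Point] = {}
    for device_id, readings in observations.items():
        pos = locate(readings)
        if pos is not None and point_in_polygon(pos, PREMISES):
            kept[device_id] = pos
    return kept

def readings_for(true_position: Point) -> Dict[str, float]:
    """Construct noise-free RSSI readings for a device at a known position (sample data only)."""
    return {ap: distance_to_rssi(math.dist(true_position, xy)) for ap, xy in ACCESS_POINTS.items()}

# Constructed observations keyed by pseudonymous device id: one visitor inside the shop,
# one passer-by on the pavement outside, and one device heard by a single AP only.
OBSERVATIONS = {
    "dev-inside": readings_for((10.0, 10.0)),
    "dev-outside": readings_for((40.0, 10.0)),
    "dev-weak": {"ap1": -70.0},
}

if __name__ == "__main__":
    print(filter_on_premises(OBSERVATIONS))
```

Devices heard by fewer than three access points are dropped as well, which is the privacy-conservative default: a position that cannot be established cannot be shown to be on the premises.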

Fulfilling the duty of information

Whichever legal basis is chosen, data subjects need to be informed as soon as their personal data is collected. Article 13 of the regulation prescribes this as follows:

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: …

This means that the controller has the duty to inform data subjects. For an app or website this is normally done by publishing a privacy notice. In the case of WiFi-tracking this is obviously more difficult. One way is to display a clear notice at the border of the perimeter, for example with a sticker on the door, that points to a full privacy notice.

At the same time, data subjects should have the choice not to be subjected to the processing, and would therefore need to be advised that they can opt out by switching off the WiFi on their device.

Data minimization and storage limitation

Whatever personal data is stored under the GDPR must be limited to the minimum required for the specified purpose and must be kept no longer than necessary for that purpose (Art. 5(1)(c) and (e)).

In current implementations of data protection for WiFi-tracking there is a strong emphasis on timely anonymization and limited storage as means to protect the privacy of the users. NS, in the example below, uses a different salt per day so that information cannot be correlated across multiple days.

Mechanisms to exercise rights

Whenever personal data is collected from data subjects, they have rights under the GDPR, need to be informed about them and must be given ways to exercise them. These include the right of access, the right to erasure, the right to information and the right not to be subject to automated decision-making. The first ones could be surfaced through a website, portal or app of some sort. The last one needs to be considered closely in terms of what happens with the data. Note that where only truncated hashes are stored, the controller may not be able to link a request to a particular record; in that case the data subject has to be told so (Art. 11(2) and 12(2)).

Example of WiFi-tracking in practice and the operator's explanation of GDPR compliance

At the time of writing, Nederlandse Spoorwegen (NS, Dutch Railways) uses WiFi-tracking at 6 of its larger train stations. They make travelers aware of this with stickers around the station indicating the use of WiFi-tracking, and explain the mechanics in their privacy policy: https://www.ns.nl/en/privacy/in-and-around-the-station.html


In summary, they rely on the legal basis of legitimate interest, “to improve our services and to increase your safety in and around the station”, and use technical measures to limit and further pseudonymize the MAC addresses collected:

“The MAC address is immediately ‘hashed’ – converted into a series of characters. This series is then sent to a server, where we add extra random characters and hash the series again (a process known as ‘salt’). The extra characters differ per day, and are not stored on a computer. We then ‘cut out’ some of the characters, so that there is no way that the series can be traced to an individual.”
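The following added Python example (ours, not NS's code) makes concrete both why a hashed MAC address remains pseudonymous personal data, as argued under ‘Personal data and scope of the GDPR’, and what the per-day salt in NS's description buys. It brute-forces an unsalted SHA-256 of a MAC address by enumerating the candidate addresses behind a known vendor prefix, then implements the hash, daily salt, re-hash and truncate pipeline NS describes. The sample address, the salt length and the number of characters kept are assumptions.

```python
import hashlib
import secrets
from itertools import product
from typing import Optional

# Constructed sample address. AC-DE-48 is an OUI the IEEE uses in its own examples;
# the trailing bytes are made up.
SAMPLE_MAC = "AC-DE-48-00-11-22"

def normalize(mac: str) -> str:
    """Canonical lower-case, colon-separated form so one device always hashes the same way."""
    return mac.strip().lower().replace("-", ":")

def unsalted_hash(mac: str) -> str:
    """The naive 'anonymization' often sold with tracking products: SHA-256 of the MAC.
    The output is a stable pseudonym for the device, not anonymous data."""
    return hashlib.sha256(normalize(mac).encode()).hexdigest()

def invert_unsalted_hash(target: str, known_prefix: bytes) -> Optional[str]:
    """Recover the MAC behind an unsalted hash by hashing every candidate address.

    A MAC has only 48 bits and its first three bytes are the vendor OUI, so knowing the
    vendor leaves 2**24 candidates: seconds of work with hashlib, milliseconds on a GPU.
    Callers may pass a longer prefix to keep the search small; the method is identical.
    """
    unknown = 6 - len(known_prefix)
    for tail in product(range(256), repeat=unknown):
        candidate = ":".join(f"{b:02x}" for b in (*known_prefix, *tail))
        if hashlib.sha256(candidate.encode()).hexdigest() == target:
            return candidate
    return None

def new_day_salt() -> str:
    """Fresh random salt for the day. It must live only in memory: once it is gone,
    that day's pseudonyms can no longer be recomputed from a MAC by anyone."""
    return secrets.token_hex(16)

def daily_pseudonym(mac: str, day_salt: str, keep: int = 20) -> str:
    """Pipeline as NS describes it: hash on the sensor, re-hash with the day's salt on the
    server, then truncate so that several devices share one pseudonym.

    Same MAC + same salt -> same pseudonym, so visits within a day can still be counted;
    a new salt the next day makes consecutive days unlinkable. Truncation only limits
    re-identification; the pseudonym still singles out a device during that day.
    The 20-character cut is an assumption, not NS's actual parameter."""
    first = hashlib.sha256(normalize(mac).encode()).hexdigest()
    second = hashlib.sha256((first + day_salt).encode()).hexdigest()
    return second[:keep]

if __name__ == "__main__":
    leaked = unsalted_hash(SAMPLE_MAC)
    # Attacker knows the vendor plus two more bytes here (for speed): 256 candidates.
    print("recovered:", invert_unsalted_hash(leaked, bytes.fromhex("acde480011")))

    today, tomorrow = new_day_salt(), new_day_salt()
    print("day 1:      ", daily_pseudonym(SAMPLE_MAC, today))
    print("day 1 again:", daily_pseudonym(SAMPLE_MAC, today))
    print("day 2:      ", daily_pseudonym(SAMPLE_MAC, tomorrow))
```

The salt is what separates this from the unsalted variant: without it, anyone holding the dataset can run `invert_unsalted_hash` against every record; with a salt that is discarded at midnight, that option disappears for past days, while within a day the scheme still behaves as a device identifier and remains pseudonymous personal data.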

Other requirements under the GDPR

As WiFi-tracking amounts to regular and systematic monitoring of data subjects and will in most cases be carried out on a large scale, a controller or processor whose core activities consist of it will need to designate a data protection officer (Art. 37(1)(b)); a controller or processor not established in the EU must in addition designate a representative in the EU (Art. 27).

ePrivacy Regulation and Directive

The ePrivacy Directive, and in the future the ePrivacy Regulation, deals with the confidentiality of communications and of information stored in or emitted by terminal equipment rather than with the processing of personal data in general, and is therefore also relevant for WiFi-tracking. The practice will be scrutinized further with the introduction of the ePrivacy Regulation. The draft Regulation prohibits companies from using consent collection methods that force users to agree to tracking in order to receive access to services, and it provides three purposes for which tracking is permitted:

  • When it is necessary to transmit an electronic communication.
  • When it is necessary to provide an information society service requested by the user.
  • When it is necessary to measure the reach of an information service requested by the user.

The original draft of the ePrivacy Regulation also contains provisions for the protection of data subjects using public WiFi. That initial draft permitted tracking an individual's location through WiFi or Bluetooth signals. In response, Parliament and the Article 29 Working Party proposed amendments that would require businesses whose premises provide WiFi to obtain the data subject's consent before tracking, and to post a prominent notice about the possible risks of using their WiFi connection.

The latest draft of the ePrivacy regulation, dated October 2018, contains the following relevant passage in recital 25:

A single wireless base station (i.e. a transmitter and receiver), such as a wireless access point, has a specific range within which such information may be captured. Service providers have emerged who offer physical movements’ tracking services based on the scanning of equipment related information with diverse functionalities, including people counting, such as providing data on the number of people waiting in line, ascertaining the number of people in a specific area, etc referred to as statistical counting for which the consent of end-users is not needed, provided that such counting is limited in time and space to the extent necessary for this purpose.

Providers should also apply appropriate technical and organisational measures to ensure the level of security appropriate to the risks, including pseudonymisation of the data and making it anonymous or erasing it as soon as it is no longer needed for this purpose. Providers engaged in such practices should display prominent notices located on the edge of the area of coverage informing end-users prior to entering the defined area that the technology is in operation within a given perimeter, the purpose of the tracking, the person responsible for it and the existence of any measure the end-user of the terminal equipment can take to minimize or stop the collection.

Additional information should be provided where personal data are collected pursuant to Article 13 of Regulation (EU) 2016/679. This information may be used for more intrusive purposes, which should not be considered statistical counting, such as to send commercial messages to end-users, for example when they enter stores, with personalized offers locations, subject to the conditions laid down in this Regulation, as well as the tracking of individuals over time, including repeated visits to specified locations.

There is no final text of the ePrivacy Regulation yet, so the exact implementation of these requirements remains unclear for the time being. Once officially adopted, the Regulation is expected to apply 24 months later.

Conclusion

Generally speaking, WiFi-tracking under the GDPR (and the ePrivacy Regulation in the future) is challenging. The main problems revolve around:

  1. WiFi-tracking relies on MAC addresses, which are considered personal data, even in hashed form.
  2. It is required to inform data subjects before collection of personal data takes place.
  3. Consent as a legal basis is challenging, as it is very difficult to collect valid, freely given consent from data subjects. Where consent can be collected, e.g. through a captive portal, the conversion rate is likely to be low.

Possible approaches to GDPR compliance

There are some approaches that can be considered to utilize WiFi-tracking within the requirements of the GDPR:

1. Informing and asking for consent through a captive portal, push notification or app before tracking users.

Where the legal basis for processing personal data is consent, one approach is to ask for consent through a captive portal. This could be set up as an additional, optional choice when asking people to agree to the conditions for using guest WiFi, separate from and not required for the WiFi access itself.

2. Relying on legitimate interest for tracking.

It seems possible to rely on legitimate interest for tracking in certain cases, but this limits what the tracked data can be used for. It must be possible to argue for a real, legitimate interest that cannot, or only with difficulty, be met using less privacy-intrusive methods. Whether direct marketing or advertising can constitute a legitimate interest for this purpose is debatable. If legitimate interest is relied on, all data subjects need to be given an easy way to object to (opt out of) the tracking (Art. 21).

3. Finding a way to move the data out of scope of the GDPR through anonymized collection.

If a way can be found to properly anonymize the data in line with the requirements of the GDPR, it will be out of scope of the GDPR and can therefore (from that point onwards) be processed freely. The challenge with this approach is that correlating observations of the same device over time becomes impossible if the data is anonymized right at collection. Also, in low-traffic areas the sample size may be too small to ensure that the aggregated data is truly anonymous, since a count of one or two devices in a time slot may still single out a person.

NOTE: This article does not constitute or replace legal and professional advice. Consult your lawyer or privacy professional before using WiFi-tracking.

 

Is total privacy GDPR compliant? Zcash report shows how “Privacy by Design” handling of personal data gets us close. https://techgdpr.com/blog/privacy-gdpr-compliant-zcash-least-authority-personal-data/ Tue, 05 Feb 2019 15:18:57 +0000

The post Is total privacy GDPR compliant? Zcash report shows how “Privacy by Design” handling of personal data gets us close. appeared first on TechGDPR.

Last week, Forbes examined the promise of privacy in the P4 protocol in the article “Zcash Out To Prove Privacy Is Key To Crypto Adoption With GDPR-Complying Use Cases” by Darryn Pollock. Pollock's article included a link to TechGDPR's Zcash GDPR assessment. In addition to the Forbes article, Zcash has published its own statement, as has its spin-off company, Least Authority. Now is a great time for TechGDPR to provide a summary of our conclusions to add to the discourse.

On Confidentiality

Before getting into the details, I first want to emphasize that TechGDPR works with a wide variety of clients, and we approach our specialized consulting for each client with the utmost confidentiality, unless a client states otherwise. Zcash is among the clients that have chosen to discuss this GDPR compliance assessment publicly. TechGDPR released the report with the permission of both Zcash and Least Authority.

Zcash GDPR assessment on the P4 protocol

In October 2018, TechGDPR conducted a GDPR compliance assessment of the P4 protocol specification on behalf of the Zcash Company and Least Authority. This assessment reflects important conversations among regulators, compliance advisors, and implementers of blockchain and other cutting-edge technologies in the context of the GDPR and other privacy-protecting regulations.

Data gathered while using the P4 protocol is mostly anonymous; only a few types of data could potentially be flagged as personal and therefore in scope of the GDPR. The risk of identifying natural persons through the use of Least Authority's S4 storage service is significantly mitigated by the use of zero-knowledge proofs in Zcash's shielded transactions. Other regulations, such as financial, anti-money-laundering and know-your-customer regulations, may be triggered by anonymous online services. And although new regulations around the world are attempting to make service providers responsible for their users' content, Zcash has been favorably received by financial regulators.

TechGDPR’s Findings

The assessment conducted by TechGDPR (PDF available here) concludes that implementing P4 is unlikely to raise any major issues regarding GDPR compliance, apart from the question whether or not to allow customers to use S4 for data processing under the GDPR, and how to effectively prevent this (see finding #11: “Possible role of data processor”). A few matters deserve highlighting as they may become an issue in the future, as the usage of the service changes (finding #2: “File deletion, garbage collection”) or the interpretation of the GDPR evolves further (findings #1: “Logging IP Address” and #3: “Consequences of maintaining a full node”). The biggest concerns relate to the processing of data within S4, not within P4. The P4 protocol itself only presents concerns if subscribers insist on paying from transparent addresses.

TechGDPR also concluded that, as long as Zcash transactions cannot be linked back to a natural person, either because they are private (shielded) or because no link between the t-address (transparent address) and the user exists, the transactions within Zcash and the payment information itself should be considered anonymous and therefore out of scope of the GDPR.

In our opinion, the P4 service allows for as close to anonymous usage as you can get with current technology, with important caveats regarding user practices and user volume. The full benefits of P4 can only be realized if the user is extremely cautious in how they use it, as is the case with most privacy-preserving solutions today. Least Authority has tried to make it harder for users to make mistakes (e.g., by requiring Tor); however, it is still possible to gather some information through leaked metadata or trivial user mistakes that may, over time, be enough to link the usage back to a person. As the user base grows, maintaining anonymity will become easier, because establishing a relationship between specific users and their data or metadata will become increasingly difficult.

Privacy-enhancing technology, including P4, is not perfect. It is difficult to use, and requires perfect handling by both the user and Least Authority. Still, technologies like P4 go a long way toward challenging the advertising-surveillance model of the modern internet, and illustrate how blockchain-based technologies could show a new way forward.

Zcash looks forward

A statement released on Friday by Zcash declared, “We are at the beginning of what promises to be a longer journey toward privacy-by-design in the realm of blockchain technology.”

Total anonymity may not be possible, but the policies outlined in the GDPR show legitimate demand and P4 demonstrates that we can get pretty close.
