Official guidance

DPOs duties: The Swedish data protection agency published the results of a coordinated investigation, initiated by the EDPB, on the role and position of data protection officers. It investigated 50 organisations in the public and private sectors. Here are some of the statistics: 

• Several data protection officers have other tasks/roles in addition to the role of data protection officer, which in certain situations can potentially mean a conflict of interest.
• There are differences in how many hours data protection officers spend on skills development around data protection issues.
• There is a wide variation in the number of resources and methodological support needed to complete DPO’s duties.
• The organisations to some extent have different ideas about what should be included in the data protection officer’s mission.

Interestingly, most, but not all, organisations believe that the DPO should participate in the handling of personal data incidents whereas only two-thirds of the organisations believe that the DPO should be consulted in the planning of new personal data processing. 

Sandbox invite for innovative tech: Organisations have until the end of this year to submit expressions of interest in entering the UK Information Commissioner Office’s Regulatory Sandbox in 2024. If you’re part of an organisation that’s tackling complex data protection considerations as you create innovative new products and services, the ICO’s team wants to hear from you. Expressions of interest will be assessed based on whether the product or service being developed is innovative and could provide a demonstrable benefit to the public, whether you’re a start-up, SME or larger organisation, from the private, public or voluntary sectors. 

Server colocation: The Danish data protection authority has considered whether an IT company that provides (server) colocation should be considered a data processor for the organization for which the service is provided. The assessment is negative, in particular, if the supplier of colocation does not have access to the personal data that is processed on the servers. The provision of colocation primarily concerns the provision of a service other than the processing of personal data, in particular physical facilities as well as internet and power supply. However, this is only a starting point. Several circumstances can lead to the colocation company being considered a data processor to a certain extent: 

• the company provides additional services beyond physical facilities,
• the company can and may be tasked with moving, restarting or otherwise handling the servers where the information is processed,
• the company can and may have the task of replacing hard drives, and memory, (firewall, backup services, etc).

AI code of conduct: The Canadian government published a voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems. Generative systems can be adapted by organisations for various uses – such as corporate knowledge management applications or customer service tools. Firms developing and managing the operations of these systems both have important and complementary roles. 

Signatories of this code would develop and apply standards, and share information and best practices with other members of the AI ecosystem, prioritising human rights, accessibility and environmental sustainability. See the measures to be undertaken under the Code of Conduct in the original publication. 

Encryption evaluation tool: The Spanish data protection agency launched the ValidaCripto tool to evaluate encryption systems. Encryption is a procedure by which information is transformed into a seemingly unintelligible set of data, helping to protect the information from a possible personal data breach. The tool runs in the browser, without recording or transmitting any data to the Agency, and allows information to be stored locally and reports to be generated. It has a help section where its operation is explained step by step, from selecting the impact of the encryption system on the treatment, categorising the most critical elements, reviewing the suggested controls and generating follow-up documentation. 

Workplace monitoring: The UK Commissioner’s Office has published guidance to ensure lawful monitoring in the workplace. Monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using specialist monitoring software to track activity. If an organisation is looking to monitor workers, it must take steps including: 

• Making workers aware of the nature, extent and reasons for monitoring.
• Having a clearly defined purpose and using the least intrusive means to achieve it.
• Having a lawful basis for processing workers’ data – such as consent or legal obligation.
• Only keeping the information which is relevant to its purpose.
• Carrying out a data protection impact assessment for any monitoring that is likely to result in a high risk to the rights of workers.
• Making the personal information collected through monitoring available to workers if they make a subject access request.

Legal processes

EU-US DPF tried in court: The EU General Court rejected the request for interim suspension of the EU-US data Privacy Framework but has yet to examine the substance of the case. The request was introduced by a French member of parliament, who is also a member of the French data protection authority CNIL, requesting that the framework be annulled due to the lack of guarantees of a right to an effective remedy for data subjects by US companies, as well as a violation of the GDPR’s minimisation and proportionality principles due to the access and use of EU personal data for US security purposes. He also observed that the wording of the DPF ruling, which is currently only available in English, should be translated into the EU’s official languages. 

Delete Act: California’s Governor signed the Delete Act into law. It revises the California Consumer Privacy Act by making it easier for residents to submit universal requests to registered data brokers for deletion of personal data. According to the Guardian analysis, Californians already have the right to request that their data be destroyed under current state privacy regulations, but doing so requires filing a request with each corporation.  The revised measure emphasizes that all data brokers must register with the privacy protection agency, and mandates it to create a simple and cheap means for Californians to request that all data brokers in the state remove their data through a single page, regardless of how that information was obtained. 

Consumer profiling: The EDPB-EDPS published a joint contribution to the public consultation on the draft template relating to the description of consumer profiling techniques. Under the new Digital Markets Act, designated gatekeepers now shall submit to the European Commission independently audited descriptions of any techniques for profiling consumers that they apply to or across their core platform services. The regulators wonder whether the Commission should expect to receive detailed audited descriptions of profiling techniques for each of the core platform services of the gatekeeper. 

The regulators are also concerned that the template alone would not provide sufficient safeguards against low-quality or otherwise unreliable audits on behalf of gatekeepers. The EDPB and the EDPS underline that any approval or statement from the European Commission on how a gatekeeper processes personal data for consumer profiling or how it informs consumers about profiling techniques does not automatically mean that the gatekeeper is complying with the GDPR, which is for supervisory authorities to verify.

Health research in France: The CNIL has adopted two new reference methodologies to allow public and private bodies, (in addition to healthcare institutions and their federations, as well as healthcare manufacturers), except insurers, to process data from the main database of the National Health Data System. The data controller should indicated in their protocol:

• the components of the main database concerned by the access request;
• the target population;
• the targeting period;
• the data or categories of data required;
• the historical depth of the data;
• the requested access period. 

As there are many ways to access these data, any controlled environment that meets the conditions set in new methodologies may host the data as part of the research projects concerned.

Enforcement decisions

Case studies book: The Irish data protection authority published detailed case studies, (based on 126 real cases), illustrating how data protection law is applied, how non-compliance is identified and how corrective measures have been imposed, from the past five years. It concentrates on such topics as access request complaints, the accuracy of personal data, cross-border cases, data breach notifications, unauthorised disclosure, direct marketing, objection to processing, the right to be forgotten, and much more. 

“My AI” fine: the UK Information Commissioner has issued a preliminary enforcement notice against Snap and its generative AI chatbot “My AI”. The investigation provisionally found Snap failed to adequately identify and assess the risks to several million ‘My AI’ users in the UK including children aged 13 to 17. If a final enforcement notice were to be adopted, Snap may be required to stop processing data in connection with ‘My AI’. Snap launched the ‘My AI’ feature for UK Snapchat+ subscribers in February, with a rollout to its wider Snapchat user base in the UK in April. The chatbot feature, powered by OpenAI’s GPT technology, marked the first example of generative AI embedded into a major messaging platform in the UK. As of May Snapchat had 21 million monthly active users in the UK.

Employee geolocation data: The Italian data protection authority fined Shardana Working 20,000 euros following a complaint by three individuals employed by the company. The company is responsible for reading gas, electricity and water meters. The three workers, to verify the correctness of their pay slips, had asked the company to provide the information used to process mileage reimbursements and the monthly hourly salary, as well as the procedure for establishing the compensation due.

In particular, they had asked to know the data collected through the company smartphone on which a geolocation system had been installed which allowed workers to identify the route to take to reach the meters. The regulator found that Shardana Working had not adequately informed the employees of the data processed through the GPS installed on their smartphones. Even if the company deemed that it could not fully respond to the employees’ requests, it should have at least indicated the specific reasons why it could not comply with the access requests. 

Dismissal based on geotracking: A similar instance occurred recently in France, according to the Ius Laboris legal blog. The highest civil court in France has intervened in an employee discharge based on geolocation data from his work car.  An employee of an equipment rental firm was fired for making unnecessary trips. The geolocation process had been declared to the French Data Protection Agency CNIL to locate employee vehicles and ensure the safety of goods and people on site. The employee had been informed of this. The Supreme Court, on the other hand, held that the trial judge should have evaluated whether the company’s geolocation system was also intended, as stated to the regulator, to monitor the employee’s professional activities and working hours, and if the employee had been told about such a purpose. 

Electronic ticketing: The Greek data protection authority carried out an extraordinary on-site inspection at the Athens Urban Transport Organization, (OASA), examining the protection of personal data processed in the framework of the automatic fee collection system, a system also referred to by the term “electronic ticket”. A total fine of 50,000 euros and a compliance order referred to the determination of the data retention times for the various processing purposes, (of 20 years), the anonymity of travel card holders and their movements, (eg, of employment categories), and a review of the personal data impact assessment and other documentation, (not available at the time of the audit). 

Big Data

Biometric surveillance: According to The Guardian, dozens of cross-party MPs and privacy campaigners in the UK have joined a campaign calling for an “immediate stop” to the use of live face recognition monitoring by police and commercial companies. Live face recognition has lately been used by British police at large-scale public events such as King Charles’ coronation. The announcement follows the policing minister’s announcement of government intentions to make UK passport images searchable by police: to link data from the police national database, the Passport Office, and other national databases to allow officers to identify a match with the “click of a button.” 

Google user data:  Google will give users in the EU better choice as to how Google processes their data according to commitments undertaken by the company. This is the result of proceedings conducted by the Bundeskartellamt, (German Federal Cartel Office), based on the new instrument under competition law, which allows intervention when competition is threatened by large digital companies. Commitments concern situations where the company would like to combine personal data from one Google service with personal data from other Google or non-Google sources or cross-use these data in Google services that are provided separately. 

Such an obligation already results from the new Digital Markets Act.  Relevant core platform services listed in the Commission’s designation decision are thus not covered by the commitments, (Google Shopping, Google Play, Google Maps, Google Search, YouTube, Google Android, Google Chrome and Google’s online advertising services). However, Google’s commitments provided to the Cartel Office do concern data processing across services involving more than 25 other services (including Gmail, Google News, Assistant, Contacts and Google TV).

The post Data protection digest 2 – 17 October 2023: DPOs duties and methodology should be clarified – latest study appeared first on TechGDPR.

Legal processes: personal data breaches, EU Commission’s data transfers, non-implementation of the GDPR by a country, US-UK data access, targeted ads

In Poland, an administrative court upheld the decision of the personal data protection office UODO on the fine imposed on Bank Millennium. A personal data breach occurred as a result of the loss of bank correspondence including client names, surnames, registration address, bank account numbers, etc. by courier services. The UODO learned about the incident from a complaint against the bank. The controller decided there was a medium risk of negative consequences for the persons affected by the breaches, so did not report the breach to the supervisory authority and did not fully comply with the obligation to notify the data subjects. 

In its decision the court clarified that a breach of personal data is not only when personal data has been read by an unauthorized person, but also when the data controller cannot exclude such a situation due to the lack of information in this regard. According to the court, the supervisory authority also correctly recognised that the bank is the controller of the personal data concerned by the breach. It was the bank, and not the postal operator, that defined the purposes and methods of data processing. However it is true that postal operators or courier service providers are controllers, but only for the data needed for correct delivery.

The European Commission urged Slovenia to fulfil its obligations under the GDPR, as well as make it possible for its data protection authority to use all the corrective powers under the legislation. The Commission considers that Slovenia has failed to fulfil its obligations stemming from the GDPR due to its persistent failure to reform its pre-GDPR national data protection framework. Slovenia now has two months to reply to the Commission’s reasoned opinion. If the reply is not satisfactory, the Commission may decide to bring this matter before the Court of Justice of the European Union. 

Conversely, according to the euractiv.com news website, the Commission may face a lawsuit for violating its own data protection rules when transferring EU users’ personal data from one of its websites to the US. Reportedly, the action was initiated by a German citizen with regard to the Conference of the Future of Europe’s website, meant to engage EU citizens in deciding the future of the bloc and its member states. Amazon Web Services hosts the website, hence when registering for the event, personal data such as the IP address is transferred to the US. Moreover, the Commission’s website also allows users to log in via their Facebook account, which is US-based media too and faces an investigation by the Irish data regulator on similar allegations. In parallel, a complaint was filed before the European Data Protection Supervisor that has jurisdiction over the application of the data protection rules by EU institutions. However, the EDPS has put investigations on hold because a lawsuit is pending and the decision might take up to 18 months. 

The US-UK Data Access Agreement will go into effect in October, according to the joint statement shared by the US Justice department. It will be the first agreement of its kind, allowing each country’s investigators to gain better access to vital data to combat serious crime. Namely, it will allow information and evidence that is held by service providers and big tech companies related to the prevention, detection, investigation or prosecution of serious crime to be accessed more quickly than ever before. This will help, for example, the law enforcement agencies gain more effective access to the evidence they need to bring offenders to justice, including terrorists and child abuse offenders, thereby preventing further victims.

According to Privacy International the UK Department for Culture, Media and Sport (DCMS) recently ran a consultation to review the regulatory framework for paid-for online advertising. The aim according to DCMS is “to tackle the evident lack of transparency and accountability across the whole supply chain.” While PI agrees with the rationale for intervention, as a starting point it would like to see existing regulation, (such as the UK GDPR), be properly and regularly enforced. PI would rather resources were focused on enforcing existing data protection standards, and as a result that more investigations be opened into intermediaries and platforms such as data brokers, data suppliers, data management platforms, and measurement and verification providers, third-party software development kits etc. The risks to privacy do not stem from ad targeting alone, or the content of adverts. There are many steps in the process before adverts are served in a targeted manner:

• Data collection, (hidden means such as trackers placed on the websites you visit)
• Profiling, (dividing users into small groups or “segments” based on previous online behaviour)
• Personalisation, (designing personalised content for each segment), and
• Targeting, (delivering tailor-made, targeted messages)

Through each of these stages the users still have very little understanding on where that data came from, or by who and for what profiling is used, or the level of detail of profiling practices, etc. PI concludes it is impossible to address the problem without tackling the whole supply chain, (eg, real time bidding technology), and creating accountability at each stage.

Official guidance: smart video devices, geographical indications for EU producers

The French privacy regulator CNIL has published its position on the conditions for the deployment of smart video devices in places open to the public, (excluding offices, warehouses, and domestic use). For several years, says CNIL, new types of cameras equipped with artificial intelligence software have been evolving. The CNIL’s position concerns “augmented” video devices that differ from biometric recognition devices such as facial recognition devices. Two criteria make it possible to distinguish these devices:

• the nature of the data processed: physical, physiological or behavioural characteristics;
• the purpose of the device: to uniquely identify or authenticate a person.

A biometric recognition device will always combine these two criteria while an “augmented” camera will not meet any, (eg, an “augmented” camera that films the street to classify the different uses: cars, bicycles, etc.), or only one of the two, (eg, an “augmented” camera that detects fights in a crowd). This distinction has legal consequences: biometric recognition devices involve the processing of so-called “sensitive” data which are, in principle, prohibited by the GDPR, with some exceptions. 

The CNIL considers that any actor who wishes to deploy an “augmented” video device will have to rely on a legal basis determined on a case-by-case basis. While none is excluded or privileged in principle, the legal basis of “legitimate interest” must not lead to a manifest imbalance between the interests pursued by the user of an “augmented” video device and the reasonable expectations of individuals, (eg, a store that analyses the mood of customers to display them appropriate advertisements). More generally from the outset it is necessary to demonstrate proportionality, (that is to say, the conditions for implementing the device in relation to the objectives pursued), of the envisaged device. Even the police are not authorised by law to connect automatic analysis devices to video protection cameras to detect conduct contrary to public order or offences, says the CNIL. 

As such, effective data protection and privacy by design mechanisms must be implemented to help reduce the risks to data subjects. Strong safeguards include, for example, the integration of measures allowing the almost immediate deletion of source images or the production of anonymous information. Finally the CNIL states that people generally cannot oppose the analysis of their images, for example, when the algorithms do not keep the images, or that the conditions for exercising this right are not practicable, (marking one’s opposition requires pressing a button, making a particular gesture in front of a camera, etc). You can read the full opinion by the CNIL, (in French), here. 

The EDPS meanwhile published an opinion on protecting the personal data of EU foodstuff producers. While supporting the proposal for a regulation on geographical indications for wine, spirits, agricultural products, and quality schemes for agricultural products, the EDPS recommends that a number of measures related to the processing of personal data are clarified and added:

• explicitly indicating the role of the European Union Intellectual Property Office as joint controller together with the European Commission;
• identifying in the proposal itself the different categories of personal data to be included in the supporting documentation accompanying the applications for registration, oppositions and official comments, extracts from the Union register and the single document;
• indicating in which circumstances and/or conditions it is necessary to make which categories of personal data publicly available and clearly define for which objectives;
• assessing whether it would be appropriate to put in place a procedure whereby only individuals who demonstrate a legitimate interest have access to additional categories of personal data, such as contact details;
• the chosen data retention period for the documentation related to the cancellation of geographical indications should be further justified or reduced.

Enforcement actions: passwords in clear text, wrongful emails, membership and consent, web hosting, vehicle geolocation, healthcare data, Google Workspace

The Danish data protection authority Datatilsynet expresses serious criticism of Salling Group for having stored a number of customers’ passwords in clear text format in a log file from one of the grocery group’s websites. The error persisted for more than a year. Salling Group uses a common login – Salling Group profile – so that the username and password can be used on all the services where the Salling Group profile provides access. In 2021, Salling Group implemented a monitoring tool to register incidents and events. Due to a human error, the customers’ passwords were not encrypted before they were stored in the system’s log file when the customers logged in to the website. 

As a result, up to 146 internal users in the Salling Group were given technical access to read both usernames and passwords for a number of customers who had logged in on the website. If this access had been used, it would have been possible to gain access to the name, address, email address, telephone number, masked payment card information and purchase history of a number of Salling Group’s customers. The regulator also ordered the company to notify the customers whose passwords have been stored unencrypted in the log for the monitoring tool. 

In a separate ruling Datatilsynet also assessed the benefits of membership, (of Magasin’s customer club Goodie), in return for giving consent to marketing. The consumer will not be prevented from buying certain products/services simply because consent is not given – they will simply have to pay regular prices and the general discounts that apply at Magasin. In other words, it is voluntary whether a customer gives marketing consent in exchange for benefits or buys products/services on normal market terms. Members can revoke their consent to marketing at any time, with the consequence that membership of a customer club ends. There are no costs associated with revoking consent, and in connection with registration for the customer club, it is clearly stated that revoking consent results in the termination of membership. On this basis, the Danish regulator found that Magasin’s processing of personal data had taken place in accordance with data protection regulations. The full decision, (in Danish), is available here.

The Spanish privacy regulator AEPD fined DKV Seguros y Reaseguros, (health insurance for individuals), 220,000 euros for confidentiality and security violations, (Art 5, 32, 33 GDPR), Data Guidance reports. According to the individual plaintiff, they received dozens of emails with medical clearances of unknown individuals from the company, including the individuals’ names, surnames, and test data, from 2020-2021. Further, the AEPD specified that the plaintiff had repeatedly brought the situation to the attention of DKV Seguros y Reaseguros, but they did not act until receiving notice from a regulator. The investigation found out that:  .

• the company’s technical and organisational security measures were inadequate, taking into consideration that the data in question was of a sensitive nature; 
• the company had failed to notify the AEPD that it had suffered a personal data security breach since it had become aware of it back in 2020. 

However, the AEPD noted that due to an admission of guilt and a voluntary payment on the part of the defendant, the fine was reduced by 20%.

Meanwhile the Berlin data protection commissioner is examining data processing contracts between web hosting providers and their customers. Many organisations operate their websites or online shops via an third-party service provider. As a rule, related data processing takes place on behalf of the responsible party, the site operator. This means that the web hoster is technically a processor and a specific contract needs to be signed. In order to support responsible parties and prevent them from future sanction and enforcement actions, the Berlin data protection commissioner is examining the agreements of selected large web hosters the area. Many organisations in Berlin have complained about standard form contracts offered by web hosting companies, who are not willing to change them. Thus, the regulator encourages all IT service providers to check their standard contracts independently and to adapt them to the law.

The HIPAA journal has published the latest statistics on healthcare data breaches in the US.  Reportedly, there were 31 reported breaches of 10,000 or more healthcare records in June – the same number as in May 2022  – two of which, (the Texas Tech University Health Sciences Center and Baptist Medical Center), affected more than 1.2 million individuals. Healthcare providers were the worst affected HIPAA-covered entities, along with business associates. Several healthcare providers submitted breach reports in June 2022 due to a ransomware attack on HIPAA business associate, Eye Care Leaders. At least 37 healthcare providers are now known to have been affected by that ransomware attack and more than 3 million records are known to have been exposed in the attack. 

The French CNIL has imposed a penalty of 175,000 euros against the company UBEEQO International, (short vehicle rentals), for having disproportionately infringed the privacy of its customers by geolocating them almost permanently. The checks covered in particular the data collected, the retention periods defined, the information provided to individuals and the security measures implemented. The CNIL found in particular that, during the rental of a vehicle by an individual, the company collected data relating to the geolocation of the rented vehicle every 500 meters when the vehicle was in motion, when the engine was turned on and off or when the doors opened and closed. In addition, the company kept a history of some of the collected geolocation data for an excessive period of time. The company argued that vehicle geolocation data was collected for different reasons:

• ensure the maintenance and performance of the service, (eg, check that the vehicle is in the right place, monitor the state of the fleet);
• find the vehicle in case of theft;
• assist customers in the event of an accident.

The CNIL considers that none of these purposes justifies a collection of geolocation data as fine as that carried out by the company. Such a practice is indeed very intrusive in the privacy of users insofar as it is likely to reveal their movements, their places of frequentation or all the stops made during a route.

Finally, the Danish data protection agency has made a final decision in the case concerning the use of Google Chromebooks in Elsinore municipality, EDPB reports. Last year the municipality of Elsinore was ordered to make a risk assessment of the municipality’s processing of personal data in the primary school using Google Chromebooks and Workspace. Based on the documentation and assessment of the risk for the data subjects which the municipality has prepared, the regulator has now found that the processing does not meet the requirements of the GDPR on several points. The municipality as controller has not assessed some specific risks in relation to the data processor construction as to the processing activities the controller is allowed to do as a public authority. In addition, the data processor agreement states that information can be transferred to third countries in situations for technical support without the required level of security and protection. The regulator has now made a new decision. It contains, among other things:

• A suspension of the municipality of Elsinore’s data processing where information is transferred to third countries without the necessary level of protection.
• A general ban on processing of personal data with Google Workspace until adequate documentation and impact assessment has been carried out and until the processing operations have been brought into line with the GDPR.  

Many of the specific conclusions in this decision probably will apply to other Danish municipalities that use the same data processor setup as Elsinore. 

Data security: private correspondence for a government

The UK Information Commissioner called for a government review into the systemic risks and areas for improvement around the use of private correspondence channels – including private email, WhatsApp and other similar messaging apps. The investigation found that the lack of clear controls and the rapid increase in the use of messaging apps and technologies had the potential to lead to important information around the government’s response to the pandemic being lost or insecurely handled. 

An example of this included some protectively marked information being located in non-corporate or private accounts outside of the Department of Health and Social Care’s official systems. This information, stored on outside servers, betrays an oversight in the consideration of storage and retention of information and the associated risks this could bring. Although the use of private channels brought some real operational benefits at a time in which the UK was facing exceptional pressures throughout the COVID-19 pandemic, it is of concern that such practices continued without any review of their appropriateness or the risks they present.

Big Tech: Microsoft cloud for governments, DiDi Global privacy fine, UBER massive data breach

Microsoft is beefing up its cloud offer, in partnership with Italy’s Leonardo and Belgium’s Proximus, by launching a public cloud to service government customers. Dubbed the “Cloud  for Sovereignty” Microsoft says it will offer greater control over data, be cheaper, and be closer to developing technology. Rivals Amazon and Google are doing good cloud business in the US and elsewhere, but the EU’s privacy watchdog is currently checking to see if private cloud operators are doing enough to ensure the safety of public data.

Chinese ride-hailing service DiDi Global has been hit with a billion-dollar fine by the national cybersecurity regulator for going public on the NYSE before a Chinese probe into the company’s data practices had been completed. The probe found user data had been illegally collected for years, and that DiDi had endangered national cybersecurity with their data processing methods. The inquiry forced the New York delisting of the company, which says it will review and change its practices.

Uber has admitted to failing to report a massive 2016 data breach and covering it up from regulators for a year as part of a Non-Prosecution agreement in the ongoing federal criminal case in California; Data from over fifty million users was stolen, but the company points to a complete overhaul of data protection and privacy and change of top management since then. The company also fully co-operated with prosecutors. Uber has already paid out nearly 150 million dollars in all 50 US states in civil litigation related to the breach, Reuters reports.

The post Weekly digest 18 – 24 July 2022: personal data breaches, web hosting, targeted ads, smart video devices, geolocation & privacy appeared first on TechGDPR.