Google Analytics Archives - TechGDPR
https://techgdpr.com/blog/tag/google-analytics/ (feed retrieved Fri, 31 Oct 2025 17:10:51 +0000)

Data protection digest 4-18 Oct 2025: Transparency the GDPR’s 2026 enforcement goal, and the Experian case as a model NOT to follow
https://techgdpr.com/blog/data-protection-digest-20102025-transparency-the-gdprs-2026-enforcement-goal-and-the-experian-case-as-a-model-not-to-follow/
Mon, 20 Oct 2025 10:12:00 +0000

Transparency and information obligation under GDPR

The European Data Protection Board (EDPB) announced the topic for Coordinated Enforcement Action 2026 on transparency and information obligations. Articles 12, 13, and 14 of the GDPR require that individuals be informed when their personal data is processed, ensuring transparency and enabling greater control over personal information. Participating data protection authorities will join this action voluntarily in the coming weeks, with enforcement activities scheduled to launch during 2026. 

Experian credit checks fine

As a background example of the transparency obligations described above, the Dutch data protection authority AP last week imposed a 2.7 million euro fine on Experian Nederland. Experian provided credit ratings on individuals to its customers until 2025. The company collected data on factors such as negative payment behavior, outstanding debts, and bankruptcies. The AP found that Experian violated the GDPR by improperly using personal data and by failing to adequately inform individuals about this.

Experian created credit reports on individuals at the request of clients such as telecom companies, online retailers, and landlords. People started contacting the AP after they could no longer pay installments or because they suddenly had to pay a high deposit when switching energy suppliers. Only afterward did it become clear that this could be due to Experian’s credit scores. Because people weren’t aware of the credit check, they couldn’t check in time whether the information was accurate. Experian collected data about people from various sources, both public and private, and failed to adequately explain why this data collection was necessary.

Experian acknowledged violating the law and will not appeal the fine. It has ceased operations in the Netherlands and will delete the database containing all personal data.


More legal updates

DMA and GDPR: The EDPB and the European Commission endorsed joint guidelines on the interplay between the Digital Markets Act (DMA) and the GDPR. The DMA and the GDPR both protect individuals in the digital landscape, but their goals are complementary as they address interconnected challenges: individual rights and privacy in the case of the GDPR and fairness and contestability of digital markets under the DMA. However, several activities regulated by the DMA entail the processing of personal data by gatekeepers and refer to definitions and concepts included in the GDPR (eg, on how to lawfully combine or cross-use personal data in core platform services). 

Italy’s new AI law: On 10 October, the Italian law on Provisions and Delegation to Government on Artificial Intelligence, including an age verification requirement, entered into force. It is the first comprehensive legislation adopted by an individual EU member state on the research, testing, development, adoption, and application of AI systems and models, with a human-centric approach. The government has appointed the Agency for Digital Italy and the National Cybersecurity Agency to enforce the legislation, which received its final approval in parliament after a year of debate. The law even provides for prison terms for those who manipulate technology to cause harm, for example by generating deepfakes.

US Bulk Data: The US Department of Justice’s Sensitive Data Bulk Transfer Rule is in effect as of October 6, the JD Supra law blog reports. This means that if your organisation transfers US sensitive data (from demographic data to cookie data) in volumes that hit the bulk thresholds, you need to develop and implement a compliance program, either as a stand-alone program or as part of your existing compliance program (through due diligence and audit procedures).

Electronic patient files

In Germany, the electronic patient record (ePA) for everyone has been tested in model regions since January 2025. Since 29 April, it has been available for use nationwide by practices, hospitals, and pharmacies, among others. As of 1 October, it is generally mandatory for practices and other medical facilities to fill out the records. At the same time, the information (eg, on ongoing or further treatment) can only be included in the ePA for everyone if the insured person has not fundamentally objected to this with their health insurance provider.

Finally, special consent requirements apply to information from genetic testing for diagnostic purposes, as well as to the records of children and adolescents.

California privacy updates

At the end of September, California finalised regulations to strengthen consumer privacy that go into effect on 1 January 2026. However, businesses have additional time to comply with some of the new requirements, namely cybersecurity audits, risk assessments, and requirements for automated decision-making technologies, as well as updates to existing CCPA regulations. The final regulations and supporting materials will be posted on the regulator’s website as soon as they are processed.

ISO/IEC 27701

On 14 October, ISO released ISO/IEC 27701:2025, the latest version of the global Privacy Information Management System (PIMS) standard. For the first time, ISO/IEC 27701 is now a standalone standard, no longer just an extension of ISO/IEC 27001. The standard is designed for personally identifiable information (PII) controllers and processors, who hold responsibility and accountability for processing PII to:

  •  Strengthen data privacy and protection capabilities
  •  Help demonstrate compliance with global privacy regulations such as the GDPR
  •  Support trust-building with partners, clients and regulators
  •  Align with existing ISO/IEC 27001 systems to streamline implementation
  •  Facilitate accountability and evidence-based privacy management

Cookie updated guidance

The Swiss FDPIC published an updated version of its cookie guidelines, which contains specific clarifications and additions intended to improve the comprehensibility of the text and clarify practical issues. In particular, the FDPIC found it useful to clarify why the use of cookies for the purpose of delivering personalised advertising may require the consent of the data subjects. This is the case when the website operator provides third parties with access to visitors’ personal information in return for payment by integrating third-party cookies or similar technologies, and these third parties are embedded in several websites. As the latter are enabled to carry out high-risk profiling, this constitutes a particularly intensive intrusion into the privacy of the data subjects.

AI systems development guidance

In Germany, the Data Protection Conference (DSK) has published guidance on AI systems with Retrieval Augmented Generation (RAG). It provides legal and technical information on how to harness the potential of such AI systems while reducing the risks for those affected. RAG is an AI technique that augments large language models with targeted access to company or government agency knowledge sources in order to deliver context-specific answers.

Typical application examples include in-house chatbots that access current business data and scientific assistance systems that leverage research databases.

Thus, RAG use must be designed in compliance with data protection by design and by default. Controllers must ensure transparency, purpose limitation, and the protection of data subjects’ rights at all times. Controllers wishing to implement such RAG systems must conduct data protection assessments of the various processing operations on a case-by-case basis and always keep their technical and organisational measures up to date. 

More from supervisory authorities

Union membership: The Latvian data protection authority DVI explains whether an employer needs to know about a worker’s union membership. The answer is that the employer cannot simply request such information from the employee whenever it wishes. The most appropriate justification for processing such data is when the employer’s right to do so is established by law; however, there is also the possibility of obtaining the employee’s consent, or of learning the information because the employee has disclosed it themselves.

Such a question should not be asked during a job interview, when drawing up an employment contract or during an employment relationship, as long as the employer does not intend to terminate the employment relationship with the employee in question. If an employee is to be dismissed, asking about union membership is important because union members may have special protections, such as the need to obtain the union’s consent to termination. 

Commercial robocalls: The DVI also explains what a company should consider if it wants to use commercial robocalls. The regulatory framework stipulates that the use of automated calling systems, which operate without human intervention for the purpose of sending commercial communications, is permitted only if the recipient of the service has given their prior free and explicit consent. Thus, sending commercial communications in this way is lawful only if the person concerned has previously (before making the call) given their free and explicit consent to be disturbed by automated calling devices. 

Google Analytics fine confirmed by court

In 2023, Sweden’s data protection authority IMY decided, after an inspection, that Tele2 (a mobile network provider) must pay a penalty fee of SEK 12 million for violating the GDPR. The Court of Appeal has now ruled in favor of IMY. The violation concerned the fact that the company, in connection with its use of Google Analytics, transferred personal data to the US without adequate protection.

IMY assessed that the data transferred to the US via Google’s statistical tool was personal data, since it could be linked with other data that Google had access to, enabling Google to distinguish and identify specific persons.

Minors’ data in the EU

On 16 October, the European Parliament’s Committee on the Internal Market and Consumer Protection adopted its report on the Protection of minors online. The report calls for an EU-wide digital minimum age of 16 for accessing social media, video-sharing platforms and AI companions without parental consent, and a minimum age of 13 for any social media use. It urges the European Commission to strengthen enforcement of the Digital Services Act and to swiftly adopt guidelines on measures ensuring a high level of privacy, safety, and security for minors. The Parliament is expected to vote on the final recommendations during the November plenary session.

Microsoft use of children data

The Austrian data protection authority ruled on a complaint regarding Microsoft’s handling of children’s data under the GDPR. It found that the Federal High School and the Federal Ministry for Education, acting as joint controllers, violated the complainant’s right of access and right to be informed. They failed to provide complete and timely information on the data processed through Microsoft Education 365 (content, log, and cookie data), including cookies and third-party data transfers. Microsoft was also found to have infringed the complainant’s right of access by not providing complete information on cookie data, its own processing purposes, and transfers to third parties such as LinkedIn, OpenAI, and Xandr, digitalpolicyalert.org reports.

Doping scandals and personal data

A CJEU Advocate General has delivered an opinion on the publication of the names of professional athletes who have infringed anti-doping rules. In the related case in Austria, the four athletes concerned submit that the publication contravenes the GDPR. Such publication is provided for by law. It aims, first, to deter athletes from committing infringements of the anti-doping rules and thus to prevent doping in sport.

Second, it aims to prevent circumvention of the anti-doping rules by informing all persons likely to sponsor or engage the athlete in question that he or she is suspended. In that context, the Austrian court asked the Court of Justice to interpret the GDPR. The first opinion was that such practice is contrary to EU law. The principle of proportionality requires account to be taken of the specific circumstances of each individual case. In the Advocate General’s view, publishing the relevant name, but limited to the relevant bodies and sports federations, accompanied, for example, by pseudonymised publication on the internet, would make it possible to achieve both those objectives.

In other news

Clearview AI fine confirmed: On 7 October, the UK Upper Tribunal confirmed that Clearview AI’s facial recognition business is subject to the EU and UK GDPRs. Clearview had argued that its scraping of billions of online images to produce facial recognition services for sale to foreign law enforcement agencies placed it outside of GDPR’s material and territorial scope. The tribunal rejected the claim and made it clear that Clearview’s activities involve ‘behavioural monitoring’. Clearview sought a narrow interpretation of the GDPR, but the tribunal rightly adopted a broader one that clearly encompasses automated processing.

This decision follows the Information Commissioner’s and Privacy International’s appeal against a 2023 First Tier Tribunal ruling that had quashed Clearview’s 7,552,800 pound fine. Clearview trawls through sites like Instagram, YouTube and Facebook, as well as personal blogs and professional websites. It uses facial recognition technology to extract the unique features of people’s faces, effectively building a gigantic biometrics database. Clearview has previously been found to be in breach of the GDPR in France, Italy, Austria and Greece, resulting in fines totalling 65,200,000 euros.

Meta AI bots: The Guardian reports that parents will be able to block their children’s interactions with Meta’s AI character chatbots. The social media company is adding new safeguards to its “teen accounts”, which are a default setting for under-18 users, by letting parents turn off their children’s chats with AI characters. These chatbots, which are created by users, are available on Facebook, Instagram and the Meta AI app. Parents will also be able to block specific AI characters and get “insights” into the topics their children are chatting about with AI. Meta said the changes would be rolled out early next year, initially to the US, UK, Canada and Australia. 

In case you missed it

AI for everyday tasks: As more and more companies use their users’ personal data to train AI models, the French data protection regulator CNIL explains how to object to this on the main platforms. The practical cases include: Google – Gemini, Meta – Meta AI, OpenAI – ChatGPT, Microsoft – Copilot, X – Grok, DeepSeek, Mistral – Le Chat, Anthropic – Claude, and LinkedIn.

‘Self-aware’ AI: Guernsey’s data protection authority, meanwhile, has published its observations on how AI has formed the basis of a number of companion apps and the creation of numerous digital friends and partners. It is important for all of us to remember, personally and professionally, that such products are not ‘living beings’, even as more and more news stories emerge of tragic outcomes in which a digital companion played a part. Individuals have the right not to be subject to the automated decision making that is at the core of such products without appropriate safeguards being in place. Organisations functioning as data controllers remain responsible for any decisions the AI makes or advice it provides to people.

Data protection & privacy digest 13 – 26 Sept 2022: Google Analytics clash, caller identification, commercial practices & GDPR
https://techgdpr.com/blog/data-protection-digest-27092022-google-analytics-clash-caller-identification-commercial-practices/
Tue, 27 Sep 2022 08:06:46 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: Google Analytics, risk assessment tool, work monitoring, privacy policy check-list, machine learning, APIs

The Danish data protection authority, following several other European counterparts’ decisions, concludes that the Google Analytics tool cannot be used legally without implementing several additional measures (e.g. effective pseudonymisation by routing traffic through proxy servers) on top of the settings provided by Google.

The Spanish privacy regulator AEPD launched an online tool that helps assess the level of risk of personal data processing. The tool allows an initial, non-exhaustive evaluation to be carried out, which, where appropriate, must be adjusted by each controller to determine an accurate risk level for the processing.

The Latvian data protection authority DVI issued two guides (in Latvian only) on online tools used to organise remote work meetings and on video surveillance of employees performing their work duties. The organisation must determine exactly why data processing during online meetings or in the workspace is necessary. The purpose of data processing must be defined precisely and realistically, and must rest on one of the legal bases in the GDPR. A privacy notice is to be made available before data processing starts. If the organisation has a data protection specialist, they must be consulted for advice on carrying out the planned processing more appropriately.

Jersey’s privacy regulator has tried to demystify Art. 12 of the GDPR, the obligation to inform. It concludes that the most direct way to communicate with your data subjects is through clearly written statements. For the best transparency when constructing a robust privacy policy, see the regulator’s privacy policy checklist.

The use of application programming interfaces (APIs) to share personal data can promote better data protection. The French regulator CNIL launched a draft recommendation on the technical and organisational measures to be applied. It aims to identify the cases in which an API is recommended to securely share personal data or anonymised information, and to disseminate best practices regarding their implementation and use. Data sharing here means the ability of identified reusers or the public to retrieve data held by an organisation, or the ability of data holders to transmit data for reuse by others.

The EDPS explains 10 misunderstandings about Machine Learning. ML systems adapt autonomously to the patterns found among the variables in the given dataset, creating correlations. Once trained, these systems will use the patterns learned to produce their output. Typically, the training of ML systems requires large amounts of data, depending on the complexity of the task to be solved. However, adding more training data to a machine learning model development process will not always improve the system’s performance. On the contrary, more data could bring more bias. 

Legal processes: general data retention ban, Europol database, sensitive data, digital health infrastructure, commercial practices

In Germany, the Federal commissioner for data protection welcomed the CJEU preliminary ruling that the country’s general, indiscriminate data retention (of IP addresses, traffic, and location data) violates EU law. The law may only be applied in circumstances where there is a serious threat to national security, defined under very strict terms, stated the top court. The retention law came into force after major attacks by Islamists in Europe and cost the country’s internet and telecom industries millions of euros.

The EDPS is taking legal action as the new Europol Regulation puts the rule of law and EDPS independence under threat. The regulator requested that the CJEU annul two provisions of the newly amended Europol Regulation (which came into force on 28 June 2022). These new provisions (articles 74a and 74b) have retroactively legalised Europol’s practice of processing large volumes of individuals’ personal data with no established link to criminal activity. The EDPS notes that the co-legislators have decided to retroactively make this type of data processing legal, overriding the EDPS Order that requests Europol to delete the datasets concerned.

The privacy commissioner of Canada, along with his provincial and territorial counterparts, endorsed a resolution that encourages governments to implement a digital health communication infrastructure that would phase out the use of unencrypted email and fax communication in favour of more secure alternatives available to all Canadians. The pandemic has spurred rapid digital advancements in the delivery of services. At the same time, data breaches in the health sector continue, potentially leading to harm including discrimination, stigmatisation, and financial and psychological distress, the regulator states.

Meanwhile, US President Joe Biden has initiated a review of foreign investment for national security risks to sharpen focus, among other things, on threats to sensitive data. The executive order instructs the dedicated Committee to consider whether a “covered transaction involves a US business with access to US persons’ sensitive data and whether the foreign investor, for instance in biotechnology or AI, has, or the parties to whom the foreign investor has ties, have sought or had the ability to exploit such information.”  

A CJEU Advocate General suggests that a competition authority may consider the compatibility of a commercial practice with the GDPR. The non-binding opinion (ahead of the court’s ruling) refers to Meta’s antitrust probe in Germany. The competition watchdog prohibited the practice of requiring users first to accept general terms which led to cookie placement, further data sharing with group services (WhatsApp, Instagram), and linking the data to user accounts for advertising purposes. The freedom of consent given to a company in such a dominant position in the social media market is also an issue.

Investigations and enforcement actions: managing director as a DPO, Klarna bank, caller identification, data processing contract, image publication, legal professional privilege

The Berlin commissioner for data protection BlnBDI has imposed a 525,000 euro fine on a Berlin e-commerce group’s subsidiary due to a conflict of interest on the part of the company’s data protection officer. This person was at the same time the managing director of two service companies that processed data for the group. The DPO thus had to monitor compliance with data processing that he managed himself.

The Swedish privacy protection authority IMY, in cooperation with Germany and Austria, is investigating complaints about Klarna Bank making data rectification or objection to direct marketing difficult. For identification purposes, the complainants were asked to provide, via an unencrypted email service: their name, date of birth, e-mail address, postal address, invoice and purchase details, and sometimes their telephone number.

Vodafone Romania was fined 2000 euros after not checking compliance with the caller identification procedure, which allowed third parties to fraudulently purchase new phones on behalf of some of the operator’s customers. Also, third parties could access data from contracts concluded by customers and data from personal accounts, such as name, address, contact phone number, PUK code, the contact number of the account holder, the SIM ID of the original card, billing and debt details, and data traffic.

In Poland, a personal data breach was reported (and followed by an administrative fine) at a cultural center. The investigation found that the controller had entrusted another entity with processing (bookkeeping, financial and tax records, and document storage) without concluding a written contract. The controller did not verify the processor, did not check whether it provided appropriate technical and organisational measures, and did not have any documents confirming the verification of the terms of cooperation. Additionally, communication with the controller was ineffective.

The Spanish data protection authority AEPD fined a company (Digitecnia Solutions) for publishing on its website an image of a complainant to illustrate the work they were doing. The image did not show the complainant in full, but he could be seen in part. This, together with the fact that he appeared linked to Digitecnia, was information that made this person identifiable. All this constituted the processing of the claimant’s personal data, of which he was not aware.

The Isle of Man information commissioner issued an enforcement notice to Sentient International regarding the company’s refusal to comply with a data subject access request. Sentient decided to restrict the data subject’s right of access, believing that the right of access does not apply to data consisting of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings. The regulator clarified that the rule applies to some documents, but not to the personal data therein, such as communications that were not made for the dominant purpose of obtaining or providing legal advice. Also, legal professional privilege cannot be applied retrospectively.

Data security: data put online by hackers, SMEs, IoT, and ZTA in a mobile world

The French privacy regulator CNIL notes a clear increase in data breach notifications, nearly half resulting from ransomware attacks. In some cases, users’ personal data may be put online by hackers. If a violation concerns you, the responsible body must inform you as soon as possible. The CNIL is not able to tell you if a breach impacts your data. Some websites indicate that they hold the data and can tell you whether or not you are concerned. The CNIL advises against using them. 

The German federal office for information security has published a guide on cybersecurity for small and medium-sized enterprises. It offers SMEs an easy-to-understand introduction to improving their cyber security level because information security is the prerequisite for secure digitisation. It starts with the most important basics of IT security – briefly and concisely based on 14 questions. Among other things, it provides information on who is responsible for information security in the company, why patches and updates should be installed regularly, why an anti-virus program is necessary, and why data backup is so important.

Zero trust architecture (ZTA) is not a new concept, but there is renewed interest in implementing zero-trust principles for an organization’s mobile administrators, states the US NIST. Due to the pandemic, many employees have transitioned to remote/telework options. The portability of mobile devices makes it easier to respond promptly to emails, attend virtual meetings, and use special work apps from anywhere. In this new environment, mobile devices are now another endpoint connected to enterprise resources and can put the entire enterprise at risk if compromised or stolen.

The NIST IoT Cybersecurity Program also released two new documents:

Big Tech: Uber, Optus, and TAP cyberattacks, World Cup data analysis app

An Uber EXT contractor had their account compromised by an attacker. The attacker likely purchased the contractor’s Uber corporate password on the dark web after the contractor’s device had been infected with malware. The attacker then tried logging in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, the contractor accepted one, and the attacker successfully logged in. From there, the attacker accessed other employee accounts, which gave the attacker permission to use several tools, including G Suite and Slack.

Sensitive information about TAP Air Portugal’s customers also has been shared on the dark web after a cyberattack. The attackers were booted from the system but not before gaining access to sensitive data, including name, nationality, gender, date of birth, address, email, telephone contact, customer registration date, and frequent flyer number. It is unclear how long the hackers had access to the system. However, the airline has assured its passengers that the breach has not affected their flights. 

Australia’s major telecommunications company Optus experienced a cyberattack that leaked personal data of up to 10 million customers, in one of Australia’s biggest cybersecurity incidents. An offshore-based entity, possibly in Europe, had broken into the company’s customer information database, accessing home addresses, driver’s licenses, and passports. Stolen customer data and credentials may be sold through several forums including the dark web.

World Cup players to get FIFA data analysis app. Players at the finals will be able to browse their performance data on a purpose-built app developed by the governing body which allows footballers of all 32 teams access to analysis and information. The data will be synced with a video of the action to allow a quick assessment of key moments. While such data and metrics are widely available to players with the top clubs and national sides, who employ teams of analysts, the app will ensure teams with fewer resources compete on a level playing field, Reuters reports.

Weekly digest 20 – 26 June 2022: future US data privacy law, new ban on GA, ‘watched from home’ employees
https://techgdpr.com/blog/weekly-digest-27062022-future-us-data-privacy-law-new-ban-on-ga-watched-from-home-employees/
Mon, 27 Jun 2022 10:46:32 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: future US data privacy law, Canada’s Bill C-27

Last week the “American Data Privacy and Protection Act” was officially introduced to the US House of Representatives. The bill, if enacted by Congress, promises to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement. The future US data privacy law includes two key provisions: federal preemption over many state privacy laws and a private right of action. According to dataprotectionreport.com, it is the only bill currently under Congressional consideration that contains both of these components. The bill’s four titles draw upon many of the EU GDPR’s key principles:

  • Duty of loyalty (data minimization, privacy by design, loyalty to individuals with respect to pricing).
  • Consumer data rights (consumer awareness, transparency, individual data ownership and control, right to consent and object, data protections for children and minors, third-party collecting entities, civil rights and algorithms, data security and protection of covered data, small business protections, and unified opt-out mechanisms).
  • Corporate accountability (executive responsibility, service providers and third parties, technical compliance programs, approved compliance guidelines, digital content forgeries).
  • Enforcement, applicability, and miscellaneous (Enforcement by the Federal Trade Commission, by State Attorneys General, by individuals, relationship to Federal and State laws, COPPA, etc.).

Meanwhile in Canada, a new draft Digital Charter Implementation Act (Bill C-27) was introduced by the ministers of Industry and Justice. It would strengthen Canada’s existing legal framework for personal information protection in the private sector and introduce new rules related to artificial intelligence: 

  • the Consumer Privacy Protection Act, (CPPA), would repeal and replace the Personal Information Protection and Electronic Documents Act with a more robust framework in line with the General Data Protection Regulation;
  • the Personal Information and Data Protection Tribunal Act would establish an administrative tribunal for organizations and individuals to seek a review of Privacy Commissioner decisions, as well as impose administrative monetary penalties for certain violations of the CPPA; and
  • the Artificial Intelligence and Data Act would regulate the development and deployment of high-impact AI systems, establish an AI and Data Commissioner and outline criminal prohibitions and penalties for certain uses of AI.

Official guidance: proxy servers for US data transfers, advertising and address trading, health sector professionals

The French regulator CNIL has recently published a guide, (in French), on how to bring your audience measurement tool into compliance with the GDPR, with reference to the case of Google Analytics. In February 2022 the CNIL, after a process of cooperation with its European counterparts, issued formal notice to several organizations using Google Analytics because of their illegal data transfers to the US. Merely changing how the tool is configured to process the IP address is not enough, in particular because the address continues to be transferred to the US, says the CNIL. Another defence often put forward is the “encryption” of the identifier generated by Google Analytics, or replacing it with an identifier generated by the site operator. However, in practice, this provides little or no additional safeguard against possible re-identification of data subjects, mainly because Google continues to process the IP address.

However, the use of a correctly configured proxy can constitute an operational solution to limit the risks for people’s privacy, as it breaks the direct contact between the user’s terminal equipment and the measurement tool’s server. Beyond the case of Google Analytics, this type of solution can also make it possible to reconcile the use of other measurement tools with the GDPR rules on data transfers. The proxy server must also be hosted under conditions guaranteeing that the data it processes will not be transferred outside the EU/EEA to a country that does not have an adequacy decision. It will be up to the data controllers to analyse how to put the necessary measures in place if they wish to use this type of solution, and to verify that these measures are maintained over time, as products evolve.
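To make the proxy idea concrete, here is an added example (not code from the CNIL guide or from TechGDPR) of the core of such a proxy: the browser sends its measurement hit to a server the site operator hosts in the EU/EEA, and that server rebuilds the request before anything reaches the vendor, dropping the headers that carry the visitor’s IP address and the parameters that could re-identify them. The header and parameter names (`cid`, `page`, `ref`, `x-forwarded-for`, and so on) are this example’s own assumptions, not the CNIL’s checklist or any vendor’s protocol, and the sample hit is constructed.

```javascript
// Added example: the sanitising step of a first-party measurement proxy hosted in
// the EU/EEA. Not the CNIL's or any vendor's code; all names below are assumptions.

// Request headers that carry the client's IP address or network path; the proxy
// neither forwards them nor substitutes its own view of the client address.
const IP_BEARING_HEADERS = new Set([
  'x-forwarded-for', 'x-real-ip', 'forwarded', 'via', 'true-client-ip',
]);

// The only request headers the proxy passes through (allowlist, not denylist).
const ALLOWED_HEADERS = new Set(['content-type', 'accept']);

// Query parameters (assumed names) carrying cross-site or campaign identifiers.
const IDENTIFYING_PARAMS = new Set(['cid', 'uid', 'gclid', 'fbclid']);

// Query parameters (assumed names) whose value is a URL; only origin + path
// survive, so tokens embedded in the page URL or referrer do not travel on.
const URL_VALUED_PARAMS = new Set(['page', 'ref']);

function stripUrlValue(value) {
  try {
    const u = new URL(value);
    return u.origin + u.pathname;
  } catch {
    return null; // malformed URL: drop it rather than forward something unknown
  }
}

// Build the request the proxy would send to the vendor. `inbound` carries `path`
// (path + query as received from the browser) and `headers`. Returns the outbound
// path and headers plus a list of everything removed, for the operator's audit log.
function buildForwardedRequest(inbound) {
  const removed = [];
  const url = new URL(inbound.path, 'https://proxy.invalid'); // base only for parsing
  const query = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    if (IDENTIFYING_PARAMS.has(name)) { removed.push(`param:${name}`); continue; }
    if (URL_VALUED_PARAMS.has(name)) {
      const reduced = stripUrlValue(value);
      if (reduced === null) { removed.push(`param:${name}`); continue; }
      query.set(name, reduced);
      continue;
    }
    query.set(name, value);
  }
  const headers = {};
  for (const [name, value] of Object.entries(inbound.headers)) {
    const lower = name.toLowerCase();
    if (IP_BEARING_HEADERS.has(lower) || !ALLOWED_HEADERS.has(lower)) {
      removed.push(`header:${lower}`);
      continue;
    }
    headers[lower] = value;
  }
  const qs = query.toString();
  return { path: url.pathname + (qs ? `?${qs}` : ''), headers, removed };
}

// Last-line check the proxy runs before forwarding: true if anything that looks
// like an IPv4 or IPv6 address is still present in the outbound request.
const IP_PATTERN = /\b(?:\d{1,3}\.){3}\d{1,3}\b|(?:[0-9a-f]{0,4}:){2,7}[0-9a-f]{1,4}/i;
function leaksClientAddress(outbound) {
  const haystack = [outbound.path, ...Object.values(outbound.headers)].join('\n');
  return IP_PATTERN.test(haystack);
}

// Constructed sample hit, as the proxy might receive it from a visitor's browser.
const SAMPLE_HIT = {
  path: '/collect?v=1&t=pageview&cid=555.123'
    + '&page=https%3A%2F%2Fexample.org%2Farticle%3Ftoken%3Dabc'
    + '&ref=https%3A%2F%2Fsearch.example%2F%3Fq%3Dmy%2Bname&sr=1920x1080',
  headers: {
    'Content-Type': 'text/plain',
    'X-Forwarded-For': '203.0.113.7',
    'User-Agent': 'Mozilla/5.0 (constructed)',
    'Cookie': '_ga=GA1.2.555.123',
  },
};

const forwarded = buildForwardedRequest(SAMPLE_HIT);
console.log(forwarded.path, forwarded.headers, forwarded.removed, leaksClientAddress(forwarded));
```

The allowlist approach matters more than any single name in the lists: a proxy that forwards everything except a few known headers will leak the next identifier a browser or CDN adds. The `removed` list gives the controller the evidence it needs to show, over time, that the measures are still in effect as the tool evolves.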

The Berlin data protection authority published guidance on advertising and address trading, (in German). Advertising is relevant to data protection law whenever your personal data is used for advertising purposes. Examples are personally addressed advertising mail or e-mail advertising that is directed to e-mail addresses with personal references or addresses those affected by name. On the other hand, for example, direct mail in the mailbox that is not addressed personally or advertising inserts are not covered by data protection law. 

Address traders may collect personal data from business directories, commercial registers, telephone directories and other publications. As a precautionary measure, the regulator therefore generally recommends that consumers use their own data sparingly. When ordering online, they should also consider whether they are interested in advertising from the company and, if not, object to advertising when placing the order. The guidance also offers sample letters for exercising data subject rights: information about the data stored about the person, deletion of stored personal data, objection to the use of personal data stored for advertising purposes, and objection to the use of personal data stored by Deutsche Post.

And for those who can read Spanish, the AEPD has published a guide aimed at professionals in the health sector. The document addresses frequent issues such as the legitimacy to process health data, (beyond informed consent of the patient – ed.), who can access the clinical history and in what cases, the responsibility and obligations derived from this processing, as well as the management of the rights of patients or situations that may involve communication of data to third parties. To that end, the guide attempts to respond to the various situations that arise when health professionals provide their services in hospitals or clinics, indicating the criteria that allow one to identify, in each case, who is responsible for the processing of patients’ data and of the corresponding clinical histories.

Investigations and enforcement actions: sound recording, cookies, ban on GA in Italy, unauthorised disclosure and data storage

The Polish data protection regulator UODO fined the Warsaw Center for Intoxicated Persons some 2000 euros, related to the monitoring system it used. The center was accused of recording sound in the facility without legal basis. The administrator has confirmed that the system records both video and sound, and the purpose of the processing is, inter alia, exercising constant supervision over persons brought in to sober up to ensure their safety. The monitoring record covering all rooms, including audio and video signals, is kept for 30 to 60 days, except when the recording is secured as evidence in any pending proceedings. As the legal basis, the center indicated that the data processing is necessary to fulfill the legal obligation incumbent on the controller. In addition, the administrator referred to the regulations contained in the Act on Upbringing in Sobriety and Counteracting Alcoholism. 

In the opinion of the supervisory body, the legal provisions did not authorize the controller to process sound data as well as video. In this case, sound recording is a redundant activity, which is not justified by the provisions of both the GDPR and the Act on Upbringing in Sobriety and Counteracting Alcoholism. Finally, the fact that audio was recorded for such a long time means that the infringement may potentially affect a very large number of people. In the opinion of the UODO, recording the voices of people who are often intoxicated, making it impossible for them to consciously formulate their statements or control the sounds produced, is an excessive, pointless activity.

The Belgian data protection authority GBA imposed a fine of 50,000 euros on the Rossel press group for its management of cookies on the websites lesoir.be, sudinfo.be and sudpressedigital.be. The fine mainly relates to violations related to the required consent for the placement of non-essential cookies. This is the second decision taken by the GBA as part of its thematic research into the management of cookies on the most popular Belgian press sites. During its investigation in this area, the GBA identified several violations on the above sites:

  • several cookies were placed on the visitor’s device by these websites before the visitor’s consent,
  • analytical and social network cookies were placed on the basis of legitimate interest, not the user’s consent,
  • the cookie policy was incomplete and difficult to access,
  • further browsing was considered as a sign of the user’s consent, while consent can only be considered valid if it is the result of a clear and sufficiently specific, active action to confirm the acceptance of cookies,
  • the consent boxes for the placement of cookies by third parties were already pre-ticked. 

Moreover, when a user withdrew their consent, the procedure was ineffective.   
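The findings above translate into a handful of rules a consent banner has to enforce in code: nothing non-essential before consent, no “legitimate interest” in place of consent for analytics or social cookies, no consent inferred from further browsing, no pre-ticked boxes, and a withdrawal that actually removes cookies. The following added example (not the sites’ own code, nor part of the GBA decision) encodes those rules as a small consent gate; the cookie names and categories are constructed for illustration.

```javascript
// Added example: a minimal consent gate reflecting the rules in the GBA findings.
// Cookie names and categories are constructed; this is not the sites' own code.

const ESSENTIAL = 'essential';
const NON_ESSENTIAL = ['analytics', 'social', 'advertising'];

// Cookies the site would like to set, each tagged with its purpose (constructed).
const SITE_COOKIES = [
  { name: 'session_id', category: ESSENTIAL },
  { name: '_ga', category: 'analytics' },
  { name: 'fb_like_widget', category: 'social' },
  { name: 'ad_profile', category: 'advertising' },
];

// Initial banner state: every non-essential box unticked. Pre-ticked boxes are
// not consent, so there is nothing to "submit" until the visitor acts.
function defaultChoices() {
  return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
}

// A consent record as the banner produces it:
//   source:  'click' (visitor pressed a button), 'scroll' or 'navigate'
//            (further browsing), or 'default' (untouched defaults submitted)
//   basis:   'consent' or 'legitimate_interest'
//   choices: per-category booleans
// Returns the set of non-essential categories for which consent is valid.
function validConsentCategories(record) {
  // Only an active, specific action counts; browsing on or submitting
  // untouched defaults does not.
  if (record.source !== 'click') return new Set();
  // Legitimate interest does not replace consent for non-essential cookies.
  if (record.basis !== 'consent') return new Set();
  const granted = new Set();
  for (const cat of NON_ESSENTIAL) {
    if (record.choices[cat] === true) granted.add(cat);
  }
  return granted;
}

// Which cookies may be set right now, given the current record (null = none yet)?
function allowedCookies(record) {
  const granted = record ? validConsentCategories(record) : new Set();
  return SITE_COOKIES
    .filter((c) => c.category === ESSENTIAL || granted.has(c.category))
    .map((c) => c.name);
}

// Withdrawal must be effective, not merely recorded: return the new record and
// the cookies currently on the device that now have to be deleted.
function withdraw(presentCookieNames) {
  const after = { source: 'click', basis: 'consent', choices: defaultChoices(), withdrawn: true };
  const stillAllowed = new Set(allowedCookies(after));
  const toDelete = presentCookieNames.filter((n) => !stillAllowed.has(n));
  return { record: after, toDelete };
}

// Walk through the situations the GBA found on the sites (constructed records).
const firstVisit = allowedCookies(null);                                   // before any choice
const browsedOn = allowedCookies({ source: 'navigate', basis: 'consent',
  choices: { analytics: true, social: true, advertising: true } });        // "further browsing"
const legitimateInterest = allowedCookies({ source: 'click', basis: 'legitimate_interest',
  choices: { analytics: true, social: true, advertising: false } });
const explicit = allowedCookies({ source: 'click', basis: 'consent',
  choices: { analytics: true, social: false, advertising: false } });
const withdrawal = withdraw(['session_id', '_ga', 'fb_like_widget']);
console.log({ firstVisit, browsedOn, legitimateInterest, explicit, withdrawal });
```

The gate is deliberately conservative: any record that is not an explicit click on a consent basis yields the essential-only set, which is also what a fresh visitor gets. That single path covers three of the GBA’s findings at once, and `withdraw` returns a deletion list so that the fourth, an ineffective withdrawal procedure, cannot happen silently.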

The Italian data protection supervisor Garante ruled that a website using Google Analytics without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the US, which does not have adequate levels of data protection. The regulator came to this conclusion after a complex fact-finding exercise it started in close coordination with other EU data protection authorities, after receiving complaints.

In the case at hand, the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the US. Based on the above findings, the regulator adopted a decision, to be followed by additional ones, reprimanding Caffeina Media – a website operator – and ordering it to bring the processing into compliance with the GDPR within 90 days. If this is found not to be the case, suspension of the GA-related data flows to the US will be ordered. The Italian authority calls upon all controllers to verify the use of cookies and other tracking tools on their websites.

The Garante also recently imposed a fine of 2,500 euros on Isabella Gonzaga High School, for violations of Articles 5, 6, and 9 of the GDPR for unauthorised disclosure of a special category of data, Data Guidance reports. According to the complaint, the high school had published, in a special section dedicated to teachers in the electronic register, a document relating to the final timetable for the school year 2020-2021, containing a reference, next to the plaintiff’s name, to the benefits received by the same due to their disability. The regulator found that:

  • the document in question contained detailed information about personal and family events or information linked to the specific employment relationship of other teachers, (eg, maternity leave due to serious pregnancy complications), 
  • the restricted document had been published due to a human error to a very wide range of unauthorised persons, namely all of the plaintiff’s colleagues among the teaching staff.

The Danish data protection agency hit Gyldendal A/S with a fine of approx. 135,000 euros for storing information about 685,000 book club members for longer than necessary. Gyldendal kept the information in a so-called “passive database”. Information on some 395,000 of the former members had been intentionally retained for more than 10 years after they had resigned from the book clubs. Gyldendal had no procedures or guidelines for deleting information in the passive database. After the inspection visit, Gyldendal deleted all the information in the passive database and informed the regulator that, according to the company’s assessment, it would be necessary to store information about announced members for up to six years. Also, according to Gyldendal, only two employees had access to the passive database.

Big Tech: pregnancy-related data, coffee-shop location data, new ways to verify age, ‘watched from home’ employee monitoring

The US tech sector is bracing for the possibility of having to hand over pregnancy-related data to law enforcement, after the Supreme Court overturned women’s constitutional right to an abortion, Reuters reports. As state laws could limit abortion after the ruling, technology trade representatives reportedly fear police will obtain warrants for customers’ search history, geolocation and other information indicating plans to terminate a pregnancy. Prosecutors could access the same via a subpoena, too. In one example, Mississippi prosecutors charged a mother with second-degree murder of her new-born baby after her smartphone showed she had searched for abortion medication in her third trimester.

Canada’s provincial and federal regulators recently investigated privacy and data management practices of a well-known coffee shop and restaurant chain, DLA Piper reports. The complaint received alleged that the mobile app unlawfully collected a significant amount of personal information and location data at a very high frequency, even when it was not being used. This data was then processed by a third-party supplier based in the US. The data collected by the app, (either on its own or combined with other data), could be used to deduce a wealth of information about the individual, including some highly sensitive information such as home address, workplace, and travel habits. The business did not:

  • conduct a privacy impact assessment before launching its application,
  • adequately inform users of how the data would be collected before obtaining their consent,
  • obtain clear and detailed consent for such uses of data, 
  • clarify contractual obligations with the third party on the use of the data collected for its own purposes.

Privacy International investigated Office 365 and found features that can enable employers to access all communications and activities on Microsoft services. One of these features, the “Microsoft Office 365 Admin Center” can inform administrators about productivity and efficiency of employees within their company. Another source of far more granular employee information is the “Microsoft Teams Admin Center”, followed by “Audit” and “Content Search” features.  From there an administrator can select specific users and read individual metrics from each, including how long they spent on calls, how many messages they exchanged, how many group and 1-1 meetings they attended and more. These features can be operated without the employees’ knowledge and there seems to be a lack of transparency for users in terms of what data is collected and for what purpose, PI says: “This includes not only a list of pretty much most of the actions they take, but also the possibility to plainly access all the content being exchanged within the organisation and external communications through e-mail”. 

Finally, Instagram is to introduce new ways to verify age. In addition to providing an ID, people will now be able to ask others to vouch for their age or use technology that can confirm their age based on a video selfie. For that Meta is partnering with Yoti, a company that specializes in privacy-preserving ways to verify age. “If someone attempts to edit their date of birth on Instagram from under the age of 18 to 18 or over, we’ll require them to verify their age using one of three options: upload their ID, record a video selfie or ask mutual friends to verify their age (social vouching)”, says a company statement. Beyond testing the new menu of options to verify people’s ages, Meta also claims to be using AI to understand if someone is a teen or an adult. Read more in the original statement by the company.

Weekly digest March 14 – 20, 2022: smart contracts, AI bias, password managers & privacy https://techgdpr.com/blog/weekly-digest-21032022-smart-contracts-ai-bias-password-managers-and-privacy/ Mon, 21 Mar 2022 10:49:46 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: smart contracts, DPOs, AI risk management, GDPR cooperation

The Spanish data protection authority AEPD analyzed smart contracts. Smart contracts are algorithms that are stored in a blockchain and that execute automated decisions. The very nature of the smart contract, when applied to data of natural persons, falls within the scope defined by Art. 22 of the GDPR. This article gives the data subject the right not to be subject to decisions based solely on automated means, including profiling, when those decisions have legal effects on them or similarly significantly affect them, and the right to challenge such an automated decision. It also establishes three exceptions to this prohibition: explicit consent, the conclusion or performance of a contract between the data subject and a data controller, or the existence of an enabling law. In any of these cases, it is necessary to identify a person responsible for the execution of the smart contract. The most famous use case is the one known as the DAO Fork of Ethereum.

A new practical guide for Data Protection Officers was published by the French data protection authority CNIL, (available in English). The spirit of the GDPR is to make the DPO the “orchestra conductor” of the management of personal data in the organization which designates them. The hierarchical position of the DPO must bear witness to this, and their resources must be adapted so that they can fully accomplish their job and their role of compliance coordinator. They should not work in a vacuum but be fully integrated into the operational activities of their organization, in conjunction with the CISO and the IT department, etc. The DPO guide is divided into 4 chapters: 

  • the role of the DPO; 
  • designating the DPO; 
  • the exercise of the DPO’s tasks; 
  • CNIL’s support for the DPO. 

Each theme is illustrated by concrete cases and frequently asked questions related to the subject being dealt with.

The US NIST seeks comments on the draft AI risk management framework, (AI RMF), and offers guidance on AI bias. It is intended for voluntary use and to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems. It aims to provide a flexible, structured, and measurable process to address AI risks throughout the AI lifecycle. Similarly, bias in AI can harm individuals. The NIST researchers thus recommend widening the scope of where we look for the source of these biases — beyond the machine learning processes and data used to train AI software to the broader societal factors that influence how technology is developed. AI can make decisions that affect whether a person is admitted into a school, authorized for a bank loan, or accepted as a rental applicant. AI systems can exhibit biases that stem from their programming and data sources, (eg, machine learning software could be trained on a dataset that underrepresents a particular gender or ethnic group). Read the full draft AI RMF and guidance on AI bias here.

The EDPB adopted a couple of new guides last week:

  • on Art. 60 of the GDPR, (provides a detailed description of the GDPR cooperation between Supervisory Authorities, (SAs), and helps them to interpret and apply their own national procedures in such a way that it conforms to and fits in the cooperation under the one-stop-shop mechanism). 
  • on dark patterns in social media platform interfaces, (gives concrete examples of dark pattern types, presents best practices for different use cases, and contains specific recommendations for designers of user interfaces that facilitate the effective implementation of the GDPR), and
  • the toolbox on essential data protection safeguards for enforcement cooperation between EEA and third-country SAs, (covers key topics, such as enforceable rights of data subjects, compliance with data protection principles, and judicial redress).

Legal processes: cyberattack disclosure in the US

New US cyber security incident reporting mandates have been signed into law, making it a legal requirement for operators of critical national infrastructure, (CNI), to disclose cyberattacks to the government. Namely, it will require CNI owners within the US to report substantial cyber attacks to the Cybersecurity and Infrastructure Security Agency, (CISA), within 72 hours, and any ransomware payments made within 24 hours. It enables CISA to subpoena organizations that fail to do so, with the threat of referral to the US Department of Justice for non-compliance. CISA has not said how it will use data gleaned from breach reports but has been seeking to build its capabilities and work more closely with the private sector on a voluntary basis. CISA lists 16 broad sectors spanning health, energy, food, and transportation as critical to the US, although the new legislation is yet to spell out precisely which companies would be required to report cyber incidents.

Data breaches and enforcement actions: insufficient TOMs, ransomware, unwanted marketing calls, Irish/Meta fine

The Danish data protection authority Datatilsynet criticized Kombit, (IT/project organization), for violating Art. 32 of the GDPR, following data breaches reported by 30 municipalities, Data Guidance reports. An error occurred in the platform used by the municipalities, where a user could access another user’s files, which included personal data, if the latter had not logged out of their computer. The IT company had not complied with the rules on data security: no sufficient testing of the platform was carried out in connection with the code change implemented, (a change to the login solution in the platform), and it applied insufficient access-right controls. Additionally, Kombit and another company could not agree on what tests could be expected to be performed in connection with the code changes, and whether that other company was acting as a sub-processor or not.

The UK Information Commissioner’s Office, (ICO), announced fines totalling approx 482,000 euros to five companies responsible for over 750,000 unwanted marketing calls targeted at older, vulnerable people. Companies, (Domestic Support Ltd, Home Sure Solutions, Seaview Brokers, UK Appliance Cover, UK Platinum Home Care Services), were calling people to sell insurance products or services for large household appliances, such as televisions, washing machines, and fridges. In the UK live marketing calls should not be made to anyone who has registered with the Telephone Preference Service unless they have told the caller that they wish to receive such calls from them. The ICO also issued these companies with enforcement notices that require them to immediately stop making these predatory calls.

The ICO also fined a law firm approx 116,784 euros for contravening Art. 5 and Art. 32 of the GDPR by failing to process personal data in a manner that ensured appropriate security of the personal data, GDPRHub reports. Tuckers Solicitors, a limited liability partnership of solicitors, was the data controller. In 2020, they became aware that their systems were hit by a ransomware attack and reported the data breach to the ICO on the same day. Here are some facts and findings from the case:  

  • The attack had resulted in the encryption of numerous civil and criminal legal case bundles stored on an archive server. 
  • Backups were also encrypted by the attacker.
  • Although the firm’s GDPR and Data Protection Policy required two-factor authentication where available, it was not using the same for remote access. 
  • The firm installed the patch months after its release, during which time the attacker could have exploited the vulnerability.
  • The firm moved its servers to a new environment and the business was now back to running as normal, albeit without the restoration of the compromised data.
  • Proper encryption could have mitigated the damage, (however it would not have prevented the ransomware attack).

The ICO held that multi-factor authentication was a low-cost measure that could have substantially supported Tuckers in preventing access to its network. The firm also should not have been processing sensitive personal data on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk.

Ireland’s data protection authority, (DPC), imposed a 17 mln euro fine on Facebook parent Meta Platforms after an inquiry into 12 data breach notifications from 2018. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data. Given that the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the co-decision-making process outlined in Art. 60 of the GDPR and all of the other European supervisory authorities were engaged as co-decision-makers. While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, a consensus was achieved through further engagement between the DPC and the supervisory authorities concerned. Ireland regulates Meta and a number of other large US tech giants because their EU headquarters are in the country. The DPC, which has a number of ongoing investigations into Meta, last year fined its WhatsApp subsidiary a record 225 mln euros.

Data security: password managers

An analysis by the Guardian looks at password managers for convenience and enhanced online safety. The article argues that long and complex passwords are more secure but difficult to remember, leaving many people using weak and easy-to-guess credentials. Password manager apps can resolve this problem by creating long and complex credentials for you and remembering them the next time you log in: “Password managers keep your details secure by encrypting your logins so they can only be accessed when you enter the master password.” Yet reportedly only about one in five people in the UK use one. Some other findings by UK experts are:

  • Never create a virtual book or document on your computer, which could be viewable if your device is hacked.
  • Password managers should be backed by two-factor authentication, whereby you are asked for something such as a one-time code in addition to a password when you log in using a new device.
  • A security key is an option – a token you can insert into your device to double-secure high-risk accounts such as email. 
  • Authenticator apps are another option. These generate a unique code for you to enter into the site and are very straightforward to use.
  • Apple Keychain and the Google Chrome Password Manager lack the features of “full-service” ones. 
  • Physical password books aren’t a bad idea, as long as you create strong, unique logins, and the book is kept somewhere secure and doesn’t leave the house.

DPIA: Zoom case

Zoom is making changes to the privacy agreements for all education and enterprise users in Europe in collaboration with SURF, (the ICT service provider for Dutch education and research).  It has removed the privacy risks identified in the DPIA from 2021 by making changes to the software, making processor agreements, and promising future changes. These contractual and technical adjustments are described in the new recently published DPIA. They include:

  • Data location solutions, (all personal data to be processed in the EU by the end of the year).
  • Data Subject Access Requests: Zoom to use two self-service tools for enterprise and education account administrators. 
  • Clarifying the data protection role of Zoom and its customers, (universities and government organizations).
  • Clarified and minimized customer personal data retention practices. 
  • Privacy by design and default.
  • Updated Data Transfer Impact Assessment, and much more.

Big Tech: all-new GA, apps leaking sensitive data, Tesla’s facial and optical tracking

The all-new Google Analytics 4 will be the first data measurement tool released by the company with privacy designed “at its core”, an upgrade on the privacy features in the recent Analytics 360 tool, which will be retired, along with Universal Analytics. The company says IP addresses will no longer be stored, which could ease compliance in international markets, and the EU GDPR requirements for data transfers.

Are your apps leaking sensitive user data? A study revealed that 2113 apps had vulnerabilities in their Firebase back end because of cloud misconfigurations, IAPP News reports. Certain apps had tens of millions of downloads and included popular e-commerce, social audio platform, logo design, bookkeeping sites, and even a dating app. Lost data included user names, passwords, phone numbers, bank details, and some 50,000 chat messages. A separate study also found that 14% of Android and iOS apps using public cloud back ends had similar privacy issues due to misconfigurations.

Integral to Tesla’s autopilot and full self-driving features is the fact that software looks at your eyes while you look at the road, using facial and optical tracking to check your driving. Now a driver in Illinois has filed a proposed class action against Tesla Inc. for recording and storing biometric data without informed consent, illegal under Illinois’s Biometric Information Privacy Act, (BIPA). The suit also claims Tesla failed to make its data retention policy public, and failed to inform customers where facial recognition data was stored. Damages of 5000 dollars per BIPA violation are being sought.

Weekly digest February 7 – 13, 2022: France latest EU member to put pressure on Google Analytics https://techgdpr.com/blog/weekly-digest-14022022-france-latest-eu-member-to-put-pressure-on-google-analytics/ Mon, 14 Feb 2022 10:11:34 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

The use of Google Analytics, (GA), is illegal as it threatens the privacy of French website users, concludes the French data protection regulator CNIL. In its latest decision relating to an unnamed French website manager, the CNIL decided that the analytics service developed by Google risks giving US intelligence services access to the website users’ data. GA provides statistics on website traffic. In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the data associated with it is transferred by Google to the US. The CNIL, in cooperation with its EU counterparts, concludes that in the absence of an adequacy decision following the “Schrems II” CJEU ruling such transfer can only take place if appropriate guarantees are provided. Although Google has adopted additional measures to regulate data transfers in the context of the GA functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services. The CNIL ordered an unnamed website manager to bring this processing into compliance with the GDPR, if necessary:

  • by ceasing to use the GA functionality under the current conditions, or 
  • by using a tool that does not involve a transfer outside the EU, (and only uses anonymous statistical data). 

To go deeper on this topic you can also read the recent unfavorable decision on GA by the Austrian data protection regulator. In its defense, Google also recently posted a statement stressing that the GA tool does not track people or profile people across the internet.

Britain’s competition regulator CMA to keep a close eye on Google as it secures final Privacy Sandbox commitments. The CMA has accepted a revised offer from Google of legally binding commitments relating to its proposed removal of third-party cookies from the Chrome browser known as the Privacy Sandbox proposals. The CMA competition investigation was launched in January 2021 over concerns that the proposals would cause online advertising spending to become even more concentrated on Google, weakening competition and so harming consumers. Google has pledged not to remove third-party cookies until the CMA is satisfied.

The CMA is currently working closely with the UK Information Commissioner’s Office, ICO, to oversee the development of the proposals so that they protect privacy without unduly restricting competition and harming consumers. In one of the examples, Google commits to restricting the sharing of data within its ecosystem to ensure that it doesn’t gain an advantage over competitors when third-party cookies are removed. Google will also engage in a more transparent process than initially proposed, including engagement with third parties and publishing test results, with the option for the CMA to require Google to address issues raised by the CMA or third parties. Read more on the Privacy Sandbox initiative here and the ICO’s latest opinion on Data protection and privacy expectations from the advertising technology sector. 

Official guidance: configuration errors, payment services, EU data flows analysis

The French regulator CNIL published a guide, (in French), on security incidents related to configuration errors within public cloud storage spaces, DataGuidance reports. Malicious scenarios may be caused by: a) a publicly accessible ‘bucket’; b) overly permissive access rights for users; c) inadequate user authentication mechanisms. To detect unauthorized access, CNIL recommended that available logs be analyzed, and that the Data Protection Officer be updated in a timely manner in the course of the investigation. If the incident is classified as a personal data breach, CNIL must be notified within 72 hours of discovery. Some essential steps to prevent configuration errors include: 

  • knowing your infrastructure, (eg, configure security options: do not rely on default settings, in particular public and private access to containers);
  • taking inventory of your cloud resources, (eg, separating the storage of personal and sensitive data from other data);
  • limiting access, (eg, strong two-factor authentication for sensitive actions);
  • encrypting data and performing regular backups;
  • tracing, monitoring, and auditing containers and their security configurations;
  • educating users on how to handle data stored in the cloud.
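The first and fifth steps above (do not rely on default settings for public and private access to containers; audit the containers’ security configurations) can be checked mechanically. The script below is an added example and not part of the CNIL guide or of this site: it audits an S3-style bucket description offline using the AWS S3 field names (the bucket policy `Principal`, the ACL grantee group URIs, and the four public-access-block switches). The two sample bucket descriptions, the account id and the role name are constructed placeholders, and `audit_bucket()` and the other function names are this example’s own.

```python
"""Audit an object-storage bucket for the exposure patterns in the CNIL guide.

Added example (not from the CNIL guide or TechGDPR). Field names follow the
AWS S3 API data model; the sample bucket descriptions are constructed.
"""
import json

# Canned S3 group URIs that make an ACL grant world- or any-AWS-user-readable.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four switches that neutralise public ACLs and public bucket policies.
PUBLIC_ACCESS_BLOCK_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for values in principal.values() for p in _as_list(values))
    return False


def policy_findings(policy_json):
    """Flag Allow statements granted to everyone in a bucket policy document."""
    findings = []
    if not policy_json:
        return findings
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Condition"):
            # Gated by a Condition (e.g. a source VPC): not open to all, but review it.
            findings.append(("policy-conditional", f"statement {i}: public principal with Condition, actions {actions}"))
        else:
            findings.append(("policy-public", f"statement {i}: anonymous access to {actions}"))
    return findings


def acl_findings(grants):
    """Flag ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GRANTEES:
            findings.append(("acl-public", f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}"))
    return findings


def access_block_findings(block):
    """Flag each public-access-block switch left at its default (off)."""
    return [("block-missing", f"{flag} is not enabled") for flag in PUBLIC_ACCESS_BLOCK_FLAGS if not block.get(flag)]


def audit_bucket(bucket):
    """Return {'public': bool, 'findings': [...]} for one bucket description.

    A public policy or ACL only exposes data while the matching switch
    (RestrictPublicBuckets / IgnorePublicAcls) is off, so 'public' is the
    effective exposure and 'findings' lists everything that should be fixed.
    """
    block = bucket.get("PublicAccessBlock", {})
    pol = policy_findings(bucket.get("Policy"))
    acl = acl_findings(bucket.get("Grants", []))
    policy_exposed = any(k == "policy-public" for k, _ in pol) and not block.get("RestrictPublicBuckets")
    acl_exposed = bool(acl) and not block.get("IgnorePublicAcls")
    return {"public": bool(policy_exposed or acl_exposed), "findings": pol + acl + access_block_findings(block)}


# Constructed sample: a bucket left at defaults with a world-readable policy and ACL.
EXPOSED_BUCKET = {
    "Name": "example-customer-records",
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-records/*"}]}),
    "Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}],
    "PublicAccessBlock": {},  # never configured: all four switches default to off
}

# Constructed sample: the same bucket hardened (placeholder account id and role name).
HARDENED_BUCKET = {
    "Name": "example-customer-records",
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "AppRoleOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/placeholder-app-role"},
        "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-customer-records/*"}]}),
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"}],
    "PublicAccessBlock": {flag: True for flag in PUBLIC_ACCESS_BLOCK_FLAGS},
}

if __name__ == "__main__":
    for bucket in (EXPOSED_BUCKET, HARDENED_BUCKET):
        result = audit_bucket(bucket)
        print(bucket["Name"], "PUBLIC" if result["public"] else "private")
        for kind, msg in result["findings"]:
            print(f"  [{kind}] {msg}")
```

In a real deployment the three input documents come from the storage provider’s API (for S3, the bucket policy, the bucket ACL and the public-access-block configuration); the check deliberately separates the effective exposure from the list of unset safeguards, so that a bucket saved only by an account-level block still shows up as something to fix.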

The EU Commission presented a new study estimating the volume of data flowing to main cloud infrastructures across the EU Member States, Iceland, Norway, Switzerland, and the UK. In 2020, the largest data flows came from the health sector, and Germany registered the largest volume of data inflow. Reportedly, by 2030, the flow of data stemming from European enterprises will be 15 times higher than in 2020. Furthermore, a follow-up study has just been started to assess the economic values of data flows within the EU, as well as with third countries such as the US and China. Both studies will complement the upcoming Data Act. It will also feed into the evaluation of EU Regulation of the Free Flow of Non-Personal Data, as well as the Digital Decade policy program. Read the full study and the interactive map here. 

A growing number of EU payment industry associations co-signed a letter addressed to the EDPB, the European Commission, and the European Banking Authority about the final EDPB Guidelines on the interplay of PSD2, (Payment Services Directive), and the GDPR. Although it clarifies certain aspects of the interplay, other elements remain more worrying and raise new uncertainties, notably:

  • the provisions on data minimisation;
  • the processing of special categories of personal data;
  • a lack of coherence with the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication;
  • the risk that national data protection authorities could start taking a differentiated approach to the interpretation of the provisions, resulting in fragmentation across the EU.

Investigations and enforcement actions: IAB Europe/APD row, extensive health data collection, unprotected visa order forms, unsolicited marketing email

The Interactive Advertising Bureau (IAB) Europe has published an FAQ on the Belgian data protection authority, (APD), decision about the Transparency and Consent Framework, and its compliance with the GDPR. The IAB Europe states that:

  • There is nothing in the APD’s decision that even remotely suggests that consent pop-ups are illegal or that they should not be employed by the digital advertising ecosystem to comply with the EU data protection rules. 
  • The APD only requires IAB Europe to ensure the deletion of personal data collected through TC Strings in the context of a specific mechanism called the “global scope”.
  • The APD does not consider the TC String itself to be personal data, as the TC string does not allow for direct identification of the user due to the limited metadata value.
  • However, the APD holds that the possibility of CMPs being able to combine TC Strings and the IP address means it is ultimately information about an identifiable user and therefore personal data. 
  • The APD’s decision only concerns IAB Europe, not any vendor, publishers, or CMPs, but it does hint at the possibility of an order for a given party to delete TC Strings if they contain personal data collected in breach of Art. 5 and 6 of the GDPR.
  • It is unclear if reliance on legitimate interests as a legal ground for the processing of personal data by TCF participants is viable for all TCF purposes or solely for personalized advertising and profiling, etc.

The EDPB published an analysis of the recent decision by the Finnish Data Protection Ombudsman. An administrative fine with reprimand was imposed on the Finnish Motor Insurers’ Centre for the collection of unnecessary patient information. The Data Protection Ombudsman stated that the actions of the data controller violated the principle of data minimization provided for in the GDPR. Namely, the data controller requested unredacted patient records from health care providers in order to settle claims. The controller also collected information on the patients’ health care appointments to determine whether the health care provider charged for visits not related to the examination or treatment of injuries sustained in the claim. Information was also requested in cases where the health care recipient may have omitted information essential for claims handling. The decision by the data protection authority is not final as it is under appeal in the administrative court.

Another fine by the Finnish data protection regulator was imposed on a travel agency for multiple violations of the GDPR. In the given case, a customer suspected the travel agency was not processing the data on the electronic visa order form in compliance with data protection regulations. The customer had also requested the travel agency erase their data from the system, but the company had not fulfilled the customer’s request. The investigation showed that: 

  • The travel agency used an unencrypted network connection for its visa application forms;
  • it stored personal data on a public web server;
  • the information entered on the form was saved as a PDF file in the web server’s files folder, which was open to access from the internet;
  • the information entered on the forms included the customer’s name, contact details, and passport number, which in particular poses a privacy risk.

The regulator also imposed a fine on the small travel industry group that the travel agency is considered a part of.

Meanwhile, the Spanish data protection authority AEPD fined SegurCaixa Adeslas, (health insurance), 300,000 euros for sending marketing emails to the plaintiff, despite their request for deletion of their data, Data Guidance reports. This happened despite the fact that the given email address was registered in an opt-out list of people not willing to receive marketing communications. SegurCaixa Adeslas however indicated that the marketing emails were sent by insurance agents with which it maintained a commercial relationship, claiming that these insurance agents should be responsible for the activity of promoting and attracting clients. The AEPD found SegurCaixa Adeslas in breach of Art. 6, (unlawful processing), 17, (failed requests of data deletion), and 28, (no formalized data processing agreement with the contracted insurance agents), of the GDPR. 

Data security: IoT products

The US National Institute of Standards and Technology published its latest Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) products. An IoT product and its components must protect data stored and transmitted, (both between IoT product components and outside the IoT product), from unauthorized access, disclosure, and modification. Thus, maintaining confidentiality, integrity, and availability of data is foundational to cybersecurity for IoT products. Customers will expect that data is protected and that protection of data helps to ensure the safe and intended functionality of the IoT product. The document provides some real-world IoT product vulnerabilities and related proposed baseline criteria. Here are some examples:

  • Weak data protection in storage and transit creates vulnerabilities within home security cameras allowing adversaries to exfiltrate data. 
  • Unencrypted sensitive data is available through a baby monitor, leaving the data vulnerable to access, modification, exfiltration, and misuse.
  • Using weak de-identification methods leaves data vulnerable to being reidentified allowing unauthorized access to sensitive data, etc.

Big Tech: Meta annual report, TikTok promises minors privacy, AirTag dilemma, surveillance marketing by YouTube, TikTok & Co

Negotiations between the EU and US over transatlantic data transfers and their associated privacy issues need to succeed, said Meta this week in its annual report to the SEC and in press releases. Failure to agree on a new transatlantic data transfer framework that complies with the EU’s GDPR could lead to Facebook and Instagram quitting Europe, Meta added, claiming that 70 other companies are concerned about the impact on their business. The SEC report noted that other data protection requirements at the federal, state, and international level, along with legislation restricting the collection and use of data from minors, could impose limitations on Meta’s business. You can investigate Meta’s annual report here.

A TikTok news briefing revealed the company is conducting twin tests to crack down on adult content arriving on minors’ devices, Reuters reports. The company said one small test would look at how users themselves or their parents or guardians could restrict access, while a ratings approach is being trialled for app creators who want to specify adult content, similar to the film and games industries.

Apple has responded to reports its AirTag device is being used by criminals, especially stalkers, updating software and beefing up online support, according to The Guardian. Any initial user of the device will now be warned tracking people without consent is a crime in many places around the world. Guidance on what to do if you find an unwanted AirTag near you and how to disable it is being added to the website, along with links to two US helplines. Apple says additional measures, like precision detection of stalking AirTags, are on the way.

TikTok and YouTube are by far the biggest collectors of personal data among social media apps, according to a report by URL Genius. While YouTube mostly collects data for its own business purposes and sells little to third-party trackers, TikTok sells nearly all of its users’ data to third parties, more than three times as much, trailed by Twitter and Telegram. The report says that for users this means it is unclear where all this data goes, how it is used, and whether, for example, other online activity or location is being tracked, whether they are logged in to TikTok or not. The study added that TikTok allowed third-party tracking even when users did not use the opt-in feature. Find many other findings on surveillance marketing in the original study report.

Weekly digest January 10 – 16, 2022: Does the use of Google Analytics by EU entities violate the GDPR? https://techgdpr.com/blog/weekly-digest-18012022-does-the-use-of-google-analytics-by-eu-entities-violate-the-gdpr/ Tue, 18 Jan 2022 08:53:04 +0000

The post Weekly digest January 10 – 16, 2022: Does the use of Google Analytics by EU entities violate the GDPR? appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: Google Analytics case in Austria, EU Parliament breach, French health database, the Irish DPC

The Austrian data protection authority, the DSB, ruled that the use of Google Analytics violates the GDPR. Presented as evidence was a case where an IP address “anonymization” function had not been properly implemented on a health-focused website – netdoktor.at. When implementing GA services, the website had been exporting visitors’ data to the US-based company in violation of Chapter V of the GDPR. While the regulator upheld the complaint against netdoktor it did not find against Google’s US business for receiving/processing the data — deciding that the rules on data transfers only apply to EU entities and not to the US recipients, TechCrunch reports. 

The complaint was filed by the NOYB privacy foundation based on the “Schrems II” CJEU decision, which invalidates the Privacy Shield framework for EU-US data transfers. The Austrian DSB assessed various measures by Google to protect the data in the US — such as encryption at rest in its data centers — but did not find sufficient safeguards to effectively block US intelligence services from accessing the data. 

Because the Austrian data exporter in the given case has merged with a German company, the DSB will raise a ban on future data transfers with the relevant authority at the new headquarters too. The Dutch data protection authority, the AP, has also warned that the use of Google Analytics may soon not be allowed. The AP is currently investigating two complaints about the use of Google Analytics in the Netherlands. Upon completion of that investigation, in early 2022, the AP will be able to decide on the future of GA. In response to the Austrian decision, Google defended itself in a blog, stating that:

  • Organizations use Google Analytics because they choose to do so. They, not Google, control what data is collected and how it is used.
  • They retain ownership of the data they collect using GA, and Google only stores and processes this data per their instructions — to provide them with reports about how visitors use their sites and apps.
  • Organizations can, separately, elect to share their Analytics data with Google for one of a few specific purposes, including technical support, benchmarking, and sales support.
  • Organizations must take explicit action to allow Google to use their analytics data to improve or create new products and services. Such settings are entirely optional. 
  • Organizations are required to give visitors proper notice about the features of GA that they use, and whether this data can be connected to other data they have about them.
  • Google offered browser add-ons that enable users to disable measurement by GA on any site they visit, etc.

Meanwhile, the European Parliament was also found to be in breach of EU rules on data transfers and cookie consent. The assembly hired a company to provide mass Covid-19 testing via a dedicated website for members and officials. The page attracted a number of complaints, filed by some MEPs, also with the support of the NOYB, over the presence of third-party trackers and confusing cookie consent banners, among a raft of other compliance issues. In particular, the test booking site was found to be dropping cookies associated with US Google Analytics and digital payments company Stripe, but the parliament failed to demonstrate it had applied any special measures to ensure that any associated personal data transfers would be adequately protected. The European Data Protection Supervisor, which oversees EU institutions’ compliance with data rules, gave the assembly one month to fix the privacy flaw.

EU Commissioner for Justice Reynders refuted the criticism that has been raised against the Irish data protection regulator, the DPC. As the lead data protection authority for Big Tech companies that have their EU headquarters in Ireland, the DPC has been subject to criticism over insufficient investigation and cooperation actions. At the end of 2021 some Members of the EU Parliament asked to initiate infringement proceedings against the DPC. In his response Reynders stated that: a) it is too early to come to definitive conclusions as to the efficiency and functioning of the GDPR cooperation mechanism; b) the Commission is taking appropriate actions to monitor the application of the GDPR in EU Member States; and c) there is no evidence that the Irish data protection rules have not been respected by the DPC or that the cooperation mechanism has not been applied correctly.

The French government reportedly decided to withdraw a request for authorization for the Health Data Hub, HDH, to host the main national health database. Without the permission of the French regulator CNIL, the HDH cannot function as intended. The platform makes data available to authorized projects, and the most important criticism relates to its choice to host health data on Microsoft Azure. The CNIL had protested against entrusting the hosting of health data to a US-based company. It had then expressed the wish that the hosting could be reserved for entities coming under the exclusive jurisdiction of the EU. However, there is no designated “cloud of trust” for French public services, as the “Blue” initiative, with Orange and Capgemini, does not exist yet. 

Official guidance: ex officio data erasure, reuse of data by subcontractors, debtor’s data

The EDPB published its recent opinion on whether Article 58(2)(g) of the GDPR could serve as a legal basis for a supervisory authority to order ex officio the erasure of unlawfully processed personal data, in a situation where such a request was not submitted by the data subject. The Board noted that some of the cases set forth in Art. 17, (‘Right to erasure’), of the GDPR clearly refer to scenarios that controllers must detect on their own as part of their compliance obligations. Thus, the EDPB concludes that Article 58(2)(g) GDPR is a valid legal basis for a supervisory authority to ensure the enforcement of the principles enshrined in the GDPR even in cases where the data subjects are not informed or aware of the processing, or in cases where not all concerned data subjects have submitted a request for erasure.

The French regulator CNIL published new guidance for subcontractors on the reuse of data entrusted to them by a data controller (in French). A processor processes personal data on behalf of the controller. In this context, it only follows the instructions of the data controller and cannot, in principle, use the data for its own account. Sometimes, however, a subcontractor wishes to reuse the data, often with the aim of improving its services or products or designing new services and products. Such reuse is only possible under several conditions:

  • national or European law may require them to do so;
  • the controller may authorize its subcontractor to reuse the personal data for its own account. The processor then becomes responsible for this new processing;
  • the subsequent processing must be compatible with the purpose for which the data was initially collected – the “compatibility test”, (when the processing is not based on the consent of the data subject; eg, a former subcontractor is allowed to reuse data for the purpose of improving its cloud computing services, but must not use it for commercial prospecting);
  • the existence of appropriate safeguards, which may include encryption or pseudonymisation;
  • the authorization of the initial controller must be established in writing, including in electronic format;
  • the initial controller must inform data subjects;
  • former subcontractors must ensure the compliance of the processing (encryption, pseudonymisation, minimisation, retention periods, legal basis, data subject rights, etc.)

The Lithuanian data regulator VDAI has issued a recommendation on the processing of debtors’ personal data. The following personal data is usually processed in the administration of debts: name, surname, payer’s code, date of birth, address and other details. Debt recovery procedures involve financial consequences for individuals, and such processing of personal data is often very sensitive. The cases investigated by the VDAI show that there are sometimes misunderstandings between debtors, creditors or debt collection companies. There are a number of cases where complaints are declared unfounded and terminated, such as the transfer of the debtor’s personal data to a processor for legal recovery, where consent is not required. VDAI also noted that the exercise of the data subject’s rights does not imply a debt review. Finally, the exercise of data subjects’ rights does not affect the debtors’ contractual obligations to the creditor, (VDAI does not have the power to decide on debt calculation methods, the existence or absence of debt etc). 

Data breaches, investigations and enforcement actions: DPO role, Europol data, IT security, credit default information, outsourced marketing

The Luxembourg data protection authority, (CNPD), fined an unnamed company for multiple violations of the GDPR, including the activity of the Data Protection Officer. The company failed to provide evidence that the DPO was appropriately involved in all matters relating to the protection of personal data, (Art. 38, 39 of the GDPR), DataGuidance reports. Although the DPO reported to company management:

  • there were two hierarchical layers between them and the management, and therefore, direct access was not guaranteed;
  • there was no proof that statements mentioning the formal reporting of the DPO’s activities on a quarterly basis were actually issued;
  • the company did not have a formalised control plan specific to data protection. This meant that the DPO could not exercise their objective of controlling the compliance of the data controller.

Read the full decision, (available in French), which includes 11 control objectives for a valid DPO position. 

The Finnish data protection ombudsman ordered Bisnode Finland, which provided digital business information services & credit and risk management, to rectify its credit information register. The investigation referred to processing of data on payment defaults following an individual’s complaint that the company had refused to remove from its credit register default entries based on judgments in civil cases, DataGuidance reports. In particular, the regulator stated that data based on final judgments in civil cases should not have been included as a default entry in the credit information register, since only information that adequately reflects a person’s ability or willingness to pay may be used as credit information. The regulator found the company in breach of Art. 25 of the GDPR, (‘Data Protection by Design and by Default’), as well as the Credit Information Act.

A municipality in Norway was fined more than 500,000 euros over a lack of security measures. It was subjected to a serious attack in 2021. As a consequence, employees no longer had access to most of the municipality’s IT systems; the data had been encrypted and backups deleted. Approximately 30,000 documents were lost, containing some very sensitive information about the municipality’s residents and employees. The deficiencies related to logging and log analysis, the securing of backups, and the lack of two-factor authentication or similar security measures. The firewall was inadequately configured for logging, and a lot of internal traffic was never logged. Servers were not configured to send logs to the central log receiver and also lacked logging of important events. Furthermore, the municipality lacked protection of backup copies against intentional and unintentional deletion, manipulation and reading, etc.
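The logging gaps named in the decision (servers not shipping events to the central receiver, important events never logged) are the kind that a collector-side coverage check catches before an incident rather than after. The following is an added example, not code from the Norwegian decision or from TechGDPR: the host inventory and the syslog-style collector lines are constructed, and `report()`, `parse_last_seen()` and `silent_sources()` are this example’s own names.

```python
"""Detect log sources that have gone silent on a central collector.

Added example (not from the Norwegian decision or TechGDPR). The inventory
and the collector lines below are constructed for this illustration.
"""
from datetime import datetime, timedelta

# Constructed inventory: every host that is required to ship logs, and its role.
EXPECTED_SOURCES = {
    "fw-edge-01": "firewall",
    "dc-01": "domain controller",
    "file-01": "file server",
    "backup-01": "backup server",
    "web-01": "web server",
}

# Constructed lines as received by the collector: "<ISO8601> <host> <program>: <message>".
COLLECTOR_LOG = """\
2021-03-01T08:00:05+00:00 fw-edge-01 kernel: [fw] ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 DPT=443
2021-03-01T08:00:17+00:00 dc-01 Microsoft-Windows-Security-Auditing: 4624 An account was successfully logged on
2021-03-01T08:01:02+00:00 web-01 nginx: 192.0.2.55 - - "GET /login HTTP/1.1" 200
2021-03-01T09:15:44+00:00 fw-edge-01 kernel: [fw] DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 DPT=3389
2021-03-01T10:30:00+00:00 dc-01 Microsoft-Windows-Security-Auditing: 4672 Special privileges assigned to new logon
2021-03-01T11:45:12+00:00 web-01 nginx: 192.0.2.56 - - "GET /index.html HTTP/1.1" 200
2021-03-01T12:02:33+00:00 file-01 smbd: connection from 192.0.2.61 to share documents
"""


def parse_last_seen(log_text):
    """Return {host: timestamp of its most recent event} from collector lines."""
    last_seen = {}
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # skip blank or malformed lines rather than crash the check
        timestamp, host = datetime.fromisoformat(parts[0]), parts[1]
        if host not in last_seen or timestamp > last_seen[host]:
            last_seen[host] = timestamp
    return last_seen


def silent_sources(expected, last_seen, now, max_silence):
    """Hosts that never reported, or whose last event is older than max_silence.

    Returns {host: (role, gap)} where gap is a timedelta, or None when the host
    has never been seen at all (the "not configured to send logs" case).
    """
    silent = {}
    for host, role in expected.items():
        seen = last_seen.get(host)
        if seen is None:
            silent[host] = (role, None)
        elif now - seen > max_silence:
            silent[host] = (role, now - seen)
    return silent


def report(log_text=COLLECTOR_LOG, now_iso="2021-03-01T14:00:00+00:00", max_silence_hours=4):
    """Sorted (host, role, hours silent or None) rows for the silent hosts."""
    now = datetime.fromisoformat(now_iso)
    silent = silent_sources(EXPECTED_SOURCES, parse_last_seen(log_text), now,
                            timedelta(hours=max_silence_hours))
    rows = []
    for host in sorted(silent):
        role, gap = silent[host]
        rows.append((host, role, None if gap is None else round(gap.total_seconds() / 3600, 2)))
    return rows


if __name__ == "__main__":
    for host, role, hours in report():
        status = "never reported" if hours is None else f"silent for {hours} h"
        print(f"{host:12} {role:18} {status}")
```

Run on the constructed input, the check surfaces the backup server as never having reported and the firewall as silent for nearly five hours, which is exactly the pair of conditions (no central logging, firewall logging too sparse) the decision faulted; the silence threshold should be set per role, since a firewall that logs nothing for hours is a stronger signal than a quiet file server.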

The Italian regulator Garante fined a telecommunication company, (OMNIA24), 100,000 euros for multiple violations of the GDPR. The infringements included outsourced marketing activities, methods of collection of consent and the source of the data, Data Guidance reports. It also turned out that OMNIA24’s inadequate response to individuals’ requests to access their personal data constituted a further violation of the GDPR. The investigation determined the main reason was the failure to qualify the data processor/controller roles between the business associates, which had led to an inability to guarantee the facilitation of data subjects’ rights.

Europol was ordered to erase data concerning individuals with no established link to a criminal activity. The EDPS admonished Europol in 2020 for the continued storage of large volumes of data with no Data Subject Categorisation (DSC), which poses a risk to individuals’ fundamental rights. While some measures have been put in place by Europol since then, Europol has not complied with the EDPS’ requests to define an appropriate data retention period to filter and to extract the personal data permitted for analysis under Europol Regulation. Europol said the decision impacts its ability to analyze complex and large datasets at the request of EU law enforcement. The current Europol Regulation does not contain an explicit provision regarding a maximum time period to determine the DSC. In its decision the EDPS sets this period at six months. However, Europol’s work frequently entails a period longer than six months, as do the police investigations it supports. 

Individual rights: Covid data in police investigations

Police in Germany are being slammed for using COVID-19 tracking data to identify witnesses as part of an investigation, IAPP news reports. Police and local prosecutors in Mainz successfully appealed to the civic health authorities and used data from the contact tracing Luca health application. The police used app logs of an individual’s length of time at a location, along with their name, address and phone number, to gather information about 21 people who may have been witnesses to a death at a local restaurant. The company that developed the Luca app, culture4life, condemned the abuse of Luca data collected to protect against infections. It added that it had received regular requests for its data from the authorities, which it routinely rejected.

Big Tech: Clearview AI for FBI, YouTube fake news, Facebook/Meta competition lawsuit

In the US the FBI has signed a contract to subscribe to controversial facial recognition technology developed by Clearview AI. The company has been criticised for its policy of trawling social media platforms for pictures of people and storing them without their knowledge. The report by CyberScoop identifies more than 20 other federal agencies currently partnering with facial recognition technology contracts. Last year Clearview was found in breach of privacy rules in Canada, Australia and the UK. Finally, last month the French regulator CNIL slapped the company with an order to delete French users’ data.

A global coalition of fact checking organisations has fired a broadside at YouTube for being a “major conduit” of fake news. More than 80 groups signed an open letter saying YouTube allowed the “weaponization” of extremism and was not doing enough to filter out disinformation. The letter did suggest four remedial steps: a commitment to funding independent research into disinformation campaigns on the platform; providing links to rebuttals inside videos distributing disinformation and misinformation; stopping its algorithms from promoting repeat offenders; and doing more to tackle falsehoods in non-English-language videos.

Facebook/Meta is facing the first class action lawsuit of its kind in the UK for breach of competition rules. The plaintiffs, a competition lawyer and litigation fund, are seeking more than three billion dollars for all the millions of UK Facebook users in compensation for paying an “unfair price”, i.e. surrendering unfettered use of their personal and private data, in exchange for Facebook’s market-dominant services. If you were domiciled in the UK from 1 October 2015 to 31 December 2019 you could be in for a windfall even if you used Facebook just once, unless you opt out of the lawsuit.
