health-related data Archives - TechGDPR
https://techgdpr.com/blog/tag/health-related-data/
Sun, 05 Oct 2025 12:36:22 +0000

Data protection digest 17 Sep – 3 Oct 2025: New Danish court ruling may change practice for GDPR compensations
https://techgdpr.com/blog/data-protection-digest-05102025-new-danish-court-ruling-may-change-practice-for-gdpr-compensations/
Sun, 05 Oct 2025 12:36:21 +0000

GDPR compensations

In Denmark, an individual has been awarded financial compensation for non-material damage resulting from a data breach (Art. 82 of the GDPR). A High Court ruled on 20 August that a woman should receive approx. 335 euros in compensation after a municipality mistakenly shared her health information with a third party. The decision has been appealed to the Supreme Court, where the woman and her lawyer will, among other things, try to have the GDPR compensation increased and awarded to her spouse as well.

Until now, Danish practice has been that claims for compensation without financial loss must be assessed according to the provisions of the Danish Civil Liability Act, and the courts have generally required a qualified damage effect. The decision from August could, if upheld by the Supreme Court, be a breakthrough in Danish law and possibly in European law. The compensation of 335 euros is a small amount, but if thousands of citizens choose to file a lawsuit in connection with the same breach – for example via a class action – the consequences for companies and authorities could be extensive.


EU-US data transfers and immigration control

On 17 September, the European Data Protection Supervisor (EDPS) issued an Opinion on a framework agreement between the EU and the US on the exchange of information for security screenings and identity verifications. Individual Member States would be empowered to sign bilateral agreements for the exchange of data from their national systems. It would be the first agreement concluded by the EU to entail the large-scale sharing of personal data, including biometric data (fingerprints), for border and immigration control purposes with a third country.

More legal updates

Data transfers for medical research: The German Data Protection Conference (DSK) adopted a paper on data transfers to third countries for scientific research in the medical sector. The admissibility of transferring personal data to third countries under data protection law cannot be assessed in general terms, but only on a case-by-case basis, as numerous circumstances play a role in the assessment. This also applies to scientific research for medical purposes. It must always be examined whether the data subjects have been adequately informed about the (intended) transfer in accordance with the GDPR. In scientific research for medical purposes, broad consent is an established legal basis for data processing. Since there may be special interactions between Broad Consent and the basis for transfer under the GDPR, these are explained in detail in the DSK paper (in German). 

The European Innovation Act: The European Commission concluded its consultation and evidence-gathering for an impact assessment to assist in the creation of the European Innovation Act. The Commission seeks information on ways to overcome obstacles that innovative entities encounter, including fragmented regulations, restricted access to infrastructure and funding, underutilised innovation procurement, and inadequate commercialisation of findings from publicly funded research and innovation. The Act aims to create sector-wide horizontal conditions as opposed to sector-specific programs. 

Political online targeting ban in the EU: Political parties will soon be prohibited from targeting voters online with political advertisements. A new European regulation on the Transparency and Targeting of Political Advertising (TTPA) will take effect on 10 October. It aims to prevent voters from being secretly influenced during election campaigns, a practice that undermines trust in fair elections and can involve the processing of personal data.

LinkedIn AI training

Users who do not want LinkedIn to use their data to train AI models must disable this before 3 November. The European data protection authorities are urging people to do so. This data includes profile information and public content shared in the past. Once this data is in LinkedIn’s AI systems, it will be impossible to retrieve, and users will lose control over their data. All LinkedIn users’ data will automatically be used for AI training unless the setting is actively disabled.

Anyone who does not want personal data used for LinkedIn AI training must opt out before 3 November via this link or in the app under “Settings & Privacy > Data Privacy > Data for Generative AI Improvement” and disable the switch.

Vehicle data in the era of the Data Act

On 12 September, the European Commission published the “Guidance on Vehicle Data, accompanying the Data Act.” The document defines the categories of data falling within the scope of the regulation and outlines the access rights granted to users and to third parties designated by them. It clarifies, first of all, that a vehicle qualifies as a “connected product” when it meets two cumulative requirements: it must generate or collect data concerning its use or its surrounding environment, and it must have the ability to communicate such data via an electronic communications service.

More from supervisory authorities

‘Neighbour’s camera’ a major annoyance: The Dutch data protection authority (DPA) is receiving a growing number of complaints from people concerned about their privacy due to their neighbours’ doorbells or security cameras. The regulator wants to prevent the improper use of doorbell cameras as much as possible. Therefore, the DPA is urging manufacturers to configure doorbell cameras to be privacy-friendly by default. It also wants to raise consumer awareness, for example, by providing information about what is and isn’t permitted.

AI risks in the health profession: A bill sponsored by the California Medical Association (CMA) that addresses dangers associated with the use of AI in health care has passed the Legislature and is headed for the Governor’s signature. It prohibits AI systems from being misrepresented as licensed medical professionals and gives California’s state health profession boards the authority to enforce title protections for health care workers and to ensure that new technologies in health care are deployed in ways that protect patient safety, preserve trust, and support the physician-patient relationship.

Medical records: The Swiss FDPIC has published a factsheet on the forms that are given to patients to sign when they go to the doctor. It takes account of the various opinions expressed on the subject and aims to clarify a number of issues raised by these forms: a) the distinction between the duty to provide information on data collection and the issue of patient consent to data processing; b) secure data communication; c) the question of proportionality, regarding what data a patient can legitimately be asked to provide. The document is available in English.

Digital communication and minors

In France, the regulatory authority for audiovisual and digital communication (Arcom) released the results of its study on online risks for minors, digitalpolicyalert.org reports. Over four out of five children use at least one major internet platform on a daily basis, according to the study. 42 per cent of minors use social networks before the age of 13 by lying about their age, and the average age of initial use is 12 years old.

According to the study, 83 per cent of children are regularly exposed to at least one of the six risks: harmful or shocking content, cyberbullying, dangerous challenges, malicious adult contact, and online scams. 

E-health data security

The European Union Agency for Cybersecurity (ENISA) has published a good practice guide to support entities of the health sector in strengthening their digital security. The health sector is classified among those in the risk zone, highlighting a significant gap between its cybersecurity maturity and its critical importance: medical systems and data have become growing targets of cybercrime, with ransomware and phishing campaigns on the rise. These actionable practices are designed to be simple to implement and to enhance the preparedness and security of all types of health entities, from hospitals and service providers to individual medical specialists. The recommendations cover areas such as systems and network protection, safeguarding devices and patient data, and addressing challenges in the ICT supply chain.

Reporting AI incidents

The European Commission has issued draft guidance and a reporting template on serious AI incidents. Under the EU AI Act, providers of high-risk AI systems will be required to report serious incidents to national authorities. This new obligation, set out in Art. 73, aims to detect risks early, ensure accountability, enable quick action, and build public trust in AI technologies. While the rules will only become applicable from August 2026, you can already download the draft guidance and reporting template below. Both these documents will help providers to prepare. The draft guidance clarifies definitions, offers practical examples, and explains how the new rules relate to other legal obligations. 


Drone use and personal data

The Latvian data protection authority elaborated on this topic, which is becoming increasingly popular today as drones are used in defence, business, and people’s private lives. Personal data processing occurs when materials are obtained with the help of a drone that can identify a specific person. Therefore, it is not possible to say with certainty that personal data processing is performed in all cases when a drone comes into view of a person. If the materials are intended to be distributed publicly, this processing may be justified based on legitimate interests. This may be done after a balancing of interests, in which the proportionality of the processing in relation to the interests of the people depicted is assessed. Similarly, the use of drones may, in some cases, be linked to the public interest, as well as processing for journalistic purposes.

Video games and personal accounts

In the audiovisual and video game sectors, the purchase of digital content can justify a long retention of data. The French CNIL reminds professionals of the rules to follow to manage inactive accounts while respecting the rights of users. Professionals must guarantee uninterrupted access to purchased digital content, as provided for in consumer law. In the audiovisual and video game sector, this access often goes through a personal account that acts as a video library, allowing the user to find their movies, series or games at any time. The deletion of accounts for which no action has been taken by users for two years is considered proportionate. It is recommended that affected users be notified before this deadline to allow them to keep their accounts active. 

‘Facial boarding’ at airport

Italian data protection regulator Garante has recently blocked the use of facial recognition in Italian airports (so-called face boarding), with the provision adopted against Società per Azioni Esercizi Aeroportuali, to suspend the use of the specific technological solution adopted, since it is incompatible with the GDPR. Garante specifies that the use of facial recognition technologies at airports in principle is permitted, but requires technological solutions that balance the need for simplified boarding procedures with the need to protect personal data in compliance with current European regulations, particularly regarding the processing of biometric data. 

In other news

Automated-decision fine: The Hamburg Data Protection Commissioner HmbBfDI has imposed a fine of almost 500,000 euros on a financial company for violations of the rights of affected customers in automated decisions in individual cases. Despite good credit ratings, several customers’ credit card applications were rejected based on automated decisions, decisions made by machines based on algorithms and without human intervention. When the affected customers subsequently demanded a reason for the rejected applications, the company failed to adequately fulfill its statutory information and disclosure obligations. 

Hospital data fine: The Italian regulator Garante has fined a university hospital 80,000 euros for failing to properly configure its health records. The hospital used two applications, on patients and hospitalisation records, through which all healthcare personnel could conduct searches on patients’ medical histories, even if they were not involved in their treatment. They did not include adequate access profiling measures or security measures such as alerts or tracking of operations performed on the applications in dedicated log files. Furthermore, patients were unaware of the existence of the treatments performed through the records and were therefore unable to give or deny their consent to their records or decide whether to obscure certain information, such as that subject to greater protection.

HIPAA violation: A 182,000 dollar settlement has been agreed between the HHS’ Office for Civil Rights and five Delaware healthcare providers to resolve alleged violations of the HIPAA Privacy and HIPAA Breach Notification Rules. The settlement concerns the posting of patients’ protected health information (PHI) on social media without first obtaining HIPAA-compliant authorizations to use PHI for a purpose not expressly permitted by the HIPAA Privacy Rule, then failing to notify individuals about the impermissible use and disclosure.

Candid cameras against theft

The French CNIL fined SAMARITAINE, which operates the store of the same name, 100,000 euros for concealing cameras in the store’s reserves. In 2023, due to the increase in cargo thefts from its reserves, SAMARITAINE placed new cameras in two reserves. These cameras were disguised as smoke detectors and made it possible to record sound. Discovered by employees, the cameras were removed shortly after that. In principle, in order to meet the requirement of loyalty, video surveillance filming employees must be visible and not concealed. However, in exceptional circumstances and under certain conditions, the data controller can temporarily install cameras that are not visible to employees. The company did report the existence of thefts committed in the reserves and explained that the device was temporary (which the technical characteristics of the device seem to confirm).

It nevertheless did not carry out any prior analysis of compliance with the GDPR, nor documented the temporary nature of the installation. 

In case you missed it

Human oversight in AI: EDPS’s latest TechDispatch episode explores the human oversight of Automated Decision-Making. While human oversight can occur at different stages of an AI system’s lifecycle, including before deployment (ex-ante), real-time oversight on system operations is considered the one that can be most consequential, when an operator can still review the system’s behaviour and intervene before its output takes effect, helping to prevent potential harm to human lives or infringements on individuals’ fundamental rights.

Dark Net: Sweden’s privacy protection authority IMY answers questions about how data controllers should handle developments following an IT attack where personal data was published on the Darknet. It is NOT recommended to search for or download the information published on the Darknet: the files found may contain, for example, additional malware. It also recommends that the organisations first and foremost, and in accordance with your data processor agreement, contact your data processor. Plus, organisations have a duty to notify the impacted data subjects of the personal data breach as soon as possible, as there is a high risk to the rights and freedoms of natural persons. 

Patients’ data and AI boom: Privacy International reports a boom for the UK’s technology sector, with American tech firms collectively investing billions of pounds into the UK’s AI and tech infrastructure. The UK government hailed these investments as an element of a new ‘Tech Prosperity Deal’. A key area mentioned as part of it is healthcare. Last summer, the UK released its 10-year health plan, which emphasised the centrality of technology, innovation and AI for the National Health Service. The plan states that to move the NHS into the 21st century, its unique advantages will be used, including the NHS’s ‘world-leading data’.

Data protection digest 16-30 Jan 2025: The intersection of information and operational technologies in the health sector
https://techgdpr.com/blog/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector/
Fri, 31 Jan 2025 09:43:59 +0000

EU Health sector

The Commission presented an EU Action Plan to improve health sector cybersecurity. It will include hospitals, clinics, care homes, rehabilitation centres, various healthcare providers, the pharmaceutical, medical and biotechnology industries, medical device manufacturers, and health research institutions. A significant challenge for the cybersecurity of the health sector is the intersection of information technology (IT) and operational technology (OT), where different security priorities meet as regards data confidentiality, availability and reliability, and where a breach in one area can affect the other. In many cases, IT and OT are at least partly outsourced.

Deficiencies are observed in key areas such as sufficient human resources, organisations’ knowledge of their information and communications technology supply chains, and installation of up-to-date security features in products (for services like IaaS, PaaS, and SaaS). The sector struggles with basic cyber hygiene and fundamental security measures, as illustrated by the fact that nearly all health organisations surveyed face challenges when it comes to performing cybersecurity risk assessments, while almost half have never performed a risk analysis.


Right of access


The EDPB published a one-stop-shop case digest on the right of access. Natural persons’ right to access personal data related to them is enshrined in Art. 8 of the EU Charter of Fundamental Rights and is, therefore, to be considered the most essential data protection right. Art. 15 of the GDPR applies to requests for access submitted after the law became applicable. It can be divided into three components:

  • Confirmation as to whether personal data related to the data subject is processed or not.
  • Access to information related to the data subject if it is processed at the time of the data subject’s access request.
  • Information about the processing and the data subject’s other data protection rights.

The CJEU has also repeatedly stated that the practical aim of the right of access is, first of all, to enable data subjects to verify that the personal data concerning them are correct and processed lawfully. In particular, the right of access is necessary to enable the data subject to exercise their rights to rectification, erasure, restriction and objection to processing, as well as the right of action when they suffer damage.

More EDPB updates

Pseudonymisation: The EDPB also awaits comments on the Guidelines on Pseudonymisation until the end of February. The GDPR does not impose a general obligation to use pseudonymisation. Similarly, the explicit introduction of pseudonymisation is not intended to preclude any other measures. However, data controllers may need to apply pseudonymisation to meet the requirements of EU data protection law, in particular, to adhere to the data minimisation principle, to implement data protection by design and by default, or to ensure a level of security appropriate to the risk. In some specific situations, Union or Member State law may mandate pseudonymisation. 

Complex algorithms: Finally, the EDPB also published an opinion piece on AI and effective data protection supervision. This report covers techniques and methods that can be used for the effective implementation of data subject rights, specifically the right to rectification and the right to erasure when AI systems have been developed with personal data. However, there are several challenges:

  • Limited understanding of how each data point impacts the model;
  • Stochasticity of training (random sampling of batches of data from the dataset, random ordering of the batches, and parallelisation without time-synchronisation);
  • Incremental training process (updates relying on a specific training data point will affect all subsequent updates);
  • Stochasticity of learning (difficult to correlate how a specific data point contributed to the “learning” in the model).

AI prohibitions in the EU

From 2 February, for any organisations that offer or operate AI systems, the first key provisions of the AI Act will apply: the ban on certain AI practices in both public and private sectors (mass surveillance, social scoring, behavioural and emotional analysis), and obligations to ensure that employees have sufficient AI skills. Additionally, manipulative AI practices that exploit human vulnerabilities are now prohibited. Particular focus is placed on protecting vulnerable groups such as children and adolescents.

From now on, such violations can not only lead to sanctions under the AI Act but also trigger action from data protection authorities.

More legal updates worldwide

China cross-border transfers: At the beginning of January, the Cyberspace Administration of China released for public consultation the draft certification measures to legitimise cross-border transfers of personal data outside of China (CBDTs), DLA Piper reports. Chinese law requires data controllers to take one of the following three routes: a) mandatory security assessment; b) Standard Contractual Clauses filing; or c) certification.

The certification route is available to data controllers inside China and outside the country if they fall under the extraterritorial jurisdiction of the Personal Information Protection Law (e.g. processing data of residents in China to provide products or services to them or to analyse or evaluate their behaviour). Regardless of the chosen route, data controllers must implement other compliance measures for CBDTs, including consent requirements, impact assessments, and maintaining records of processing activities.

US Child privacy: On 16 January, the FTC finalised changes to the children’s privacy rules (COPPA). By requiring parents to opt into targeted advertising practices, the final rule prohibits platforms and service providers from sharing and monetising children’s data without active permission. It requires certain websites and online services to proactively obtain verifiable parental consent before collecting, using or disclosing personal information from children under 13, provides the right to require deletion of these data, and establishes data minimisation and data retention requirements. Entities will have one year from the publication date to come into full compliance.

Open Data

The French CNIL alerts data controllers who use databases freely made available on the Internet or provided by a third party that they must verify that their creation, sharing or re-use is legal. This concerns areas such as scientific research, the development of artificial intelligence systems, commercial prospecting, and data brokers. To initiate and define a compliance process, data controllers will need to identify a legal basis, inform individuals, minimise data, obtain explicit consent for the processing of sensitive data, maintain up-to-date data processing agreements and other core documentation, and conduct impact assessments.

SDK and app privacy

A Software Development Kit (SDK) plays a central role in how mobile apps work. The French CNIL has made recommendations on how to integrate SDKs and conduct controls to ensure their compliance with the GDPR. The most popular SDKs offer tools for software error management, audience measurement, ad monetisation, notification management, and more.

The SDK code embedded within the app has the same level of software access as the rest of the code written by the app developer. If permission is granted to the application, all built-in SDKs have, by default, the technical capability to access the data. This access by the SDK can then escape the developer’s control and infringe on the privacy of the users of the application. It is therefore important that the publisher gives clear instructions to the developer as to the process to be implemented for the selection and configuration of the in-app SDKs.

More official guidance

Medical wearables: The Federal Office for Information Security (BSI) in Germany has published the results of its project on the “Security of wearables with partial medical functionalities”. The project deals with the security of wearables (marketed in Germany) that use sensors to record health and fitness status. These sensors can be used to measure or calculate heart rate, blood oxygen saturation, sleep patterns, and calorie consumption, among other things. Many of these devices use mobile apps to evaluate sensitive data and create statistics. Vulnerabilities in devices used to record health and fitness data open up a new form of personal cybercrime for criminals. On the one hand, it is conceivable that wearables could be used specifically to attack people who have the appropriate sensors. Targeted attacks could also be made on recovery processes, for example, when sick people adjust their medication based on sensor data.

Financial apps: In parallel, the BSI published the technical guidelines on “Requirements for applications in the financial sector” – for fintech companies such as banks, financial service providers or start-ups in the field of financial technology. The aim is to achieve a uniformly high level of security for existing banking apps and payment services – but also for financial services on smartphones or smartwatches. These may include apps that users can use to pay in the supermarket or manage accounts, but also crowdfunding platforms or microcredit initiatives, etc. The guide in German can be found here.


Selling drivers location and behaviour data

In the US, the FTC is taking action against General Motors over allegations they collected, used, and sold drivers’ precise geolocation data and driving behavior information from millions of vehicles—data that can be used to set insurance rates—without adequately notifying consumers and obtaining their affirmative consent. When consumers bought a vehicle, they were encouraged to sign up for a feature which they were often told would be used to help them assess their driving habits. 

The information notice was confusing and misleading. GM failed to clearly disclose to consumers the types of information it collected, including their geolocation and driving behavior data, such as hard braking, late night driving, and speeding, or that it would be sold to consumer reporting agencies. These consumer reporting agencies used the sensitive information GM provided to compile credit reports on consumers, which were then used by insurance companies to deny insurance and set rates. Additionally, through faulty claims on its websites and in email and social media ads, the company claimed that it deployed reasonable security and that it was in compliance with the previous EU-US and Swiss-US Privacy Shield Frameworks. 

More enforcement decisions

Loan promotion: The UK’s ICO meanwhile fined ESL Consultancy Services Ltd 200,000 pounds for knowingly sending unlawful loan promotion nuisance text messages to people who had not consented to receive them. The regulator found that in 2022 and 2023, ESL used a third party to send marketing text messages without ensuring valid consent was in place to send promotional materials. ESL also took steps to try to conceal the identity of the sender of the messages by using unregistered SIM cards. As a result, the ICO received 37,977 complaints.

Failed internal policies: An investigation by the Romanian supervisory authority revealed that the telecoms operator Vodafone Romania repeatedly failed to ensure the confidentiality of data belonging to several customers as a result of non-compliance with internal policies. For these acts the operator had to pay an approx. 15,000 euro fine. The data security breach was caused by:

  • unauthorised transmission of a picture of a data subject’s invoice to a third party;
  • not hiding recipients’ email addresses and not selecting the “BCC” option when informing data subjects of changes;
  • sending via WhatsApp by an employee of an authorised representative of the operator, a photo containing a screenshot of data displayed in the app interface.

Failed erasure request: The Romanian regulator also fined Orange Romania approx. 40,000 euros for a failed data erasure request. After an unsuccessful attempt to subscribe to the mobile services offered by the operator, a request was made to delete all personal data. During the correspondence, the operator requested more personal data and no complete and adequate responses were provided to the requests received. Moreover, the operator had excessively collected and stored scanned copies of documents, although they were no longer necessary for the purpose of identification related to the conclusion of a subscription contract. 

Data security

Hosting services: America’s FTC reminds us that a business website is one of the most important sales and marketing tools. It is not only the virtual storefront, but also a repository for data – yours and your customers’. Thus, when you go looking for a web host – the company that’ll store your site on its servers – security is non-negotiable. The recent FTC settlement with GoDaddy, one of the largest web hosting companies in the world, shows what can happen when security slips.


In particular, when the hosting provider neglects to inventory its assets, manage software updates, use multifactor authentication, and appropriately monitor for security threats. 

New security measures listed: The Danish data protection regulator published two new measures in its technical catalogue, both of which deal with ‘secure data transmission’. If two or more parties use external networks, such as the Internet and telecommunications networks, they often do not have the same control and protection as when using their own networks. In such cases, the parties must assess whether the data transmission should be protected with encryption. However, encryption of data transmission can also be used to protect against “insider threats” or physical intrusion into one’s own networks. During transmission, there is also a risk that data becomes known to unauthorised persons. Validation of sender, recipient and content is thus a preventive measure that reduces the likelihood of data being read by unauthorised parties. At the same time, it can ensure non-repudiation and validation of the sender.
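A minimal illustration of those three validations, added here as an example and not taken from the Danish catalogue: a Go program using only the standard library, in which the sender signs the payload with Ed25519 (for non-repudiation) and then encrypts it with AES-GCM, with the sender and recipient identifiers bound as authenticated data so a redirected or modified envelope is rejected. The party names, the envelope format and the transport key are constructed for the demo and are not from any real system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Envelope is a constructed wire format for this example, not a standard one:
// cleartext sender and recipient identifiers, the AES-GCM nonce, and a
// ciphertext that carries an Ed25519 signature followed by the payload.
type Envelope struct {
	Sender     string
	Recipient  string
	Nonce      []byte
	Ciphertext []byte
}

// TransportKey is a fixed 256-bit AES key, constructed for the demo only. In a
// real deployment it would come from a key agreement, never from source code.
var TransportKey = []byte("constructed-32-byte-demo-key!!!!")

// NewIdentity creates an Ed25519 signing key pair for one party.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signingInput binds both identities to the payload so a valid signature
// cannot be reused under a different sender/recipient pair.
func signingInput(sender, recipient string, payload []byte) []byte {
	return append([]byte(sender+"|"+recipient+"|"), payload...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is run by the sender: sign the payload first (non-repudiation), then
// encrypt signature||payload. The sender/recipient header is passed as
// additional authenticated data: readable in transit, but any change is detected.
func Seal(sender, recipient string, senderPriv ed25519.PrivateKey, key, payload []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(senderPriv, signingInput(sender, recipient, payload))
	ct := gcm.Seal(nil, nonce, append(sig, payload...), []byte(sender+"|"+recipient))
	return Envelope{Sender: sender, Recipient: recipient, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is run by the recipient and performs the three validations in order:
// recipient (is it addressed to me?), content (do ciphertext and header still
// authenticate?), and sender (does a known party's signature verify?).
func Open(me string, knownSenders map[string]ed25519.PublicKey, key []byte, env Envelope) ([]byte, error) {
	if env.Recipient != me {
		return nil, fmt.Errorf("recipient check failed: addressed to %q", env.Recipient)
	}
	pub, ok := knownSenders[env.Sender]
	if !ok {
		return nil, fmt.Errorf("sender check failed: unknown sender %q", env.Sender)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Sender+"|"+env.Recipient))
	if err != nil || len(pt) < ed25519.SignatureSize {
		return nil, fmt.Errorf("content check failed: ciphertext or header modified")
	}
	sig, payload := pt[:ed25519.SignatureSize], pt[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, signingInput(env.Sender, env.Recipient, payload), sig) {
		return nil, fmt.Errorf("sender check failed: signature does not verify")
	}
	return payload, nil
}

func main() {
	// Constructed scenario: a municipality sends a record to a clinic.
	muniPub, muniPriv := NewIdentity()
	known := map[string]ed25519.PublicKey{"municipality": muniPub}
	env, _ := Seal("municipality", "clinic", muniPriv, TransportKey, []byte("patient record 42"))
	pt, err := Open("clinic", known, TransportKey, env)
	fmt.Printf("clinic reads %q (err=%v)\n", pt, err)
	env.Recipient = "pharmacy" // header rewritten in transit: AAD no longer matches
	_, err = Open("pharmacy", known, TransportKey, env)
	fmt.Println("redirected envelope:", err)
}
```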

Valio data breach investigation in Finland

The data protection ombudsman is investigating a data security breach targeting the information network of Valio, (the country’s largest milk processor). The attacker had obtained the personnel data of Valio and its subsidiaries operating in Finland, as well as of milk purchasing cooperatives. Former employees of Valio have also been targeted. In addition, the breach targeted data in the databases of the Valio Mutual Insurance Company and the Valio Pension Fund. The data breach affected a significantly larger amount of personal data than initially estimated by the data controller.

Big Tech

Meta AI: Meta began to gradually roll out a new feature that lets its AI tool remember certain details that you share with it in 1:1 chats on WhatsApp and Messenger. The company is also rolling out a greater level of personalisation for Meta AI on Facebook, Messenger and Instagram, (by tracking and memorising details about you, including information about your personal life, ethnicity, health and family).

The changes so far only concern users in the US and Canada. The new policy promises to “only remember certain things you tell it in personal conversations, (not group chats), and you can delete its memories at any time”.

DeepSeek data whereabouts: Italy’s data protection regulator Garante is requesting answers from, (and has temporarily blocked), the Chinese AI model DeepSeek, supposedly a low-cost and open-source alternative to US rivals, over its usage of personal data. What information has been collected, from which sources, for what purposes, on what legal basis, and is it stored in China? Other reports claim that DeepSeek spreads misinformation and blocks political prompts, and discuss how the Chinese state might exploit users’ data.

OpenAI meanwhile warns that Chinese startups are ‘constantly’ using its technology to develop competing products. The company is reviewing allegations that DeepSeek used the ChatGPT maker’s AI models to create a rival chatbot, through a technique known as “distillation” – boosting the performance of smaller models by using larger, more advanced ones to achieve similar results, summed up in this Guardian article.

Data protection digest 18 Apr – 02 May 2024: EU-US redress mechanism and European Health Data Space taking shape
https://techgdpr.com/blog/data-protection-digest-06052024-eu-us-redress-mechanism-and-european-health-data-space-taking-shape/
Mon, 06 May 2024 08:42:35 +0000

As part of the new EU-US redress mechanism, data subjects in the EU/EEA will have access to specific complaint forms in the event that they suspect violations regarding their data transferred to the US, whether related to commerce or unlawful access to it by signals intelligence activities.

EU-US redress mechanism

The EDPB has completed its much-anticipated Information Note and a Complaint Form for EU/EEA individuals about alleged violations of US law concerning personal data collected by US national security authorities. It applies regardless of the transfer tool used to transfer the complainants’ data to the US, (Data Privacy Framework, standard or ad hoc contractual clauses, binding corporate rules, codes of conduct, certification mechanisms, derogations). However, this redress mechanism only applies to data transmitted after 10 July 2023. 

In short, after receiving and verifying the complaint, the data protection authority, (DPA), will transmit it, in an encrypted format, to the EDPB Secretariat. The latter will then transmit it to the US authorities for a binding decision, taken by the Office of the Director of National Intelligence’s Civil Liberties Protection Officer, (CLPO). Complainants can appeal the CLPO’s decision before the Data Protection Review Court within 60 days after receiving the notification by the DPA. There is also a possibility to complain about commercially related violations to EU DPAs. 

In July 2023, the European Commission decided that the US ensures an adequate level of protection for personal data transferred from the EU to organisations in America that are included in the ‘Data Privacy Framework List’, without the need to rely on Art. 46 GDPR transfer tools, (standard data protection clauses, binding corporate rules). The US Government in the meantime aims to introduce safeguards against bulk and targeted collection of intelligence signals, (eg, FISA Section 702), that apply to all data transferred to the US, regardless of the transfer tool used by the EU exporters.

More legal updates

FISA Section 702 reauthorised: In parallel, a new US bill just signed into law extends a key US surveillance program for another two years. Legislators claim the surveillance tool, first authorised in 2008, is crucial in disrupting terrorist attacks, cyber intrusions, and foreign espionage. It permits the government to collect, without a warrant, the communications of non-Americans outside the country. Amendments to protect Americans’ communications when they are in contact with those targeted foreigners, by requiring a prior warrant from a judge, failed at final passage.

UK adequacy threatened: The Parliament Justice Committee, (LIBE), has criticised the overall direction of the data policies of the UK Government. The government’s current actions are eliminating constraints arising from European or international law and limiting the impact of European court jurisdiction and interpretations on UK law. Concerns exist about UK intelligence agencies, especially their bulk collection of communication data, which is not in line with the EU Charter of Fundamental Rights. Thus, the UK could become a transit country for data that cannot be sent directly from the EU/EEA to “inadequate” third countries.

UK data protection reform moves on: The new Data Protection and Digital Information Bill went through the final examination of the committee stage. After the final reading, followed by the consideration of amendments stage in Parliament, (which can be a lengthy process), it will be presented for Royal Assent to become law. The new law promises to solve the complexity of the current regulatory regime, reduce compliance costs, and remove barriers to responsible innovation so that firms, public sector organisations and consumers can take “full advantage of the benefits” of data. 

Data Scraping

Data scraping by private actors is almost always illegal, explains the Dutch data protection authority AP. Scraping is the automatic collection and storage of information from the Internet. In several cases it is plainly not allowed, including: a) scraping the internet to create profiles of people and resell them; b) scraping information from protected social media accounts or private forums; c) scraping data from public social media profiles for insurance matters, etc.

A widespread misunderstanding is that scraping is allowed because everything on the internet is already available to everyone. This does not imply consent by the individual. Scraping for the legitimate interest of private businesses or individuals should not be used if the sole purpose is making money. However, scraping can be justified when a company gets information from media outlets on its activities.

More official guidance

Targeted advertising: A CJEU Advocate General’s opinion in the Schrems/Meta case, (C-446/21), similarly states that processing data for personalised advertising purposes cannot be justified just by meeting “the manifestly made public” condition for special category data. It rather elevates the particular protection granted to the special categories of data under Art. 9 of the GDPR, which means that it still must be evaluated as “ordinary” personal data, treated lawfully, clearly, and proportionately, and respecting the purpose limitation principle.

BCRs maturity test: The French data protection authority CNIL published a self-assessment tool to test the level of maturity of organisations’ Binding Corporate Rules for restricted data transfers. The companies concerned are multinational private businesses, established in several countries of the EU and abroad. The set of resources covers all stages of a project, from its preparation to the approval procedure. The test is to be completed by the data protection officer or any other person in charge of the BCR project.

Health Breach Notification: The US Federal Trade Commission finalised changes to the Health Breach Notification Rule. It underscores its application to health apps and similar technologies not covered by HIPAA, and obliges them to notify individuals, the Commission, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to those vendors or related entities to notify them following the discovery of a breach.

Safe biometric technology use

The Dutch data protection authority AP answers some frequently asked legal questions about facial recognition. The document is intended for privacy professionals and organisations that want to use facial recognition. Facial recognition is in principle prohibited. One of the exceptions is when facial recognition is necessary for authentication or security purposes, (eg, the security of a nuclear power plant, or military production needs). However, this applies only once the data protection impact assessment, (DPIA), has been carried out, demonstrating that it is necessary and that there is an important public interest.

The AP also defines under which conditions there can be ‘personal or household use’ when applying facial recognition. For example, unlocking a phone with facial recognition, if the biometric data is stored on the phone itself, and the user decides what happens to that data. It must be up to the user to decide – whether to unlock the phone using a PIN code or face recognition. 

European Health Data Space

MEPs approved the creation of the European Health Data Space, improving citizens’ access to their health data and boosting secure sharing in the public interest. Universal electronic health records, (EHR), will include patient summaries, electronic prescriptions, medical imagery and laboratory results. They will be available to health professionals across the EU, (with the patient’s consent), and to trusted entities such as clinical researchers, statisticians and policy-makers, (in an anonymised or pseudonymised format). Once officially published after the Council’s approval, it will apply two years later, with some temporary exceptions for specific categories of data.


Sim cards illicit activation fine

A company in Italy that manages two phone shops will have to pay 150 thousand euros for having illicitly activated SIMs, subscriptions and charges for the purchase of cell phones and GPS trackers using the personal data of hundreds of users without their knowledge. The company had activated 1300 telephone cards using data and identity documents extracted from the systems of the telephone operator whose products it sold, and unduly saved in-store. For instance, a complainant was charged on her credit card for the activation of a new contract in the name of her deceased husband.

The company had also activated unsolicited services by inducing customers to sign, via a tablet, without clarifying the consequences of such consents, along with selling mobile phones which had not been requested by customers nor delivered to them. The company had evaded the controls of the telephone operator and the related provisions regarding the processing of user data, thus acting as an independent data controller.

More enforcement decisions

Cookie collection without notice: The Croatian data protection regulator issued administrative fines of 15,000 and 20,000 euros on managers of gambling and betting activities due to the illegal processing of personal data through cookies, and without allowing the users to give or withdraw their informed and voluntary consent. In particular, the processing managers did not separate the cookie banner or enable respondents to consent to different purposes, (marketing, analytics/statistics). 

The processor also did not adequately inform the users about the legal basis, groups/types of cookies, the function/purpose of each cookie, and the cookie storage period. In addition, the data controller was fined for processing the respondents’ data at the very moment of loading the website, (since the respondents were not informed about the processing). 

Prohibited employment practices: The French CNIL notified a company to minimise candidates’ data collection. The company required applicants to provide their place of birth, nationality, marital status, (spouse’s name and surname, date and place of birth, their profession, the number of children and their age), as well as all salaries received in previous companies. This information was not necessary for assessing the candidate’s ability to perform the job. An aggregate level of detail reflecting the candidate’s nationality, (French, EU and non-EU categories), would suffice. The candidate could, however, on their initiative, provide any useful information, including to justify their salary claims.

Ring case

In the US, following a settlement with Ring, the Federal Trade Commission is returning more than 5.6 million dollars to customers. The company allowed employees and contractors to access consumers’ private videos and failed to implement security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos. Ring also deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using its customer videos to train algorithms without consent. 

Data security

Ransom attack: The EDPB provided a summary of a recent Greek regulator fine where a company, (Hellenic Post Services ELTA SA), failed to implement technical and organisational measures, resulting in unauthorised access by third parties. The first incident, the result of a malicious attack by third parties, involved a breach in which data was encrypted to demand a ransom, while the second incident involved the leakage of personal data, which was subsequently published on the Dark Web.

Cybersecurity tool: The UK National Cyber Security Centre issued the latest version of the Cyber Assessment Framework, reflecting the increased threat to critical national infrastructure. The guide is for all organisations responsible for securing any critical network and information systems, covering remote access, privileged operations, user access levels and multi-factor authentication, (B2a and B2c principles). Other organisations may find this tool useful too.

Strong password rule: In the UK, makers of phones, TVs, and other internet-connected smart devices are now legally required to meet minimum security standards, states the Department for Science, Innovation and Technology. Manufacturers are banned from having weak default passwords like ‘admin’ or ‘12345’, and if there is a common password the user will be prompted to change it on start-up.

Big Tech 

Data brokerage: A new data broker restriction was signed into law on 24 April in the US, JDSupra law blog reports. ‘Protecting Americans’ Data from Foreign Adversaries Act of 2024’ prohibits data brokers from sharing sensitive personal information with a broad range of entities that may have ties to Russia, China, Iran, and North Korea. This includes data on finances, genetics, health, biometrics, communication contents, exact geolocation, and data about minors. Any organisation that provides data to another organisation that isn’t serving as a service provider in exchange for a significant fee is known as a “data broker.” 

US TikTok/China row: ByteDance prefers TikTok be shut down rather than sold if the Chinese owner exhausts its legal options in fighting legislation to ban the platform from US app stores, according to Reuters. The US recently passed legislation allowing for the suspension of the popular service due to widespread concerns that China may access Americans’ data or use the app for spying. TikTok’s major assets include its algorithms, source code, user data, and product operations and management. However, Chinese rules protect TikTok’s intellectual property, making it difficult for US buyers to acquire the source code and similar assets.

“Cookie pledge” fails: As Google delays the demise of third-party cookies, a European Commission campaign to get Big Tech companies to voluntarily commit to a “cookie pledge” has reportedly failed. The draft pledging principles would ensure that users receive concrete information on how their data is processed and on the consequences of accepting different types of cookies; consent should not be asked for again for a year once it has been refused. Some companies lost interest in the proposal since they depend on data harvesting for income, while others were worried that it would not comply with existing laws.

Data protection digest 3 – 17 Apr 2024: non-material damage dilemma when losing control of your data
https://techgdpr.com/blog/data-protection-digest-18042024-non-material-damage-dilemma-when-losing-control-of-your-data/
Thu, 18 Apr 2024 09:32:37 +0000

In this issue: an alternative to the pay or okay consent model, the right to compensation for non-material damage, FISA reauthorisation and GDPR enforcement procedural rules updates, AI development and personal data.

Non-material damage under the GDPR

In one of its recent decisions the CJEU clarifies the right to compensation for non-material damage for data subjects. The request was made in proceedings between a natural person and Juris GmbH, concerning compensation for the damage suffered by the claimant as a result of various processing operations involving his personal data which were carried out for marketing purposes, despite the objections he had sent to that company. The CJEU upheld its previous decision, (of 25 January 2024, MediaMarktSaturn, C‑687/21), that an infringement of GDPR provisions which confer rights on the data subject is not in itself sufficient to constitute ‘non-material damage’, irrespective of the gravity of the damage suffered by that person:

“The existence of ‘damage’, material or non-material, or of ‘damage’ which has been ‘suffered’ constitutes one of the conditions for the right to compensation laid down in Art. 82 (1) of the GDPR, as does the existence of an infringement of that regulation and of a causal link between that damage and that infringement, those three conditions being cumulative.” 

At the same time, it is not sufficient for the data controller, in order to be exempted from liability, to claim that the damage in question was caused by the failure of a person acting under his or her authority, within the meaning of Art. 29 of the GDPR. More of the legal reasoning of the case, as well as the rules on determining the amount of damages due as compensation, can be read in the court ruling.

‘Pay or okay’ consent model

The EDPB adopted a long-awaited Opinion on Valid Consent in the context of Consent or Pay models implemented by Large Online Platforms. In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they only offer users a binary choice between consenting to the processing of personal data for behavioural advertising purposes and paying a fee. The EDPB underlines that personal data cannot be considered a tradeable commodity, and controllers should consider the need to prevent the fundamental right to data protection from being transformed into a feature that data subjects have to pay to enjoy. 

Thus, controllers should consider also offering a further alternative, free of charge, without behavioural advertising, with a form of advertising involving the processing of less or no personal data. 

GDPR enforcement: new rules, strict deadlines, dispute resolution

On 10 April, the European Parliament adopted amendments to a proposal laying down additional procedural rules relating to the enforcement of the GDPR. In its 2023 work programme, the Commission announced that it would propose harmonising some national procedural aspects to improve cooperation between national data protection authorities. The MEPs’ amendments include:

  • the right of all parties to equal and impartial treatment regardless of where their complaint was lodged;
  • their right to be heard before any measure is taken that would adversely affect them, and 
  • their right to procedural transparency, including access to a joint case file. 

MEPs want to standardise procedural deadlines for a supervisory authority to acknowledge that they have received a complaint and declare it admissible or inadmissible. Then, the authority would have to determine if the case is a cross-border one, and which authority should be the lead authority. Draft decisions must be delivered within nine months of receiving the complaint, outside of certain exceptional situations.

MEPs also want to clarify the rules involving amicable settlements, (consensual, negotiated resolutions to disputes). However, these do not prevent a DPA from starting its own initiative investigation into the matter. Finally, all parties to complaint procedures have the right to effective judicial remedies, for example when DPAs do not take necessary actions or comply with deadlines. 

FISA Section 702 reauthorisation

Last week the US House of Representatives voted to reauthorise Section 702 of the Foreign Intelligence Surveillance Act, (FISA), which includes a crucial provision allowing for American citizens to be surveilled without a warrant for another two years. The law has made it possible to monitor foreign communications in great detail, but it has also resulted in the gathering of phone conversations and correspondence from US individuals. 

Some privacy protections, such as the ban on sweeping up communications about a target along with communications to or from the target, were maintained. However, other amendments, including a new definition of internet service providers, might broaden FISA’s application. Prior to the statutory expiration of Section 702 on April 19, the measure now goes to the Senate. More analysis by the Lawfare Institute can be read here.

More legal updates

Child safety online: On 10 April, the European Parliament endorsed certain derogations to the E-Privacy Directive to combat online child sexual abuse. In particular, MEPs adopted a temporary extension that allows the voluntary detection, by internet platforms, of child sexual abuse material, (CSAM), online. The implementation measures follow strict data protection safeguards pursuant to the GDPR, (legal basis for data processing, data retention policies, restricted data transfers, etc.). The derogation will be extended until 3 April 2026 so that an agreement on the long-term legal framework can be reached. The provisional rules will now have to be formally adopted by the Council before they can become law. 

US privacy legislation: Last week, a bipartisan group of lawmakers in Congress announced the Federal Privacy Bill, (APRA), with the likelihood of long months of discussions before the bill’s passage. This comprehensive draft legislation promises clear, national data privacy rights and protections for Americans, boosts data minimisation in the commercial sector and curbs large data holders and brokers, harmonises the existing state data privacy laws, and establishes new enforcement mechanisms and a private right of action for individuals. At the same time, the Federal Trade Commission would still have the authority to provide further recommendations and rules covering a significant portion of the APRA. 

Right of access basics 

The Luxembourg data protection authority has published a new illustrative factsheet, (only available in French), on the right of access. Any individual can ask a private or public entity, (the data controller), whether it holds their personal data and obtain a copy of the data processed. This right allows, in particular, checking whether the data is correct. The organisation can be asked to provide the categories of data processed, retention periods, explanations on how to exercise your rights, the lawful basis for processing, other recipients of your data, data transfers to third countries, data sources, and explanations on decisions made by automated processing or profiling.

However, the right of access is not an absolute right. The organisation may refuse to provide you with data about third parties in some cases or a confidentiality obligation may be imposed by law. The organisation must respond to the request within one month including the justifications for refusal or possible delays in providing information. If the organisation does not respond, does not meet deadlines or you are not satisfied with its response, you can submit a complaint to the data protection authority. 

AI development and data protection guide

The French data protection authority CNIL has published its first recommendations on the development of artificial intelligence, in a way that respects personal data. The recommendations, (in French only), concern the development of AI systems involving the processing of personal data, (Machine Learning, general purpose AI, systems that are trained “once and for all” or continuously). The points addressed in the initial recommendations make it possible to:

  • determine the applicable legal regime;
  • define a purpose;
  • determine the legal qualification of the actors;
  • define a legal basis;
  • perform tests and verifications in case of data reuse;
  • carry out an impact assessment if necessary;
  • take data protection into account when making system design choices;
  • take data protection into account in the collection and management of data.

More official guidance

Legal basis for customer health data processing: When obtaining data from a person about their health condition, their explicit consent is required – confirms an administrative court in Poland. In the related case, a law firm contacted people injured in traffic accidents to represent them against insurance companies in courts in order to obtain compensation and pensions, as well as reimbursement of treatment and rehabilitation costs. The company obtained information about potential customers based on, among other things, press releases, online publications or content available on social media, as well as information provided or disseminated by organisations engaged in charitable activities. 

Subsequently, when meeting prospective clients, a representative of the law firm received only oral consent to the processing of personal data ahead of a possible conclusion of a contract with these persons but did not record or register it in any way. Also, the collection of this data was not necessary to perform the contract, because the persons from whom the data was obtained were not yet customers. However, this data was processed for other purposes, (eg. examining the profitability of concluding a contract with a potential customer and possibly establishing contact with such a person again). 

Recruitment data: The Latvian data protection regulator reminds us that an employer must avoid excessive data processing when selecting applicants. For example, a job advertisement should indicate as specifically as possible what information the employer expects from the candidate, and develop its own CV form. Also, after submitting their data, applicants as data subjects have the right to submit information requests asking for clarification on various aspects related to the processing of their personal data, so the employer must ensure that it is able to respond to such requests. Finally, there must be established procedures for how information obtained during the selection process, including applicants who are not hired, is stored and deleted. 

In the event that, after data collection, the employer concludes that data processing could also be carried out for a purpose different from that originally collected, the employer must assess whether this purpose is compatible with the initial processing, and also ensure that the applicant is informed. If the employer chooses to use the services of recruitment companies to find suitable employees, it is important to determine the role of such service providers and if the company is considered a data processor, an agreement on the data processing must be concluded. 

Avast non-anonymised data fine

Internet security company Avast has contested a fine of approx. 13 million euros from the Czech data protection agency over transferring the non-anonymised data of 100 million users to its subsidiary Jumpshot in 2019. Although Avast stated that it used robust anonymisation techniques, it was proven that at least some of the data subjects using its antivirus program and browser extensions could be re-identified. Moreover, the purpose of processing this data was not (only) to create statistical analyses, as Avast stated.

In fact, the pseudonymised Internet browsing history was linked to a unique identifier. Jumpshot, among other things, presented itself as a company that made data available to “marketers,” providing them with insight into online consumer behaviour and offering “atomic-level” tracking of user journeys. The decision, (a cross-border case under the EU one-stop-shop procedure), comes after a 16.5 million fine from the US Federal Trade Commission and restrictions on selling user data for advertising. Avast, now part of Gen Digital, faces challenges both in the Czech Republic and the US.

Other enforcement decisions

Biometrics abuse in the workplace: In the UK, dozens of companies including national leisure centre chains are reviewing or pulling facial recognition technology and fingerprint scanning used to monitor staff attendance after a clampdown by the Information Commissioner’s Office. In February, the regulator found that the biometric data of more than 2,000 employees had been unlawfully processed at 38 centres managed by Serco Leisure. The ICO’s latest recommendations require companies to consider alternative and less intrusive options rather than biometric scanning to meet their staff management objectives. In light of the ICO decision, a number of other leisure centre operators, like Virgin Active and 1Life, are either reviewing or stopping the use of similar biometric technology, according to The Guardian.

Ransom attack on a healthcare system: Italian privacy regulator Garante issued fines on several technical and administrative entities, (in the Lazio region), in proceedings opened after a cyber attack on a regional healthcare system back in 2021. The ransomware was introduced into the system through a laptop used by an employee. It blocked access to many health services, preventing, among other things, management of reservations, payments, collection of reports or registration of vaccinations. Local health authorities, hospitals and nursing homes were unable to use some regional information systems, through which data on the health of millions of patients is processed, for a period of time that ranged from a few days to a few months. 


Outdated systems and inadequate management of the data breach failed to mitigate the negative consequences of the attack: from the IT service provider’s inability to determine which servers had been compromised, to the failure to prevent further propagation of the malware to the numerous healthcare facilities under the umbrella of the data controller, (the regional administration).

Audit methodology

The UK ICO conducted a consensual data governance audit of East Surrey College, (ESC). The recommendations by the regulator not only provided the ESC with independent assurance of compliance but also could serve as guidance for other organisations concerning:

  • Data Governance and Accountability, (creating a privacy culture; comprehensive and up-to-date data maps and ROPA; training needs analysis).
  • Records Management, (eg, creating a local-level asset register alongside the ROPA; correct use of attachments, encryption and the security of personal data in transit).
  • Data Sharing, (reviewing, updating and creating data sharing policies, procedures and registers; documenting and appropriately justifying the lawful basis for sharing personal data; data sharing agreements containing sufficient detail; documenting and regularly reviewing technical and organisational security arrangements with data sharing parties, etc).

Data security

Underestimated risks to data subjects: The Dutch national data protection agency AP claims that an excessive number of Dutch organisations that suffer cyberattacks neglect to notify individuals that their personal information has been compromised. Approximately 70% of the time, organisations underestimate the likelihood of an attack. As a result, the individuals whose personal information was compromised are unable to defend themselves against potential fraud or other crimes committed by online criminals. Those criminals often target IT suppliers that manage large amounts of personal data; however, the organisations that engage such suppliers generally remain responsible if anything happens to this data.

Countering cyber threats: An organisation that takes security measures seriously will not only be able to protect its data but will also be a trusted partner and a role model for others. The Estonian privacy regulator reiterates some simple but important recommendations on how to safely handle personal data in everyday work: 

  • data encryption and pseudonymisation for long-term data storage;
  • strong password rules or at least two-factor authentication;
  • monitoring system activity and detecting unusual activity or requests;
  • an incident response plan that is reasonable and clear;
  • regular training or testing so that employees recognise scams and phishing emails;
  • security audits, testing; 
  • involvement of the data protection specialist;
  • implementation of the information security standards;
  • authorised processor due diligence.

The post Data protection digest 3 – 17 Apr 2024: non-material damage dilemma when losing control of your data appeared first on TechGDPR.

Data protection digest 18 Mar – 02 Apr 2024: AI and DP standardisation, patient medical data, human factor in data security
https://techgdpr.com/blog/data-protection-digest-04042024-ai-and-dp-standardisation-patient-medical-apps-the-weakest-link-in-data-security/
Thu, 04 Apr 2024 08:10:04 +0000

The need for AI and data protection standardisation, best practices on customer and employee data protection, rules on restricted cross-border data transfers, tips for DPOs, CISOs, IT specialists, and much more in our latest digest.

Stay tuned! Sign up to receive our fortnightly digest via email.

AI and data protection standardisation

The French CNIL elaborates on the contribution of the ISO/IEC 27701 and 42001 standards to compliance with data protection laws. For many years, IT security has benefited from two recognised international standardisation frameworks: ISO/IEC 27001 and 27002, which detail best practices for implementing the necessary security measures. ISO/IEC 27701, published in 2019, complements these two standards by defining and detailing a “privacy management system”.

At the same time, the new ISO/IEC 42001, published in 2023, proposes a “management system for AI” for organisations. This standardisation tool describes the processes for managing concerns related to the reliability of AI systems: security, safety, fairness, transparency, and data and system quality throughout the lifecycle. In addition, it provides a series of operational measures to implement them, including assessing the various impacts and risks of an AI system, ensuring responsible development and use, and documenting and monitoring.

Public tasks and AI

The Swedish IMY is starting a regulatory sandbox project to test how generative AI can create more efficient data processing when issuing public documents. The goal of Lidingö city’s project “Right to transparency 2.0” is to be able to use generative AI to get help with masking personal data and confidential information. In addition to IMY, the Atea Sweden company will participate with technical expertise and know-how. 

CPPA enforcement

California’s Privacy Protection Agency has issued its first enforcement advisory – on applying data minimisation to consumer requests. Businesses should apply this principle to every purpose for which they collect, use, retain, and share consumers’ personal information. For example, a business shall not require a consumer to provide additional information beyond what is necessary to send the opt-out signal, (of selling/sharing their data), or when determining the method by which to verify the consumer’s identity. What is the minimum personal information that is necessary to achieve this purpose? Read in the original guidance.

More official guidance

Patient medical apps: The Italian ‘Garante’ has published a guide on apps and sites that connect patients with healthcare professionals, including general practitioners and pediatricians, concentrating on free choice, the booking of visits, and the sending and archiving of health documents, (in Italian only). The compendium provides clarifications concerning three macro types of processing: 

  • patient data, necessary to offer them online services,
  • data of healthcare professionals processed for various purposes,
  • data on the health of patients, processed for diagnosis and treatment purposes.

Tech vendors and HIPAA: The US government reminds us of the correct use of online tracking technologies by covered entities and business associates under the Health Insurance Portability and Accountability Act, (HIPAA). As a rule, they are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of protected health information, (PHI), to tracking technology vendors, (eg, via user webpages and mobile apps). This primarily includes the disclosures of PHI for marketing purposes without a user’s HIPAA-compliant authorisation.

AI-powered employment practices: Privacy International has responded to the UK ICO’s draft guidance for employers and recruiters on deploying AI tools. Its response focuses on the processor/controller designation of recruiters and the third-party LLMs they outsource to, and on candidates’ employment rights that may be undermined by algorithmic decision-making. PI’s submission addresses the different technologies used and the different types of data collected, the use of candidate data for model training purposes, the role of DPIAs and what constitutes meaningful human intervention.

UK standard clauses

As of 21 March 2024, any contracts depending on the old EU SCCs for data transfers with the UK should have been upgraded to the UK IDTA or UK Addendum. From 21 September 2022, organisations had to utilise the IDTA or the Addendum if they intended to engage in new, (or update the existing), arrangements for transfers that are subject to the UK GDPR. The deadline is further explained in the TechGDPR blog post.

German healthcare data

The country’s new Health Data Use Act entered into effect on 26 March, IAPP News reports. By allowing pharmaceutical corporations to access patient health data for research reasons, the act seeks to further health research. Researchers will only be permitted to access pseudonymised data, and any violations of patient privacy would result in administrative sanctions. The original legal text in German can be consulted here.

More legal updates

Florida’s under 16 law: The Florida Governor signed a bill that bans children aged under 14 from social media platforms and requires 14 and 15-year-olds to get parental consent. The measure requires social media platforms to terminate the accounts of people under 14 and those of people under 16 who do not have parental consent. It also requires the use of a third-party verification system to screen out those who are underage. On 1 January 2025, the measure will become law. The critical views can be read in the original analysis by Reuters.

Australia’s doxxing reform: The Government proposes new provisions to address doxxing as part of the Privacy Act Review. ‘Doxxing’ is the intentional online exposure of an individual’s identity, private information or personal details without their consent, (eg, for de-anonymising, targeting purposes). A new statutory tort for serious invasions of privacy would allow individuals to seek redress through the courts if they have fallen victim to doxxing, as well as access, objection and erasure rights, and the right to correct their personal information.

Chinese restricted transfers: The Cyberspace Administration finalised guidelines setting out exemptions to certain cross-border data transfer laws, DLA Piper reports. These include collection outside of mainland China, cross-border HR management, cross-border contracts, volume thresholds and others. The guidelines include updated filing templates for those still falling outside the exemptions and a reminder that consent and contractual/other measures remain in place. More details on the current security assessments and standard contracts for data exporters are available here.

UK data protection reform

UK civil society organisations have issued an alert on the financial surveillance powers proposed in the UK Data Protection and Digital Information Bill, (in the Committee stage now). It introduces mass algorithmic surveillance aimed at scrutinising banks and any third-party accounts, purportedly to detect welfare fraud and errors. Reportedly, there are no restrictions on the type of information that can be requested. Enacting a law that allows for disproportionate mass surveillance could also put the UK’s adequacy status with the EU at risk.

Facial recognition abuse at the workplace

Facial recognition to check attendance in the workplace violates employee privacy, stated the Italian ‘Garante’ when sanctioning five companies all engaged in various capacities at the same waste disposal site, for having unlawfully processed the biometric data of a large number of workers. In particular, three companies had shared the same illegal biometric detection system for more than a year, without having adopted adequate technical and security measures. The companies had not provided clear and detailed information to workers nor had they carried out an impact assessment. They should have more appropriately used less invasive systems to control the presence of their employees in the workplace, (such as by badge). 

More enforcement decisions

Cookie walls: The Danish data protection authority has confirmed its decisions in the cases concerning JFM’s, (media company), and GulogGratis’, (online marketplace), approach to using cookie walls. In particular, statistics were not a necessary part of the paid access alternative – the processing of personal data to generate statistics was not directly linked to financing the content. The marketing purpose – unlike the statistical purpose – made it possible for advertising partners to buy access to banner advertisements etc. on the website, serve personalised ads and thus generate advertising revenue.

Access and log control: The Norwegian data protection authority has issued an approx. 1.7 mln euro fine and several injunctions to the Norwegian Labor and Welfare Agency, (NAV). NAV lacked management and understanding of the importance of safeguarding data confidentiality through access management and log control. The majority of Norwegian citizens receive benefits from NAV at one time or another during their lives. 

There is therefore an inherently high privacy risk in NAV’s operations. In practice, however, local offices were given greater freedom to organise themselves in their own ways. As a result, special categories of personal data were often processed over long periods and by a large number of people, without the necessary security measures being established, and despite repeated calls for compliance.

Retailer’s indefinite data storage: The Finnish data protection commissioner has ordered Verkkokauppa.com to pay an administrative fine of 856,000 euros, as the company had not defined how long the data of online store customer accounts would be kept. The limitation of the data retention period was left to the responsibility of the customer. In addition, Verkkokauppa.com’s policy of requiring the creation of a customer account for online purchases violates data protection regulations.

Data breaches

Ransom attack: The Estonian privacy regulator explains the recent Asper Biogene data leak. Sensitive personal health data was leaked. The company learned of the intrusion through a ransom demand. Thanks to the notification made by the data controller, people learned about the situation – this allowed them to protect themselves from possible fraudulent letters. The data leak involved a healthcare service provider and an authorized processor, (Asper Biogene). In this case, the agreement concluded between the controller and the authorised processor largely helped to confirm the parties’ roles and goals in data processing. 

Data security 

Human factor: What is the weakest link in the data security chain? The Estonian regulator states that it is still a person that interacts with that data. Therefore every month there are cases where the requirements for personal data processing are violated due to an employee’s mistake, carelessness or lack of organisation in the workplace. Some recent cases resolved by the regulator included: 

  • an intranet was accessible from the public Internet, where the only measure to protect its content was the same username and password used by multiple persons.
  • the employees of a cafe discovered that paper documents concerning the inmates of a detention facility had been left there.
  • a hosting company sent a newsletter to its customers in a way where the e-mail addresses of others were visible to all recipients.
  • an employee of a financial company was mistakenly given access to a bank account used for salary payments of the company’s employees.
  • the publication of people’s debt data in various default registers without a legal basis. 
  • a ransomware and code injection attack, hijacked employee emails and phishing.

Latest technology guide: The French CNIL has published a new edition of its Personal Data Security Guide, (available in English). The new version restructures the guide and introduces new fact sheets, including tips on artificial intelligence, mobile applications, cloud computing, and application programming interfaces. For instance, current practices such as the use of BYOD have been added to the existing fact sheets. This guide references DPOs, CISOs, IT specialists, and the CNIL assessments. 

Big Tech

Google Incognito data deletion: The Guardian reports that Google settled a lawsuit alleging it surreptitiously monitored the internet activities of users who believed they were surfing incognito on its Chrome browser, and it agreed to delete billions of data sets. Users alleged that Google’s analytics, cookies and apps let the Alphabet unit improperly track people who set Google’s Chrome browser to “incognito” mode and other browsers to “private” browsing mode. As part of the settlement, Google will update its disclosures on the data it gathers during “private” surfing. Users in incognito mode will also be able to disable third-party cookies.

Mozilla/Onerep data brokerage case: The nonprofit that supports the Firefox web browser is winding down its new partnership with Onerep, an identity protection service recently bundled with Firefox that offers to remove users from hundreds of people-search sites. The move comes just days after a report by US cybersecurity expert Brian Krebs forced Onerep’s CEO to admit that he has founded dozens of people-search networks over the years. 

In the US, data brokers, people-search services like Onerep, and online reputation management firms exist because virtually all US states exempt so-called “public” or “government” records from consumer privacy laws. Those include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, social media data and known associates.

The post Data protection digest 18 Mar – 02 Apr 2024: AI and DP standardisation, patient medical data, human factor in data security appeared first on TechGDPR.

]]>
Data protection digest 3-17 Mar 2024: Personal data gaps in information systems, TC string, mass data collectors
https://techgdpr.com/blog/data-protection-digest-18032024-personal-data-gaps-in-information-systems-tc-string-mass-data-collectors/
Mon, 18 Mar 2024 09:51:22 +0000

Information systems, their security, and personal data gaps are the focus of our latest digest. Also requiring your attention are invalid consent in cookie walls, the ‘pay or okay’ subscription model, OpenAI “Sora” data practices, and the crackdown on mass data collectors.

Stay tuned! Sign up to receive our fortnightly digest via email.

Personal data gaps in information systems

The Spanish data protection agency AEPD examines the distinction between addressing security by focusing exclusively on information systems and addressing it from the perspective of the processing operations carried out. Under the GDPR rules, a data controller must evaluate the risks to the rights and freedoms of natural persons whose data is being processed and apply measures to mitigate them. Therefore security focused on processing activities is a broader concept than security focused exclusively on systems. The scope of application of the GDPR is the processing of personal data, understood as processes with an ultimate and specific purpose, while the scope of application of other regulations, such as cybersecurity or artificial intelligence, is oriented to information and communications systems.

An example that illustrates this difference is the case of access control operations in personal data processing – when third parties use compromised credentials to log into a service or application. Some controllers may incorrectly claim that a breach within the meaning of the GDPR has not occurred since, according to their opinion, the information systems have not been compromised. These controllers understand that the use of valid credentials to log in to the system has not led to a personal data breach in the processing as the system has functioned correctly.
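The AEPD’s point is that a login with valid but stolen credentials still has to be detected and treated as a breach, even though “the system functioned correctly”. The following is an added example (not from the AEPD or this digest) in Python over constructed authentication log lines: `detect` flags three patterns that a purely system-centred view would miss, a success from a second country within two hours of the previous one, a success from a device never seen for that account, and a success right after a burst of failures. The log format, field names, thresholds and all sample values are assumptions.

```python
"""Detect suspicious use of *valid* credentials in an authentication log.

Added example (not from the AEPD or TechGDPR): the log format, the rules and
the thresholds are assumptions, constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, then key=value fields.
SAMPLE_LOG = """\
2024-03-05T08:00:00Z user=alice ip=203.0.113.5 country=ES device=laptop-1 result=success
2024-03-05T08:30:00Z user=bob ip=198.51.100.7 country=ES device=phone-2 result=success
2024-03-05T09:10:00Z user=alice ip=192.0.2.44 country=RU device=unknown-9 result=fail
2024-03-05T09:10:05Z user=alice ip=192.0.2.44 country=RU device=unknown-9 result=fail
2024-03-05T09:10:09Z user=alice ip=192.0.2.44 country=RU device=unknown-9 result=success
2024-03-05T12:00:00Z user=bob ip=198.51.100.7 country=ES device=phone-2 result=success
"""


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    country: str
    device: str
    success: bool


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts_str, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return Event(
        ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        user=fields["user"], ip=fields["ip"], country=fields["country"],
        device=fields["device"], success=fields["result"] == "success",
    )


def detect(log: str,
           travel_window: timedelta = timedelta(hours=2),
           burst_window: timedelta = timedelta(minutes=5),
           burst_fails: int = 2) -> list[str]:
    """Return one alert string per suspicious *successful* login.

    Every alert describes a login the system accepted as valid; none of the
    rules needs the system itself to have malfunctioned.
    """
    events = [parse_line(l) for l in log.splitlines() if l.strip()]
    events.sort(key=lambda e: e.ts)
    alerts: list[str] = []
    last_success: dict[str, Event] = {}
    known_devices: dict[str, set[str]] = defaultdict(set)
    recent_fails: dict[str, list[datetime]] = defaultdict(list)

    for e in events:
        if not e.success:
            recent_fails[e.user].append(e.ts)
            continue
        prev = last_success.get(e.user)
        # Rule 1: two successes from different countries too close together.
        if prev and prev.country != e.country and e.ts - prev.ts < travel_window:
            alerts.append(f"{e.user}: success from {e.country} {e.ts - prev.ts} "
                          f"after success from {prev.country} (impossible travel)")
        # Rule 2: a device this account has never used before.
        if known_devices[e.user] and e.device not in known_devices[e.user]:
            alerts.append(f"{e.user}: success from unseen device {e.device}")
        # Rule 3: success preceded by a burst of failures (guessing / stuffing).
        fails = [t for t in recent_fails[e.user] if e.ts - t <= burst_window]
        if len(fails) >= burst_fails:
            alerts.append(f"{e.user}: success after {len(fails)} failures within "
                          f"{burst_window} (credential stuffing pattern)")
        recent_fails[e.user] = []
        last_success[e.user] = e
        known_devices[e.user].add(e.device)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Each alert is evidence that the confidentiality of the personal data reachable through that account may have been breached, which is the trigger for the controller’s breach assessment regardless of whether any server was compromised.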

“Consent or Pay” initial guidance

Some businesses are considering giving people a choice between accessing online services without payment if they consent to their personal information being used for personalised advertising or, if they refuse this consent, having to pay to access that service. In principle, data protection law does not prohibit business models that involve “consent or pay”, states the UK ICO. However, some types of access mechanisms aren’t likely to comply with expectations in data protection law for consent to be ‘freely given’. The relevant context may include power imbalance, equivalence, appropriate fees, privacy by design, and information obligation:

“Being upfront and honest with people about what happens to their personal information when they use the service is a good thing.”


More official guidance


Data obtained as part of work duties: The Latvian regulator DVI explains the legality of data processing through information systems that hold personal information and to which access is authorised through employment. We may directly or indirectly come into contact with other people’s data while carrying out our job, including customers, coworkers, and residents.

The organisation that grants its employees access to the systems must ensure, (if technically possible), that each employee accesses only the information necessary to perform the duties of their position. Personal interest or curiosity is no longer an adequate basis for looking into a database. In the case of a data processing infringement, the organisation should anticipate that, as the data controller, it would bear the main responsibility.

Automated decisions: The Spanish AEPD has updated guidance on the degree of human intervention in automated decisions, (Art. 22 of the GDPR). Many automated decisions involve some degree of human intervention. However, to be considered as such, it has to be active and not just a symbolic gesture, that is, it has to have a certain degree of relevance and capacity. Evaluating whether human supervision is possible and effective involves evaluating both the system used and the processing and its context. To carry out this evaluation systematically, it is recommended to objectively assess a person’s participation in the decision process. More details in the original publication (in Spanish).

Public affairs: As part of their activity, public affairs professionals, (public affairs or lobbying consulting firms, internal departments), collect personal data relating to individuals in sectors such as government, administrative, associative, parliamentary, media actors, etc. To help them comply with the GDPR, several associations representing business and public relations professionals have jointly developed a guide, drafted in consultation with the CNIL, (in French). 

Legal processes

EU AI Act: The Guardian analyses the practical implications of the upcoming regulations for customers and businesses. The act will soon become law and go into effect gradually over the following three years. Customers will feel more certain that the AI technologies are configured for safe use as a result. Similar to how the GDPR role model worked, the legislation will likewise have an impact outside the EU. However, the EU’s proposed cap on computing power used to train AI models is far lower than equivalent laws in the US. Consequently, European companies could even decide to relocate west to get around EU regulations, warn some tech businesses.

European Health Data Space: EU legislators have struck a provisional agreement on the exchange and access of health data at the union level. Currently, the level of digitalisation of health data in the EU varies from one member state to another. The proposed regulation requires all electronic health record systems to comply with the specifications of the European electronic health record exchange format, ensuring that they are interoperable at the EU level.

Patients still will have the right to opt-out from primary and secondary use of their data or restrict access to it with some exceptions, (eg, scientific research, public interest, vital interests). 

IAB Europe: The CJEU holds, as argued by the Belgian data protection regulator, that a structured character string capturing internet users’ preferences such as IAB Europe’s TC string can be considered personal data. The TC String constitutes personal data, in particular, because its purpose is to link advertising preferences to a specific individual. As a sectoral organisation which standardises and prescribes the method for capturing and transmitting user preferences, IAB Europe can indeed be considered a (joint) controller concerning the processing carried out following this method.

Data erasure request

Another ruling by the CJEU states that the supervisory authority of a Member State may order the erasure of unlawfully processed data even in the absence of a prior request by the data subject. Such erasure may cover data collected from that person and data originating from another source if such a measure is necessary to fulfil its responsibility for ensuring that the GDPR is fully enforced. The case relates to the provision of financial support to persons who have been made vulnerable by the COVID-19 pandemic, (in Hungary), and the data breaches committed by a local administration affecting eligible persons who had not applied for the support. 

Bank security failed

The Italian data protection authority Garante fined UniCredit 2.8 million euros and the company responsible for carrying out its security tests 800,000 euros. The violation had occurred due to a massive cyber attack on the mobile banking portal. The attack caused the illicit acquisition of the name, surname, and other identifiers of approximately 778,000 customers and former customers and, for over 6,800 of the customers, it had also led to the disclosure of the portal access PIN. The data was made available in the HTTP response provided by the bank’s systems to the browser of anyone who tried to access, even unsuccessfully, the mobile banking portal. 
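The pattern behind the UniCredit finding, a customer record including the access PIN serialised into the HTTP response of a failed login, is easy to reproduce and easy to test for. Below is an added example, not UniCredit’s or its security tester’s code, in Python: `leaky_login` mirrors the faulty design, `hardened_login` returns a uniform error with no customer fields and keeps only a salted PBKDF2 hash of the PIN, and `leaked_fields` is the response check a security test should run against every endpoint reachable without authentication. Customer records, field names and the PIN handling are constructed.

```python
"""Login responses that leak customer data vs. a hardened handler.

Added example, not UniCredit's code: records and field names are constructed to
mirror the failure pattern described above (identifiers and the portal access
PIN returned in the HTTP response to unauthenticated callers).
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000  # assumption: illustrative work factor

# Constructed customer store (not real data). PINs are stored in clear because
# the leaky design compares them directly.
LEAKY_STORE = {
    "cust-000001": {"name": "Mario", "surname": "Rossi",
                    "tax_id": "CONSTRUCTED-TAX-ID", "pin": "1234"},
}


def leaky_login(customer_id: str, pin: str) -> dict:
    """Vulnerable pattern: the record is looked up and echoed back in the
    response body, also when authentication fails."""
    record = LEAKY_STORE.get(customer_id)
    if record is None:
        return {"status": 404, "body": {"error": "no such customer"}}
    ok = record["pin"] == pin
    # BUG: the whole record, PIN included, is serialised into the response.
    return {"status": 200 if ok else 401,
            "body": {"authenticated": ok, "customer": record}}


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


# Hardened store: same identifiers, but the PIN survives only as a salted hash.
HARDENED_STORE = {}
for _cid, _rec in LEAKY_STORE.items():
    _salt = secrets.token_bytes(16)
    HARDENED_STORE[_cid] = {
        "name": _rec["name"], "surname": _rec["surname"], "tax_id": _rec["tax_id"],
        "pin_salt": _salt, "pin_hash": _pin_hash(_rec["pin"], _salt),
    }
_DUMMY_SALT = secrets.token_bytes(16)  # used so unknown IDs cost the same time


def hardened_login(customer_id: str, pin: str) -> dict:
    """Uniform response: the body never carries customer attributes, and an
    unknown ID is indistinguishable from a wrong PIN."""
    record = HARDENED_STORE.get(customer_id)
    salt = record["pin_salt"] if record else _DUMMY_SALT
    expected = record["pin_hash"] if record else b"\0" * 32
    ok = record is not None and hmac.compare_digest(_pin_hash(pin, salt), expected)
    if not ok:
        return {"status": 401, "body": {"error": "invalid credentials"}}
    return {"status": 200,
            "body": {"authenticated": True, "session": secrets.token_urlsafe(32)}}


SENSITIVE_KEYS = {"pin", "pin_hash", "pin_salt", "tax_id", "surname", "name"}


def leaked_fields(response: dict) -> set:
    """Walk a JSON-like response body and report every sensitive key present."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if k in SENSITIVE_KEYS:
                    found.add(k)
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(response["body"])
    return found


if __name__ == "__main__":
    print("leaky:", leaked_fields(leaky_login("cust-000001", "0000")))
    print("hardened:", leaked_fields(hardened_login("cust-000001", "0000")))
```

The `leaked_fields` check is deliberately independent of the handler: run against recorded responses from a test account, it catches any endpoint that starts serialising internal records, which is the kind of regression a periodic security test of the portal is there to find.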

More enforcement decisions

Invalid consent in cookie walls: The Danish data protection authority Datatilsynet ruled the use of cookie walls on Berlingske.dk must take place within the framework of the data protection rules. Berlingske’s specific approach is to greet users with a cookie wall when they try to access embedded content, (eg, video players or blog posts). This means that the content is unavailable unless the user accepts the processing of their data for statistical and marketing purposes through the use of cookies. 

European Commission’s use of Microsoft 365: Following its investigation, the EDPS has found that the European Commission has infringed several key data protection rules when using Microsoft 365. The Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection. Furthermore, in its contract with Microsoft, the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365. More details of the case can be read here.

Commercial prospecting: The French CNIL fined the Foriou company 310,000 euros for using data provided by data brokers for commercial prospecting purposes. Foriou conducts telephone canvassing campaigns to promote the loyalty programs and cards it sells. The misleading design of the collection forms implemented by the brokers at the origin of the collection did not make it possible to obtain valid consent from the persons concerned. The size of this fine, which represents approximately 1% of the company’s turnover, was decided in light of the seriousness of the breach.

Information security audit

Moorfields Eye Hospital NHS Foundation Trust has undergone a consensual data protection audit conducted by the UK’s ICO. The scope areas were determined following a risk-based analysis of the trust’s processing of personal data. The suggestions for improvement included some tips on information security and data sharing, and included the following advice:


  • The permanent roles which make up the Information Security function should be filled quickly to ensure that operational responsibility is clearly in place.
  • A template letter should be in place to notify data subjects of a data breach which includes all appropriate information including details of the DPO, a description of the likely consequences of the breach and the measures which have been taken.
  • Appropriate reviewing processes should be in place for all data-sharing agreements, which include review schedules and review logs.
  • The trust should have measures in place to ensure that relevant staff receive appropriate training, and ensure this is periodically refreshed.

Among best practices, the ICO recognised that the trust tests their physical security on-site, with police officers being shown around and then returning at a later date in plain clothes to assess the security, for example by seeing if they can get into secure areas or move around unchallenged without appropriate ID. 

When user login data is made public

The Lithuanian data protection authority VDAI reminds us that upon receiving information about potentially leaked login names and passwords, an organisation, (the data controller), should conduct a preliminary investigation and determine whether there has been a violation of the confidentiality, integrity or availability of personal data. For example, it should establish whether the personal data processed in the organisation’s information systems has been compromised.  

  1. If the processed personal data has not been accessed by unauthorised persons, the data controller still must assess the risks, prevent possible negative consequences, and let users know what action they can take in this situation, (eg, block user accounts whose login data matches the leaked data, generate new temporary passwords and send them to affected data subjects, activate two-factor authentication, etc.)
  2. If the processed personal data has been accessed by unauthorised persons, (eg, illegal logins to user accounts are detected or it is not possible to unequivocally determine that there were no such logins, illegal actions on accounts are detected, etc.), the organisation must conduct a full investigation, take immediate measures, notify the data subjects, and report to the regulator within 72 hours of becoming aware of the breach.
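A defender-side check for the two scenarios above, as an added example that is not from VDAI's guidance or any real tool: it compares a reported credential list with a constructed PBKDF2 user store, locks and re-keys matching accounts, requires 2FA, and escalates to a full investigation when a constructed login log shows a matched account signing in successfully from an address the user never used before. All usernames, passwords and IP addresses are made up.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

PBKDF2_ITERATIONS = 100_000  # illustrative work factor for the constructed user store


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a candidate password against a stored salt/digest pair."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    known_ips: set[str]            # addresses this user has logged in from before
    locked: bool = False
    mfa_required: bool = False
    temp_password: str | None = None


@dataclass
class LoginEvent:
    username: str
    ip: str
    when: datetime
    success: bool


def triage_leak(accounts: dict[str, Account], leaked: list[tuple[str, str]],
                logins: list[LoginEvent], since: datetime) -> dict:
    """Compare a reported (username, password) list with the user store.

    Matching credentials: lock the account, rotate it to a random temporary password
    and require 2FA (scenario 1). If the login log also shows a successful login from
    an address the user never used before, mark the account as suspected unauthorised
    access, which escalates the whole incident to a full investigation (scenario 2).
    """
    report: dict = {"accounts": {}, "full_investigation": False}
    for username, password in leaked:
        acct = accounts.get(username)
        if acct is None:
            continue  # the dump entry does not belong to one of our users
        entry = {"match": False, "actions": [], "suspected_access": False}
        if verify_password(password, acct.salt, acct.digest):
            entry["match"] = True
            acct.locked = True
            entry["actions"].append("lock")
            acct.temp_password = secrets.token_urlsafe(12)  # to be sent to the user out of band
            acct.salt, acct.digest = hash_password(acct.temp_password)
            entry["actions"].append("temporary_password")
            acct.mfa_required = True
            entry["actions"].append("require_2fa")
            for ev in logins:
                if (ev.username == username and ev.success
                        and ev.when >= since and ev.ip not in acct.known_ips):
                    entry["suspected_access"] = True
                    report["full_investigation"] = True
                    break
        else:
            # Username is in the dump but the password is not ours: still worth requiring 2FA
            acct.mfa_required = True
            entry["actions"].append("require_2fa")
        report["accounts"][username] = entry
    return report


def build_demo() -> tuple[dict[str, Account], list[tuple[str, str]], list[LoginEvent], datetime]:
    """Constructed user store, leaked list and login log (every value here is made up)."""
    def make(username: str, password: str, ips: set[str]) -> Account:
        salt, digest = hash_password(password)
        return Account(username, salt, digest, ips)

    accounts = {
        "alice": make("alice", "Correct-Horse-9!", {"198.51.100.4"}),
        "bob": make("bob", "bob-pass-2024$", {"198.51.100.5"}),
        "carol": make("carol", "carol-Secret-77#", {"198.51.100.6"}),
    }
    leaked = [("alice", "Correct-Horse-9!"),   # real match
              ("bob", "wrong-guess"),           # username only
              ("dave", "whatever")]             # not our user
    since = datetime(2024, 3, 1, 0, 0)
    logins = [LoginEvent("alice", "198.51.100.4", since + timedelta(hours=1), True),
              LoginEvent("alice", "203.0.113.7", since + timedelta(hours=2), True),  # unknown IP
              LoginEvent("carol", "198.51.100.6", since + timedelta(hours=3), True)]
    return accounts, leaked, logins, since


if __name__ == "__main__":
    accounts, leaked, logins, since = build_demo()
    print(triage_leak(accounts, leaked, logins, since))
```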

VDAI also advises individuals to take the following precautions in similar situations:

  • Change your password to a new and unique one. If you have used the same password on other systems, please change them as well.
  • The new password should consist of at least 12 characters, including letters, numbers, at least one capital letter and a special character.
  • Do not store your passwords in browsers.
  • Watch for news or announcements from your service provider, or authorities.
  • Install and regularly update antivirus software on your devices.
  • If you notice any suspicious activity in your account or related systems, notify your service provider immediately.

Big Tech

OpenAI “Sora”: The Italian regulator Garante has opened an investigation into OpenAI, which in recent weeks announced the launch of a new AI model, ‘Sora’, that, according to the announcement, can create dynamic, realistic and imaginative video sequences from short text instructions. OpenAI will also have to clarify several issues:

  • how the algorithm is trained; 
  • what data is collected and processed to train the algorithm, especially whether it is personal data; 
  • whether particular categories of data, (religious or philosophical beliefs, political opinions, genetic data, health, sexual life), are collected, and 
  • which sources are used.

Crackdown on mass data collectors: Several recent FTC enforcement actions reflect a heightened focus on pervasive extraction and mishandling of consumers’ sensitive personal data, states an FTC blog post. Taken together, browsing and location data paint an intimate picture of a person’s life, including their religious affiliations, health and medical conditions, financial status, and sexual orientation. None of the underlying datasets at issue in the FTC’s proposed complaints, (against Avast, X-Mode, or InMarket), are alleged to have contained people’s names, social security numbers, or other traditional standalone elements of personally identifiable information. 

What makes the underlying data sensitive springs from the insights they reveal, (eg, through proprietary algorithms), and the ease with which those insights can be attributed to particular people. People also have no way to object to how their data is collected, retained, used, and disclosed when these practices are hidden from them. Moreover, any safeguards used to maintain people’s privacy are often outstripped by companies’ incentives and abilities to match data to particular people. 

The post Data protection digest 3-17 Mar 2024: Personal data gaps in information systems, TC string, mass data collectors appeared first on TechGDPR.

Data protection digest 3-16 Feb 2024: Sneakily changing terms of service and privacy policy won’t help your business https://techgdpr.com/blog/data-protection-digest-19022024-sneakily-changing-terms-of-service-and-privacy-policy-wont-help-your-business/ Mon, 19 Feb 2024 10:51:24 +0000

In this issue, you will find that America’s FTC is warning against retroactively changing terms of service or privacy policy. Palantir running the NHS’s new data platform in the UK, and envisaged changes to the EU GDPR enforcement framework and new dispute resolution mechanisms are also in focus.

Terms of Service and User Privacy

America’s FTC warns AI developers and other companies that quietly changing terms of service could be unfair or deceptive. While businesses creating AI products have strong financial incentives to utilize user data as fuel for their systems, they also have established policies in place to safeguard users’ privacy. A business that collects user data based on one set of privacy commitments cannot then unilaterally renege on those commitments after collecting users’ data. Some companies may attempt to make these changes covertly, informing users only through retroactive amendments to their terms of service or privacy policy, (eg, to use that data for AI training).

Last summer, the FTC alleged that a genetic testing company violated the law when the company changed its privacy policy to retroactively expand the kinds of third parties with which it could share consumers’ sensitive data, adding supermarket chains and nutrition and supplement manufacturers, without notifying consumers who had previously shared personal data, or obtaining their consent. Additionally, it did not encrypt that data, restrict access to it, log or monitor access to it, or inventory it, according to the complaints. The company stored it in publicly accessible “buckets” on a cloud storage service with thousands of health reports about consumers and raw genetic data, sometimes accompanied by a first name, despite promising users its security practices would exceed industry-standard security practices. 

Other official guidance

Employment data: The Italian privacy regulator launched the Code of Conduct for employment agencies. The agencies that adhere to the code undertake to process only data strictly necessary for the establishment of the employment relationship and must therefore not carry out investigations into jobseekers’ political, religious or trade union opinions or carry out pre-selections based on information regarding marital status, pregnancy or disability, even if candidates have given their consent.

Agencies must not obtain information by consulting social profiles intended for interpersonal communication. Online information can be collected only if made available on professional social channels. Furthermore, employment agencies will not be able to acquire the candidate’s professional references from previous employers and communicate them to their clients, without “prior explicit authorization from the candidate”.

Camera systems: The Czech data protection authority has published a new methodology for the design and operation of camera systems, (in Czech). The methodology applies to camera systems, (including security cameras), that record as well as camera systems in online mode, minimum technical and organisational measures for them, and use cases. The methodology is not a legally binding document and it remains the duty of personal data administrators to always proceed following the GDPR and EDPB Guidelines No. 3/2019.

New procedures for GDPR enforcement

MEPs have adopted a draft position laying down additional procedural rules for enforcing the GDPR. It deals with cooperation and dispute resolution mechanisms of the GDPR and introduces deadlines for cross-border procedures and disputes. Concerning amicable settlements, such settlements should require the parties’ explicit consent, and should not prevent a supervisory authority from starting an own-initiative investigation into the matter. The MEPs’ position also ensures that all parties to complaint procedures have the right to effective judicial remedies, for example when the regulator does not take necessary actions or comply with deadlines.

Digital Services Act is now fully applicable 

The DSA has applied to online platforms and search engines with more than 45 million users in the EU since 25 August 2023. From 17 February, it applies to smaller platforms and online intermediaries, (goods, content or services), on the European market. Its main goal is to prevent illegal and harmful activities online and the spread of disinformation. For instance, if you complain about what you suspect is illegal content, the service provider must handle the matter and inform you of its solution. 

Compliance will be supervised by the specialised agencies in the Member States, and certain obligations by consumer protection and data protection authorities. To avoid disproportionate constraints, small companies, (with less than 50 employees and an annual turnover of less than EUR 10 million), and micro-enterprises are exempted from the application of various measures, (transparency reports, internal complaints handling system, etc.). More details on the enforcement framework under the DSA are here.

More legal updates

Main establishment in the EU: The EDPB clarified the notion of the main establishment under the GDPR rules. A controller’s “place of central administration” in the EU can be considered as a main establishment under Art. 4(16)(a) GDPR only if: 

  • it makes the decisions on the purposes and means of the processing of personal data, and
  • it has the power to have such decisions implemented.

Furthermore, the One-Stop-Shop mechanism can only apply if there is evidence that one of the establishments of the controller in the Union takes decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. This means that, when the decisions on the purposes and means of the processing are taken outside of the EU, there is considered to be no main establishment of the controller in the Union, and therefore the One-Stop-Shop should not apply.

CPRA enforcement: California’s Third District Court of Appeal held that the California Privacy Protection Agency’s authority to enforce its amended privacy regulations should have been effective on July 1, 2023. The decision restores the CPPA’s authority and overturns a lower court ruling. The agency has been vigorously enforcing the statutory rights approved by Californians – Proposition 24, the California Privacy Rights Act of 2020 (CPRA). Some of the new and amended regulations implementing the CPRA, which largely define and clarify how businesses must honour those rights, were previously deemed unenforceable by the lower court.

Video gaming and children’s data

The ICO has carried out an age-appropriate design code audit of Gameforge’s processing of UK children’s data. The majority of its games are rated as suitable for children aged 0-12 years. Gameforge does not collect any user data to confirm their ages or identify child users, and has therefore chosen to apply safeguards to all users by implementing pseudonymisation of all user account data, and not implementing higher risk processing activities such as location tracking or profiling. Gameforge does not use personal data to promote or market third-party products or services, and Gameforge’s online services do not include any third-party advertising.

As notably good practice, the ICO underlined the high level of qualifications and involvement of the data protection team. In particular, Gameforge has made two DPO-certified members key signatories to the company accounts and new/changed contracts. However, opportunities for improvement were also identified, such as a clearer privacy policy, and a DPIA that records consultation and feedback/approval with key stakeholders. An assessment also should be undertaken to consider and document the potential ages of users, which can be achieved non-intrusively by using anonymous or aggregated data such as market research.

Cookie-banners supervision

The Dutch regulator promised to intensify the checks of websites and explained, one more time, how organisations should set up cookie banners to properly request permission: 

  • provide information in clear text about the purpose;
  • do not automatically enable checkboxes;
  • give all choices in the first layer, (don’t hide certain choices and don’t make someone make extra clicks);
  • do not use a discreet link in the text;
  • be clear about withdrawing consent;
  • carefully choose the legal basis, (do not confuse consent with legitimate interest).

The Bavarian data protection authority meanwhile checked the cookie banners of hundreds of websites and apps and found numerous violations. Many operators, (around 350 websites), now have to change their pages. The regulator has successfully developed a tool which makes it possible to automatically check websites to see whether, in addition to the “Accept All” option, there is also an equivalent option for not granting consent. The test is initially based on the use of a very common consent management platform, (CMP), but will be expanded to include other CMP providers and thus an even larger number of websites in future iterations.

Enforcement decisions

Data storage periods: The French CNIL fined the company which publishes the pap.fr website, allowing individuals to view and publish real estate ads, 100,000 euros. The company had defined a retention period of ten years for the customer accounts using paid services on the site, contrary to the consumer code on which it relied. The company informed individuals through an incomplete and unclear privacy policy. The password complexity rule was insufficiently robust and passwords and related data were stored unencrypted. All data relating to inactive user accounts was kept unsorted.

Online dating site: The Italian data protection authority has fined the manager of a well-known online dating site 200,000 euros for infringing the data protection rights of about 1 million members. Registration on the platform, which has about 5 million members worldwide, required the insertion of numerous data, (meeting interest, country, region, city of residence, date of birth, e-mail), and photos, which customers uploaded within the public profile or in the reserved area, without being provided with adequate information on the use that would be made of that data. The information also did not contain any indication of the possibility for data subjects to exercise their rights provided for by privacy legislation.

The owner of the site did not have a specific privacy policy regarding the storage of the data processed, limiting itself to randomly proceeding with the deletion of accounts that are no longer active and the information contained, as well as unsuccessful registration requests. Finally, although the company was required to do so, it had not drawn up a register of processing activities, had not appointed a DPO, nor had it prepared an impact assessment (DPIA). 

Viamedis and Almerys data breach

The French CNIL is conducting investigations into a data breach which has affected Viamedis and Almerys, operators managing third-party payment for numerous complementary health insurance and mutual insurance companies. More than 33 million people are affected. The data concerned civil status, date of birth and social security number, and the name of the health insurer. Data such as banking information, medical data, health reimbursements, postal addresses, telephone numbers and emails were not affected by the breach.

Shoplifter identity

The Dutch data protection authority has granted 500 permits for a collective shopping ban. Shopkeepers with such a permit can warn each other in a defined area about shoplifters and people who cause nuisance, sharing their names and photos. Shopkeepers may only share such a ‘blacklist’ with each other under strict conditions. For example, someone from the police, the municipality or the public prosecution service must always be involved.

Big Data

UK health care data: The Good Law Project NGO raises concerns about the lack of transparency in the contract allowing Palantir to run the NHS’s new system – the Federated Data Platform. The organisation has now taken legal action to challenge the NHS’s data governance. Despite the massive scale of redactions in Palantir’s 500+ page contract, the NGO insists no reasons for the secrecy have been given by the public bodies. The NHS has also signed a contract with the biotech IQVIA, to provide “Privacy Enhancing Technology” for the platform. Around three-quarters of the contract is also completely redacted, including a section on personal data protection. 

Pupil surveillance: Privacy International reports that some UK schools have bought and installed sensors in toilets that ‘actively listen’ to pupils’ conversations to try to detect keywords spoken by pupils. Such sensors do not record or save any conversations but send alerts to staff when triggered. At the same time, some schools are also pairing them with surveillance cameras, so when activated by a vaping sensor they capture students leaving bathrooms.

Ulez fines: Italy is investigating the case of Italian police allegedly accessing thousands of EU drivers’ data and sharing it with firms collecting fines on behalf of Transport for London, (TfL). Some other Member States have also claimed that a police department that has not been named has abused its authority by providing personal information about EU drivers to Euro Parking Collections. TfL uses this company to levy fines to enforce low and ultra-low emission zones, (Ulez). Due to national regulations permitting the UK to access EU individuals’ data only for criminal offenses and the fact that breaking Ulez guidelines is considered a civil violation, it is believed that the fines have been unlawfully levied since Brexit.

Data protection digest 16 Nov – 1 Dec 2023: APIs methodology, customer data minimisation, and digital mobility observatory https://techgdpr.com/blog/data-protection-digest-04122023-apis-methodology-customer-data-minimisation-and-digital-mobility-observatory/ Mon, 04 Dec 2023 12:22:54 +0000

In this issue, you will find data protection solutions for complex data-sharing projects for both public and private actors, such as the latest APIs methodology, as well as a variety of official guidance on how to comply with GDPR requirements when it comes to innovation, research, digitisation and digital business development.

Official guidance

APIs methodology: The French data protection authority CNIL issued a methodology guide for the use of application programming interfaces for all actors in the data-sharing chain, (in the context of a legal obligation, scientific research, for commercial or non-commercial purposes, with or without access restrictions, etc). All categories of APIs are covered by the recommendations when they are used by organisations for the sharing of personal data. Three technical roles are introduced: a) the data holder, b) the API manager, and c) the data re-user. However, the roles defined in this APIs methodology guide do not in any way prejudge the legal responsibility of each of the organisations. This responsibility must be determined by a case-by-case analysis. Read the full guide in French here.

Medico-social sector: The CNIL also published a “retention periods” reference framework for the most frequent processing operations in the social and medico-social sectors and a practical guide proposing a methodology for the professionals concerned, (in French). The guidance is intended for public and private bodies such as social life support services, residential establishments for dependent elderly people, and administrative and judicial services for the protection of adults and minors.

Streaming platforms: The most common processing by streaming platforms includes identity and contact information, billing details, behavioural data, and technical information, explains the Latvian regulator. These data may be necessary to perform the contract, and other legal obligations, or to improve the service. However, additional processing for marketing needs generally falls outside this list and requires the prior consent of the user. Each legal basis provides a different scope of the data subject’s rights. Individuals should be free to stop data processing based on their consent, and the withdrawal of consent should not affect their ability to receive the content.

Legal processes

EU Data Act adopted: On 27 November a new law was adopted on fair access to and use of data. This is one of the five pieces of legislation included in the European Data Strategy package. Among other things, the data regulation sets out measures that allow users, (B2C, B2B and B2G), of various devices to access the data they create, which is often only collected by manufacturers, and to share this data with third parties to provide various data-based services. In addition, the regulation allows public sector authorities to obtain data held by the private sector if needed in emergencies. The Data Act will apply in twenty months’ time, in mid-2025.

UK data protection reform: The UK government says it has carefully prepared a set of changes to the domestic, (post-Brexit), data protection legislation in 2024. Among many things, it includes clarification that data controllers only need to conduct reasonable and proportionate searches in response to a data subject access request. Another example is new powers to require data from third parties, particularly banks and financial organisations, for fraud checks. The proposal also covers using biometric data, such as fingerprints, to strengthen national security. Find the full list of the latest amendments here.

Automated decision-making: Meanwhile the California privacy protection agency released a draft rulebook on automated decision-making technologies. The proposed regulations would implement consumers’ right to opt out of, and access information about the technology, as provided for by the California Consumer Privacy Act. The agency expects to begin formal rulemaking next year. The decision-making processes in this case include decisions about employment, compensations; profiling an employee, contractor, applicant, or student; using facial-recognition technology or automated emotion assessment to analyse consumers’ behavior in public places, and more. 

Data subject rights

A copy of your data: this is a collection of personal data held by a controller in a viewable file or document. It should be understood that this is a collection of information, and not a simple copy of one or several physical documents. If you know that a controller, (natural or legal person, public institution or other body), has your data, you can request a copy. You must identify yourself by providing at least your first and last name, additional information the organisation requests, and, if possible, include the period and other details. The organisation will “extract” information from its documents, information systems and other places, and will collect it in one place so that it is valid for issuance. 

If you submit the request electronically, the organisation is obliged to issue a copy in an electronic usable form. On the other hand, if you need information in a different format, it should be indicated in the request. A copy of personal data can also be cut from an audio or video recording, explains the Latvian regulator. Possible reasons for refusal may be, for example, problems in identifying a person, the requester’s data is not or no longer at the disposal of the organisation, or a vaguely expressed personal request, such as “Show me all my data”. Likewise, data may not be released in cases where specific data is not to be released to investigative, financial institutions or other public administration bodies.

DP tools

OLIVIA: The Croatian data protection authority has presented a virtual teacher and assistant for compliance with the GDPR, (available in English), allowing entrepreneurs the opportunity to learn what their basic obligations are, test their knowledge and create basic documents (eg, self-assessment reports, information notices or cookie banner examples), which help to prove compliance. You can test the OLIVIA tool here.

Digital development: A similar tool for data protection has been issued by the Swedish data protection authority aiming at public actors working with innovation, digitisation and digital business development. The methodology is based on two overarching prerequisites:

  • An organisation that is to innovate must take into account the data protection regulations on an ongoing basis during the innovation work.
  • Continuous and structured cross-functional collaboration is required between the actors – lawyers, technicians and managers – that participate in the innovation work. The tool, (in Swedish only), is available here.

Discussion papers

Health research: In Germany, medical research projects are often carried out in more than one federal state. Depending on the research location, different data protection requirements must be observed, according to the Data Protection Conference. Differences exist about the admissibility of data processing, (various legal bases), the definition of areas of protection, including patients, and relatives and permissible purposes of processing. Thus, the regulator is appealing to federal and state legislators to clarify the relevant data protection regulations and is ready to assist.

Legal bases for using AI: The Baden-Württemberg data protection authority published a discussion paper, (in German), on the legal basis for data protection when using AI, and invited public comments. The legal bases mentioned in Art. 6 of the GDPR are generally available to use by businesses, with legitimate interest to be of particular importance, and contractual law suitable to a certain extent. Finally, the valid consent criteria could be particularly challenged due to the lack of transparency and traceability of complex AI systems.

Mobility data: The Luxembourg data protection agency adopted an opinion on the creation of a Digital Mobility Observatory under the authority of the government. Its mission will be to provide the data necessary for the planning of infrastructure to fit the changing needs of the population and businesses. The regulator wonders whether the observatory can function without processing personal data, by carrying out mobility studies on anonymised data. 

The regulator also doubts that all the processing complies with the principles of necessity and proportionality. The observatory would have access to a series of personal data, such as place of residence, employment status, gender, household composition and income range held by various public administrations. Moreover, even private entities would be obliged to grant access to their data, such as mobile operators.

EU-US data transfers

Data Protection Review Court: The Biden administration formed the first panel of judges for a new court, mandated by the EU-US Data Privacy Framework. The Data Protection Review Court was created through a presidential Executive Order in 2022. The panel will examine claims brought by individuals in the EU who believe the US government is digitally surveilling them in violation of US laws. The attorney general-appointed special advocate will represent the claims. According to a Politico analysis, the judges have the authority to make binding and final rulings that the intelligence community must follow if they determine a violation. 

Enforcement decisions 

Non-retroactivity of DPAs: The Belgian data protection agency recently decided on the invalidity of retroactive data processing agreements. The case refers to a public authority and its processor for various infringements of the GDPR, including the lack of a timely signed data processing agreement. These agreements should be in place before any personal data processing activities commence. A clause confirming the retroactive application of the agreement after the application date of the GDPR would not substitute it, as it prejudices the rights of third parties, such as data subjects. Read the analysis by DLA Piper of the case here.

Outdated TOMs: The Norwegian Labour and Welfare Service was fined approx. 1.7 million euros for various infringements of information security in their IT systems over a long period. This includes a large number of staff working on cases from all over the country, within several service areas, and thus having wide access to highly sensitive data. Additionally, no systematic control of staff use of the IT systems had been established, and the use of the system was largely based “on trust”.

Waste disposal: The Dutch regulator imposed a fine of 30,000 euros on a municipality for keeping information about waste from individual households for much longer than necessary. The wheelie bins and tokens for the waste compartments have a chip with a number that is linked to a home address. But the ‘dumping data’ was kept for far too long. Bin data was kept for as long as they were in use and token data was stored for 5 years. That is much longer than necessary to check whether a household exceeds the permitted waste amount. The data retention periods are now shortened to 14 days. The municipality also finally sent information letters about the technology, (in use from 2018).

Compliance audits

Customer data: The UK Information Commissioner’s Office assessed the compliance of some major customer-facing employers in the country. Some of the good practice identified was in staff training and disciplinary measures, data minimisation and access controls, and customer complaint mechanisms. For example, Uber Eats allows couriers to only view limited delivery and customer data and the delivery address. If opting for a call, temporary phone numbers appear at both ends to avoid disclosing their actual phone numbers, while messages are sent within the app. After the trip ends or in case of cancellation, the courier loses retrospective access to that data. Read more positive examples here.  

Similarly, the Commissioner’s Office carried out a consensual audit of Fluent Mortgages Horwich, after a series of complaints from individuals about disclosures of personal data to third parties, and withholding of call recordings. The regulator stated the need for more specific training for those responsible for handling data subject requests and the performance of data protection impact assessments. Also, processing activities may not all be correctly identified. As a result, the company may not have identified a lawful basis for all of their processing. 

Data security

Data classification: The US NIST has released for public comment a draft internal report on data classification concepts and considerations for improving data protection. This publication describes a lifecycle that focuses on the high-level phases important to data classification: identify, use, maintain, and dispose of. However, not all data lifecycle phases occur for every data asset. Also, how a data asset is represented can be described in three broad categories: structured, semi-structured, and unstructured.

Once data classifications are assigned, the organisation needs to enforce the data protection requirements. These encompass all of the controls needed to protect each data asset. An example would be: to encrypt the data asset when at rest or in transit, use a data integrity mechanism to detect tampering, allow access by members of a particular group only, and retain the data asset for a fixed period from the date it was acquired. Read more in the original paper.
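The paragraph above lists the kinds of controls a classification can require: encryption at rest and in transit, an integrity mechanism, group-restricted access and a fixed retention period. The following is an added example, not code from the NIST draft, of how such requirements can be expressed as a policy table and checked mechanically against an asset’s metadata. The classification names, the policy values, the HMAC key and the sample payroll asset are all constructed for illustration.

```python
"""Added example: enforcing classification-driven data protection requirements.
Not NIST's code; POLICY, the key and the sample asset are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Hypothetical policy table: what each classification level requires.
# groups=None means no group restriction; retention_days=None means no fixed period.
POLICY: Dict[str, dict] = {
    "public":       {"encrypt": False, "integrity": False, "groups": None,   "retention_days": None},
    "internal":     {"encrypt": True,  "integrity": True,  "groups": None,   "retention_days": 730},
    "confidential": {"encrypt": True,  "integrity": True,  "groups": {"hr"}, "retention_days": 365},
}


@dataclass
class DataAsset:
    name: str
    classification: str
    representation: str          # "structured", "semi-structured" or "unstructured"
    content: bytes
    acquired: date               # retention runs from the acquisition date
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    integrity_tag: Optional[bytes] = None


def make_integrity_tag(key: bytes, content: bytes) -> bytes:
    """HMAC-SHA256 over the content; re-verifying it later detects tampering."""
    return hmac.new(key, content, hashlib.sha256).digest()


def verify_integrity(key: bytes, asset: DataAsset) -> bool:
    if asset.integrity_tag is None:
        return False
    return hmac.compare_digest(asset.integrity_tag, make_integrity_tag(key, asset.content))


def access_allowed(asset: DataAsset, user_groups: Set[str]) -> bool:
    """Allow access only to members of a group named in the policy."""
    allowed = POLICY[asset.classification]["groups"]
    return True if allowed is None else bool(allowed & user_groups)


def retention_expired(asset: DataAsset, today: date) -> bool:
    days = POLICY[asset.classification]["retention_days"]
    return days is not None and today > asset.acquired + timedelta(days=days)


def evaluate(asset: DataAsset, key: bytes, today: date) -> List[str]:
    """Return the list of policy violations for an asset (empty when compliant)."""
    req = POLICY[asset.classification]
    findings: List[str] = []
    if req["encrypt"] and not asset.encrypted_at_rest:
        findings.append("not encrypted at rest")
    if req["encrypt"] and not asset.encrypted_in_transit:
        findings.append("not encrypted in transit")
    if req["integrity"] and not verify_integrity(key, asset):
        findings.append("integrity check failed")
    if retention_expired(asset, today):
        findings.append("retention period exceeded: dispose")
    return findings


def run_scenarios() -> dict:
    """Constructed scenarios for one confidential asset: compliant, tampered,
    sent in clear text, past its retention period, and group access checks."""
    key = b"constructed-demo-key"
    base = dict(name="payroll.csv", classification="confidential", representation="structured",
                content=b"id,salary\n1,1000\n", acquired=date(2025, 1, 1),
                encrypted_at_rest=True, encrypted_in_transit=True)
    compliant = DataAsset(**base)
    compliant.integrity_tag = make_integrity_tag(key, compliant.content)
    tampered = DataAsset(**base)
    tampered.integrity_tag = compliant.integrity_tag
    tampered.content = b"id,salary\n1,9999\n"          # modified after tagging
    plaintext = DataAsset(**{**base, "encrypted_in_transit": False})
    plaintext.integrity_tag = compliant.integrity_tag
    return {
        "compliant": evaluate(compliant, key, date(2025, 6, 1)),
        "tampered": evaluate(tampered, key, date(2025, 6, 1)),
        "plaintext_transit": evaluate(plaintext, key, date(2025, 6, 1)),
        "expired": evaluate(compliant, key, date(2026, 6, 1)),
        "hr_access": access_allowed(compliant, {"hr"}),
        "sales_access": access_allowed(compliant, {"sales"}),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario}: {result}")
```

The point of keeping the requirements in a table keyed by classification is that the checks stay the same for every asset; only the classification decides which of them apply, which is exactly the enforcement step the draft describes after classifications have been assigned.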

Catalogue of security measures: Meanwhile the Danish data protection authority published a list of security measures that companies and authorities can consider in various contexts, (in Danish). Many of the measures contain concrete examples based on the regulator’s experience, reported data breaches, the EDPB’s guidelines and applicable ISO standards. The catalogue has been created in close cooperation between lawyers and IT security consultants and can function as a reference paper. Many measures can be implemented as part of the privacy-enhancing functions that support data protection in IT systems. However, the final assessment of necessary measures is always made by the organisation based on a concrete risk evaluation. 

Big Data

Healthcare data for sale: In the US, the University of Iowa Hospitals & Clinics is in settlement negotiations with a woman who alleges the hospital shared confidential patient information with Facebook. It allegedly installed on its websites two sets of computer code that track the online activity of visitors. That information could then be shared with Facebook, linked to the individual’s account, and sold to marketers who can then target the individual with ads tailored to their medical issues. The lawsuit seeks class-action status to represent a broad array of patients.

Meanwhile, in the UK, four organisations are suing NHS England, arguing that it lacks the legal authority to establish the Federated Data Platform (FDP). NHS England caused a stir when it awarded the US espionage tech company Palantir a 330 million pound contract to create and run the FDP for seven years starting in the spring of next year. The platform consists of software that will make information sharing across health service trusts, integrated care systems and regional groupings of trusts much easier. It claims this will enhance patient care, and tackle the current 7.8m-strong total case backlog, The Guardian sums up.

The post Data protection digest 16 Nov – 1 Dec 2023: APIs methodology, customer data minimisation, and digital mobility observatory appeared first on TechGDPR.

Data protection digest 2 – 17 October 2023: DPOs duties and methodology should be clarified – latest study (https://techgdpr.com/blog/data-protection-digest-18102023-dpos-duties-and-methodology-should-be-clarified-latest-study/, Wed, 18 Oct 2023)

The post Data protection digest 2 – 17 October 2023: DPOs duties and methodology should be clarified – latest study appeared first on TechGDPR.

This issue highlights DPOs duties in the context of ongoing compliance with the GDPR, and the continuing saga of the US adequacy decision. Also of note are monitoring and privacy issues in the workplace.

Official guidance

DPOs duties: The Swedish data protection agency published the results of a coordinated investigation, initiated by the EDPB, on the role and position of data protection officers. It investigated 50 organisations in the public and private sectors. Here are some of the statistics: 

  • Several data protection officers have other tasks/roles in addition to the role of data protection officer, which in certain situations can potentially mean a conflict of interest.
  • There are differences in how many hours data protection officers spend on skills development around data protection issues.
  • There is wide variation in the amount of resources and methodological support needed to complete the DPO’s duties.
  • The organisations to some extent have different ideas about what should be included in the data protection officer’s mission.

Interestingly, most, but not all, organisations believe that the DPO should participate in the handling of personal data incidents whereas only two-thirds of the organisations believe that the DPO should be consulted in the planning of new personal data processing. 

Sandbox invite for innovative tech: Organisations have until the end of this year to submit expressions of interest in entering the UK Information Commissioner Office’s Regulatory Sandbox in 2024. If you’re part of an organisation that’s tackling complex data protection considerations as you create innovative new products and services, the ICO’s team wants to hear from you. Expressions of interest will be assessed based on whether the product or service being developed is innovative and could provide a demonstrable benefit to the public, whether you’re a start-up, SME or larger organisation, from the private, public or voluntary sectors. 

Server colocation: The Danish data protection authority has considered whether an IT company that provides (server) colocation should be considered a data processor for the organisation for which the service is provided. The assessment is negative, in particular, if the supplier of colocation does not have access to the personal data that is processed on the servers. The provision of colocation primarily concerns the provision of a service other than the processing of personal data, in particular physical facilities as well as internet and power supply. However, this is only a starting point. Several circumstances can lead to the colocation company being considered a data processor to a certain extent:

  • the company provides additional services beyond physical facilities,
  • the company can and may be tasked with moving, restarting or otherwise handling the servers where the information is processed,
  • the company can and may have the task of replacing hard drives and memory, (firewall, backup services, etc.).

AI code of conduct: The Canadian government published a voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems. Generative systems can be adapted by organisations for various uses – such as corporate knowledge management applications or customer service tools. Firms developing and managing the operations of these systems both have important and complementary roles. 

Signatories of this code would develop and apply standards, and share information and best practices with other members of the AI ecosystem, prioritising human rights, accessibility and environmental sustainability. See the measures to be undertaken under the Code of Conduct in the original publication. 

Encryption evaluation tool: The Spanish data protection agency launched the ValidaCripto tool to evaluate encryption systems. Encryption is a procedure by which information is transformed into a seemingly unintelligible set of data, helping to protect the information from a possible personal data breach. The tool runs in the browser, without recording or transmitting any data to the Agency, and allows information to be stored locally and reports to be generated. It has a help section where its operation is explained step by step: selecting the impact of the encryption system on the processing, categorising the most critical elements, reviewing the suggested controls and generating follow-up documentation.

Workplace monitoring: The UK Commissioner’s Office has published guidance to ensure lawful monitoring in the workplace. Monitoring can include tracking calls, messages and keystrokes, taking screenshots, webcam footage or audio recordings, or using specialist monitoring software to track activity. If an organisation is looking to monitor workers, it must take steps including: 

  • Making workers aware of the nature, extent and reasons for monitoring.
  • Having a clearly defined purpose and using the least intrusive means to achieve it.
  • Having a lawful basis for processing workers’ data – such as consent or legal obligation.
  • Only keeping the information which is relevant to its purpose.
  • Carrying out a data protection impact assessment for any monitoring that is likely to result in a high risk to the rights of workers.
  • Making the personal information collected through monitoring available to workers if they make a subject access request.

Legal processes

EU-US DPF tried in court: The EU General Court rejected the request for interim suspension of the EU-US data Privacy Framework but has yet to examine the substance of the case. The request was introduced by a French member of parliament, who is also a member of the French data protection authority CNIL, requesting that the framework be annulled due to the lack of guarantees of a right to an effective remedy for data subjects by US companies, as well as a violation of the GDPR’s minimisation and proportionality principles due to the access and use of EU personal data for US security purposes. He also observed that the wording of the DPF ruling, which is currently only available in English, should be translated into the EU’s official languages. 

Delete Act: California’s Governor signed the Delete Act into law. It revises the California Consumer Privacy Act by making it easier for residents to submit universal requests to registered data brokers for deletion of personal data. According to the Guardian analysis, Californians already have the right to request that their data be destroyed under current state privacy regulations, but doing so requires filing a request with each corporation. The revised measure emphasizes that all data brokers must register with the privacy protection agency, and mandates it to create a simple and cheap means for Californians to request that all data brokers in the state remove their data through a single page, regardless of how that information was obtained.

Consumer profiling: The EDPB-EDPS published a joint contribution to the public consultation on the draft template relating to the description of consumer profiling techniques. Under the new Digital Markets Act, designated gatekeepers now shall submit to the European Commission independently audited descriptions of any techniques for profiling consumers that they apply to or across their core platform services. The regulators wonder whether the Commission should expect to receive detailed audited descriptions of profiling techniques for each of the core platform services of the gatekeeper. 

The regulators are also concerned that the template alone would not provide sufficient safeguards against low-quality or otherwise unreliable audits on behalf of gatekeepers. The EDPB and the EDPS underline that any approval or statement from the European Commission on how a gatekeeper processes personal data for consumer profiling or how it informs consumers about profiling techniques does not automatically mean that the gatekeeper is complying with the GDPR, which is for supervisory authorities to verify.

Health research in France: The CNIL has adopted two new reference methodologies to allow public and private bodies, (in addition to healthcare institutions and their federations, as well as healthcare manufacturers), except insurers, to process data from the main database of the National Health Data System. The data controller should indicate in their protocol:

  • the components of the main database concerned by the access request;
  • the target population;
  • the targeting period;
  • the data or categories of data required;
  • the historical depth of the data;
  • the requested access period. 

As there are many ways to access these data, any controlled environment that meets the conditions set in new methodologies may host the data as part of the research projects concerned.

Enforcement decisions

Case studies book: The Irish data protection authority published detailed case studies, (based on 126 real cases), illustrating how data protection law is applied, how non-compliance is identified and how corrective measures have been imposed, from the past five years. It concentrates on such topics as access request complaints, the accuracy of personal data, cross-border cases, data breach notifications, unauthorised disclosure, direct marketing, objection to processing, the right to be forgotten, and much more. 

“My AI” fine: The UK Information Commissioner has issued a preliminary enforcement notice against Snap and its generative AI chatbot “My AI”. The investigation provisionally found Snap failed to adequately identify and assess the risks to several million ‘My AI’ users in the UK including children aged 13 to 17. If a final enforcement notice were to be adopted, Snap may be required to stop processing data in connection with ‘My AI’. Snap launched the ‘My AI’ feature for UK Snapchat+ subscribers in February, with a rollout to its wider Snapchat user base in the UK in April. The chatbot feature, powered by OpenAI’s GPT technology, marked the first example of generative AI embedded into a major messaging platform in the UK. As of May Snapchat had 21 million monthly active users in the UK.

Employee geolocation data: The Italian data protection authority fined Shardana Working 20,000 euros following a complaint by three individuals employed by the company. The company is responsible for reading gas, electricity and water meters. The three workers, to verify the correctness of their pay slips, had asked the company to provide the information used to process mileage reimbursements and the monthly hourly salary, as well as the procedure for establishing the compensation due.

In particular, they had asked to know the data collected through the company smartphone on which a geolocation system had been installed which allowed workers to identify the route to take to reach the meters. The regulator found that Shardana Working had not adequately informed the employees of the data processed through the GPS installed on their smartphones. Even if the company deemed that it could not fully respond to the employees’ requests, it should have at least indicated the specific reasons why it could not comply with the access requests. 

Dismissal based on geotracking: A similar instance occurred recently in France, according to the Ius Laboris legal blog. The highest civil court in France has intervened in an employee discharge based on geolocation data from his work car. An employee of an equipment rental firm was fired for making unnecessary trips. The geolocation process had been declared to the French Data Protection Agency CNIL to locate employee vehicles and ensure the safety of goods and people on site. The employee had been informed of this. The Supreme Court, on the other hand, held that the trial judge should have evaluated whether the company’s geolocation system was also intended, as stated to the regulator, to monitor the employee’s professional activities and working hours, and if the employee had been told about such a purpose.

Electronic ticketing: The Greek data protection authority carried out an extraordinary on-site inspection at the Athens Urban Transport Organization, (OASA), examining the protection of personal data processed in the framework of the automatic fee collection system, a system also referred to by the term “electronic ticket”. A total fine of 50,000 euros was imposed, together with a compliance order covering the determination of the data retention times for the various processing purposes, (of 20 years), the anonymity of travel card holders and their movements, (eg, of employment categories), and a review of the personal data impact assessment and other documentation, (not available at the time of the audit).

Big Data

Biometric surveillance: According to The Guardian, dozens of cross-party MPs and privacy campaigners in the UK have joined a campaign calling for an “immediate stop” to the use of live face recognition monitoring by police and commercial companies. Live face recognition has lately been used by British police at large-scale public events such as King Charles’ coronation. The announcement follows the policing minister’s announcement of government intentions to make UK passport images searchable by police: to link data from the police national database, the Passport Office, and other national databases to allow officers to identify a match with the “click of a button.” 

Google user data: Google will give users in the EU better choice as to how Google processes their data according to commitments undertaken by the company. This is the result of proceedings conducted by the Bundeskartellamt, (German Federal Cartel Office), based on the new instrument under competition law, which allows intervention when competition is threatened by large digital companies. Commitments concern situations where the company would like to combine personal data from one Google service with personal data from other Google or non-Google sources or cross-use these data in Google services that are provided separately.

Such an obligation already results from the new Digital Markets Act. Relevant core platform services listed in the Commission’s designation decision are thus not covered by the commitments, (Google Shopping, Google Play, Google Maps, Google Search, YouTube, Google Android, Google Chrome and Google’s online advertising services). However, Google’s commitments provided to the Cartel Office do concern data processing across services involving more than 25 other services (including Gmail, Google News, Assistant, Contacts and Google TV).

Data protection digest 17 May – 1 June 2023: amassing data for machine learning is ‘no excuse for breaking the law’ (https://techgdpr.com/blog/data-protection-digest-02062023-amassing-data-for-machine-learning-is-no-excuse-for-breaking-the-law/, Fri, 02 Jun 2023)

The post Data protection digest 17 May – 1 June 2023: amassing data for machine learning is ‘no excuse for breaking the law’ appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

‘Machine learning is no excuse to break the law’: The US Federal Trade Commission alleged that Amazon, (Alexa voice assistant), kept kids’ data indefinitely to further refine its voice recognition algorithm. If approved by the federal court, on top of a multimillion fine, Amazon will have to delete inactive child accounts and certain voice recordings and geolocation information and will be prohibited from using such data to train its algorithms. Reportedly, Amazon is not alone in seeking to amass data to refine its machine-learning models. 

Similarly, the FTC proposed enforcement against Amazon’s subsidiary, Ring. The allegations say the company compromised its customers’ privacy by allowing any employee or contractor to access consumers’ private videos to train algorithms, among other purposes, without consent, and failing to implement security safeguards.

China SCCs: On 1 June, China’s new Standard Contractual Clauses for the cross-border transfer of personal data went into force. Entities using the SCCs must meet two requirements: a) a data transfer impact assessment must be performed by the data exporter, and b) the data exporter must sign SCC-compliant agreements with overseas recipients of the data. The Chinese SCCs do not distinguish between an exporter or receiver being a controller or a processor, in contrast to the EU SCCs. As an alternative to SCCs, organisations may also be required to undergo a security check by the Cyberspace regulator or certification by recognised institutions. Read more analysis by connectontech.com. 

Montana’s new privacy law and TikTok ban: Montana became the first US state to ban the use of TikTok and prohibit mobile application stores from offering the Chinese app within the state by next year. The ban covers state networks, but also third-party firms conducting business for or on behalf of the state from using applications with ties to foreign adversaries. The state would fine any entity, (an app store or TikTok), 10,000 dollars per day for each time someone “offers the ability” to access the platform or download the app. How these prohibitions will be implemented, though, is still unclear. 

Montana’s Governor also signed a new Consumer Data Privacy Act, joining California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia, which already enacted comprehensive consumer privacy laws. The law is scheduled to take effect in October 2024.

Health care data: The US Federal Trade Commission is modernising the Health Breach Notification Rule, clarifying the rule’s applicability to health apps and similar technologies, many of which aren’t covered by HIPAA. Changes will be made to the terms “identifiable health information,” “breach of security,” “health care provider,” and “health care services or supplies,” as well as the information that must be included in the consumer notice, and more. In parallel, to bridge the gap between HIPAA safeguards and health data that is obtained outside of conventional medical settings, Washington enhanced the protection for customers’ identifiable health information by passing the “My Health My Data Act”.

Official guidance

Generative AI: The US Congressional Research Service published a paper on Generative AI and Data Privacy. Recently the term “general-purpose models”, (GPAI), was created by academics and policymakers to refer to software programs like ChatGPT that can do a variety of tasks. Large language models, (LLMs), which have the ability to detect, predict, translate, summarize, and produce language, are the foundation for many general-purpose AI applications. Duolingo, Snapchat, and other companies have partnered with OpenAI to deploy ChatGPT in their services. However, individuals may not know their data was used to train models that are monetized and deployed across such applications. 

SAR guidance: The UK Information Commissioner’s Office has published new guidance for businesses and employers on responding to Subject Access Requests. Individuals can request the personal information held by their employer, or former employer, such as details of their attendance and sickness records, personal development or HR records. This includes where you got their information from, what you’re using it for and who you are sharing it with. 

Organisations must respond to a SAR from a worker without delay and within one month of receipt of the request. However, you could extend the time limit for responding by up to two months if the SAR is complex or if they have sent you a number of requests. At the same time, the UK GDPR does not set out formal requirements for a valid request. Therefore, a worker can make a SAR verbally or in writing, including by social media. 

Right to object and right to erasure: The EDPB summarises the right to object in connection to the right to be forgotten in complaints from data subjects. Requests to stop processing personal data for marketing purposes and to delete already gathered data are frequently linked. Most of the cases show deficiencies in the internal procedure adopted to deal with such requests, including the accuracy of the procedure and internal communication, the timeframe for processing requests, and the accountability of the system for receiving/tracking complaints.

Workforce monitoring: Employers tend to control employees’ work performance, to keep track of the duration and frequency of the employee’s work, but also of their location and other indicators. As a basic setting, the systematic monitoring of employees using automated means, (cameras, apps), is considered a non-standard solution, states the Latvian data protection authority. It can only be used for short-term employee monitoring, and only if less privacy-intrusive means will not achieve the goal. Such processing must be clearly agreed upon in advance and must be understandable to both parties. Otherwise, this can undermine mutual trust with the employee, and even may contribute to a decline in the quality of work.

Enforcement decisions

Meta/Facebook enforcement: The largest GDPR fine to date, of 1.2 billion euros, has been issued by the Irish data protection authority on Meta Ireland. Following the “Schrems II” ruling Meta effected data transfers to the US on the basis of the Standard Contractual Clauses in conjunction with additional measures. But they did not prevent fundamental risks to data subjects in view of US state surveillance practices.

Meta now must return already transferred personal data and stop other illegal processing within the next few months. The decision may have similar effects for any digital service provider subject to US surveillance laws and relying on EU Standard Contractual Clauses until the problems have been resolved by the adoption of the upcoming EU-US Data Privacy Framework by the Commission.

Charity organisation: The ICO completed an audit of Age UK Wiltshire, (charitable and voluntary sector). AUKW requested an audit in January and submitted an audit questionnaire detailing their data protection compliance concerns. After the investigation, the main areas for improvement were identified: 

  • Review and update existing data protection policies and create new policies covering records management, data sharing, DPIA, and information security. 
  • Ensure that data protection training is mandatory for all staff, including annual refreshers and specialised seminars. 
  • Complete an information audit to help the organisation have an understanding of all of the information that is held and its flows. 
  • Create an Information Asset Register, (IAR), to record the information assets identified by the information audit and ensure that the IAR is periodically reviewed.
  • Review and update the current subject access requests, (SARs), and policy, including completing identity checks, that are communicated to staff.
  • Create and maintain a SARs log as a documented record of all completed and ongoing SARs. 

Video surveillance: The Italian privacy regulator ‘Garante’ imposed a 50,000 euro fine on a clothing company, (with over 160 stores), for having installed video surveillance systems in various company outlets. The company had justified the need to defend against theft and to ensure the safety of employees and corporate assets, and prevent unauthorized access. The investigation showed that all the shops were equipped with at least 3 video cameras, active 24 hours a day, 7 days a week, in the areas reserved for workers and suppliers. In larger outlets, it was up to 27. The fine was issued, taking into account the significant number of employees involved, (over 500), and points of sale, as well as the absence, (or violation), of authorization or agreement with the trade union representatives.

Tax data: The Belgian data protection authority decided to prohibit the transfers of data of Belgian “Accidental Americans” by the Belgian Federal Public Finance Service to the US tax authorities under the intergovernmental FATCA agreement. According to the Belgian data protection regulator, the data processing carried out under this agreement does not comply with all the principles of the GDPR, including the rules on data transfers outside the EU. The regulator also ordered the public service to inform the data subjects, in a complete and accessible manner, of the data processing carried out as part of the FATCA agreement and of its modalities, and to carry out a DPIA.

Automated rejection of credit card application: Berlin’s supervisory authority imposed a 300,000 euro fine against a bank after a lack of transparency over the automated rejection of credit card applications, according to the EDPB summary. A Berlin-based bank offered a credit card on their website. Using an online form, the bank requested various data about the applicant’s income, occupation and personal details. Based on the information requested and additional data from external sources, the bank’s algorithm rejected the application without any particular justification. Even when asked by the complainant, the bank only provided blanket information about the scoring procedure, detached from the individual case. However, it refused to tell him why it assumed poor creditworthiness in his case. 

Biometric ID checks: Mobile World Congress’s organizer received a 200,000 euro fine in Spain for doing inadequate biometric ID checks at the 2021 venue. For the “in-person” option, the organizer requested a complainant to upload passport details, including photographs that were transferred to a service provider in a third country for facial recognition security purposes. However, the legal basis stated for it varied from consent to legal obligation across different notices. Plus, neither the privacy policies nor the email communications provided clear information on data transfers to a third country. Additionally, the organiser’s DPIA failed to assess risks or the proportionality and necessity of the system implemented, (called BREEZZ).

Doctissimo fine: Following a complaint by the Privacy International association, the French privacy regulator fined the doctissimo.fr website 380,000 euros. It mainly offers articles, tests, quizzes and discussions related to health and well-being for the general public. The regulator noted infringements concerning the duration of data retention, the collection of health data via online tests, the security of data as well as the ways cookies were deposited on users’ terminals. Additionally, the company processes personal data with other entities, in particular for the marketing of advertising spaces on the website. These relationships of joint responsibility were not framed by any contract.

Google Analytics: The Finnish data protection commissioner has issued a notice to the meteorological institute about the transfer of personal data to the US via website tracking technologies. The institute had not defined or applied the legal basis for the transfer of data in the use of reCAPTCHA and Google Analytics services. Nor had it suspended data transfers without delay after the CJEU’s “Schrems II” decision, even though it no longer had a valid basis. The institute has taken steps to remove the tools and services from its website. The order also includes the deletion of data that had been transferred illegally to the US. 

Data security

Mobile device management: mobile devices make it easier for employees to do their job from home, at the workplace, or on the road. To reduce an organisation’s risk profile, it is critical to manage device security and device health. The US NIST explains the benefits of Mobile Device Management: an employee’s personal or corporate-owned device can be enrolled in an MDM solution to apply enterprise configurations, manage enterprise applications, and enforce compliance. To learn more about how to use standards-based, commercially available products to meet security and privacy needs, see NIST’s latest guidance.

De-identification: the Government of Canada has published guidance on de‑identification as a privacy‑preserving technique. Although pseudonymisation is a step toward anonymisation, it still permits re-identification, and the acceptable level of residual risk must be determined by context. It is always preferable for privacy experts to work together with data specialists. Some activities, such as integrating datasets or data matching, increase the risk of re‑identification, so privacy and re‑identification risks must be assessed continually, even after privacy safeguards have been applied.
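As an added illustration, not taken from the Canadian guidance, the constructed Python example below pseudonymises a small health dataset with an unkeyed hash and then shows two of the re-identification routes the guidance warns about: data matching against an auxiliary dataset on quasi-identifiers (postcode, birth year, sex), and reversing the hash by guessing its input. It also measures k-anonymity before and after suppressing the postcode. All records and names are constructed; the functions are illustrative, not a library API.

```python
"""Constructed re-identification demo: pseudonymised records are still linkable."""
import hashlib
from collections import defaultdict


def pseudonymise(identifier: str) -> str:
    """Replace a direct identifier with an unkeyed SHA-256 token (a common but weak choice)."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:16]


# Constructed "health" dataset: names removed, quasi-identifiers and diagnosis kept.
HEALTH = [
    {"pid": pseudonymise(n), "postcode": p, "birth_year": y, "sex": s, "diagnosis": d}
    for n, p, y, s, d in [
        ("Ann Example", "1234", 1980, "F", "asthma"),
        ("Bob Sample", "1234", 1975, "M", "diabetes"),
        ("Cara Test", "5678", 1980, "F", "HIV"),
        ("Dan Demo", "5678", 1975, "M", "depression"),
        ("Eve Mock", "1234", 1980, "F", "migraine"),
    ]
]

# Constructed auxiliary dataset an attacker might hold (e.g. a membership list with names).
PUBLIC = [
    {"name": n, "postcode": p, "birth_year": y, "sex": s}
    for n, p, y, s in [
        ("Ann Example", "1234", 1980, "F"),
        ("Bob Sample", "1234", 1975, "M"),
        ("Cara Test", "5678", 1980, "F"),
        ("Dan Demo", "5678", 1975, "M"),
        ("Eve Mock", "1234", 1980, "F"),
        ("Fay Extra", "5678", 1985, "F"),
    ]
]

FULL = ("postcode", "birth_year", "sex")   # quasi-identifiers as released
GENERALISED = ("birth_year", "sex")        # postcode suppressed as a safeguard


def key(record: dict, quasi: tuple) -> tuple:
    """Quasi-identifier tuple used for grouping and joining."""
    return tuple(record[q] for q in quasi)


def k_anonymity(records: list, quasi: tuple) -> int:
    """Smallest equivalence class over the quasi-identifiers; k == 1 means some record is unique."""
    counts = defaultdict(int)
    for r in records:
        counts[key(r, quasi)] += 1
    return min(counts.values())


def linkage_attack(health: list, public: list, quasi: tuple) -> dict:
    """Join on quasi-identifiers: pseudonym -> (diagnosis, sorted candidate names)."""
    index = defaultdict(list)
    for p in public:
        index[key(p, quasi)].append(p["name"])
    return {h["pid"]: (h["diagnosis"], sorted(index.get(key(h, quasi), []))) for h in health}


def reidentified(health: list, public: list, quasi: tuple) -> dict:
    """Records that link to exactly one named person: name -> diagnosis."""
    return {
        names[0]: diagnosis
        for diagnosis, names in linkage_attack(health, public, quasi).values()
        if len(names) == 1
    }


def dictionary_attack(token: str, candidates: list):
    """An unkeyed hash of a guessable value is reversed by hashing the guesses."""
    for candidate in candidates:
        if pseudonymise(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    print("k (full quasi-identifiers):", k_anonymity(HEALTH, FULL))
    print("re-identified:", reidentified(HEALTH, PUBLIC, FULL))
    print("k (postcode suppressed):", k_anonymity(HEALTH, GENERALISED))
    print("re-identified:", reidentified(HEALTH, PUBLIC, GENERALISED))
    print("hash reversed:", dictionary_attack(HEALTH[1]["pid"], [p["name"] for p in PUBLIC]))
```

With the postcode present, three of the five pseudonymised records fall into an equivalence class of size one and are re-identified by the join; suppressing the postcode raises k to 2 and the join yields no unique match on this data. The dictionary attack shows why an unkeyed hash of a name is a token, not an anonymiser: a keyed construction (HMAC with a secret held apart from the data) is the usual fix.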

Big Tech

NHS data sharing: according to the Guardian, NHS trusts have been sharing sensitive data about patients’ health conditions, medical appointments and treatments with Facebook without their knowledge, despite promises never to do so. An Observer investigation found a tracking tool, the Meta Pixel, on the websites of 20 NHS trusts; it had been collecting patients’ browsing data for years and sending it to the company. The information included specific details such as pages viewed, buttons pressed and keywords searched, matched to the user’s IP address, and covered patients who visited hundreds of NHS webpages about HIV, self-harm, gender identity services, sexual health, cancer, children’s treatment and more.
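Both the Finnish case above (Google Analytics and reCAPTCHA) and the NHS case turn on third-party scripts that a site operator did not realise were sending visitor data abroad. As an added check, not part of the digest or of the Observer investigation, the Python scanner below flags those three tools in a page’s HTML by matching the public script hosts they load from (connect.facebook.net/fbevents.js and the facebook.com/tr image beacon for the Meta Pixel, googletagmanager.com/gtag/js and google-analytics.com/analytics.js for Google Analytics, google.com/recaptcha/api.js for reCAPTCHA) and their inline initialisation calls. The sample page and its IDs are constructed placeholders; the signature list is illustrative, not exhaustive.

```python
"""Constructed example: flag known tracking scripts in page HTML."""
import re
from html.parser import HTMLParser

# Public loader hosts and init calls for the tools named in the digest (not exhaustive).
TRACKER_SIGNATURES = {
    "Meta Pixel": [
        r"connect\.facebook\.net/[^/]+/fbevents\.js",  # pixel loader script
        r"\bfbq\(\s*['\"]init['\"]",                   # inline initialisation call
        r"www\.facebook\.com/tr\?",                    # <noscript> image beacon
    ],
    "Google Analytics": [
        r"www\.googletagmanager\.com/gtag/js",          # gtag.js loader
        r"www\.google-analytics\.com/analytics\.js",    # legacy analytics.js loader
        r"\bgtag\(\s*['\"]config['\"]",                 # inline property configuration
    ],
    "reCAPTCHA": [
        r"www\.google\.com/recaptcha/api\.js",
        r"www\.recaptcha\.net/recaptcha/api\.js",
    ],
}


class TrackerScanner(HTMLParser):
    """Collects (tracker, location, evidence) from script/img/iframe sources and inline scripts."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_text = []
            if attrs.get("src"):
                self._match(attrs["src"], "script src")
        elif tag in ("img", "iframe") and attrs.get("src"):
            self._match(attrs["src"], f"{tag} src")

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            self._match("".join(self._script_text), "inline script")

    def _match(self, text, location):
        for tracker, patterns in TRACKER_SIGNATURES.items():
            for pattern in patterns:
                hit = re.search(pattern, text)
                if hit:
                    self.findings.append((tracker, location, hit.group(0)))
                    break  # one finding per tracker per location


def scan_html(html: str) -> list:
    """Return every (tracker, location, evidence) triple found in the HTML."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def trackers_present(html: str) -> set:
    """Names of the trackers found, for a quick per-page verdict."""
    return {tracker for tracker, _, _ in scan_html(html)}


# Constructed page resembling a clinic booking page that embeds all three tools.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Sexual health clinic: book an appointment</title>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-PLACEHOLDER');
</script>
<script>
  var s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(s);
  fbq('init', 'PIXEL-ID-PLACEHOLDER');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=PIXEL-ID-PLACEHOLDER&amp;ev=PageView"/></noscript>
</head><body>
<p>Choose a clinic and a time.</p>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
</body></html>"""

# Constructed page with no third-party scripts, as a negative control.
CLEAN_PAGE = "<html><head><title>Opening hours</title></head><body><p>Mon-Fri 9-17</p></body></html>"

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding)
```

Run against saved HTML from your own site (for example the output of `curl -s` over the pages a patient would visit); a non-empty result means the page hands the visitor’s IP address, URL and on-page actions to that provider before any server-side control applies. Scripts injected by a tag manager at runtime will not appear in the static HTML, so a browser-side check of outgoing requests is still needed to be sure.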

Microsoft cookies: Microsoft Ireland revised its cookie policy for the Bing search engine in France after receiving a reprimand from the country’s data protection authority, the CNIL, for privacy violations, govinfosecurity.com reports. In December the CNIL fined the company 60 million euros over a cookie practice it described as deceptive, which it said made it impossible for Bing users to stop data collection, and gave Microsoft three months to comply or face further penalties of 60,000 euros per day. In particular, Microsoft had to obtain French Bing users’ consent before setting cookies used to combat advertising fraud.

The Privacy Sandbox: Google has announced the next stages of the Privacy Sandbox: general availability and support for scaled testing. In Q1 2024 it plans to deprecate third-party cookies for one per cent of Chrome users, so that developers can run real-world experiments assessing the readiness and effectiveness of their products without third-party cookies. This follows the introduction, in Q4 2023, of the ability for developers to simulate Chrome’s third-party cookie deprecation for a configurable percentage of their own users.

The post Data protection digest 17 May – 1 June 2023: amassing data for machine learning is ‘no excuse for breaking the law’ appeared first on TechGDPR.

]]>