log data Archives - TechGDPR (https://techgdpr.com/blog/tag/log-data/)

Data protection & privacy digest 18 Apr – 2 May 2023: draft AI legislation finalised, and employers’ compliance in focus
https://techgdpr.com/blog/data-protection-digest-03052023-draft-ai-legislation-finalised-and-employers-compliance-in-focus/
Wed, 03 May 2023 07:33:26 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

Draft AI Act: The long-discussed AI legislation is expected to go through the full European parliamentary vote in mid-June. Reportedly MEPs, after two years of discussions with stakeholders, have finally reached a common political position. However, it will take a few years for it to be enforced: the EU interinstitutional ‘trilogue’ that comes after parliamentary approval may take a while. 

The most rigorous regulations will apply to the high-risk systems that could be used for biometric identification, critical infrastructure management, or by large online platforms and search engines if they create health and safety or fundamental threats for individuals. The framework includes testing, proper documentation, data quality and human oversight. Extra safeguards are promised when such systems are intended to process special categories of personal data, prioritising instead synthetic, anonymised, pseudonymised or encrypted data. 

MEPs also support the idea to put stricter data governance obligations on foundation models, (like ChatGPT), distinguishing them from general-purpose AI. 

MiCA: Meanwhile the Parliament endorsed the EU rules to trace crypto-asset transfers and prevent money laundering, as well as common rules on supervision and customer protection. The “travel rule”, already used in traditional finance, will in the future cover transfers of crypto assets. Information on the source of the asset and its beneficiary will have to follow the transaction and be stored on both sides of the transfer. The rules will not apply to person-to-person transfers conducted without a provider or among providers acting on their own behalf. The end of 2024 or early 2025 will see the full implementation of the framework. 

America’s Innovative tech: The existing legal authorities apply to the use of automated systems and innovative new technologies just as they apply to other practices, states the US Justice Department with its federal partners. The US Constitution and federal statutes prohibit discrimination across many facets of life, including education, criminal justice, housing, lending, and voting. It is illegal for an employer to discriminate against an applicant or employee due to their race, religion, gender, age, pregnancy, disability, or genetic information. The firms are also required to destroy algorithms or other work products that were trained on illegally collected data. 

Case law

Apartment surveillance: The Estonian supreme court explained the possibility of installing surveillance cameras in an apartment building if some owners do not agree. In the given case, drug gang activity in the building was spotted, but one owner contested the cooperative’s decision to install the cameras as an intrusion into his privacy and the risk of monitoring. As CCTV processes personal data, a legal basis is necessary according to the GDPR. If an agreement between the owners cannot be reached, it can be done by a majority vote. In this case, there must be a legitimate interest, which outweighs the interests or fundamental rights of the apartment owners, (eg, a security threat – in the given case).

However, the court stated, if the installation of cameras is decided by a majority vote at the general meeting, then all apartment owners must be given the opportunity to familiarize themselves with the planned conditions, including a privacy notice for the use of cameras before the meeting. In case of violation of this requirement, the decision of the general meeting would be null and void.

Official guidance

SMEs guide: An organisation not only has to process personal data according to the GDPR, but it also needs to be able to demonstrate its compliance. For this purpose, the EDPB published its Guide for SMEs. It applies whenever you process personal data about your staff, consumers, and business partners. Transparency, data minimisation, respect for individual rights and good security practices are basic precautions for both data controllers and processors. The guide contains visual tools and other practical materials. In addition, it contains an overview of handy materials developed for SMEs by the national data protection authorities.

Employer’s guide: The Irish data protection regulator meanwhile published Data Protection in the Workplace instructions. Employers collect and process significant amounts of personal data on prospective, current and former employees. Although not all organisations are required to have a data protection officer, organisations might still find it useful to designate an individual within their organisation to oversee the recruitment data processing. The guide includes explanations and examples of appropriate legal bases, storage periods, fulfilment of data subject requests, employee monitoring technologies, email status, and much more.

Employees’ photos: The Slovenian data protection agency published its opinion regarding the revocation of consent for the publication of employees’ photos on the employer’s social networks. The processing of the employee’s personal data based on their personal consent is permissible only in exceptional cases, due to the obviously unequal position of the employer and the employee. 

Nonetheless, if the circumstances of the employment relationship do not require the production, publication and continued storage of a photograph, the employer should obtain consent, (and provide all the necessary information stipulated in Art. 13 of the GDPR). In this case, the fact that the photos are made public has no effect on the possibility of revoking consent to their publication. A refusal or silence on the part of the manager gives rise to the possibility of lodging a complaint with the data protection authority.

RoPA: A fresh new guide on records of processing activities with some practical examples was issued by the Irish data protection agency. The RoPA should not just be a ‘catch all’ document that refers to other documents; all processing activities should be recorded in sufficient detail, it states. An external reader or an auditor needs to be able to fully comprehend the document. Smaller organisations may not be required to maintain a full RoPA due to their size. However, most organisations will need to record processing activities such as HR and payroll functions. It may be that a simple spreadsheet is sufficient. For more complex organisations, the data controller may opt to use a relational database or one of the RoPA tools available from third-party data protection service providers. 

Online training: During the planning stage of a seminar, explains the Latvian data protection regulator, best practice means writing down and evaluating what kind of data about the event’s visitors is intended to be processed, and for what purposes. Beyond registration data, this can include the participant’s technical data from a device and broadcast and recording of the seminar. The next questions should be what is the applicable legal basis, the types of personal data, and the storage periods necessary to achieve the goal. 

In the case of other (joint) controllers, or processors involved, they must agree among themselves, determine the specific responsibilities and inform the workshop participants. The organizer(s) can include such information in the general privacy policy or develop it separately for each individual seminar. The information must be provided in a concise, transparent, understandable and easily accessible way, (it is considered good practice to have the privacy policy no more than two clicks away from the website’s front page). 

Enforcement decisions

ChatGPT: The temporary ban against OpenAI and its ChatGPT has been dropped by the Italian data protection authority. The platform has introduced the required opt-out option for the user’s data processing before running the AI chatbot. A number of European regulators are also moving into action. The French data protection authority has announced the investigation of received complaints, and the German regulators want to know if a data protection impact assessment has been conducted. At the same time, Ireland’s regulator advises against rushing into ChatGPT prohibitions that “really aren’t going to stand up”, stressing it is necessary first to understand a bit more about the technology.

Record number of cases: The Spanish data protection agency published its 2022 report. 15,128 claims were filed, which represents an increase of 9% compared to 2021 and 47% compared to 2020. This figure rises to 15,822 including cross-border cases from other European authorities and the cases in which the agency acts on its own initiative. The areas of activity with the highest amount of fines imposed have been Internet services, advertising, labour matters, personal data breaches, fraudulent contracting and telecommunications. The main way of resolving claims involves their transfer to the data controller, obtaining a satisfactory response for the citizen in an average of less than 3 months, states the report.

Employee’s dismissal: The Danish data protection authority criticises an employer who informed the entire workplace that an employee had been dismissed due to, among other things, cooperation difficulties. The employer’s briefing emails went further than what was necessary for the purpose, namely to inform the relevant persons about the resignation. The employer stated that making the reason for the resignation public was to avoid the creation of rumours. However, the Danish regulator found that consideration for the resigning employee weighed more heavily.

Security clearance: The Danish authority also decided against a former security guard who complained that his employer, (Securitas), had passed on information about him to the intelligence services in connection with a security clearance without obtaining consent. However, Securitas insists that all on-call employees are informed of the requirement for security clearance, and the complainant had completed an employment form with a declaration of consent, as his application for security approval would have been rejected if he had not completed, signed and consented to it.

Dark patterns: In Italy, a company that offers digital marketing services was found guilty of having illegally processed personal data. It emerged that in some of the portals owned by the company, “dark patterns” were used which, through suitably created graphical interfaces and other potentially misleading methods, enticed the user to give their consent to the processing of data for marketing purposes and to the communication of data to third parties. In addition, an invitation to click on a link that led to another site to download an e-book had the user’s profile data already recognized and the consent already selected. 

Security evidence logs: For a careless response to a data access request, the Spanish data protection authority fined Securitas Direct Espana 50,000 euros, according to Data Guidance. The complainant exercised their right of access after their vacation home, for which they had signed a security service contract, was robbed. The data logs from the alarm system were not provided by Securitas Direct, and those that were sent to the complainant were incomplete, out of chronological order, and missing the decryption keys. The logs produced by the alarm system installed in the complainant’s home, stated the regulator, are considered personal data and are thus subject to the right of access.

Data security

Consumers’ personal data: New York’s Attorney General released a guide to help businesses adopt effective data security measures to better protect personal information. The guide offers a series of recommendations intended to help companies prevent breaches and secure their data, including:

  • maintaining controls for secure authentication,
  • encrypting sensitive customer information,
  • ensuring your service providers use reasonable security measures,
  • knowing where you keep consumer information,
  • guarding against automated attacks, and
  • notifying consumers quickly and accurately of a data breach, etc.

Cybersecurity of AI: The European Union Agency for Cybersecurity published an assessment of standards for the cybersecurity of AI and issued recommendations to support the implementation of upcoming AI legislation. AI mainly includes machine learning resorting to methods such as deep learning, logic, and knowledge-based and statistical approaches. However, the exact scope of an AI system is constantly evolving both in the legislative debate on the draft AI Act, as well in the scientific and standardisation communities. 

The assessment is based on the observation concerning the software layer of AI. It follows that what is applicable to software could be applicable to AI. However, it does not mean the work ends here. Other aspects still need to be considered, such as a system-specific analysis to cater for security requirements deriving from the domain of application, and standards to cover aspects specific to AI, such as the traceability of data and testing procedures. Meanwhile, some key recommendations include:

  • establishing a standardised AI terminology for cybersecurity;
  • developing technical guidance on how existing standards related to the cybersecurity of software apply to AI;
  • reflecting on the inherent features of machine learning in AI;
  • considering risk mitigation by associating software components with AI, reliable metrics, and testing;
  • promoting cooperation and coordination across standards organisations’ technical committees.

Big Tech

VLOPs: The first designations of ‘Very Large Online Platforms and Online Search Engines’ under the Digital Services Act, (and the Digital Markets Act), were made public by the European Commission. As the 19 registered entities reach 45 million monthly active users, they will be subject to more regulatory requirements: user rights offerings, targeted advertising opt-outs, restrictions on sensitive data and profiling of minors, as well as improved transparency and risk assessment measures. Within 4 months of notification, the platforms will have to redesign their services, including their interfaces, recommender systems, and terms and conditions.

Salesforce Community leaks: A large number of businesses, including banks and healthcare organisations, are leaking information from their open Salesforce Community websites, a KrebsOnSecurity analysis has discovered. Customers can access a Salesforce Community website in two different ways: through authenticated access, (which requires logging in), and through guest user access, (which doesn’t). It appears that Salesforce administrators may inadvertently give guest users access to internal resources, (payroll, loan amounts, bank account information combined with other data), which could allow unauthorised users to gain access to a company’s confidential information and result in possible data leaks.

Weekly digest November 15 – 21, 2021 “Privacy, DP, and Compliance news in focus”
https://techgdpr.com/blog/weekly-digest-november-15-november-21-2021-privacy-dp-and-compliance-news-in-focus/
Mon, 22 Nov 2021 09:25:28 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The Council of Europe is strengthening its legal arsenal on disclosure of electronic evidence between governments and with service providers. A Second Additional Protocol to the “Budapest Convention” will extend the rule of law further into cyberspace. Today, obtaining electronic evidence that may be stored in foreign, multiple, shifting or unknown jurisdictions is increasingly complex, while the powers of law enforcement are limited by territorial boundaries. As a result, only a very small share of reported cybercrime leads to court decisions. The Protocol provides a legal basis for disclosure of domain name registration information and for direct co-operation with service providers on subscribers’ personal information and traffic data, (excluding anonymised data), an effective means to obtain subscriber information and mutual assistance tools, along with personal data protection safeguards. The latter stipulate that each party to a request shall provide notice to the individual whose personal data has been collected, with regard to:

  • the legal basis for and the purpose(s) of processing, (eg, the important public interest  for investigation of criminal offences); 
  • any retention or review periods of recipients or categories of recipients to whom such data is disclosed; 
  • and access, rectification and redress available. 

However, once made public at trial, an individual’s data passes into the public domain. In these situations, it is not possible to ensure confidentiality or DP safeguards for the investigation or proceedings for which the material was sought. The text should be opened for signature in May 2022.

Similarly, the CJEU’s Advocate General Opinion reiterates that general and indiscriminate retention of traffic and location data relating to electronic communications is permitted, but only in the event of a serious threat to national security. It must not include the prosecution of offences, including serious ones. Namely, national legislation which requires electronic telecommunications undertakings to retain traffic data on a general and indiscriminate basis for investigating market manipulation and abuse is contrary to EU law. Moreover, the time limit imposed on that storage does not remedy the issue, since, apart from the situation justified by the defence of national security, the general storage of electronic communications entails serious interference with fundamental rights to private and family life and the protection of personal data, irrespective of the duration of the period for which access to this data is requested. 

The Hanover Administrative Court issued an important decision on extensive data collection, Data Guidance reports. It dismissed an action by an online mail-order pharmacy against the Lower Saxony data protection authority. The regulator had instructed the plaintiff to refrain from collecting customers’ dates of birth unless the information was required in relation to the drug ordered, and to avoid using gender-specific titles based on information collected during the ordering process. The plaintiff had agreed to insert the option ‘no information’ into the order form in relation to titles, but argued that, as they were obliged to provide age-appropriate advice, a corresponding query on date of birth had to be made in the ordering process. The court found that the ordering process in question only related to products that could be purchased without a prescription, and as such, questions regarding a customer’s date of birth during the ordering process should be omitted.

The EDPB has published its statement on the EU Digital Services Package and Data Strategy. The EU Commission has presented several legislative proposals, most notably the Digital Services Act, the Digital Markets Act, the Data Governance Act, the Regulation on a European approach for Artificial Intelligence, and proposal for a Data Act. The EDPB draws attention to a number of overarching concerns: lack of protection of individuals’ fundamental rights and freedoms; fragmented supervision; and risks of inconsistencies. The EDPB considers that, without further amendments, the proposals will negatively impact the fundamental rights and freedoms of individuals and lead to significant legal uncertainty that would undermine both the existing and future legal framework.

Official guidance

The EDPB adopted Guidelines on the interplay between Art. 3 and Chapter V of the GDPR. By clarifying the interplay between the territorial scope of the GDPR and the provisions on international transfers, it aims to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers. In particular, the guidelines specify three cumulative criteria that qualify processing as a transfer: 

  • the data exporter, (a controller or processor), is subject to the GDPR for the given processing; 
  •  the data exporter transmits or makes available personal data to the data importer, (another controller, joint controller or processor); 
  • the data importer is in a third country or is an international organisation.

The processing will be considered a transfer, regardless of whether the importer established in a third country is already subject to the GDPR. However, the EDPB considers that collection of data directly from data subjects in the EU at their own initiative does not constitute a transfer.

Finland’s data protection ombudsman reminds data controllers that event log data stored in connection with personal data breaches in the information system must be kept as part of the documentation obligation. The Data Protection Officer may request log information to process a breach notification. Log files refer to chronologically recorded records of events and their causes in data networks, applications, systems, and data content. For example, it can capture all login sessions to a network, along with account lockouts, failed password attempts, etc.

Meanwhile, the French regulator CNIL published, (in French), recommendations on the implementation of logging measures. The purpose of logging tools in the context of multi-user systems is to ensure traceability of access and actions by various people accessing the information systems and, more specifically, the processing of personal data implemented within the organization. The data thus collected and processed by these tools contain information on the persons administering or accessing the resources, such as the user identifier, the date and time of access, the identifier of the equipment used, etc. In general it is always recommended to save logging data for access, creation, modification and deletion actions when processing personal data. 
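The two guidance items above describe what an access log for personal data should contain (who acted, when, from which equipment, on which record, and whether it was a create, access, modify or delete action) and why security events such as failed logins and lockouts must be retained with breach documentation. The following Python is an added example written for this digest; it is not code from CNIL, the Finnish ombudsman or any product. The field names, action names and the sample activity are assumptions constructed for the example.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

# Actions that should always be logged when personal data is processed,
# plus the security events a breach investigation typically needs.
# (Both sets are this example's own naming, not a regulator's taxonomy.)
DATA_ACTIONS = {"access", "create", "modify", "delete"}
SECURITY_EVENTS = {"login", "login_failed", "account_locked"}


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str   # ISO 8601 in UTC, so entries can be ordered and compared
    user_id: str     # who administered or accessed the resource
    device_id: str   # identifier of the equipment used
    action: str      # one of DATA_ACTIONS or SECURITY_EVENTS
    target: str      # reference to the record or account touched, never its contents
    outcome: str     # "success" or "failure"


class AuditLog:
    """Append-only JSON-lines log, kept separate from the personal data itself."""

    def __init__(self) -> None:
        self._lines: List[str] = []

    def record(self, user_id: str, device_id: str, action: str, target: str,
               outcome: str = "success", when: Optional[datetime] = None) -> AuditEvent:
        if action not in DATA_ACTIONS | SECURITY_EVENTS:
            raise ValueError(f"unknown audit action: {action}")
        when = when or datetime.now(timezone.utc)
        event = AuditEvent(when.isoformat(timespec="seconds"), user_id, device_id,
                           action, target, outcome)
        self._lines.append(json.dumps(asdict(event), sort_keys=True))
        return event

    def events(self) -> List[AuditEvent]:
        return [AuditEvent(**json.loads(line)) for line in self._lines]

    def trail_for_record(self, target: str) -> List[AuditEvent]:
        """Everything done to one record, in chronological order: what an
        access request or an auditor asks for."""
        return sorted((e for e in self.events() if e.target == target),
                      key=lambda e: e.timestamp)

    def security_events(self, since: Optional[datetime] = None) -> List[AuditEvent]:
        """Failed logins and lockouts (optionally after `since`), the log
        evidence that has to be retained alongside a breach notification."""
        cutoff = since.isoformat(timespec="seconds") if since else ""
        return [e for e in self.events()
                if e.action in {"login_failed", "account_locked"} and e.timestamp >= cutoff]

    def is_chronological(self) -> bool:
        """True if the stored lines are already in time order, which is how an
        export handed to a data subject or a regulator should arrive."""
        stamps = [e.timestamp for e in self.events()]
        return stamps == sorted(stamps)


def build_sample_log() -> AuditLog:
    """Constructed sample activity for the example (not real data)."""
    log = AuditLog()
    t0 = datetime(2021, 11, 15, 9, 0, tzinfo=timezone.utc)

    def at(minutes: int) -> datetime:  # offsets within the same hour
        return t0.replace(minute=minutes)

    log.record("alice", "ws-17", "login", "account:alice", when=at(0))
    log.record("alice", "ws-17", "access", "customer:1042", when=at(1))
    log.record("alice", "ws-17", "modify", "customer:1042", when=at(5))
    for i in range(3):  # three failed attempts, then the lockout they triggered
        log.record("bob", "laptop-3", "login_failed", "account:bob", "failure", when=at(10 + i))
    log.record("system", "auth-svc", "account_locked", "account:bob", when=at(13))
    log.record("carol", "ws-02", "delete", "customer:1042", when=at(30))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    for e in sample.trail_for_record("customer:1042"):
        print(e.timestamp, e.user_id, e.device_id, e.action)
    print("security events:", len(sample.security_events()))
    print("ordered:", sample.is_chronological())
```

The log stores a reference to the record (`customer:1042`) rather than the record's contents, so the audit trail itself does not become a second copy of the personal data; `trail_for_record` answers the question an access request or an auditor asks, and `security_events` pulls out the login failures and lockouts that the Finnish guidance says must be kept with breach documentation.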

The CNIL also publishes its guidance on why and how to appoint a data protection officer, and what resources should be given to this person to do their job. Today nearly 30,000 professionals in France perform this function, (natural and legal persons combined), for 80,000 organisations that have appointed a DPO. Of these, the public administration, education and health sectors are the most represented.

The Danish data protection agency published a new guiding text with reference to use cases, (in Danish), on data responsibility between private suppliers and public authorities. It emphasizes the importance of defining data processor and controller roles. While some cases are classical, (eg, an IT provider acts solely on instructions from a public authority), others can be more complex, namely, when private individuals are suppliers to public authorities. It is thus the content of the parties’ contractual agreement, including which service is to be provided, that is decisive for the role of the supplier. If, for example, receiving and storing information so as to fulfill an agreement without this treatment in itself having been agreed would mean the supplier would be independently responsible for the processing of the data.

Data breaches, investigations and enforcement actions

Known across the EU, the Vinted platform, (the online clothing sales marketplace), is under scrutiny by several data protection authorities. A significant number of complaints concerning vinted.com, operated by Lithuanian company Vinted UAB, have arrived on the desks of supervisory authorities from France, Lithuania and Poland, who are cooperating to investigate this website’s GDPR compliance. Today the website operator requires a scan of an identity card in order to unblock funds received from sales on a user’s account. The legal justification for this may be an issue, as are the procedures and criteria to block an account and the corresponding retention periods.

Cyprus’s regulator has fined WS WiSpear Systems, (a provider of end-to-end WiFi surveillance solutions for the intelligence and public safety markets), 925,000 euros for violating the principle of lawful, fair, and transparent processing, (Art. 5 of the GDPR). The company had collected Media Access Control addresses and International Mobile Subscriber Identity data from various devices, in the context of testing and presentation of technologies, without the knowledge of the users of these devices. The case highlights how data collected in combination with the geographical location of devices at different times can lead to the identification of device users, DataGuidance reports.

Spanish regulator the AEPD punished several companies: an ambulatory health care service whose doctors accessed their former patients’ medical records; a natural gas and electricity trader for unexpected changes in customer contracts, (on behalf of a tenant), in a prima facie example of identity theft; and a Spanish multinational telecommunications company for violating the national Information Society Services and Electronic Commerce law through direct marketing communications to a customer without their consent.

Polish data protection regulator the UODO has fined a bank for not reporting the violation and not fully informing people about a data breach, as well as for an unsatisfactory level of cooperation. A courier company happened to lose bank correspondence containing personal data, including names, surnames, registration addresses, bank account details, and identification numbers given to the bank’s customers. The bank considered that the risk of negative consequences for the persons affected was moderate, and therefore decided not to report the breach to the supervisory authority or comply with the GDPR obligation to notify the data subjects.

Opinion

If a company is the victim of a data breach it is required to identify and notify an unknown number of individuals impacted by the breach. In order to determine which individuals to notify, the company must identify which documents contain protected information, extract data on impacted individuals from those documents and use that data to determine who to notify and by what means. This process requires a large and complex data review of documents from sources with varying degrees of uniformity and accessibility—ranging from scanned hard copy files to spreadsheets containing data for thousands of individuals. A Mayer Brown LLP article examines the pros and cons of using technology that could be used in the data review project, comparing traditional text recognition, and relatively new pattern recognition software driven by artificial intelligence.

Big Tech

Meta, which already uses end-to-end encryption on its WhatsApp product, is delaying rolling out the same feature on Facebook and Instagram messages until 2023. Messenger already has encrypted video and voice calls. Originally planned for next year, the delay is due to fears it could provide anonymity to abusers and terrorists. The opposition has been especially fierce in the UK, where leading children’s charity the NSPCC insists private messaging is “the frontline of child sexual abuse online”, and the Interior Minister says the social media behemoth’s encryption plans are “simply unacceptable”.

At the same time Meta denies that its Facebook and Instagram platforms are gathering browsing data from under-18s, the Guardian reports. The platforms’ parent company had announced in July that it would allow advertisers to target young users based on three categories only – age, gender and location – rather than a range of options including their personal interests. However, research by a trio of campaign groups states that Facebook and Instagram have retained the use of software, known as conversion APIs, that gathers details of teens’ web browsing activities. Their study set up fake accounts for a 13-year-old and two 16-year-olds. Campaigners were able to view the data harvested by the company’s software across the platforms as the “users” visited sites such as local newspapers and clothing retailers, clicked on buttons, searched for items or put products in baskets.

The Shanghai Consumer Council has publicly questioned Chinese tech giant Tencent Holdings over how it is handling data collection and personalised ads on super app WeChat amid Beijing’s intensified regulatory scrutiny and the roll-out of the new privacy law. The Council requested clarity on whether Tencent has stopped collecting user data, or whether it would continue collecting the data but not use it, if users opt out of personalised ads. The council also queried Tencent’s statement in its privacy policy about collecting data for “other services” while complying with relevant laws and regulations.

Mozilla has released the latest edition of its “Privacy Not Included shopping guide”, aiming to provide Christmas shoppers with a list of how the most popular items handle privacy issues. Mozilla researchers spent over 950 hours examining 151 popular connected gifts in the US, identifying 47 that had what they called “problematic privacy practices.” The researchers sought to figure out whether items had cameras, microphones or location tracking features as well as any other tools that collected data on users. Mozilla also examined whether devices used encryption or forced users to have strong passwords. The report notes that because of privacy laws passed in California, many companies have added sections specifically governing those that live in the state. But many companies have no privacy policy at all or make it difficult to find and hard to read.
