MiCA Archives - TechGDPR
https://techgdpr.com/blog/tag/mica/

Data protection digest 2 – 16 June 2023: rules on electronic evidence, explainable AI, and wildcat telemarketing
https://techgdpr.com/blog/data-protection-digest-19062023-electronic-evidence-regulation-explainable-ai-and-wildcat-telemarketing/
Mon, 19 Jun 2023 09:48:45 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

Electronic evidence: The European Parliament voted to adopt new rules on the exchange of electronic evidence by law enforcement authorities, intended to make cross-border investigations more effective. National authorities will be able to request evidence directly from service providers in other member states (“production orders”) or ask that data be preserved for up to 60 days. Evidence can consist of content data (text, voice, images, video or sound), traffic data (timestamps, protocol and compression details, and information about recipients) or subscriber data. Currently, the exchange depends on various bilateral and international agreements on mutual legal assistance, resulting in a fragmented landscape and, often, lengthy procedures. However, authorities can refuse requests when they have concerns about media freedom or fundamental rights violations in the requesting member state.

From MiCA to MiCAR: The Markets in Crypto-Assets Regulation has been published in the Official Journal of the EU and will start to apply in all EU Member States in stages during 2024. The new rules cover issuers of utility tokens, asset-referenced tokens and e-money tokens (the two categories of so-called ‘stablecoins’), as well as service providers such as trading venues and the custodial wallets in which crypto-assets are held. The recast Transfer of Funds Regulation, published alongside it, ensures that crypto-asset transfers, like any other financial operation, can always be traced and suspicious transactions blocked: information on the originator of the asset and its beneficiary will have to “travel” with the transaction and be stored on both sides of the transfer.

In addition to MiCAR, the EU digital finance package contains the Digital Operational Resilience Act (DORA), which also covers crypto-asset service providers, and the regulation establishing a pilot regime for market infrastructures based on distributed ledger technology (DLT) for wholesale uses.

Draft AI Act: The European Parliament also adopted its negotiating position on the Artificial Intelligence Act and is ready to discuss the final form of the law with the Council and the Commission. MEPs enlarged the list of AI practices that pose an unacceptable level of risk to people’s safety, and which would therefore be prohibited, to include:

  • “real-time” remote biometric identification systems in publicly accessible spaces;
  • “post” remote biometric identification systems, with the sole exception of law enforcement use for the prosecution of serious crimes and only after judicial authorisation;
  • biometric categorisation systems using sensitive data (gender, race, ethnicity, etc.);
  • predictive policing systems (based on profiling, location or past criminal behaviour);
  • emotion recognition systems in law enforcement, border management, the workplace, and educational institutions; and
  • untargeted scraping of facial images from the internet or CCTV footage to create facial recognition databases. 

MEPs added exemptions for research activities and AI components provided under open-source licences. So-called regulatory sandboxes, controlled real-life environments established by public authorities, would be used to test AI before it is deployed, and individuals would gain a right to complain about AI systems and to receive explanations of decisions based on high-risk systems.

CJEU Opinion

Data subject rights: A CJEU Advocate General’s opinion states that a data subject must have judicial recourse against an independent supervisory authority where they exercise their rights through that authority. In the underlying case, the Belgian National Security Authority refused an individual a ‘security clearance certificate’ because he had taken part in various demonstrations in the past. He asked the national supervisory body for police information (“OCIP”) to identify the controllers responsible for the data processing at issue and to order them to give him access to all the information concerning him. The OCIP replied that it had carried out all necessary checks, without providing any further details. Unsatisfied with that answer, the individual brought an action against the OCIP.

The opinion clarifies that in such a case the information the supervisory authority gives the data subject on the outcome of its check need not always be limited to the bare statement that all necessary verifications have been carried out; it may vary with the circumstances of the case, applying the principle of proportionality. The full legal reasoning is set out in the original opinion.

Official guidance

UK Children’s Code: The latest evaluation report shows that a fifth of UK children are familiar with the Children’s Code (a statutory code of practice since 2020) and a third are more aware of data privacy as a result of its implementation. The code applies to any ISS provider (including ed-tech products and services) that processes the data of children in the UK, including some organisations that are not based in the UK. In the supervision and enforcement phase there were initial resourcing challenges around integrating Children’s Code activities into ‘business as usual’, and external expectations around supervision and enforcement could have been managed better, as these activities were only possible once the transition period ended. Key skill gaps identified included technology professionals lacking awareness of:

  • how ISS providers operate, as well as supporting technology (e.g. age assurance technology);
  • the importance of communication and engagement policies, as without them knowledge and experience embedded within the organisation is lost when a project or phase finishes.

Input data for triage algorithms: The Spanish data protection authority examined how the performance of a running algorithm can be compromised by inaccurate input data. Its analysis looked at the triage algorithms of the emergency health system, which must optimise resources in order to save lives. The authority suggests that assessment of the algorithm used in triage processing should be only one part of a wider assessment, including factors such as data gathering operations, data checking, human involvement and the way in which decisions are executed, reviewed and contested.

A lack of definition of the input data can lead to errors or biases that are not part of the algorithm itself. Thus, the accuracy principle should be applied to the input data, the output data and even the intermediate data of the whole processing activity. The precise definition of every input datum (gathered both directly and indirectly) and its semantics must be set up “by design” and properly documented. Even more importantly, the admissible value range (“yes/no”, “0 to 10” or “high/medium/low”) should be defined and assessed in the context of the processing.
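To make the regulator’s point concrete, here is an added example in Python; it is not from the AEPD’s analysis or from any real triage system. It declares an input specification that documents each field’s semantics and admissible range, a validator that enforces it, and a constructed triage rule. The field names, ranges and scoring rule are assumptions for illustration only. The same scoring function, fed a pain score recorded on a 0 to 100 scale or an oxygen saturation expressed as a fraction, returns a different priority without any change to the algorithm; the validator stops both records before they reach it.

```python
from typing import Any, Dict, List, Optional, Tuple

# Constructed input specification for a hypothetical triage rule. Each field
# documents its semantics and admissible value domain "by design". The field
# names and ranges are assumptions for this example, not the AEPD's or those
# of any real emergency service.
TRIAGE_INPUT_SPEC: Dict[str, Dict[str, Any]] = {
    "pain_score": {
        "semantics": "patient-reported pain, integer 0 (none) to 10 (worst imaginable)",
        "type": int,
        "domain": set(range(0, 11)),
    },
    "spo2_percent": {
        "semantics": "peripheral oxygen saturation as a whole-number percentage",
        "type": int,
        "domain": set(range(50, 101)),
    },
    "consciousness": {
        "semantics": "AVPU level: alert, voice, pain or unresponsive",
        "type": str,
        "domain": {"alert", "voice", "pain", "unresponsive"},
    },
}


def validate_input(record: Dict[str, Any]) -> List[str]:
    """Check a record against the declared specification.

    Returns a list of human-readable problems; an empty list means the record
    is fit to be scored. Unknown fields are reported too: an undocumented input
    has no agreed semantics and must not silently influence a decision.
    """
    errors: List[str] = []
    for field, spec in TRIAGE_INPUT_SPEC.items():
        if field not in record:
            errors.append(f"{field}: missing ({spec['semantics']})")
            continue
        value = record[field]
        # bool is a subclass of int in Python; a stray True/False must not pass as 1/0.
        if isinstance(value, bool) or not isinstance(value, spec["type"]):
            errors.append(
                f"{field}: expected {spec['type'].__name__}, got {type(value).__name__} {value!r}"
            )
            continue
        if value not in spec["domain"]:
            errors.append(f"{field}: {value!r} outside admissible range ({spec['semantics']})")
    for field in sorted(set(record) - set(TRIAGE_INPUT_SPEC)):
        errors.append(f"{field}: undocumented input, refusing to use it")
    return errors


def score(record: Dict[str, Any]) -> str:
    """Constructed triage rule. It is deliberately simple: the point is that
    its output depends entirely on the meaning of the numbers it receives."""
    if record["consciousness"] != "alert" or record["spo2_percent"] < 90:
        return "immediate"
    if record["pain_score"] >= 7 or record["spo2_percent"] < 94:
        return "urgent"
    return "standard"


def triage(record: Dict[str, Any]) -> Tuple[Optional[str], List[str]]:
    """Validate first, score second. Returns (priority, errors); the priority
    is None whenever the input failed validation, so the caller cannot act on
    a decision derived from undefined data."""
    errors = validate_input(record)
    if errors:
        return None, errors
    return score(record), []


if __name__ == "__main__":
    # Constructed records. The second carries pain on a 0-100 scale (a different
    # instrument), the third carries SpO2 as a fraction: same patient, same
    # rule, different answer if nobody checks the input semantics.
    patient = {"pain_score": 3, "spo2_percent": 97, "consciousness": "alert"}
    vas_scale = {"pain_score": 30, "spo2_percent": 97, "consciousness": "alert"}
    fraction = {"pain_score": 3, "spo2_percent": 0.97, "consciousness": "alert"}
    for rec in (patient, vas_scale, fraction):
        print("unchecked:", score(rec), "| checked:", triage(rec))
```

The specification is the artefact an auditor can read alongside the model; the validator is what turns it into a control. Intermediate and output data deserve the same treatment, which in practice means declaring a domain for the priority value itself and for anything the rule derives on the way.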

Explainable AI: The latest analysis by the EDPS states that modern AI models often work as opaque decision-making engines, truly black boxes reaching conclusions with little transparency or explanation of how a given result is obtained. Explainable AI, or XAI, focuses on developing AI systems that not only provide accurate predictions and decisions but also make their reasoning understandable. Individuals affected by XAI would be able to understand the reasoning behind an automated decision and take an appropriate, informed course of action. Clear information about the behaviour of an AI system also affects the ability of its users, such as data controllers and processors, to evaluate the risks that the tool may pose to individuals’ rights to data protection and privacy.

DSARs: Guernsey’s data protection authority has published new guidance on data subject access requests, for data controllers and for individuals. One of the most commonly used rights is the right of access, also referred to as a ‘subject access request’ or ‘data subject access request’: an individual asks what personal data a controller holds about them and why. An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit or to assess performance at work (except where this information is a trade secret). In short, a DSAR is when an individual asks you:

  • what do you know about me?
  • what do you think about me?
  • what do you think you know about me?
  • what are you doing with all this information? 

Separate guidance for individuals who may wish to make a DSAR covers how to make one, what you should receive back, and what to do if you are not happy with what you receive.

CCTV: Further comprehensive guidance from the Guernsey regulator looks at CCTV use by data controllers (with exceptions for household, journalistic and artistic activities). It is based on seven principles that require you to do the following:

  • Be clear about how personal information is used, for what purpose and on what legal basis.
  • Use personal information only for specific, explicit and legitimate purposes.
  • Collect no more information than is needed.
  • Make sure personal information is accurate and kept up to date. 
  • Keep information for no longer than necessary. 
  • Keep information secure. 
  • Be responsible and accountable for how personal information is used.

Loyalty programs: What rules should an entrepreneur follow when creating customer loyalty programs? A loyalty program is an additional service, so the legal basis for the initial relationship, performance of the contract, does not apply to it. The customer must give their consent to the processing of their personal data for one or more specific purposes. If the entrepreneur includes transfer of customer data to other partners as part of the loyalty program, the customer must not only be informed about it but must also consent to it.

There should be no direct or indirect pressure on the customer. The entrepreneur must also take into account that the customer has the right to withdraw their consent to the processing and demand that it cease, along with deletion of all their personal data that is no longer necessary for the performance of the contract.

Enforcement decisions

Wildcat telemarketing and confiscated databases: The Italian data protection authority confiscated databases, for the first time, at two call centre companies allegedly conducting illegal and unregulated telemarketing. The operation was carried out by the Guardia di Finanza’s Special Privacy Protection and Technological Fraud Unit. Four companies were fined between 200,000 and 800,000 euros. Using illegally produced contact lists they had acquired, the sanctioned companies contacted tens of thousands of people who had never given the consent required for the processing of their data for marketing purposes, proposing offers from various energy companies.

Clairvoyance consultations: The French privacy regulator has imposed a 150,000 euro fine on KG COM. The company collected excessive data, including sensitive data, without prior and explicit consent, and did not sufficiently ensure data security. KG COM operates several websites offering clairvoyance consultations through an online chat interface or by telephone. The investigation found that:

  • it systematically recorded all telephone calls between teleoperators and prospects, and all conversations, for the purposes of service quality control, proof of contract subscription and potential judicial requisitions, which the regulator found excessive;
  • it kept sensitive data relating to health and sexual orientation without obtaining explicit consent;
  • it kept customers’ banking data beyond the time strictly necessary to carry out the transaction (while retention of bank data for anti-fraud purposes can rest on legitimate interest, this does not cover retention for subsequent purchases, for which the company should have obtained consent);
  • it allowed insufficiently strong passwords for user accounts and failed to secure access to them, using HTTP instead of HTTPS;
  • it used a mechanism to encrypt banking data that was vulnerable.

Spotify fine: The Swedish privacy authority has reviewed how Spotify handles customers’ right to access their personal data and fined the company 58 million SEK (around 5 million euros). Spotify divides customers’ personal data into different layers. One layer contains the customer’s contact and payment details, which artists the customer follows and the listening history for a certain period. If the customer wants more detailed information, for example all technical log files relating to them, it has also been possible to request these from another layer.

The regulator found that although Spotify releases the personal data it processes when individuals request it, the company does not inform customers clearly enough about how that data is used. Receiving sufficient information is often a prerequisite for exercising other rights, for example the right to have incorrect information corrected or removed.

Audits

College group: The UK Information Commissioner’s Office has conducted a consensual audit of the Chichester College Group’s data protection measures. Various areas requiring improvement were found, as the college group does not have a complete and fully documented information governance (IG) policy and framework:

  • the flow of information between the senior management team, the data protection office, the audit and risk committee and other key IG committees and groups has not been finalised;
  • a process ensuring that information risks are fully documented and managed throughout the organisation needs to be implemented;
  • there is no ongoing compliance monitoring of staff involved in the processing of personal information;
  • the group must ensure that an appropriate written contract is in place with each of its data processors;
  • a central record of data processor contracts and a data processor procurement, due diligence and compliance process need to be finalised.

Data security

Mobile applications: Before installing or starting to use a mobile application, users should familiarise themselves with its privacy notice and rules of use, and carefully evaluate the personal data it asks to collect and the permissions it requests, states the Lithuanian data protection authority. This information must be available to the user (on the website that offers the app and in the app itself) before they enter personal data, grant permissions or create an account. Users should also assess what they want from the application; for instance, for direct-communication apps it is possible to restrict access to photos and the device’s camera.

Permissions granted to a mobile application can be restricted during installation or at any later time the user chooses. For example, restricting access to location data is relevant whenever the user does not need the location functionality at that moment. Similarly, for social networking, dating and messaging apps it is advisable not to grant access to the contacts saved on the device, but to add specific people chosen by the user to the application individually.

2FA: The Office of the Privacy Commissioner in New Zealand recommends that all firms use two-factor authentication to secure the information they store. Implementing 2FA wherever applicable is also a particularly valuable mitigating argument when defending against regulatory fines and other legal consequences of a data breach. What is appropriate depends on the organisation’s size and on the scope and sensitivity of the personal information it holds.
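The recommendation above is policy; what it looks like in code is the mechanism behind most authenticator apps. The following is an added example, not material from the New Zealand Privacy Commissioner’s guidance: a self-contained Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238) using only the standard library, an enrolment URI for authenticator apps, and a server-side verifier that tolerates one step of clock drift and refuses replayed codes. The key used in the demo is the public RFC test-vector key, so the printed values can be checked against the RFC tables; the account and issuer names are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the number of elapsed
    `step`-second intervals since the Unix epoch."""
    return hotp(key, int(unix_time) // step, digits)


def new_secret(nbytes: int = 20) -> bytes:
    """Per-user shared secret from the OS CSPRNG (20 bytes = 160 bits, the
    natural key size for HMAC-SHA1)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(key: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI in the de facto Key URI format understood by common
    authenticator apps; normally rendered as a QR code during enrolment."""
    secret = base64.b32encode(key).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


class TotpVerifier:
    """Server-side verifier for one enrolled secret.

    Accepts codes from `window` steps either side of the current one to absorb
    clock drift, compares in constant time, and records the highest step it has
    accepted so that a code which was already used (or is older than one
    already used) is refused: RFC 6238 requires that a validated OTP is never
    accepted twice. State is kept in memory here; a real deployment persists
    it per user.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        # Reject malformed input before touching the MAC: wrong length or
        # non-ASCII digits can never match and would upset compare_digest.
        if len(code) != self.digits or not code.isascii() or not code.isdigit():
            return False
        now = int(time.time()) if unix_time is None else int(unix_time)
        current = now // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = current + drift
            if candidate <= self.last_accepted_step:
                continue  # replay, or older than an already-accepted code
            expected = hotp(self.key, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # The 20-byte ASCII key from the RFC test vectors, so results can be checked
    # against the published tables; a real secret comes from new_secret().
    rfc_key = b"12345678901234567890"
    print("HOTP counter 0:", hotp(rfc_key, 0))   # 755224 per RFC 4226
    print("TOTP at t=59:  ", totp(rfc_key, 59))  # 287082 per RFC 6238
    print(provisioning_uri(rfc_key, "alice@example.com", "ExampleCorp"))
    verifier = TotpVerifier(rfc_key)
    print("first use:", verifier.verify("287082", 59))  # True
    print("replay:   ", verifier.verify("287082", 59))  # False
```

This covers only the second factor. The password check, rate limiting on the verify endpoint (six digits give an attacker a 1 in 10^6 chance per guess, so unlimited attempts defeat the scheme) and encrypted storage of the per-user secret sit around it.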

Big Tech

MOVEit cyberattack: According to the Guardian, British Airways, Boots, the BBC, Ofcom, Transport for London and others are investigating the potential theft of employees’ personal information following a cyber-attack that exploited a vulnerability in MOVEit Transfer, the file transfer software used by the payroll provider Zellis. Zellis stated that a “small” number of its clients were affected. Microsoft’s threat intelligence team attributed the MOVEit attacks to a group it tracks as Lace Tempest. Names, surnames, employee numbers, dates of birth, email addresses, first lines of home addresses and national insurance numbers may have been among the information compromised.

Airdrop and Bluetooth restrictions in China: Meanwhile, China is developing new rules to govern short-range file-sharing features such as AirDrop and Bluetooth. The Cyberspace Administration of China has published draft regulations on “close-range mesh network services” and opened a month-long public consultation. Service providers would be required to prevent the spread of harmful and unlawful material, keep records and report what they find, and to provide data and technical support to the authorities, including internet regulators and police, during inspections. Users would have to register under their real names, and features and technologies with the potential to mobilise public opinion would have to undergo a security assessment before being deployed.

Data protection & privacy digest 18 Apr – 2 May 2023: draft AI legislation finalised, and employers’ compliance in focus
https://techgdpr.com/blog/data-protection-digest-03052023-draft-ai-legislation-finalised-and-employers-compliance-in-focus/
Wed, 03 May 2023 07:33:26 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

Draft AI Act: The long-discussed AI legislation is expected to go through the full European Parliament vote in mid-June. After two years of discussions with stakeholders, MEPs have reportedly reached a common political position. However, it will take a few years before the law is enforced: the EU interinstitutional ‘trilogue’ that follows parliamentary approval may take a while, and the rules would then apply only after a transition period.

The most rigorous requirements will apply to high-risk systems, such as those used for biometric identification or critical infrastructure management, or those used by very large online platforms and search engines, where they pose threats to health, safety or fundamental rights. The framework includes testing, proper documentation, data quality requirements and human oversight. Extra safeguards are promised when such systems need to process special categories of personal data, with synthetic, anonymised, pseudonymised or encrypted data to be preferred instead.

MEPs also support stricter data governance obligations for foundation models (such as the models behind ChatGPT), distinguishing them from general-purpose AI.

MiCA: Meanwhile the Parliament endorsed the EU rules to trace crypto-asset transfers and prevent money laundering, as well as common rules on supervision and customer protection. The “travel rule”, already used in traditional finance, will in future cover transfers of crypto-assets: information on the originator of the asset and its beneficiary will have to accompany the transaction and be stored on both sides of the transfer. The rules will not apply to person-to-person transfers conducted without a provider, or to transfers among providers acting on their own behalf. Full application of the framework is expected by the end of 2024 or early 2025.

America’s innovative tech: Existing legal authorities apply to the use of automated systems and innovative new technologies just as they apply to other practices, the US Justice Department states together with its federal partners. The US Constitution and federal statutes prohibit discrimination across many facets of life, including education, criminal justice, housing, lending and voting. It is illegal for an employer to discriminate against an applicant or employee because of their race, religion, gender, age, pregnancy, disability or genetic information. Regulators can also require firms to destroy algorithms or other work products that were trained on illegally collected data.

Case law

Apartment surveillance: The Estonian Supreme Court explained when surveillance cameras may be installed in an apartment building if some owners do not agree. In the case at hand, drug gang activity had been spotted in the building, but one owner contested the cooperative’s decision to install cameras as an intrusion into his privacy and a risk of being monitored. As CCTV processes personal data, a legal basis is required under the GDPR. If the owners cannot reach agreement, the decision can be taken by majority vote, provided there is a legitimate interest that outweighs the interests and fundamental rights of the apartment owners (in this case, a security threat).

However, the court stated, if the installation of cameras is decided by majority vote at the general meeting, all apartment owners must be given the opportunity to familiarise themselves with the planned conditions, including a privacy notice for the use of the cameras, before the meeting. If this requirement is violated, the decision of the general meeting is null and void.

Official guidance

SMEs guide: An organisation not only has to process personal data according to the GDPR, but it also needs to be able to demonstrate its compliance. For this purpose, the EDPB published its Guide for SMEs. It applies whenever you process personal data about your staff, consumers, and business partners. Transparency, data minimisation, respect for individual rights and good security practices are basic precautions for both data controllers and processors. The guide contains visual tools and other practical materials. In addition, it contains an overview of handy materials developed for SMEs by the national data protection authorities.

Employer’s guide: The Irish data protection regulator has meanwhile published Data Protection in the Workplace guidance. Employers collect and process significant amounts of personal data on prospective, current and former employees. Although not all organisations are required to have a data protection officer, organisations may still find it useful to designate an individual to oversee recruitment data processing. The guide includes explanations and examples of appropriate legal bases, storage periods, fulfilment of data subject requests, employee monitoring technologies, the status of work email, and much more.

Employees’ photos: The Slovenian data protection agency published its opinion on the revocation of consent for the publication of employees’ photos on the employer’s social networks. Processing an employee’s personal data on the basis of their consent is permissible only in exceptional cases, because of the obviously unequal position of employer and employee.

Nonetheless, if the circumstances of the employment relationship do not require the production, publication and continued storage of a photograph, the employer should obtain consent (and provide all the information required by Art. 13 of the GDPR). In that case, the fact that the photos have been made public has no effect on the possibility of revoking consent to their publication, and a manager’s refusal or silence gives grounds for lodging a complaint with the data protection authority.

RoPA: A new guide on records of processing activities, with practical examples, was issued by the Irish data protection agency. The RoPA should not just be a ‘catch-all’ document that refers to other documents; all processing activities should be recorded in sufficient detail for an external reader or an auditor to fully comprehend the document. Smaller organisations may not be required to maintain a full RoPA because of their size, but most organisations will need to record processing activities such as HR and payroll functions, and a simple spreadsheet may be sufficient. For more complex organisations, the data controller may opt to use a relational database or one of the RoPA tools available from third-party data protection service providers.

Online training: At the planning stage of a seminar, explains the Latvian data protection regulator, best practice is to write down and evaluate what data about the event’s attendees is intended to be processed, and for what purposes. Beyond registration data this can include technical data from a participant’s device and the broadcast and recording of the seminar. The next questions are the applicable legal basis, the types of personal data, and the storage periods necessary to achieve the goal.

Where other (joint) controllers or processors are involved, they must agree among themselves, determine their specific responsibilities and inform the workshop participants. The organiser(s) can include this information in the general privacy policy or develop it separately for each seminar. The information must be provided in a concise, transparent, understandable and easily accessible way (it is considered good practice to have the privacy policy no more than two clicks away from the website’s front page).

Enforcement decisions

ChatGPT: The temporary ban on OpenAI’s ChatGPT has been lifted by the Italian data protection authority after the platform introduced the required option for users to opt out of the processing of their data before using the chatbot. A number of other European regulators are also moving into action: the French data protection authority has announced an investigation into complaints it has received, and the German regulators want to know whether a data protection impact assessment has been conducted. At the same time, Ireland’s regulator advises against rushing into ChatGPT prohibitions that “really aren’t going to stand up”, stressing that it is necessary first to understand more about the technology.

Record number of cases: The Spanish data protection agency published its 2022 report. 15,128 claims were filed, an increase of 9% compared to 2021 and 47% compared to 2020. The figure rises to 15,822 including cross-border cases from other European authorities and cases in which the agency acts on its own initiative. The areas with the highest amount of fines imposed were internet services, advertising, labour matters, personal data breaches, fraudulent contracting and telecommunications. The main way of resolving claims is to transfer them to the data controller, which produces a satisfactory response for the citizen in an average of less than three months, the report states.

Employee’s dismissal: The Danish data protection authority criticised an employer who informed the entire workplace that an employee had been dismissed due to, among other things, cooperation difficulties. The employer’s briefing emails went further than was necessary for the purpose, namely to inform the relevant people about the departure. The employer argued that making the reason public was intended to prevent rumours; the Danish regulator found, however, that consideration for the departing employee weighed more heavily.

Security clearance: The Danish authority also decided against a former security guard who complained that his employer (Securitas) had passed information about him to the intelligence services in connection with a security clearance without obtaining his consent. Securitas maintained that all on-call employees are informed of the security clearance requirement, and the complainant had completed an employment form containing a declaration of consent; his application for security approval would have been rejected had he not completed, signed and consented to it.

Dark patterns: In Italy, a company offering digital marketing services was found to have illegally processed personal data. On some of the portals owned by the company, “dark patterns” were used which, through specially designed graphical interfaces and other potentially misleading methods, enticed users to consent to the processing of their data for marketing purposes and to its communication to third parties. In addition, an invitation to click on a link leading to another site to download an e-book presented the user’s profile data already recognised and the consent box already ticked.

Security evidence logs: For a careless response to a data access request, the Spanish data protection authority fined Securitas Direct España 50,000 euros, according to DataGuidance. The complainant exercised their right of access after their holiday home, for which they had signed a security service contract, was burgled. Securitas Direct did not provide the data logs from the alarm system, and those it did send to the complainant were incomplete, out of chronological order and missing the decryption keys. The logs produced by the alarm system installed in the complainant’s home, the regulator stated, are personal data and are thus subject to the right of access.

Data security

Consumers’ personal data: New York’s Attorney General has released a guide to help businesses adopt effective data security measures to better protect personal information. The guide offers a series of recommendations intended to help companies prevent breaches and secure their data, including:

  • maintaining controls for secure authentication,
  • encrypting sensitive customer information,
  • ensuring your service providers use reasonable security measures,
  • knowing where you keep consumer information,
  • guarding against automated attacks, and
  • notifying consumers quickly and accurately of a data breach, among other measures.

Cybersecurity of AI: The European Union Agency for Cybersecurity published an assessment of standards for the cybersecurity of AI and issued recommendations to support the implementation of upcoming AI legislation. AI mainly covers machine learning, drawing on methods such as deep learning, logic- and knowledge-based approaches, and statistical approaches. However, the exact scope of an AI system is constantly evolving, both in the legislative debate on the draft AI Act and in the scientific and standardisation communities. 

The assessment starts from the observation that AI is, at its core, a software layer, so what is applicable to software security could also be applicable to AI. However, that does not mean the work ends there. Other aspects still need to be considered, such as a system-specific analysis to cater for security requirements deriving from the domain of application, and standards to cover aspects specific to AI, such as the traceability of data and testing procedures. Meanwhile, some key recommendations include:

  • establishing a standardised AI terminology for cybersecurity;
  • developing technical guidance on how existing standards related to the cybersecurity of software should be applied to AI;
  • reflecting on the inherent features of machine learning in AI;
  • considering risk mitigation by associating software components with AI, together with reliable metrics and testing;
  • promoting cooperation and coordination across standards organisations’ technical committees.

Big Tech

VLOPs: The first designations of ‘Very Large Online Platforms and Online Search Engines’ under the Digital Services Act, (and the Digital Markets Act), were made public by the European Commission. As the 19 designated entities reach 45 million monthly active users, they will be subject to more regulatory requirements: user rights offerings, targeted advertising opt-outs, restrictions on sensitive data and profiling of minors, as well as improved transparency and risk assessment measures. Within four months of notification, the platforms will have to redesign their services, including their interfaces, recommender systems, and terms and conditions.

Salesforce Community leaks: A large number of businesses, including banks and healthcare organisations, are leaking information from their open Salesforce Community websites, a KrebsOnSecurity analysis has discovered. Customers can access a Salesforce Community website in two different ways: through authenticated access, (which requires logging in), and through guest user access, (which doesn’t). It appears that Salesforce administrators may inadvertently give guest users access to internal resources, (payroll, loan amounts, bank account information combined with other data), which could allow unauthorised users to gain access to a company’s confidential information and result in possible data leaks.

The post Data protection & privacy digest 18 Apr – 2 May 2023: draft AI legislation finalised, and employers’ compliance in focus appeared first on TechGDPR.

Data protection & privacy digest 12 – 24 October 2022: first GDPR certification seal, test databases, password management
https://techgdpr.com/blog/data-protection-digest-25102022-first-gdpr-certification-seal-test-databases-password-management/
Tue, 25 Oct 2022 10:54:25 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance: first European data protection seal, GDPR harmonisation rules, data breach notification, children’s data protection, artistic and literary works

The EDPB approved the very first GDPR certification seal, (see the detailed opinion here). Europrivacy became the first certification mechanism that demonstrates compliance. It was developed through the European Research Programme Horizon 2020 and is continuously updated by the European Centre for Certification and Privacy in Luxembourg and its International Board of Experts. Companies and services can use the certification scheme to increase the value of their businesses and trust in their services. They can use Europrivacy to:

  • assess the compliance of their data processing activities,
  • select data processors,
  • assess the adequacy of cross-border data transfers,
  • assure citizens and clients of the adequate processing of their data.

The scheme applies to a wide variety of data processing activities while taking into account sector-specific obligations and risks, such as AI, IoT, blockchain, automated cars, smart cities, etc. It is supported by a ledger-based registry of certificates for authenticating delivered certificates and for preventing forgery. The GDPR certification seal has an innovative format for criteria, which is both human- and machine-readable. It is also aligned with ISO standards and can be easily combined with the certification of information security management systems (ISO/IEC 27001). 

The EDPB is also asking the European Commission for clarification and harmonisation of rules on procedures that still differ in each European Member State. This includes clarity about the rights of people making a complaint, criteria for handling complaints, the scope and nature of the documents that must be shared in complex investigations, deadlines for handling cases, how to close cases, investigative powers, and the publication of decisions. Additionally, complaints can sometimes be resolved in a non-contentious way, for example after the intervention of the supervisory authority (SA) has facilitated the exercise of a data subject’s rights. However, the current lack of harmonisation regarding amicable settlements creates challenges. 

To support children, their parents and educators in the digital world, the French regulator CNIL provides practical sheets, games, and videos, in clear and straightforward language, (in French only). This includes a digital vocabulary for children explaining what terms like IP address, cookies or paywalls mean, but also teaches children the right reflexes when doing things such as subscribing to a social network, (“TacoTac”), downloading online games on parents’ devices, sharing “funny” images/videos of people online, and much more. 

Latvia’s data protection authority DVI explains the principles of data processing within artistic and literary expression, as creators’ final results may contain other people’s data. An artist or writer, when evaluating the result of their work and before making it available to the general public, must satisfy themselves that:

  • the work was created within the framework of the artist’s right to freedom of speech and expression;
  • the right to privacy and data protection of natural persons whose data is included in the artistic or literary object is not threatened;
  • the work does not threaten interests of the data subject that outweigh the interest of the public in getting to know the creation;
  • works, (eg, photos), in which natural persons are depicted offensively, or which may cause personal injury, moral or other harm, thereby infringing the right to privacy of that person, are not published;
  • if the involved natural persons are informed about the planned purpose, it is expressed clearly, without hidden intentions. 

The EDPB is seeking public comments on updated guidelines on personal data breach notification under the GDPR. Back in 2017, Working Party 29 adopted the document, which was endorsed by the EDPB. The new one is a slightly updated version of those guidelines. In particular, the EDPB noticed that there was a need to clarify the notification requirements concerning personal data breaches at non-EU establishments. The paragraph concerning this matter has been revised and updated. Any reference to the WP29 Guidelines on Personal data breach notification should, from now on, be interpreted as a reference to these EDPB Guidelines.

Legal processes:  test databases, MiCA draft regulation, bank AML monitoring, debt information collection

The CJEU delivered judgment related to retention and purpose limitation principles: creation and long retention of a database to carry out tests and correct errors, and compatibility of such processing with the purposes of initial collection. The request was made in proceedings between ‘Digi’, one of Hungary’s main internet and television providers, and the country’s data protection regulator NAIH, concerning a Digi test database breach, (by an ethical hacker). Digi had not deleted the test database, with the result that a large amount of personal data had been stored without any purpose for almost 18 months. However, data copied into the test database had been lawfully collected to conclude and perform the subscription contracts. On the request of the Budapest High Court, the CJEU clarified that:

  • Processing of a database set up for testing and error correction does not fall outside the legitimate expectations of those customers as regards the further use of their data, (since such errors are liable to harm the provision of the contracted service). 
  • It is not apparent that all or part of that data was sensitive or that the subsequent processing had harmful consequences for subscribers or was not accompanied by appropriate safeguards.
  • At the same time, a database created for testing and correcting errors should not be kept for a period exceeding what is necessary to carry out those tests and to correct those errors. 

The final text proposal for a Regulation on Markets in Crypto-assets (MiCA) has been endorsed by the European Council, and now awaits formal approval in the European Parliament. MiCA attempts to provide a harmonised framework for the protection of holders of digital assets, including their data. Currently, some crypto-assets fall outside of the scope of EU financial services legislation. There are no rules, other than AML rules, for services related to these unregulated crypto-assets, including for the operation of trading platforms for crypto-assets, the service of exchanging crypto-assets for funds or other crypto-assets, or the custody of crypto-assets. The lack of such rules leaves holders exposed to risks, in particular in areas not covered by consumer protection rules. 

The proposed regulation states that the issuing, offering, or seeking admission to trading of crypto-assets and the provision of crypto-asset services could involve the processing of personal data. Any processing of personal data under this regulation should be carried out in accordance with applicable Union law on the protection of personal data. Furthermore, crypto-assets shall not be considered to be offered for free where purchasers are required to provide or to undertake to provide personal data to the offeror. Also, regarding the transfer of personal data to a third country, the European Banking Authority shall apply Regulation 2018/1725 (‘on the protection of natural persons concerning the processing of personal data by the Union institutions’). 

The Dutch data protection authority, (AP), is concerned that a new anti-money laundering law opens the door to unprecedented mass surveillance by banks. Part of the proposal is to monitor all bank transactions of all Dutch account holders in one centralised database, using algorithms. In addition, banks must start exchanging customer data with each other. In many cases this monitoring could be outsourced to an algorithm-capable third party. Combined, the risks associated with this system are disproportionate to the purpose of the bill, believes the AP. For instance, this system could lead to people wrongly losing access to their bank accounts altogether. Banks are already required to carry out individual checks on people or companies that may be laundering money or financing terrorism, and they must report unusual transactions to the authorities. 

The Norwegian data protection authority Datatilsynet responded to the government’s proposal to extend the debt information scheme to also include mortgage-secured debt. The regulator recognizes that banks and other creditors need to process information about existing mortgages and car loans in connection with the assessment of a loan application. However, the proposal conflicts with the data minimisation principle, states Datatilsynet. Banks and other credit institutions already have access to information about mortgages and car loans. It appears that the real purpose of the proposed extension of the debt information scheme is to make the creditors’ collection of information about mortgage-secured debt more efficient. This needs to be done in a more privacy-friendly way, and the regulator also points out that citizens’ debt information is attractive for both public and commercial actors, increasing the risk of purpose slippage.

Investigations and enforcement actions: lost DSAR, generic responses to DSARs, whistleblowing reports management, Clearview AI fine, Zoetop data leak

The Italian privacy regulator Garante fined BPER Banca 10,000 euros for violating Art. 12 and 17 of the GDPR. The complainant asked the bank, via email, to delete his professional account from a job application database. This email was acknowledged by the company, which asked him to repeat the request accompanied by identity documents, which the bank duly received at the same email address. However, this last communication was not followed by any effective action by the person in charge, (HR planning and development service), following an internal misunderstanding: changes in the company’s e-mail system generated some problems in communication flows between the various corporate functions. The account deletion request was finally fulfilled when the complainant’s lawyer sent a registered letter presenting alleged pecuniary and non-pecuniary damage due to the non-cancellation. However, the company noticed that some of the applicant’s data would still need to be processed for administrative, accounting, operational and organizational reasons. Other statutory retention periods would also apply for other litigation, or administrative/judicial proceedings. 

Garante also imposed a 10,000 euro fine on Clio S.r.l. for violating Art. 5, 6, and 30 of the GDPR, in connection with similar decisions issued against the Municipality of Ginosa and Acqua Novara.VCO, Data Guidance reports. Clio supplies and manages, on behalf of various public and private entities, an application used for the acquisition and management of whistleblowing reports. Garante found that Clio had failed to regulate the relationships with various customers, who acted as data controllers, as a result of which Clio had carried out data processing activities in the absence of an appropriate legal basis. In addition, Clio had failed to keep a register of the processing activities carried out on behalf of the data controllers. Garante however noted the collaborative behaviour of Clio in the course of the investigation.

The Croatian data protection authority AZOP recently issued a negative statement on a generic response to data subject access requests, (in this case, the location of stored data), by a telecoms provider. The complainant received a generic notice listing the category of data collected along with the legal bases, and was told that any information on the processing of data, (collected with his consent), could only be obtained from the point of sale. Since the applicant was not satisfied with the generic answer, he repeated his inquiry on the same day in greater detail, specifically about where his data was stored, but he did not receive an answer from the company. 

The French regulator CNIL imposed a penalty of 20 million euros, (the maximum financial penalty under Art. 83 of the GDPR), on CLEARVIEW AI and ordered the company to stop collecting and using, without any legal basis, the data of people in France and to delete data already collected. CLEARVIEW previously was given two months to comply with the formal notice and justify it to the CNIL. However, it did not provide any response. CLEARVIEW scrapes photographs from a wide range of websites, including social media, that can be consulted without logging into an account, and extracts accessible images and videos from distribution platforms. Through this collection, CLEARVIEW creates, expands, and markets access to its search engine in which an individual can be searched for using images. The company offers this service to law enforcement agencies. CLEARVIEW boss Hoan Ton-That stated to the media that his company had no clients or premises in France and was not subject to EU privacy law, adding that his firm collected “public data from the open internet” and complied with all standards of privacy.

The New York Attorney General secured 1.9 million dollars from an e-commerce retailer, Zoetop, (owner of SHEIN and ROMWE), for failing to properly handle a data breach that compromised the personal information of tens of millions of consumers. Zoetop was targeted in a cyberattack. Worldwide, 39 million SHEIN account credentials were stolen, including the credentials of more than 375,000 New York residents. Attackers stole credit card information and personal information, including names, email addresses, and hashed account passwords. Zoetop did not detect the intrusion and was later notified by its payment processor that its systems appeared to have been compromised. Zoetop also represented, falsely, that it had seen no evidence that credit card information was taken from the systems.

Data security: data breaches, software support practices, password management

A quick reminder from the Latvian data protection authority DVI was published on what constitutes a data breach and how to report it. Breaches can be classified according to three well-known information security principles:

  • Confidentiality incident, (hackers have found a security “hole” in the organisation’s information system and retrieved the personal data of customers).
  • Integrity incident, (due to an incorrectly constructed SQL query, the integrity of records of a customer database stored in the cloud has been lost. As a result, the new records are assigned to inappropriate reference fields and related information of one customer is attributed to another customer).
  • Availability incident, (due to the organisation’s incorrect backup copy policy, the existing database is overwritten with a half-year-old backup copy, without the possibility of restoring to a more current version of the database).

An organisation must therefore have developed and implemented an internal procedure for determining whether a breach has occurred, as well as a procedure for assessing the risks arising from it. If it is determined that the breach is likely to pose risks to the rights and freedoms of a natural person, the organisation must notify the supervisory authority within 72 hours. If the notification takes place later, the reasons for the delay must be explained. Finally, the causes of the breach must be thoroughly investigated and measures must be taken to prevent repeated breaches in the future.

Privacy International looked into the software support practices for five of the most popular categories of smart devices, (smartphones, personal computers, gaming consoles, tablets, and smart TVs), and concluded that they fail to meet the expectations of the vast majority of consumers. The majority of EU consumers surveyed expect their connected devices to receive security updates for a much longer period than what manufacturers currently offer. In many cases, software updates, including security updates, are provided for a period that is shorter than the product’s expected life cycle. And when it comes to accessibility of information, only a few companies appeared to have detailed policies online. It is therefore critical that software remains up to date for a long time to ensure a device is secure and to reduce risks to consumers’ privacy and security, stated PI.

In the context of increasing compromises of password databases, the French CNIL updated its recommendation to take into account the evolution of knowledge and allow organisations to guarantee a minimum level of security for this authentication method. According to a 2021 Verizon study, 81% of global data breach notifications are related to a password issue. In France, about 60% of notifications received by the CNIL since the beginning of 2021 are related to hacking, and a large number could have been avoided by following good password practices, (two-factor authentication or electronic certificates). 

If operations relating to password management are entrusted, in whole or in part, to a subcontractor, roles and responsibilities must be precisely defined and formalised, and the level of security required and the security objectives assigned to the processor must be clearly defined, taking into account the nature of the processing and the risks it is likely to generate. Finally, even if mere software publishers are not themselves subject to the legal framework for data protection, their users must comply with it. In this sense, the documentation of password management software must specify in detail the modalities of generation, storage, and transmission of passwords.

Big Tech: human behaviour that leads to data breaches, Australia data leaks, Meta’s Pixel tracking tool, AI hiring tools, speech to identify mental health problems

London-based cybersecurity company OutThink has raised 10 million dollars in early-stage investments as it looks to help organisations identify human behaviour that can lead to data breaches. The company, which claims human behaviour is the source of 91% of data breaches, uses machine learning, natural language processing, and applied psychology to identify, understand and manage the attitudes, intentions, and sentiments of individuals.

Australia envisages increased penalties for data breaches following major cyberattacks. Australia’s telco, financial, and government sectors have been on high alert since Optus, the country’s second-largest telco, disclosed a hack that saw the theft of personal data from up to 10 million accounts. The attack was followed by a data breach at health insurer Medibank Private, which covers one-sixth of Australians, including medical diagnoses and procedures. Australia’s Woolworths Group also said its online retailer MyDeal identified that a “compromised user credential” was used to access its systems that exposed data of nearly 2.2 million users, Reuters reports. 

At least 47 proposed class actions have been filed since February claiming that Meta Platforms Inc.’s Pixel tracking tool sent the plaintiffs’ video consumption data from online platforms to Facebook without their consent, in violation of the federal Video Privacy Protection Act, a Bloomberg Law analysis of court dockets found. Almost half of the new cases were filed in September alone. The complaints allege that the platforms knowingly disclosed protected information by allowing Meta’s embedded Pixel code to share a digital subscriber’s viewing activity and unique Facebook ID with the social media platform.

AI hiring tools do not reduce bias or improve diversity, Cambridge University researchers say in a study of the evolving technique the BBC called “pseudoscience”, reporting on the study. In particular, claims one of the research team, these tools can’t be trained to only identify job-related characteristics and strip out gender and race from the hiring process, because the kinds of attributes we think are essential for being a good employee are inherently bound up with gender and race. Some companies have also found these tools problematic, the study notes. For instance, a German public broadcaster found wearing glasses or a headscarf in a video changed a candidate’s scores. 

Finally, software that analyses snippets of your speech to identify mental health problems is rapidly making its way into call centers, medical clinics, and telehealth platforms, putting privacy activists on alert, according to Axios news. Unlike Siri and Alexa, vocal biomarker systems analyse how you talk — prosody, pauses, intonation, pitch, etc. — but not what you say. While the voice sample is run through a machine-learning model that uses a capacious database of anonymized voices for comparison, it may increase systemic biases towards people from specific regions, backgrounds, or with a specific accent.

The post Data protection & privacy digest 12 – 24 October 2022: first GDPR certification seal, test databases, password management appeared first on TechGDPR.