minors data Archives - TechGDPR
https://techgdpr.com/blog/tag/minors-data/

Data protection digest 3 Jan 2026: Improvements are being made to GDPR enforcement, US consumer privacy, and emerging “Shadow AI” concerns
https://techgdpr.com/blog/data-protection-digest-03012026-improvements-are-being-made-to-gdpr-enforcement-us-consumer-privacy-and-emerging-shadow-ai/
Wed, 07 Jan 2026 09:47:06 +0000
GDPR enforcement simplified

A new regulation supplementing the GDPR came into force on 1 January. It speeds up the work of data protection authorities in enforcement cases that involve multiple countries in the EU/EEA. Among other things, the regulation provides for time limits, stages of investigation, the exchange of information between authorities, and the rights of the parties concerned. In future, data protection authorities will as a rule have to issue a resolution proposal on a cross-border case within 12-15 months; in the most complex cases, the deadline can be extended by 12 months. The regulation will apply from April 2027.


UK Adequacy decision

The European Commission adopted two new adequacy decisions for the UK, one under the GDPR and the other under the Law Enforcement Directive, valid until 27 December 2031. Under the new decisions, transfers of personal data from the EU to the UK can continue to take place without any specific framework. Following Brexit, the Commission had adopted two adequacy decisions vis-à-vis the UK in 2021, each with a sunset clause. Those decisions expired in mid-2025 but were extended until the end of the year. The EDPS has since issued an opinion on the new decisions.

More legal updates

US consumer privacy updates: In Kentucky, as well as Indiana, Rhode Island and several other states, GDPR-inspired consumer data privacy legislation took effect on January 1. In Kentucky, in particular, the new legislation establishes the rights to confirm whether data is being processed, to correct any inaccuracies, to delete personal data provided by the consumer, to obtain a copy of the consumer’s data, and to opt out of targeted advertising, the sale of data, or profiling of the consumer, along with requirements for entities that control and process their data.

Similarly, in January, new regulations became effective in California regarding a risk-assessment framework for certain high-risk data processing activities, as well as transparency and notice requirements, disclosure of sensitive personal information, data breach reporting, consumer rights requests, and data collection and deletion by data brokers.

AI use by banks

The Hungarian data protection regulator issued a report on the processing of personal data by AI systems used by banks in Hungary (available in English). Some good practices indicated by the report include:

  • AI recognition of images, voices and texts must be reliable, without compromising data security. Principles of data minimisation and storage limitation must be observed.
  • The quality of the data used for AI training is important, as well as identifying whether or not the training data needs to be linked to a specific natural person. In many cases, pseudonymisation or anonymisation can be used to mitigate privacy risks before training.
  • The use of ‘Shadow AI’ is becoming a new phenomenon. It covers all cases where users within an organisation use AI systems, for work or for personal purposes, on the organisation’s IT infrastructure in a way that is unregulated, non-transparent and uncoordinated from the organisation’s point of view.
  • In their operations, certain banks under review also use analytical models to analyse and predict creditworthiness and product affinity, the precise classification of which may raise questions. They often operate on a statistical basis, but may also have an AI-based component, and the appropriate safeguards must be applied.

More from supervisory authorities

EU Data Act: The French privacy regulator CNIL explained how the EU Data Act is going to reform the EU digital economy, gradually implemented through 2026-2027. The Act sets fair rules on the access and use of personal or non-personal data generated by connected objects. It allows anyone who owns or uses connected products to access the data generated by this object. It also facilitates their sharing with other actors, in particular by prohibiting unfair contractual clauses.

The implementation of this regulation must be done in conjunction with the GDPR. In particular, it provides that in the event of a contradiction between the two texts, it is the GDPR that prevails when personal data is concerned.

Similarly, the Digital Governance Act should be taken into account, which has set up new trusted intermediaries to encourage voluntary data sharing.

Bodycam use: At the end of December, the CJEU ruled in a case regarding a data controller’s obligation to provide information when collecting personal data via body-worn cameras used by ticket inspectors on public transport. The collection of personal data by means of body-worn cameras constitutes collection directly from the data subject. The information obligation under Article 13 of the GDPR must therefore be met at the time of collection. The information obligation can operate at several levels: the most important information can, for example, be stated on a warning sign, while the remaining information can be provided in another appropriate and easily accessible way.


Disney US settlement

On 31 December, a federal judge required Disney to pay 10 million dollars to settle FTC allegations that the company allowed personal data to be collected from children who viewed child-directed videos on YouTube without notifying parents or obtaining their consent as required by the Children’s Online Privacy Protection Rule (COPPA Rule). The complaint alleged that Disney violated the COPPA Rule by failing to properly label some videos that it uploaded to YouTube as “Made for Kids”.

The complaint alleged that by mislabeling these videos, Disney allowed for the collection, through YouTube, of personal data from children under 13 who viewed child-directed videos and used that data for targeted advertising to children.

More enforcement decisions

TikTok investigations: According to vitallaw.com, the Spanish and Norwegian data protection authorities have issued warnings to TikTok users regarding the company’s transfer of personal data to China, where national laws could require that data be shared with Chinese authorities. TikTok already faces EU fines over violations of the GDPR and was ordered to stop transferring personal data to China.

So far, TikTok has been granted an interim injunction that allows the company to continue transferring personal data to China until the case is resolved. As a result, regulators are warning users to read the online platform’s notifications and privacy policies, check their privacy settings and think about what they share in the app. It is also recommended that businesses consider whether to continue using TikTok and conduct risk assessments.

PCRM software fine: Finally, the French CNIL has fined Nexpublica 1,700,000 euros for failing to provide sufficient security measures for a tool used to manage relationships with users in the field of social action. Nexpublica (formerly Inetum Software) specialises in the design of computer systems and PCRM software, used in particular by homes for disabled people.

At the end of 2022, Nexpublica customers submitted data breach notifications to the CNIL because users of the portal had access to documents concerning third parties. The CNIL then carried out inspections of the company, which revealed the inadequacy of its technical and organisational measures. The CNIL considered that the vulnerabilities found:

  • were mostly the result of a lack of knowledge of the state of the art and basic safety principles;
  • were known and identified by the company through several audit reports.

Despite this, the flaws were only patched after the data breaches.

Data protection digest 4-18 Oct 2025: Transparency the GDPR’s 2026 enforcement goal, and the Experian case as a model NOT to follow
https://techgdpr.com/blog/data-protection-digest-20102025-transparency-the-gdprs-2026-enforcement-goal-and-the-experian-case-as-a-model-not-to-follow/
Mon, 20 Oct 2025 10:12:00 +0000

Transparency and information obligation under GDPR

The European Data Protection Board (EDPB) announced the topic of the Coordinated Enforcement Action 2026: transparency and information obligations. Articles 12, 13 and 14 of the GDPR require that individuals be informed when their personal data is processed, ensuring transparency and enabling greater control over personal information. Participating data protection authorities will join this action voluntarily in the coming weeks, with enforcement activities scheduled to launch during 2026.

Experian credit checks fine

As a background example of the transparency obligations above, the Dutch data protection authority AP last week imposed a 2.7 million euro fine on Experian Nederland. Experian provided credit ratings on individuals to its customers until 2025. The company collected data on factors such as negative payment behaviour, outstanding debts and bankruptcies. The AP found that Experian violated the GDPR by improperly using personal data and by failing to adequately inform individuals about this.

Experian created credit reports on individuals at the request of clients such as telecom companies, online retailers, and landlords. People started contacting the AP after they could no longer pay installments or because they suddenly had to pay a high deposit when switching energy suppliers. Only afterward did it become clear that this could be due to Experian’s credit scores. Because people weren’t aware of the credit check, they couldn’t check in time whether the information was accurate. Experian collected data about people from various sources, both public and private, and failed to adequately explain why this data collection was necessary.

Experian acknowledged violating the law and will not appeal the fine. It has ceased operations in the Netherlands and will delete the database containing all personal data.


More legal updates

DMA and GDPR: The EDPB and the European Commission endorsed joint guidelines on the interplay between the Digital Markets Act (DMA) and the GDPR. Both protect individuals in the digital landscape, and their goals are complementary as they address interconnected challenges: individual rights and privacy in the case of the GDPR, and fairness and contestability of digital markets under the DMA. Several activities regulated by the DMA entail the processing of personal data by gatekeepers and refer to definitions and concepts included in the GDPR (e.g., on how to lawfully combine or cross-use personal data in core platform services).

Italy’s new AI law: On 10 October, the Italian law on Provisions and Delegation to Government on Artificial Intelligence, which includes an age verification requirement, entered into force. It is the first comprehensive legislation adopted by an individual EU member state on the research, testing, development, adoption and application of AI systems and models, with a human-centric approach. The government has appointed the Agency for Digital Italy and the National Cybersecurity Agency to enforce the legislation, which received its final approval in parliament after a year of debate. The law even provides for prison terms for those who manipulate technology to cause harm, such as by generating deepfakes.

US Bulk Data: The US Department of Justice’s Sensitive Data Bulk Transfer Rule has been in effect since October 6, the JD Supra law blog reports. This means that if your organisation transfers US sensitive data (from demographic data to cookie data) in volumes that hit the bulk thresholds, you need to develop and implement a compliance program, either as a stand-alone program or as part of an existing compliance program (with due diligence and audit procedures).

Electronic patient files

In Germany, the electronic patient record (ePA) for everyone has been tested in model regions since January 2025. Since 29 April, it has been available for use nationwide by practices, hospitals and pharmacies, among others. As of 1 October, it is generally mandatory for practices and other medical facilities to fill in the records. At the same time, information (e.g., on ongoing or further treatment) can only be included in the ePA for everyone if the insured person has not fundamentally objected to this with their health insurance provider.

Finally, special consent requirements apply to information from genetic testing for diagnostic purposes, as well as on children and adolescent records.

California privacy updates

At the end of September, California finalised regulations to strengthen consumer privacy that go into effect on 1 January 2026. However, businesses have additional time to comply with some of the new requirements, namely cybersecurity audits, risk assessments and requirements for automated decision-making technologies, as well as updates to existing CCPA regulations. The final regulations and supporting materials will be posted on the regulator’s website as soon as they are processed.

ISO/IEC 27701

On 14 October, ISO released ISO/IEC 27701:2025, the latest version of the global Privacy Information Management System (PIMS) standard. For the first time, ISO/IEC 27701 is now a standalone standard, no longer just an extension of ISO/IEC 27001. The standard is designed for personally identifiable information (PII) controllers and processors, who hold responsibility and accountability for processing PII to:

  • Strengthen data privacy and protection capabilities
  • Help demonstrate compliance with global privacy regulations such as the GDPR
  • Support trust-building with partners, clients and regulators
  • Align with existing ISO/IEC 27001 systems to streamline implementation
  • Facilitate accountability and evidence-based privacy management

Cookie updated guidance

The Swiss FDPIC published an updated version of its cookie guidelines, which contains specific clarifications and additions intended to improve the comprehensibility of the text and clarify practical issues. In particular, the FDPIC found it useful to clarify why the use of cookies for the purpose of delivering personalised advertising may require the consent of the data subjects. This is the case when the website operator provides third parties with access to visitors’ personal information in return for payment by integrating third-party cookies or similar technologies, and these third parties are embedded in several websites. As the latter are enabled to carry out high-risk profiling, this constitutes a particularly intensive intrusion into the privacy of the data subjects.

AI systems development guidance

In Germany, the Data Protection Conference (DSK) has published guidance on AI systems with Retrieval Augmented Generation (RAG). It provides legal and technical information on how to harness the potential of such AI systems while reducing the risks for those affected. RAG is an AI technique that augments large language models with targeted access to company or government agency knowledge sources in order to deliver context-specific answers.

Typical application examples include in-house chatbots that access current business data and scientific assistance systems that draw on research databases.

Thus, RAG use must be designed in compliance with data protection by design and by default. Controllers must ensure transparency, purpose limitation, and the protection of data subjects’ rights at all times. Controllers wishing to implement such RAG systems must conduct data protection assessments of the various processing operations on a case-by-case basis and always keep their technical and organisational measures up to date. 

More from supervisory authorities

Union membership: The Latvian data protection authority DVI explains whether an employer needs to know about a worker’s union membership. The answer is that the employer cannot request such information from the employee at any time. The most appropriate justification for processing such data is where the law establishes such rights for the employer; however, it is also possible to obtain the employee’s consent, or to learn this information when the employee has disclosed it themselves.

Such a question should not be asked during a job interview, when drawing up an employment contract or during the employment relationship, as long as the employer does not intend to terminate the employment relationship with the employee in question. If an employee is to be dismissed, asking about union membership becomes relevant because union members may have special protections, such as the need to obtain the union’s consent to termination.

Commercial robocalls: The DVI also explains what a company should consider if it wants to use commercial robocalls. The regulatory framework stipulates that the use of automated calling systems that operate without human intervention for the purpose of sending commercial communications is permitted only if the recipient of the service has given their prior free and explicit consent. Sending commercial communications in this way is therefore lawful only if the person concerned has, before the call is made, freely and explicitly consented to being contacted by automated calling devices.

Google Analytics fine confirmed by court

In 2023, Sweden’s data protection authority IMY decided after an inspection that Tele2 (a mobile network provider) must pay a penalty fee of SEK 12 million for violating the GDPR. The Court of Appeal has now ruled in favour of IMY. The violation concerned the fact that the company, in connection with its use of Google Analytics, transferred personal data to the US without adequate protection.

IMY assessed that the data transferred to the US via Google’s statistical tool was personal data, since it could be linked with other data that Google had access to and thus enabled Google to distinguish and identify specific persons.

Minors’ data in the EU

On 16 October, the European Parliament’s Committee on the Internal Market and Consumer Protection adopted its report on the Protection of minors online. The report calls for an EU-wide digital minimum age of 16 for accessing social media, video-sharing platforms and AI companions without parental consent, and a minimum age of 13 for any social media use. It urges the European Commission to strengthen enforcement of the Digital Services Act and to swiftly adopt guidelines on measures ensuring a high level of privacy, safety, and security for minors. The Parliament is expected to vote on the final recommendations during the November plenary session.

Microsoft use of children data

The Austrian data protection authority ruled on a complaint regarding Microsoft’s handling of children’s data under the GDPR. It found that the Federal High School and the Federal Ministry for Education, acting as joint controllers, violated the complainant’s right of access and right to be informed. They failed to provide complete and timely information on data processed through Microsoft Education 365 (content, log and cookie data), including on cookies and third-party data transfers. Microsoft was also found to have infringed the complainant’s right of access by not providing complete information on cookie data, its own processing purposes, and transfers to third parties such as LinkedIn, OpenAI and Xandr, digitalpolicyalert.org reports.

Doping scandals and personal data

A CJEU Advocate General has delivered an opinion on the publication of the names of professional athletes who have infringed anti-doping rules. In the related case in Austria, the four athletes concerned submit that such publication contravenes the GDPR. The publication is provided for by law. It aims, first, to deter athletes from committing infringements of the anti-doping rules and thus to prevent doping in sport.

Second, it aims to prevent circumvention of the anti-doping rules by informing all persons likely to sponsor or engage the athlete in question that he or she is suspended. In that context, the Austrian court asked the Court of Justice to interpret the GDPR. The Advocate General’s opinion is that such a practice is contrary to EU law: the principle of proportionality requires the specific circumstances of each individual case to be taken into account. In the Advocate General’s view, publishing the relevant name only to the relevant bodies and sports federations, accompanied, for example, by pseudonymised publication on the internet, would make it possible to achieve both objectives.


In other news

Clearview AI fine confirmed: On 7 October, the UK Upper Tribunal confirmed that Clearview AI’s facial recognition business is subject to the EU and UK GDPRs. Clearview had argued that its scraping of billions of online images to produce facial recognition services for sale to foreign law enforcement agencies placed it outside of GDPR’s material and territorial scope. The tribunal rejected the claim and made it clear that Clearview’s activities involve ‘behavioural monitoring’. Clearview sought a narrow interpretation of the GDPR, but the tribunal rightly adopted a broader one that clearly encompasses automated processing.

This decision follows the Information Commissioner’s and Privacy International’s appeal against a 2023 First Tier Tribunal ruling that had quashed Clearview’s fine of 7,552,800 pounds. Clearview trawls through sites like Instagram, YouTube and Facebook, as well as personal blogs and professional websites. It uses facial recognition technology to extract the unique features of people’s faces, effectively building a gigantic biometrics database. Clearview has previously been found to be in breach of the GDPR in France, Italy, Austria and Greece, resulting in fines totalling 65,200,000 euros.

Meta AI bots: The Guardian reports that parents will be able to block their children’s interactions with Meta’s AI character chatbots. The social media company is adding new safeguards to its “teen accounts”, which are the default setting for under-18 users, by letting parents turn off their children’s chats with AI characters. These chatbots, which are created by users, are available on Facebook, Instagram and the Meta AI app. Parents will also be able to block specific AI characters and get “insights” into the topics their children are chatting about with AI. Meta said the changes would be rolled out early next year, initially in the US, UK, Canada and Australia.

In case you missed it

AI for everyday tasks: As more and more companies use their users’ personal data to train AI models, the French data protection regulator CNIL explains how to object to this on the main platforms. The practical cases include: Google – Gemini, Meta – Meta AI, OpenAI – ChatGPT, Microsoft – Copilot, X – Grok, DeepSeek, Mistral – Le Chat, Anthropic – Claude, and LinkedIn.

‘Self-aware’ AI: Guernsey’s data protection authority meanwhile publishes its observations on how AI has formed the basis of a number of companion apps and the creation of numerous digital friends and partners. It is important for all of us to remember, personally and professionally, that such products are not ‘living beings’, as more and more news stories emerge of tragic outcomes in which a digital companion played a part. Individuals have the right not to be subject to automated decision-making, which is at the core of such products, without appropriate safeguards in place. And organisations functioning as data controllers bear responsibility for any decisions the AI makes or advice it provides to people.

Data protection digest 3-16 Feb 2024: Sneakily changing terms of service and privacy policy won’t help your business
https://techgdpr.com/blog/data-protection-digest-19022024-sneakily-changing-terms-of-service-and-privacy-policy-wont-help-your-business/
Mon, 19 Feb 2024 10:51:24 +0000

In this issue, you will find that America’s FTC is warning against retroactively changing terms of service or privacy policy. Palantir running the NHS’s new data platform in the UK, and envisaged changes to the EU GDPR enforcement framework and new dispute resolution mechanisms are also in focus.


Terms of Service and User Privacy

America’s FTC warns AI developers and other companies that quietly changing terms of service could be unfair or deceptive. While businesses creating AI products have strong financial incentives to use user data as fuel for their systems, they also have established policies in place to safeguard users’ privacy. A business that collects user data on the basis of one set of privacy commitments cannot then unilaterally renege on those commitments after collecting the data. Some companies may attempt to make such changes covertly by retroactively amending their terms of service or privacy policy (e.g., to use that data for AI training).

Last summer, the FTC alleged that a genetic testing company violated the law when the company changed its privacy policy to retroactively expand the kinds of third parties with which it could share consumers’ sensitive data, adding supermarket chains and nutrition and supplement manufacturers, without notifying consumers who had previously shared personal data, or obtaining their consent. Additionally, it did not encrypt that data, restrict access to it, log or monitor access to it, or inventory it, according to the complaints. The company stored it in publicly accessible “buckets” on a cloud storage service with thousands of health reports about consumers and raw genetic data, sometimes accompanied by a first name, despite promising users its security practices would exceed industry-standard security practices. 

Other official guidance

Employment data: The Italian privacy regulator launched the Code of Conduct for employment agencies. Agencies that adhere to the code undertake to process only data strictly necessary for the establishment of the employment relationship and must therefore not investigate jobseekers’ political, religious or trade union opinions, or carry out pre-selections based on information regarding marital status, pregnancy or disability, even if candidates have given their consent.

Agencies must not obtain information by consulting social profiles intended for interpersonal communication. Online information can be collected only if made available on professional social channels. Furthermore, employment agencies will not be able to acquire the candidate’s professional references from previous employers and communicate them to their clients, without “prior explicit authorization from the candidate”.

Camera systems: The Czech data protection authority has published a new methodology (in Czech) for the design and operation of camera systems. The methodology covers camera systems that record (including security cameras) as well as camera systems operating in online mode, the minimum technical and organisational measures for them, and use cases. The methodology is not a legally binding document, and it remains the duty of personal data controllers to always proceed in accordance with the GDPR and EDPB Guidelines No. 3/2019.

New procedures for GDPR enforcement

MEPs have adopted a draft position laying down additional procedural rules for enforcing the GDPR. It deals with the GDPR’s cooperation and dispute resolution mechanisms and introduces deadlines for cross-border procedures and disputes. Amicable settlements should require the parties’ explicit consent and should not prevent a supervisory authority from starting an own-initiative investigation into the matter. The MEPs’ position also ensures that all parties to complaint procedures have the right to effective judicial remedies, for example when the regulator does not take necessary actions or comply with deadlines.

Digital Services Act is now fully applicable

The DSA has applied to online platforms and search engines with more than 45 million users in the EU since 25 August 2023. From 17 February, it applies to smaller platforms and online intermediaries (for goods, content or services) on the European market. Its main goal is to prevent illegal and harmful activities online and the spread of disinformation. For instance, if you complain about what you suspect is illegal content, the service provider must handle the matter and inform you of its decision.

Compliance will be supervised by the specialised agencies in the Member States, and certain obligations by consumer protection and data protection authorities. To avoid disproportionate constraints, small companies (with fewer than 50 employees and an annual turnover of less than EUR 10 million) and micro-enterprises are exempted from various measures (transparency reports, internal complaints handling system, etc.). More details on the enforcement framework under the DSA are available here.

More legal updates

Main establishment in the EU: The EDPB clarified the notion of the main establishment under the GDPR rules. A controller’s “place of central administration” in the EU can be considered a main establishment under Art. 4(16)(a) GDPR only if:

  • it makes the decisions on the purposes and means of the processing of personal data, and
  • it has the power to have such decisions implemented.

Furthermore, the One-Stop-Shop mechanism can only apply if there is evidence that one of the establishments of the controller in the Union takes decisions on the purposes and means for the relevant processing operations and has the power to have these decisions implemented. This means that, when the decisions on the purposes and means of the processing are taken outside of the EU, there is considered to be no main establishment of the controller in the Union, and therefore the One-Stop-Shop should not apply.

CPRA enforcement: California’s Third District Court of Appeal held that the California Privacy Protection Agency’s authority to enforce its amended privacy regulations should have been effective on July 1, 2023. The decision restores the CPPA’s authority and overturns a lower court ruling. The agency has been vigorously enforcing the statutory rights approved by Californians – Proposition 24, the California Privacy Rights Act of 2020 (CPRA). Some of the new and amended regulations implementing the CPRA, which largely define and clarify how businesses must honour those rights, were previously deemed unenforceable by the lower court.

Video gaming and children’s data

The ICO has carried out an age-appropriate design code audit of Gameforge’s processing of UK children’s data. The majority of their games are rated as suitable for children aged 0-12 years. Gameforge does not collect any user data to confirm their ages or identify child users, and subsequently has chosen to apply safeguards to all users by implementing pseudonymisation of all user account data, and not implementing higher risk processing activities such as location tracking or profiling. Gameforge does not use personal data to promote or market third-party products or services, and Gameforge’s online services do not include any third-party advertising.

As notably good practice, the ICO underlined the high level of qualifications and involvement of the data protection team. In particular, Gameforge has made two DPO-certified members key signatories to the company accounts and to new or changed contracts. However, opportunities for improvement were also identified, such as a clearer privacy policy, and a DPIA that records consultation with, and feedback or approval from, key stakeholders. An assessment should also be undertaken to consider and document the potential ages of users, which can be achieved non-intrusively by using anonymous or aggregated data such as market research. 

Cookie-banners supervision

The Dutch regulator promised to intensify the checks of websites and explained, one more time, how organisations should set up cookie banners to properly request permission: 

  • to provide information in clear text about the purpose;
  • not to automatically enable checkboxes;
  • give all choices in the first layer, (don’t hide certain choices and don’t make someone make extra clicks);
  • not to use a discreet link in the text;
  • be clear about withdrawing consent;
  • carefully choose the legal basis, (do not confuse consent with legitimate interest).

The Bavarian data protection authority meanwhile checked the cookie banners of hundreds of websites and apps and found numerous violations. Many operators, (around 350 websites), now have to change their pages. The regulator has successfully developed a tool which makes it possible to automatically check websites to see whether, in addition to the “Accept All” option, there is also an equivalent option for not granting consent. The test is initially based on the use of a very common consent management platform, (CMP), but will be expanded to include other CMP providers and thus an even larger number of websites in future iterations.


Enforcement decisions

Data storage periods: The French CNIL fined the publisher of the pap.fr website, which allows individuals to view and publish real estate ads, 100,000 euros. The company had set a retention period of ten years for the customer accounts using paid services on the site, contrary to the consumer code on which it relied. The company informed individuals through an incomplete and unclear privacy policy. The password complexity rule was insufficiently robust, and passwords and related data were stored unencrypted. All data relating to inactive user accounts was kept without any sorting. 

Online dating site: The Italian data protection authority has fined the operator of a well-known online dating site 200,000 euros for violations affecting the personal data of about 1 million members. Registration on the platform, which has about 5 million members worldwide, required the entry of numerous data, (meeting interest, country, region, city of residence, date of birth, e-mail), and photos, which customers uploaded to their public profile or to the reserved area, without being provided with adequate information on the use that would be made of that data. The information also contained no indication of the possibility for data subjects to exercise the rights provided for by privacy legislation. 

The owner of the site did not have a specific privacy policy regarding the storage of the data processed, limiting itself to randomly proceeding with the deletion of accounts that are no longer active and the information contained, as well as unsuccessful registration requests. Finally, although the company was required to do so, it had not drawn up a register of processing activities, had not appointed a DPO, nor had it prepared an impact assessment (DPIA). 

Viamedis and Almerys data breach

The French CNIL is conducting investigations into a data breach which has affected Viamedis and Almerys, operators managing third-party payment for numerous complementary health insurance and mutual insurance companies. More than 33 million people are affected. The data concerned civil status, date of birth and social security number, and the name of the health insurer. Data such as banking information, medical data, health reimbursements, postal addresses, telephone numbers and emails are not affected by the breach. 

Shoplifter identity

The Dutch data protection authority has granted 500 permits for a collective shopping ban. Shopkeepers with such a permit can warn each other in a defined area about shoplifters and people who cause nuisance, sharing their names and photos. Shopkeepers may only share such a ‘blacklist’ with each other under strict conditions. For example, someone from the police, the municipality or the public prosecution service must always be involved.

Big Data

UK health care data: The Good Law Project NGO raises concerns about the lack of transparency in the contract allowing Palantir to run the NHS’s new system – the Federated Data Platform. The organisation has now taken legal action to challenge the NHS’s data governance. Despite the massive scale of redactions in Palantir’s 500+ page contract, the NGO insists no reasons for the secrecy have been given by the public bodies. The NHS has also signed a contract with the biotech IQVIA, to provide “Privacy Enhancing Technology” for the platform. Around three-quarters of the contract is also completely redacted, including a section on personal data protection. 

Pupil surveillance: Privacy International reports that some UK schools have bought and installed sensors in toilets that ‘actively listen’ to pupils’ conversations to try to detect keywords spoken by pupils. Such sensors do not record or save any conversations but send alerts to staff when triggered. At the same time, some schools are also pairing them with surveillance cameras, so when activated by a vaping sensor they capture students leaving bathrooms. 

Ulez fines: Italy is investigating the case of Italian police allegedly accessing thousands of EU drivers’ data and sharing it with firms collecting fines on behalf of Transport for London, (TfL). Some other Member States have also claimed that a police department that has not been named has abused its authority by providing personal information about EU drivers to Euro Parking Collections. TfL uses this company to levy fines to enforce low and ultra-low emission zones, (Ulez). Due to national regulations permitting the UK to access EU individuals’ data only for criminal offenses and the fact that breaking Ulez guidelines is considered a civil violation, it is believed that the fines have been unlawfully levied since Brexit.

The post Data protection digest 3-16 Feb 2024: Sneakily changing terms of service and privacy policy won’t help your business appeared first on TechGDPR.

Data protection digest 18 Jan – 2 Feb 2024: social media industry grilled over child safety and mental health https://techgdpr.com/blog/data-protection-digest-05022024-social-media-giants-grilled-over-child-safety/ Mon, 05 Feb 2024 10:44:12 +0000

Child safety online was the subject of a sometimes heated US Congressional hearing, forcing CEOs of the biggest American social media giants to apologise to parents of victims. While legislators are struggling to find a legal solution to the crisis, police are finding evidence of children as young as seven being at risk of harm.


Children at risk

Last week, the CEOs of Meta, X, TikTok, Snap and Discord were questioned before the US Congress over alleged harms to young users on their platforms – access to drugs and subsequent overdoses, harassment, grooming and trafficking exploitation, leading in some cases to death. Legislators stated that the industry, through its constant pursuit of engagement and profit, failed to adequately invest in trust and child safety. Executives highlighted controls and tools they have introduced to mitigate harm. 

US legislators are pushing forward legal solutions to the existing crisis through the debated Kids Online Safety Act and anti-CSAM legislation, as well as changes to the COPPA rule. Meanwhile in neighbouring Canada, (British Columbia province), some of the measures have just been enforced.

In the EU, a draft Parliament position was adopted by the LIBE Committee at the end of last year, now awaiting further enforcement. The privacy regulators meanwhile warn about present risks to children and their personal information online. For instance, the Guernsey data protection authority recently identified a local Snapchat group that includes children as young as seven, possibly encouraging them to share explicit images of themselves. The police now advise parents:

  • to have conversations with their children regarding the reputational and long-term risks associated with sharing personal information via such networks, and 
  • ensure children are not using social networks or apps if they’re under the authorised age for those networks/apps, (13 for Snapchat). 

In the UK, the Information Commissioner’s Office also created a toolkit of free resources to promote responsible data sharing to safeguard children and renewed its age assurance opinion, an important part of its world-leading Children’s code, reflecting developments over the past two years. A similar age-assurance design code was passed into law in California in 2022.

Legal updates

Draft AI Act: The draft legislation received a unanimous endorsement from all 27 European Union member states. Negotiations over the shape of the law concluded last December, with the main focus on safeguards for foundation models and the use of facial recognition software. According to Euractiv analysis, the primary opponent of the political agreement was France, which, together with Germany and Italy, asked for a lighter regulatory regime for powerful AI models, that support general-purpose AI systems, (protecting domestic start-ups). Nonetheless, the Parliament insisted on the need for strict guidelines for these models. In April, Parliament will hold its final vote on the law.

German employee data protection: DLA Piper’s legal analysis looks at the data protection provisions relating to employees and other workers in Germany. Currently, the area is largely determined by case law, and national legislators are very cautious about using Art. 88 of the GDPR – the adoption of provisions that specify data protection requirements in the employment context. Even more problematic, the relevant provisions of the Federal Data Protection Act, (BDSG), after being clarified by the CJEU last year, did not meet the conditions set out in the GDPR. Read more on the envisaged Single Employee Data Protection Act in Germany in the original analysis.

Automated decisions

The Isle of Man data protection commissioner reminds the public of Art. 22 of the GDPR, which provides individuals with the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. It is permitted to use such methods only: a) with the explicit consent of the individual; b) if necessary for entering into, or performing, a contract between the individual and the data controller; or c) where authorised by law. The controller must also have safeguards in place to allow individuals to obtain human intervention regarding the decision, to contest it in certain cases, or to express their point of view. 

AI checklist

The Bavarian data protection authority for the private sector published a draft ‘Data Protection and AI’ checklist, (in German). In addition to a legal basis for the creation of AI models and the operation/use of AI applications, the rights of those affected and other compliance requirements of the GDPR must also be implemented. The data protection risk model must be documented and regularly checked to ensure that it is up-to-date and complete. If necessary, the test points, (see them here), can be checked as part of the control activities by the data protection officer.

Software for schools

The Danish supervisory authority has investigated the use of Google Workspace in Danish schools in 53 municipalities. The report considers that the municipalities have had no reason to forward student data to Google for the development and measurement of services, ChromeOS and the Chrome browser. The data protection authority also reminds the municipalities that they should have found out how Google processes the transmitted personal data before implementing the tools. Municipalities now have to bring the processing in line with the rules:

  • Municipalities should no longer pass on personal data to Google for these purposes. This will likely require Google to develop a technical option for the data streams in question to be intercepted.
  • Google must itself refrain from processing the information for these purposes.
  • The Danish Parliament provides a sufficiently clear legal basis for disclosure for these purposes.

A similar investigation on the use of Google’s teaching platform in schools was conducted in Finland in 2021. The decision does not prohibit the use of the educational platform but states that a legal basis must be defined for the processing of students’ data in Google services.

Purpose limitation

How to comply with the principle of purpose limitation? The Latvian data protection authority explains that when your data is transferred to someone else, it is usually done with the confidence that the data will be used for a specific purpose that is clearly understood by you. The principle of purpose limitation is closely related to other principles established in the GDPR, such as the principle of transparency, because only by knowing the specific purpose of data processing can a person understand what to expect within the scope of their data processing. 

Likewise, determining the exact purpose is related to the principles of data minimisation and storage limitation, because depending on the purpose, the amount of data needed to achieve it can be determined, as well as how long the data needs to be stored. There is also a link to the principle of lawfulness: only when data is to be used for a clearly defined purpose can an appropriate legal basis be established. When considering processing for a different purpose, the controller must first assess whether this purpose is compatible with the initial processing, including the following aspects:

  • the connection between the purposes;
  • the context in which data has been collected;
  • nature of data;
  • the consequences that further processing would have for the data subject;
  • the existence of adequate safeguards in both initial and intended subsequent processing operations.


EDPB documentation

The EDPB published a One-Stop-Shop case digest on Security of Processing and Data Breach Notification. The relevant decisions were initially filtered using Art. 32 of the GDPR, (security of processing), as the main legal reference. This article establishes an obligation for both data controllers and data processors to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. The analysis of decisions will provide insights into how regulators interpret these obligations in concrete situations, such as how to protect organisations against hacking, how to ensure meaningful and robust encryption, how to build strong passwords, etc. 

The EDPB has launched a website auditing tool that can be used to help analyse whether websites are compliant with the law. It can be used by both legal and technical auditors at data protection authorities, as well as by controllers and processors who wish to test their websites. The tool is Free and Open Source Software under the EUPL 1.2 Licence and is available for download on code.europa.eu. The source code is available here.

Enforcement decisions

Prospect data: The French CNIL fined TAGADAMEDIA, (online competition and product testing websites), 75,000 euros. The data collected by brokers is sent to the company’s partners for commercial prospecting. The prospect questionnaire did not allow free, informed and unambiguous consent to be obtained. The button allowing users to give their consent was visually highlighted, whereas the one allowing users to refuse consent carried incomplete text in a reduced size, alongside a strong encouragement for users to agree to the transmission of their data to partners.

Insurance companies: An administrative court in Finland upheld the data protection commissioner’s decisions on the handling of health data by insurance companies. In some situations, insurance companies request personal health information directly from healthcare providers. However, data should be identified and precisely defined, which means only the necessary information from the provider and for the period that is relevant in assessing the insurance company’s liability is required. Also, the insurance applicant’s data from health services cannot be processed before concluding the contract.

Intrusive scientific research: The Italian regulator sanctioned a municipality for conducting two scientific studies, using cameras, microphones and social networks. The projects, financed with European funds, aim to develop technological solutions to improve safety in urban areas. It involved footage from video surveillance cameras already installed in the municipal area, as well as audio obtained from microphones specifically placed on the street. One of the projects also analysed hateful messages and comments published on social media, detecting any negative emotions and processing information of interest to the police. The municipality has not proven the existence of any legal framework for the processing: the data was unlawfully shared with third parties and partners. Furthermore, the anonymisation techniques proved insufficient.

Data breaches

Undetected attacker: America’s FTC’s proposed action against Blackbaud alleges that the company’s failure to implement some basic safeguards resulted in the theft of highly sensitive data about millions of consumers, including Social Security numbers and bank account information. South Carolina-based Blackbaud provides a wide variety of data, fundraising, and financial services to more than 45,000 companies, including nonprofits, foundations, educational institutions, and healthcare organisations. 

In 2020, an attacker purportedly used a Blackbaud customer’s login and password to access certain Blackbaud databases. The attacker rummaged around undetected for three months until Blackbaud finally spotted a suspicious login on a backup server. By then, the attacker had stolen data from tens of thousands of Blackbaud’s customers, which compromised the personal information of millions of consumers. Blackbaud eventually agreed to pay 24 Bitcoin, (valued at about 250,000 dollars), in exchange for the attacker’s promise to delete the stolen data. But Blackbaud hasn’t been able to verify that the attacker followed through. 

Data processor supervision: The Danish data protection authority reported Capio A/S to the police for not having supervised its data processors. The private hospital may face a fine of approximately 200,000 euros. In particular, the hospital has not been able to ensure and demonstrate that personal data is processed for legal and reasonable purposes and in a way that ensures sufficient security for the sensitive personal data of the large number of data subjects in question, over several years.

Data security

TOMs: The Swiss data protection authority has revised its guide on technical and organisational security measures, (in English). The guide is primarily intended for people in charge of information systems, whether technicians or not, who are directly confronted with the problem of personal data management. 

Cloud: The French CNIL published factsheets on encryption and data security, (in French). It offers a detailed analysis of the different types of encryption applied to a cloud computing service: encryption at rest, in transit and in-process, and e2ee. The guide also looks at various tools to secure cloud services, (anti-DDoS, WAF, CDN, load balancer), and key vigilance points.

Login: What to do if you detect a credential-stuffing attack? The Lithuanian data protection authority recommends responding quickly and proactively:

  • determining whether the attacker managed to use the available accesses,
  • blocking potential malicious activity,
  • notifying users of an attack and encouraging them to change their passwords,
  • notifying the regulator about the personal data security breach that has occurred,
  • conducting a thorough incident investigation and implementing additional security measures to prevent similar attacks in the future, (2FA, automatic attack detection systems, password policy).

Finally, if the attack is systemic or involves multiple platforms, it is recommended to collaborate with other data controllers in analysing the incident.
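The first two steps above, determining whether the attacker actually got into any accounts and deciding which users to notify, start from the authentication logs. The following Python is an added example, not from the Lithuanian regulator's guidance: it flags source addresses that cycle through many distinct usernames with a high failure rate (the credential-stuffing signature, as opposed to one user mistyping a password) and lists the accounts those sources logged into successfully. The log line format and the sample log are constructed assumptions; the thresholds are illustrative.

```python
"""Credential-stuffing triage over authentication logs (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Iterable, Iterator

# Constructed sample log, not real data. The line format
# "<timestamp> <source_ip> <username> <SUCCESS|FAIL>" is an assumption.
SAMPLE_LOG = """\
2024-01-20T10:00:01Z 198.51.100.20 alice FAIL
2024-01-20T10:00:09Z 198.51.100.20 alice SUCCESS
2024-01-20T10:01:00Z 198.51.100.21 bob SUCCESS
2024-01-20T10:02:00Z 203.0.113.7 alice FAIL
2024-01-20T10:02:01Z 203.0.113.7 bob FAIL
2024-01-20T10:02:02Z 203.0.113.7 carol FAIL
2024-01-20T10:02:03Z 203.0.113.7 dave SUCCESS
2024-01-20T10:02:04Z 203.0.113.7 erin FAIL
2024-01-20T10:02:05Z 203.0.113.7 frank FAIL
2024-01-20T10:02:06Z 203.0.113.7 grace FAIL
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAIL)$")


@dataclass
class LoginEvent:
    timestamp: str
    source_ip: str
    username: str
    success: bool


@dataclass
class SourceStats:
    """Per-source-IP counters used to spot stuffing behaviour."""
    attempts: int = 0
    failures: int = 0
    usernames: set[str] = field(default_factory=set)   # every account tried
    successes: set[str] = field(default_factory=set)   # accounts logged into

    @property
    def failure_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> Iterator[LoginEvent]:
    """Yield one LoginEvent per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        yield LoginEvent(ts, ip, user, result == "SUCCESS")


def summarise_by_source(events: Iterable[LoginEvent]) -> dict[str, SourceStats]:
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for ev in events:
        s = stats[ev.source_ip]
        s.attempts += 1
        s.usernames.add(ev.username)
        if ev.success:
            s.successes.add(ev.username)
        else:
            s.failures += 1
    return dict(stats)


def flag_stuffing_sources(stats: dict[str, SourceStats],
                          min_users: int = 5,
                          min_failure_rate: float = 0.8) -> set[str]:
    """Many distinct usernames from one source, mostly failing, is the
    credential-stuffing signature; a lone user retrying a password is not."""
    return {ip for ip, s in stats.items()
            if len(s.usernames) >= min_users
            and s.failure_rate >= min_failure_rate}


def triage(log_text: str, min_users: int = 5,
           min_failure_rate: float = 0.8) -> dict[str, set[str]]:
    """Return suspect sources, accounts they got into (lock and notify first),
    and every account they probed (candidates for a forced password change)."""
    stats = summarise_by_source(parse_log(log_text))
    suspects = flag_stuffing_sources(stats, min_users, min_failure_rate)
    return {
        "suspect_ips": suspects,
        "accounts_to_reset": set().union(*(stats[ip].successes for ip in suspects)),
        "accounts_probed": set().union(*(stats[ip].usernames for ip in suspects)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {sorted(value)}")
```

On the constructed log the legitimate user alice, who failed once from her own address, is not flagged, while dave is the one account the stuffing source actually entered.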

Cybersecurity program: As cybersecurity threats continue to mount, you need to show improvements over time to your CEO and customers. How do you measure your progress and present it using meaningful, numerical details? America’s NIST offers a Draft Guidance on Measuring and Improving Your Company’s Cybersecurity Program. It is aimed at different audiences within an organisation – security specialists and the C-suite – and can help organisations move from general statements about risk level toward a more coherent picture founded on hard data.

Big Tech 

Amazon “stalking” employees: The French data protection authority fined Amazon France Logistique 32 mln euros for putting employees under constant surveillance. The company manages the Amazon group’s large warehouses in France, where it receives and stores items and then prepares parcels for customer delivery. Each warehouse employee is given a scanner to document the performance of certain tasks in real time. Each scan results in the recording and prolonged storing of data used to calculate employee quality, productivity and periods of inactivity, (the “error” margin was set to less than 1.25 seconds or longer than 10 minutes). The company was also fined for video surveillance without information or sufficient security. 

Uber has been fined 10 mln euros by the Dutch data protection authority for violating privacy regulations related to its drivers’ data. Uber failed to specify in its terms and conditions the duration for which drivers’ data is retained and the security measures in place, particularly when transferring data to non-European countries. The fine was imposed following a complaint by over 170 French drivers, which was then forwarded to the French data protection authority and subsequently to the Dutch regulator, as Uber’s European headquarters is in the Netherlands. 

Data protection digest 18 Dec – 2 Jan 2024: EDPB says too early to revise GDPR, cross-border enforcement challenge ahead https://techgdpr.com/blog/data-protection-digest-04012024-edpb-says-too-early-to-revise-gdpr-cross-border-enforcement-challenge-ahead/ Thu, 04 Jan 2024 10:59:47 +0000

In this issue, you will find the main trends in data privacy that 2024 will inherit from last year. The main areas of concern include GDPR modernisation and cross-border enforcement, the fair use of AI, international data transfers, the balance between data security and the data-driven economy, as well as children’s privacy online.

Regulatory updates

5 years of the GDPR: The EDPB considers that the application of the GDPR in the first 5 and a half years has been successful. It is too early to revise the regulation, although several important challenges lie ahead, such as procedural rules relating to cross-border enforcement. The EDPB will keep on supporting the implementation of the GDPR in particular by SMEs, seeking greater clarity and uniformity of guidance and powers available. The existing tools in the GDPR have the potential to achieve this goal, provided that they are used in a sufficiently harmonised way. In addition, the supervisory authorities need sufficient resources to continue carrying out their tasks. 

“Cookie fatigue”: The EDPB also welcomed the voluntary business pledge initiative by the European Commission to simplify the management of cookies and personalised ads choices by consumers. It would ensure that users receive concrete information on how their data is processed, as well as on the consequences of accepting different types of cookies. Users would therefore have greater control over the processing of their data. However, the EDPB flagged that adherence to the cookie pledge principles by organisations does not equal compliance with the GDPR or ePrivacy Directive.

COPPA: The US Federal Trade Commission plans to strengthen children’s privacy rules to further limit companies’ ability to monetize children’s data. The new rule would require targeted ads to be off by default, limit push notifications, restrict surveillance in schools, limit data retention, and strengthen data security. COPPA rules require US websites and online services that collect information from children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information from these children, (persistent identifiers, geolocation data, photos, videos, and audio). 

UK BCRs

The UK Information Commissioner updated a guide on the binding corporate rules for organisations managing data transfers between the UK and EU. Organisations with an existing EU BCR can add the UK Addendum thus creating a new UK BCR, to include UK-restricted transfers. It contains all relevant provisions of Art. 47 of the UK GDPR, meaning that your EU BCR will work in the UK. Finally, under the terms of the UK BCR Addendum, if your EU BCR is suspended, withdrawn or revoked, this also suspends, withdraws or revokes your UK BCR. This means that you must not transfer personal data under your UK BCR and you must use another international transfer mechanism.

Log data access

An administrative court in Finland has published a decision regarding the right to inspect log data. An employee of a bank, who was also a customer of the bank, demanded to know which persons had reviewed his customer information during the bank’s internal audit. The bank refused to disclose the identity of the employees because the log data resulting from viewing the data was the personal data of the employees in question. However, the bank did give the reason why the customer data had been viewed. 

The person complained about the bank’s procedure to the data protection commissioner’s office. The regulator rejected the request and stated that the bank does not need to provide information about the identity of employees. The case ended in the CJEU. The EU top court ruled that everyone has the right to know the times and reasons for queries made to their data. However, there is no right to receive information about persons who have processed information under the authority of their employer and by the employer’s instructions.

Health data processing

Certain processing of health data is subject to the completion of preliminary formalities with the data protection authority. To facilitate the procedures of the bodies concerned and the compliance of their processing, the French regulator CNIL has published, (in French), reference standards to which they must refer.

Other official guidance

Sports archives: The storage of sports archives must comply with the regulations on the protection of personal data. Some personal data collected on athletes, federal officials or club presidents, such as results, awards, photographs and posters, may be of historical interest, invoked by the players in the ecosystem, (in particular institutions, clubs, sports federations, professional leagues), to justify the retention of data without limitation in time. In practice, the purposes associated with the retention of this data are very numerous, and the retention periods will vary. 

Also, depending on the status of the person who produced or received them, these records are either public or private. For example, the results of a sports competition organised by a delegated federation, (e.g. the results of the championships of France), constitute public archives. On the other hand, in the context of a gala, if a sports competition is organised by the same delegated federation, the documents produced constitute private archives, (the gala does not fall within the scope of the public service missions assigned to the organising delegated federation).

Purchase data: The Finnish data protection authority considers that keeping purchase data for the entire duration of the customer relationship does not adhere to the data minimisation principle. In the related case concerning Kesko, (a retail company), the detailed, product-specific purchase data of a loyalty system had been processed for various reasons, including business development and the targeting of marketing. The customers themselves had been able to see their purchase information for five years. Kesko was ordered to clearly define retention periods, clarify the purposes of the use of personal information, and delete or anonymise data that had been stored longer than necessary.

Cross-border enforcement

Joint controllership: The EDPB published the final decision of the Hungarian supervisory authority on an infringement of Art. 26 of the GDPR. The Slovak supervisory authority objected to processing carried out by a foundation as the presumed controller of two Hungarian-language websites. Certain recordings available on the foundation’s websites presumably feature children from a specific Slovak primary school performing and singing. The Hungarian regulator established that there was no arrangement between the foundation and the school within the meaning of Art. 26 (1) of the GDPR concerning joint processing and their respective responsibilities.

Sanctions

Illegal university telemarketing: In the US, the Federal Trade Commission has sued Grand Canyon University for deceptive advertising and illegal telemarketing. The agency says the university, its marketer, and its CEO deceptively advertised the cost and course requirements of its doctoral programs and made illegal calls to consumers. Prospective students were told that the total cost of “accelerated” doctoral programs was equal to the cost of just 20 courses.

In reality, the school requires that almost all doctoral students take additional “continuation courses” that add thousands of dollars in costs. The defendants also used abusive telemarketing calls to try to boost enrollment. The university advertised on websites and social media urging prospective students to submit their contact information on digital forms. Telemarketers then used the information to illegally contact people. 

AI facial recognition banned: Also in the US, Rite Aid will be prohibited from using facial recognition technology for surveillance purposes, to settle charges that the retailer failed to implement reasonable procedures and prevent harm to consumers in hundreds of stores. From 2012 to 2020, Rite Aid deployed AI-based facial recognition technology to identify customers who may have been engaged in shoplifting or other problematic behaviour. The complaint, however, charges that the company failed to take reasonable measures to prevent harm to consumers, who, as a result, were falsely accused of wrongdoing.

Deleted CCTV footage: The Greek data protection agency fined Alpha Bank for failing to satisfy the right of access of a customer who had requested the recorded material from a branch’s video surveillance system. It emerged that the bank failed to deal with the complainant’s request promptly, with the result that the material was scheduled for deletion when the retention period expired. The authority found a violation of Arts. 12 and 5 of the GDPR.

Audit reports

Cyber security framework: The UK Information Commissioner has carried out a voluntary data protection audit of Lewisham and Greenwich NHS Trust. One of the areas of improvement found included a cyber security framework that should be further embedded, by integrating new cyber staff roles into the organisation, and ensuring staff with key cyber security responsibilities complete additional specialised training relevant to their responsibilities. 

This should be supported by continuing security controls in place, such as plans to implement multi-factor authentication to protect higher risk or more sensitive personal data processing activities, and a regular programme of practical social engineering or phishing tests to ensure staff are familiar with such scams and what action to take.

Cyber risks relating to third-party suppliers should be reviewed periodically to ensure the Trust has assurance that cyber security controls are in place and effective. Further to this, Data Protection Impact Assessments should identify cyber risks and mitigating controls. Additionally, Information Asset Owners should be actively involved in assessing the cyber risks and monitoring the effectiveness of the mitigating controls. 

Ongoing work to replace or decommission legacy devices that cannot receive security patches and phase out or update servers with unsupported operating systems should continue. All network devices should be able to receive security patches that address cyber vulnerabilities, and systems approaching the end of life should be removed or updated on time.

Data breaches

Car parking data stolen: Europe’s largest parking app operator has reported itself to information regulators in the EU and UK after hackers stole customer data. EasyPark Group, the owner of brands including RingGo and ParkMobile, said customer names, phone numbers, addresses, email addresses and parts of credit card numbers had been taken, but said parking data had not been compromised in the cyber-attack, the Guardian reports. The breach highlights the centralisation of parking services, as physical meters and parking attendants are gradually replaced by websites and apps.

Data security

Children’s privacy: The Spanish data protection authority presented its age verification system. It consists of the principles that an age verification system must comply with, a technical note with project details, and practical videos that demonstrate how the system works on different devices and with several identity providers. The age verification methods currently used on the Internet, eg self-declaration or sharing credentials with the content provider, have demonstrated clear risks: locating minors, lack of certainty about the declared age, exposure of the user’s identity to multiple participants, and mass profiling.

PETs: Privacy-enhancing and preserving technologies generally refer to innovations that facilitate the processing and use of data in a way that preserves the privacy of individuals. While there is no unified definition denoting a technology as a PET, the Centre for Information Policy Leadership’s year-long study investigates and provides 24 case studies on its three main categories: 

  • cryptographic tools that allow certain data elements to remain hidden while in use; 
  • distributed analytics tools where data is processed at the source; and 
  • tools for pseudonymisation and anonymisation. 

Authentication: Logging in with a password is still one of the most commonly used forms of authentication. Depending on what you have to protect, this may also be enough, states the Dutch data protection authority. Yet logging in with a single factor remains unsafe. It is better to use multiple factors, such as a password combined with a code via SMS. Using biometric data, even if very reliable, demands extra protection and must therefore meet stricter security requirements. Another alternative is a digital token – the unique series of numbers is not generated from your characteristics but is stored on a chip in your access card. However, it would only work if it is and remains strictly personal. 

Big Data

TikTok Australia: The Australian Information Commissioner has launched an inquiry into the platform’s use of marketing pixels to track people’s online habits, The Guardian reports. This can include where they shop, how long they stay on websites, and personal information such as the email addresses and mobile phone numbers of non-TikTok users. The probe will determine whether TikTok is harvesting the data of Australians without their consent. ByteDance, the Chinese conglomerate that owns the video-sharing platform, has denied that it violated Australian privacy laws. New privacy legislation in response to a review of the Privacy Act is expected to land in the Australian parliament this year and will allow more inquiries like this.

Body-related data: Organisations building immersive technologies, from everyday consumer products like mobile devices and smart home systems to advanced hardware like extended reality headsets, often rely on large amounts of data about individuals’ bodies and behaviours, states the Future of Privacy Forum. It therefore offers detailed and illustrated instructions on how to document body-related data categories, (raw voice recordings, facial geometry, fingerprints), handle complicated data practices, (eg, eye tracking), evaluate privacy and safety risks, and implement security best practices. The framework is available for download.

Cookie deprecation: Google has begun the next step toward phasing out third-party cookies in Chrome: testing Tracking Protection, a new feature that limits cross-site tracking by restricting website access to third-party cookies by default. The company will roll this out to 1% of Chrome users globally, (a key milestone in its Privacy Sandbox initiative to phase out third-party cookies for everyone in the second half of 2024). Participants for Tracking Protection are selected randomly, and if you’re chosen, you’ll be notified when you open Chrome on either desktop or Android.

The post Data protection digest 18 Dec – 2 Jan 2024: EDPB says too early to revise GDPR, cross-border enforcement challenge ahead appeared first on TechGDPR.

Data protection digest 17 – 30 July 2023: guide on website analytics, health care data sharing, and COPPA 2.0 https://techgdpr.com/blog/data-protection-digest-01082023-guide-on-website-analytics-health-care-data-sharing-and-coppa/ Wed, 02 Aug 2023 07:07:05 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance

Website analytics: There are many website analytics and tracking tools on the market, notes the Norwegian data protection regulator, but that doesn’t necessarily mean it’s legal to use them on your website. Be prepared to follow the GDPR, even if you do not know the name or identity of those visiting your site. The analysis tools collect a lot of information, which either alone or in combination can constitute personal data. If you currently have an analysis tool that collects information you do not use for anything, you are breaking the law:

  • You must have a legal basis for processing. 
  • There are many requirements for user consent to be valid. The mere existence of the cookie banner is not enough.
  • Choose tools that promise to only process personal data on your behalf and as you decide. 
  • On some websites, the visitors’ behaviour can in itself reveal special categories of personal data, (eg, mental health care).
  • Many service providers have offices or subcontractors in countries outside the EU/EEA. You must check this before using the tool. 
  • Make sure you provide honest and easily understandable information to the visitors, and respect their data subject rights.

Health care data aggregation: The French data protection regulator published recommendations for actors in the digital health sector, (in French). The sandbox projects included federated learning between several health data warehouses, a diagnostic aid solution in oncology, anonymous statistical indicators of populations in medical research, and a therapeutic game. The GDPR states that data processing in the field of health must be implemented in the public interest, and can only be mobilised by public entities, or legal entities entrusted with a public service mission. 

Thus, commercial projects, (start-ups), should be based on their legitimate interests. People’s consent in many cases was also ruled out as the companies are not in a position to collect it, particularly for the reuse of data from healthcare establishments. Finally, whenever non-anonymous data is exported, an ad hoc risk analysis must be performed to determine the necessary security measures. Continuity of security measures outside of the workplace should be ensured as much as possible. 

Customer location data: More retailers and companies are transferring their loyalty programs to mobile applications. These often demand access to the customer’s location-related data to personalise offers for each customer, taking into account their habits and other information. Regardless of the legal basis applied by the merchant for the data processing, (both consent and legitimate interest are possible), the customer has all the rights specified in the GDPR. Completely ceasing the loyalty program if the customer withdraws consent only to the processing of geolocation data will not comply with regulatory requirements. Therefore, when developing an application, it is necessary to take into account different possible levels of the loyalty program, granular consent, and withdrawal.

EdTech development: The French regulator also published a summary of the main recommendations, (in French), based on the “sandbox” project in the EdTech sector. That included actors developing a portfolio of learning skills, a communication solution for the school context, a warehouse of learning traces built with a view to their publication and analysis, and a “personal cloud” for students connected to their digital workspace. During the “sandbox” support, among other things, the technical architecture of the solutions was analysed together with the data controllers and their subcontractors. It has to be noted that:

  • State establishments, (eg, primary schools), do not have a legal personality; teachers and directors are acting as agents of the administration of national education. 
  • When onboarding a technical solution, the Ministry of national education must be considered as the only data controller, (in joint controllership with the municipality). 
  • The company offering technical solutions would become a subcontractor. 
  • For processing operations that pursue “school” purposes, the legal basis of the “mission of public interest” has been considered the most appropriate.
  • Other processing operations may require individual, (eg, parental), consent. 
  • Only authorised subcontractors and recipients of pupils’ data are allowed. 
  • Information notices must be adapted to different age groups, and more generally to the degree of maturity of the pupils concerned. 

Legal processes and redress

Non-material damage under the GDPR: The Dublin District Court awarded 2000 euros in compensation to a plaintiff over his employer’s use of CCTV footage of him, which led to victimisation by colleagues, serious embarrassment, and loss of sleep. As part of a meeting involving quality control and other managers and supervisors, the CCTV video was shown to various personnel. The plaintiff was not present at the meeting and found out afterwards that the footage had been used. The company’s data protection policies regarding CCTV were not clear or transparent, and no legitimate interest assessment of the remote monitoring of workers had been carried out. More details of the case can be found in the original analysis by the Irish lawyers.

US state privacy legislation: The most recent comprehensive state consumer data privacy law has been passed in Oregon. The law has some unique provisions despite being similar to consumer data privacy laws passed in different states. It applies to nonprofit organisations, has broad definitions of covered data, (including categories of sensitive and biometric data, as well as derived data), a smaller HIPAA, (protected health information), carveout, and grants Oregon residents the right to request a list of the third parties to whom controllers disclosed their data, opt-out options and more. Meanwhile, the Colorado Privacy Act has been enforceable since 1 July, making Colorado the third state after California and Virginia to pass a comprehensive privacy law to protect its residents.

COPPA 2.0: Amendments to the Children’s Online Privacy Protection Act, (and the Kids Online Safety Act), have been approved by a Senate Committee. They would close a loophole that lets companies abuse minors’ data with little accountability and makes it harder for the regulator to prove violations. It would be unlawful for a digital service or connected device directed at children or teens to collect, use, disclose to third parties, or compile their data for profiling and targeted marketing unless the operator has obtained consent from the relevant minor, (or “verified parental consent”). Operators must also treat each user as a child or minor unless the content is deemed to be directed at mixed audiences.

Enforcement decisions

Security measures: Open Bank was fined 2.5 million euros by Spain’s data protection regulator for failing to implement a framework permitting encrypted communication. In order to comply with anti-money laundering legislation, the complainant was asked to confirm the origin of funds received in their bank account. However, the only option was to provide the information by email, (rather than through a secure direct channel). The information requested by Open Bank is classified as ‘financial data,’ which requires strengthened safeguards. The regulator decided that Open Bank did not implement a data protection strategy from the start, neither before nor during processing.

In another recent example, the Polish regulator punished a firm to the tune of almost 9000 euros for losing employees and contractors’ personal data in a ransomware attack. The organisation failed to complete a risk assessment, notify the regulator of the breach within 72 hours of becoming aware of it, and notify the data subjects affected by the breach. The regulator also claimed that the company did not comply fully throughout its inquiry. In particular, the company’s communication was frequently inconsistent.

Non-registration with the regulator: Guernsey’s data protection authority is to pursue legal action for failure to register. It is a legal requirement for any organisation, (including sole traders), that handles people’s personal information in the course of its business activities – even if this is just names and addresses – to register with the Guernsey regulator. If you are not sure whether you need to register, there are three clear criteria:

  • You, (whether a sole trader, organisation, business, charity, landlord, business association etc.), are established in the Bailiwick of Guernsey.
  • You are working with personal data, (any information that may identify individual people, such as staff members, your clients, your business contacts, your service users, your tenants etc.), either as a ‘controller’ or a ‘processor’.
  • The activity you are performing is not part of your personal/household affairs.

Non-cooperation with the regulator: According to Data Guidance, the Polish data protection authority fined a company 8000 euros for failing to cooperate, (Art. 58 of the GDPR). The regulator received a complaint alleging that the firm had improperly shared personal information with a third party. The regulator sent the business several letters demanding further information, including the legal basis and purpose of processing. The organisation, however, did not react to any of the letters.

Reimbursement app: A one million euro fine was imposed by the Italian privacy regulator on Autostrade per l’Italia (ASPI) for having illegally processed the data of around 100,000 registered users of the toll reimbursement app called Free to X. The critical issues of the service – which allows the total or partial refund of the cost of a motorway ticket for delays due to roadworks – had been reported by a consumer association. The authority ascertained that Autostrade plays the role of data controller and not of data processor, as erroneously indicated in the documentation that governs the relationship between ASPI and the company Free to X, which created and manages the app.

Meta behavioural ads: The Norwegian data protection authority has prohibited Meta from adapting advertising based on the monitoring and profiling of users in Norway. The decision comes shortly after the CJEU stated that Meta’s data practices are still not lawful. When Meta decides which ads you get to see, it also decides which content you don’t get to see. This affects freedom of expression and information in society. There is a danger that behaviour-based marketing reinforces existing stereotypes or leads to unfair discrimination between different groups. Behaviour-based targeting of political advertisements is particularly problematic.

Medical data anonymisation for research: The Italian regulator fined a company for processing the health data of numerous patients collected from around 7000 general practitioners without adopting suitable anonymisation techniques. The GPs adhering to the international health research initiative had to add to their management system “Medico 2000” a function, (a “data extractor” add-on), aimed at automatically anonymising patient data and transmitting it to the company. In fact, the tool only pseudonymised the patient data. There was also an erroneous attribution of the role of data controller to the GPs, and therefore no legal basis for the data processing by the company.
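The distinction the Italian decision turns on, shown as an added example that is not part of the digest or of the “Medico 2000” add-on: replacing the patient’s name with a keyed token is pseudonymisation (every visit of one patient stays linkable, the key holder can reverse it, and date of birth plus postcode still single people out), whereas dropping the identifier, generalising the quasi-identifiers and suppressing small groups is one route toward anonymisation. The patient records, field names, key and k threshold are all constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample extract from a GP practice system. Every value is made up.
# Anna appears twice (two visits) so that linkability is visible.
RECORDS = [
    {"name": "Anna Rossi",    "dob": "1961-03-14", "postcode": "20121", "diagnosis": "hypertension"},
    {"name": "Anna Rossi",    "dob": "1961-03-14", "postcode": "20121", "diagnosis": "type 2 diabetes"},
    {"name": "Marco Bianchi", "dob": "1968-11-02", "postcode": "20124", "diagnosis": "hypertension"},
    {"name": "Luca Verdi",    "dob": "1975-07-30", "postcode": "10121", "diagnosis": "asthma"},
]

# Fields that single a person out in combination even once the name is gone.
QUASI_IDENTIFIERS = ("dob", "postcode")

# Hypothetical secret held by whoever runs the extractor (an assumption).
DEMO_KEY = b"constructed-demo-key"


def pseudonymise(records, key):
    """Swap the name for a keyed token (HMAC-SHA256, truncated).

    This is what an extractor that merely claims to anonymise typically does.
    The output is still personal data under the GDPR: the same patient gets
    the same token on every visit, and the key holder can reverse it.
    """
    out = []
    for r in records:
        token = hmac.new(key, r["name"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"patient_token": token, **{k: v for k, v in r.items() if k != "name"}})
    return out


def reidentify(token, candidate_names, key):
    """Reverse a token given the key and a list of names (e.g. the GP's own
    patient register). Returns the matching name, or None."""
    for name in candidate_names:
        if hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:16] == token:
            return name
    return None


def min_class_size(records, fields):
    """k-anonymity check: size of the smallest group of records that share the
    same values for `fields`. A result of 1 means some record is unique."""
    classes = Counter(tuple(r[f] for f in fields) for r in records)
    return min(classes.values()) if classes else 0


def anonymise(records, k):
    """Drop the direct identifier, generalise the quasi-identifiers (birth
    decade, first two postcode digits) and suppress every group containing
    fewer than k distinct patients. No key exists, so nothing can be reversed.
    """
    generalised = [
        {"birth_decade": r["dob"][:3] + "0s", "area": r["postcode"][:2],
         "diagnosis": r["diagnosis"], "_who": r["name"]}
        for r in records
    ]
    # Count distinct patients per group, not rows: two visits are one person.
    distinct = {(g["birth_decade"], g["area"], g["_who"]) for g in generalised}
    group_size = Counter((decade, area) for decade, area, _ in distinct)
    return [
        {field: v for field, v in g.items() if field != "_who"}
        for g in generalised
        if group_size[(g["birth_decade"], g["area"])] >= k
    ]


if __name__ == "__main__":
    pseudo = pseudonymise(RECORDS, DEMO_KEY)
    print("pseudonymised: smallest dob+postcode group =", min_class_size(pseudo, QUASI_IDENTIFIERS))
    names = [r["name"] for r in RECORDS]
    print("token reversed with the key to:", reidentify(pseudo[0]["patient_token"], names, DEMO_KEY))
    anon = anonymise(RECORDS, k=2)
    print("anonymised: rows kept =", len(anon), "smallest group =", min_class_size(anon, ("birth_decade", "area")))
```

The check that matters for an export like the one in the decision is the last one: a dataset in which the smallest dob-plus-postcode group is 1 is not anonymous, whatever the column holding the name has been replaced with.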

Data security

Videoconferencing tool: The EDPS has found that the use of Cisco Webex videoconferencing and related services by the CJEU meets the data protection standards under Regulation 2018/1725 applicable to EU institutions, bodies, offices and agencies. However, the decision is not a general endorsement nor certification of data protection compliance of the videoconferencing services provided by any Cisco Webex entity.  

With regard to technical safeguards, the court confirmed that support information is encrypted in transit, while case attachments are encrypted both in transit and at rest, in order to secure personal data from accidental loss and unauthorised access, use, alteration, and disclosure. The keys for encryption are managed by Cisco. 

The court also took organisational measures to limit or avoid transfers of personal data outside of the EU/EEA: in case Cisco needs to have remote access to the court’s Cisco Webex infrastructure, the DPO of the court, in collaboration with the court network engineers, shall analyse the possible risks for the data subjects and decide on the legitimacy of this access.

Ryanair facial recognition: Privacy advocacy group NOYB filed a complaint against Ryanair, alleging that the airline is violating customers’ data protection rights by using facial recognition to verify their identity when booking through online travel agents. The airline outsources this process to an external company named GetID. This means that customers have to entrust, (by consenting to it), their biometric data to a company they have never heard of or had a contract with. Passengers can avoid it by showing up at the airport at least 2 hours before departure or submitting a form and picture of their passport or national ID card in advance. 

Big Tech

Alexa child accounts and geolocation: The US Federal Trade Commission will require Amazon to overhaul its deletion practices and implement stringent privacy safeguards to settle charges the company violated the Children’s Online Privacy Protection Act and deceived parents and users of the Alexa voice assistant service about its data practices. Amazon claimed it retained children’s voice recordings in order to help it respond to voice commands, allow parents to review them, and improve Alexa’s speech recognition algorithm. 

Among many requirements, Amazon will have to implement a process to identify inactive Alexa child profiles. Following the identification of any inactive child profile, the company shall delete any personal information, (voice recordings and geolocation information), within 90 days, unless the parent requests that such information be retained. Misrepresenting the privacy policies related to geolocation and children’s voice information will also be prohibited.

Amazon Go shops: A recent class action against Amazon in New York over its cashier-less Amazon Go shops was voluntarily terminated for unspecified reasons. Previously, the complaint claimed that Amazon acquired biometric data from customers in violation of a New York City Biometric Identifier Information Statute. According to the complainant, Amazon scanned customers’ hands and illegally uses technologies such as computer vision, deep learning algorithms, and sensor fusion to measure customers’ bodies to identify and monitor where they walked in the shop and what they purchased. The lawsuit demanded 500 dollars for each infraction of the legislation.

Worldcoin biometric verifications: Members of the public in selected locations worldwide are being encouraged to have their eyes scanned as part of a cryptocurrency initiative that tries to distinguish humans from AI systems via biometric verification. The Worldcoin protocol operates by providing biometrically verified individuals with a digital identity in the form of a Worldcoin token, which promises to be the first crypto token issued globally and freely to people simply for being genuine individuals. Users will also receive access to the app, which will allow them to make global payments, purchases, and transfers using digital and traditional currencies. The UK Information Commissioner’s Office commented on the situation:

  • The organisation must conduct a data protection impact assessment before starting any processing that is likely to result in high risks, such as processing special category biometric data. 
  • Where they identify high risks that they cannot mitigate, they must consult the regulator.
  • The organisation also needs to have a clear lawful basis to process personal data. Where they are relying on consent, this needs to be freely given and capable of being withdrawn without detriment.

The post Data protection digest 17 – 30 July 2023: guide on website analytics, health care data sharing, and COPPA 2.0 appeared first on TechGDPR.