Technical permissions in mobile app are very useful for privacy, explains the French regulator CNIL. They allow users to block access to certain data technically. However, these permissions are not designed to validate users’ consent, within the meaning of the GDPR.  Even when consent is required, a simple request for permission does not always allow for free, specific, informed and unambiguous consent. There may also be exemptions from consent, such as for the functioning of a navigation mobile app, when the data is required for the service. However, the OS supplier requires authorization to access this information. An ideal permissions system in conjunction with a consent management system should allow one to choose without any confusion:

• the degree of processing of the data provided according to the purpose pursued (eg, more or less precise location);
• the material scope of the authorisation, (eg, access to the selected photos rather than the overall media gallery);
• The duration of the authorization is given, (eg, one-time activation of the permission or for a predetermined period). 

Stay up to date! Sign on to receive our fortnightly digest via email.

Non-material damages for US data transfers

The CJEU orders the European Commission to pay damages to a visitor to its ‘Conference on the Future of Europe’ website due to the transfer of personal data to the US without appropriate safeguards. In 2021 and 2022, a German citizen complained that the Commission violated his right to personal data protection when he used the Commission’s EU Login authentication service and chose to sign in with his Facebook account.

His data, including his IP address and information about his browser and terminal, were transferred to recipients in the US, (Meta, Amazon Web Services and CloudFront). According to the JD Supra law blog, while the sum is small, it is the first time an EU court has acknowledged that people can be awarded damages for illicit data transfers without demonstrating significant loss, paving the way for future claims, including class actions. 

More legal updates

“Maximum two complaints per month”: The NOYB privacy advocacy group explains another case, where the CJEU slammed the Austrian data protection authority for discontinuing proceedings against companies. In one example, the authority set the number of complaints that data subjects can file at a maximum of two per month. The CJEU has now made it clear: as long as you do not file abusive complaints, all users have the right to have any GDPR violation remedied by the regulator. NOYB also looked at the EU-wide problem with data protection authorities’ inactivity – statistically many cases wait well up to several years for a decision, (instead of the established 6 months). 

Canada updates: According to an IAPP analysis, the proposed federal privacy law reforms and AI regulation contained in Bill C-27 are in serious jeopardy. Prime Minister Justin Trudeau’s recent resignation has paralysed Parliamentary business. As the country awaits a national election, C-27’s approval in the Senate is delayed. The proposals include enacting the Digital Charter Implementation Act, the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act. 

India updates: The government has released a draft of the Digital Personal Data Protection Rules, (legal text available in English), under the Digital Personal Data Protection Act, (2023), and is currently seeking public feedback and comments, cms-lawnow.com law blog reports. Key rules include: consent obligations, including for children’s data, security safeguards, data breach notification, retention periods, information obligation, data transfers abroad, impact assessments and audits, and the exercise of data subject rights. 

Electronic patient records

On January 15 the “electronic patient record”, (ePA), will start with a pilot phase in Hamburg, Franconia and North Rhine-Westphalia parts of Germany. After the successful completion of the introductory phase, the nationwide rollout is planned for February 15 at the earliest. The use of ePA, was already possible voluntarily. However, from January 15, the Digital Act, (DigiG), stipulates that health insurance companies will create an ePA for all patients who have not explicitly objected to this.

Insured persons should therefore now check whether they want to use it or whether they object to its use completely or partially with an opt-out. The objection can be made at any time, and the health insurance companies must subsequently delete files that have already been created. The ePA brings with it advantages – it facilitates the exchange of medical documents, avoids duplicate examinations and makes it easier for patients to control which data they release to whom. However, there is currently also criticism, particularly regarding data security, (IT experts uncovered security flaws in the ePA at the Chaos Communication Congress at the end of 2024). 

Work agreements and data processing

DLA Piper’s legal blog looks at a CJEU case, where an employer, (in Germany), had initially concluded a temporary agreement with the works council on the use of the software ‘Workday’. It provided, inter alia, that specifically identified employee data could be transferred to a server of the parent company in the US. An employee brought a legal action for access to this information, for the deletion of data concerning him, and for compensation. On this occasion, the CJEU ruled that if employers and works councils agree on more specific rules in a work agreement regarding the processing of employees’ data, these must take into account general data protection principles, including the lawfulness of processing. Furthermore, such a work arrangement is open to judicial scrutiny. Thus, businesses should investigate if other legal bases are applicable.

More official guidance

UK online safety: On 16 December, Ofcom brought into effect new UK online safety regulations. Now digital platforms, especially bigger and riskier ones, (social media firms, search engines, messaging, gaming, dating apps, and file-sharing sites), have three months to complete illegal harm risk assessments and apply necessary safety measures, (from the list of more than 40 safeguards). Among many things, this will include, reporting and complaints duties, better moderation, easier reporting, built-in safety tests, and protecting children. The Act also enables Ofcom to make a provider use, (or in some cases develop), a specific technology to tackle child abuse or illicit content on their sites and apps. 

AI and consumer harm: America’s FTC gathered the latest casework on what companies need to consider when developing, maintaining, using, and deploying an AI-based product. This includes:

• taking necessary steps before and after deploying a product, (by testing, assessing, documenting, and inquiring); 
• preventative measures to detect, deter, and halt impersonation, fraud, abuse and non-consensual imagery;
• avoiding deceptive claims about AI tools that result in people losing money or put users at risk of harm; and, 
• ensuring privacy and security by default, (eg, abiding by legal obligations and not misleading users of a product about the usage of their data for algorithm improvement).  

Video surveillance on a large scale

Depending on the scope and purpose, video surveillance can be divided into three scales: narrow, medium, and wide-scale video surveillance, explains the Latvian regulator. Large-scale video surveillance means that the processing is carried out over a significant area and presents high risks for the processing of personal data at regional, national or transnational levels. The larger the area monitored and the more people visiting it, the higher the risk of data misuse.

If an organisation conducts video surveillance of several separate areas, their total area should be taken into account to determine whether video surveillance is taking place on a large scale. When conducting video surveillance in publicly accessible, but less populated or visited areas, the thresholds for the size of the area and the duration of data retention may be higher to qualify as large-scale. However, if video surveillance involves the processing of biometric data for the unique identification of a person, then it is considered to be the processing of special categories of data.  

Privacy of the art market

An analysis in The Art Newspaper notices that access to historic sales records is becoming more restricted due to increased confidentiality periods at auction houses.

In the EU and the UK, privacy rights are protected through contract, common law and data protection regulations. Thus, the identity of buyers and sellers is protected in several ways, which the auction houses are now restricted from disclosing without the client’s consent. Moreover, the degree to which such data privacy measures can be used to restrict access is still unclear, as the GDPR does not prescribe how long confidentiality clauses can last. 

More enforcement decisions

Genetic and health data breach: The Estonian data protection inspectorate imposed an 85,000 euro fine in connection with an incident that occurred at the end of 2023, in which the Asper Biogene OÜ system was attacked and approximately 100,000 files with people’s data, including genetic and health data, were obtained. However, the decision can still be appealed by the company. Asper Biogene OÜ is primarily engaged in testing for hereditary diseases, developing genetic tests and providing healthcare services, thereby processing health data extensively. 

Frontex case: The EDPS issued a warning to Frontex for a breach of data protection rules. The breach involved Frontex systematically sharing the personal data of suspects in transnational criminal cases with Europol without assessing whether the sharing was necessary. Such sharing can have serious consequences for individuals, who could be wrongly linked to criminal activities in Europe. Frontex stopped the transfer of personal data to Europol shortly after the inquiry and now assesses all information individually before sharing it with the agency. 

Facial recognition: The FTC meanwhile finalised an order against IntelliVision Technologies due to false claims that its AI-powered facial recognition software was free of gender or racial bias. The FTC alleged that IntelliVision lacked evidence that its software had one of the highest accuracy rates on the market and performed with zero gender or racial bias.

The complaint also alleged that IntelliVision did not train its facial recognition software on millions of faces, as it claimed, nor did it have adequate support for its claims that its anti-spoofing technology ensures the system can’t be fooled by a photo or video image.

Data security

DORA is enforceable now: The Digital Operational Resilience Act, (DORA), is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. DORA brings harmonisation of the rules relating to operational resilience for the financial sector applying to 20 different types of financial entities and ICT third-party service providers. It covers areas of compliance such as:

• ICT risk management, 
• ICT third-party risk management, 
• Digital operational resilience testing, 
• ICT-related incidents, 
• Information sharing on cyber threats, and 
• Oversight of critical third-party providers.

For resources on implementing and delegated acts, policies and guides click here.

Security updates: Privacy International meanwhile reminds us that the CrowdStrike incident, (malformed update), earlier this year had major implications for governments and businesses across the world. Among many things, it emphasises the importance of security updates, including auto-updates, which are incredibly important to keep our devices running properly and safely. What is needed is for auto-updates to be properly tested before being implemented. Moreover, too often we see companies bundling together security and feature updates, meaning that users cannot install one without the other. That’s a problem, especially if a weaker system for testing feature updates pollutes the process for security updates, or if users are prevented from having the latest security updates installed because they don’t want the features or their device does not support the feature updates.  

Big Tech

US vulnerabilities: The outgoing President Joe Biden has just signed an executive order to address US vulnerabilities following cyber attacks, (by China, Russia, Iran and ransomware criminals), that cost the country billions, the Guardian reports. Among its most notable elements is a mandate for government agencies to install end-to-end encryption for email and video communications, as well as new standards for AI-powered cyber defence systems and quantum computing protections.

The order also requires federal agencies to only purchase internet-connected devices with a “cyber trust mark” from 2027, essentially leveraging government procurement authority to encourage manufacturers to tighten security standards for items like as baby monitors and home security systems.

The post Data protection digest 1-15 Jan 2025: mobile app permissions should work in conjunction with consent requirements – CNIL appeared first on TechGDPR.

With the introduction of the GDPR in 2018, data protection has become a popular topic both from a legal and technical perspective. The importance of efforts around privacy and data protection is personal data and its protection. Under the EU GDPR, there are key elements in the definition of personal data. 

Personal data is any information relating to an –

Article 4 of the EU GDPR mentions some examples of personal data in its definition (Art.4.1). It states that personal data could be ‘ […] an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. Based on the definition of personal data and the examples stated in the EU GDPR, it may easily be inferred that technical information relating to hardware constitutes personal data, something that the new e-Privacy Regulation is expected to further clarify.

Hardware identifiers

Technical information attributed to hardware could take the form of numeric, alphanumeric or alphabetic codes used to uniquely identify a device or a batch of devices alone or within a network; for instance, the serial number of a device, the IMEI number, model number, MAC address, etc. Serial numbers are unique and assigned by a manufacturer to a device. This device could be a mobile phone, a television, a tablet, audio/video equipment, etc. According to guidance from Samsung, Serial numbers help manufacturers organise and keep track of their products. The IMEI (International Mobile Equipment Identity) number is a number that uniquely identifies a mobile communication device and no two mobile devices have the same IMEI. The IMEI number can be described as the digital fingerprint of your device. The model number is used to identify what type of device you have and applies to a number of devices that share something in common such as the manufacture or release year. While the model number is a hardware identifier, it is not unique to a device as multiple devices can have the same model number.

How can hardware identifiers be personal data?

Since these various numbers are merely hardware identifiers, how could they also be personal data? Of particular interest is the IMEI number which is often seen as the digital fingerprint of your device. Taking the definition of personal data and the IMEI number into account, the IMEI number becomes personal data as soon as it is associated with a person. Consequently, the IMEI number of a smartphone would not be regarded as personal data until it is purchased. However, when a person purchases the smartphone and activates it – which often leads to providing personal details such as name, email address, password or biometrics, i.e. opting for face ID unlock, the IMEI number becomes personal data as it is now linked to other information from the owner/user of the smartphone. 

At this point, the individual elements of the definition of personal data become important. Since personal data refers to information relating to an identified or identifiable person from direct or indirect inference, when various data points are capable of identifying a person, any data being combined with personal data, in turn, becomes personal data.  

Practical examples

Section 171 and 172 of the European Data Protection Board (EDPB) Guidelines on processing personal data in the context of connected vehicles and mobility related applications, states that when a person’s smartphone is paired with the dashboard of a rental car while using Bluetooth or USB connections, a variety of data is processed by the rental car. These might include phone identifiers, voice and data communications, contact lists, web browsing data, personal contacts, schedules, choice of music, radio and other streamed audio or video content, which all reveal personal information. As such, they help draw a precise profile of the data subject. Since IMEIs are being used to lock devices to carriers, blacklist lost or stolen phones, track the location of a smartphone, it is obvious why the IMEI number of a device should be considered as personal data after its purchase and subsequent activation. In addition, Law enforcement agencies routinely use IMEI numbers to track down criminals as well as for other forensic purposes. The use of IMEI numbers to track individuals makes a good case for why the IMEI number is personal data as soon as it becomes associated with a person by purchase, activation or however else. 

This conclusion also applies to all other hardware identifiers which are unique to the device and through which the device or its user may be traced. 

What can I do if I process IMEI numbers in the course of my business operations?

When considering whether your business processes personal data in the form of hardware identifiers, a number of factors are to be taken into account such as whether these identifiers become linked to a person through the purchase of a device, its activation or use. If you are unsure whether such identifiers constitute personal data, request a more detailed assessment from TechGDPR and its experienced consultants who will take your unique business operations into consideration and tailoring your compliance solutions.

The post Hardware identifiers: Is an IMEI number personal data? appeared first on TechGDPR.