NIS 2 Directive Archives - TechGDPR
https://techgdpr.com/blog/tag/nis-2-directive/

Data protection digest 16-31 Dec 2024: citizens’ privacy awareness is on the rise, yet attitude relies on income and obligations
https://techgdpr.com/blog/data-protection-digest-02012025-citizens-privacy-awareness-is-on-the-rise-yet-attitude-relies-on-income-and-obligations/ (Thu, 02 Jan 2025)

The post Data protection digest 16-31 Dec 2024: citizens’ privacy awareness is on the rise, yet attitude relies on income and obligations appeared first on TechGDPR.

Citizens’ privacy awareness: According to the latest survey by the Lithuanian data protection authority, a larger share of the public can correctly name an institution, (other than courts), that would help protect their rights in personal data protection. 

The regulator’s name, (VDAI), was indicated by 29% of respondents. 15% of respondents believe that they have encountered unlawful or improper processing of their data in the past year. Almost half of them say they have acted to protect their rights. People who are better informed about various laws and regulations are more confident that organisations ensure their right to personal data protection. 65% of respondents say their employers comply with the requirements. However, generally, trust in companies and institutions has been decreasing. Finally, people with higher incomes and higher positions perceive personal data protection conditions as more favourable, (72% of the top and middle-level managers), as opposed to the unemployed and small entrepreneurs.

The research methodology on citizens’ privacy awareness can be seen here.

AI development and deployment

To bridge into the 2025 technological year, the top EU data protection regulator the EDPB adopted an opinion on using personal data to develop and deploy AI models. It looks at a) when and how AI models can be considered anonymous, b) whether and how legitimate interest can be used as a legal basis for developing or using AI models, and c) what happens if an AI model is developed using personal data that was processed unlawfully. It also considers the use of first and third-party data. To that end, the EDPB is currently developing guidelines covering more specific questions, such as web scraping for AI training.

More legal updates

Norway tightens the requirements for consent for the use of cookies and similar technologies from 1 January 2025. The requirements are aligned with the EU GDPR. For consent to be valid under the new Norwegian law, it must be: 

  • voluntary
  • specific
  • informed
  • unambiguous
  • given through an active action
  • documentable
  • possible to withdraw as easily as it was given

The user must also be given accessible and understandable information that allows them to easily understand the consequences of any consent. Until now, for example, it has been sufficient for default browser settings to allow cookies. The requirement for consent does not apply to the technical storage of or access to information, (to transmit communications, or which is strictly necessary to provide a service).

As of 2025, 19 US states have comprehensive consumer privacy laws, (effective between 2024 and 2026). Most of this new legislation protects the personal data of consumers within their states (residents of that state, excluding individuals acting in employment or commercial contexts), explains a JDSupra publication. Only the California Consumer Privacy Act, (CCPA), as amended by the California Privacy Rights Act, (CPRA), applies equally to consumers, employees, and business-to-business commercial contacts. In parallel, the California Privacy Protection Agency announces increases for CCPA fines and penalties as of 1 January 2025.

Processors certification

The French CNIL is working on a draft reference framework adapted to data (sub) processors to create a new certification. A public consultation is open until 28 February. A data controller is required to use trusted processors, who provide sufficient guarantees under the GDPR, in the context of a service provided.

They often include: IT service providers, (hosting, maintenance, etc.), software integrators, IT security companies, digital service companies, marketing or communication agencies, etc. To obtain certification, it will be necessary to provide proof of compliance with each of the criteria of the standard. The draft evaluation framework is made up of 90 control points which are organised chronologically:

  • Contractualisation;
  • Preparation of the processing environment, including the security measures;
  • Implementation of the processing;
  • The end of the processing.

Website reconstruction

Organisational errors during website reconstruction may result in data being made available, states the Polish data protection regulator UODO. In the related case, a company, (Panek SA), did not implement appropriate security measures, based on the risk analysis.

It did not test the solutions it introduced, nor did it assess their effectiveness. Due to the lack of appropriate communication between the administrator and the processor, an employee of a subcontractor mistakenly placed files with data from the old service on a new page. These files were indexed by Google and thus became available to everyone, (data on 21,453 customers and employees of the company): name, email address, home address, and encrypted passwords. The company that built the website claimed that it had not received information about the functionalities, (not mentioned in the data processing agreement). The company itself emphasized that the incident would not have occurred if not for a server configuration error, for which the company’s IT services are responsible.

More from supervisory authorities

Video surveillance: One of the most common ways for entrepreneurs to protect their property is to install video surveillance cameras. If a company uses cameras to record in a place where people, (customers, employees, passersby) may be present, then it can be considered that the company is processing data and it must take into account the data protection requirements, states the Latvian regulator. The most commonly applied legal basis is the pursuit of legitimate interests. 

This implies the application of the balancing test, to check that video surveillance will not significantly infringe on the interests of the observed people. The organisation also must apply appropriate security measures, and inform data subjects, using the information sign, followed by the name of the data controller, contact information, and the purpose of the processing, as well as an indication of where further information can be found.

How to erase data: The Information Commissioner’s analysis states that 14 million UK people, (29%), don’t know how to erase their data from an old device or tech product. Over a quarter of UK adults plan to treat themselves to a new device this Christmas. However, the latest poll found that the average Brit has three unused devices sitting at home. Effective data erasure means that your data can’t be accessed by anybody else, either by mistake or for malicious purposes such as fraud. For example, a factory reset via the settings can adequately erase your personal information from most mobile phones.

Sports industry

The Irish DPC in its latest survey engaged with over 100 clubs across four major sports in terms of participation at a national level.

Notably, 56% of sports clubs do not have a personal data retention schedule. 41% of clubs reported they do not have any data protection policies, including for subject access requests or other data subject rights under the GDPR such as erasure or rectification. Finally, when a club introduces new types of technology, it is recommended to carry out a Data Protection Impact Assessment, (DPIA), to assess and mitigate the risks. But only 9% of the clubs carried it out.

Cookie banners

The Liechtenstein regulator warned website operators on the obligation to obtain consent when using cookies that are not technically necessary or when passing on data to third parties. One of the most frequently observed errors is that many consent management tools do not technically ensure that no further (tracking) scripts are executed and that no technically unnecessary cookies are stored in the browser while the cookie banner is displayed. For example, when a website is simply accessed, the personal data of the website visitor, (including the IP address), is often already transmitted to third parties.

Customers’ loan applications

Finland’s Data Protection Commissioner fined Sambla Group, a provider of loan comparison services, 950,000 euros because, due to poor data security, information about customers’ loan applications had been accessible to third parties through personal links intended for customers. The links provided access to the loan applicant’s contact information, as well as information on income, housing expenses, marital status and children. The information had been directly accessible to anyone who knew the customer’s web address and had the technical expertise to exploit the security flaws.

More enforcement decisions

Data subject request in a foreign language: Data Guidance published an exceptional case concluded by the Spanish AEPD. It decided to punish OK MOBILITY GROUP with a fine of 100,000 euros, (which was lowered to 60,000 euros following voluntary payment and acknowledgement of non-compliance), for failing to reply to an access request from a data subject, to provide a defined retention period for personal data, and for supplying an incorrect fiscal identification number. A request in German was not viable grounds for non-compliance, because the firm offers its services in Germany and the contract was concluded in German, concluded the AEPD.

Netflix fine: Between 2018 and 2020, Netflix did not provide customers with enough information about their data. Additionally, the information that Netflix did provide was unclear in some areas. The Dutch data protection authority therefore imposed a 4.75 million euro fine on the streaming service. Netflix collects various types of personal data from customers, from email addresses, phone numbers and payment details to data about what and when customers watch. In addition, customers were given too little information when they asked Netflix what data the company collects about them.

KASPR data scraping fine: The French CNIL issued a 240,000 euro fine on KASPR for collecting the contact details of users on LinkedIn who had chosen to limit their visibility. KASPR markets a paid extension for the Chrome browser that allows its customers to obtain the professional contact details of people whose profiles they visit on LinkedIn. Around 160 million contacts are included in the database set up by the company. The CNIL noted that the fact that people had chosen to make their contact details visible to their 1st and 2nd-level contacts did not amount to authorising KASPR to access and collect their contact details.

Data security

Incident reporting obligation: The Belgian NIS 2 cybersecurity authority issued guidelines for organisations on incident reporting obligations, (available in English, Dutch and French).  An incident under the NIS2 law is defined as “an event compromising the availability, authenticity, integrity or confidentiality of data stored, transmitted or being processed, or of services that networks and information systems offer or make accessible”. 

Also, notification of an event is mandatory when it constitutes a “significant” incident. It could be a) a suspected malicious event, b) an event compromising the availability of data, or c) an event causing or likely to cause material, physical or moral damage affecting other natural or legal persons. Recurring incidents that are linked through the same apparent root cause also belong to this list.

Security risks: As companies depend on accumulating more consumer data to develop products such as artificial intelligence, targeted advertising, or surveillance pricing tools, they may create valuable pools of information that bad actors can target for illicit gain, states the Federal Trade Commission. Its latest analysis looks at systemic causes of risk in several areas through the lens of data management, software development, and product design for humans. In addition, addressing security threats is nontrivial. Security practices that are employed upstream and directed at systemic vulnerabilities of technology, such as implementing data policies and access control, can minimize risk for consumers.

Companies must not only take reasonable measures to secure consumer data but also avoid misrepresenting their security practices.

Big Tech

AI Task Force: The US House Task Force on AI released a comprehensive 253-page report on the rapidly advancing technology. Gen AI systems can generate text, image, video, and audio/voice content. These systems are trained on a large set of existing written, visual, or audio data.

They identify statistical patterns in this training data and then create novel content. The report evaluates AI policy proposals in public administration, education & workforce, agriculture, healthcare and financial services, and small businesses.

A Cambridge University study, meanwhile, warns that AI is about to get into your head like never before. After decades of the ‘attention economy’ dominating, whereby websites sought to hook users for as long as possible to serve them adverts, an ‘intention economy’ is likely to replace it, with AI tools deployed to understand, forecast and manipulate human intentions to sell that data to companies. The report asserts that this emerging new marketplace for ‘digital signals of intent’ could have a huge effect on human aspirations, behaviour, and psychology beyond selling products, and could interfere with free and fair elections, a free press, and fair market competition. 

Data protection digest 16-30 Nov 2024: Electronic patient records as a holistic picture of your health?
https://techgdpr.com/blog/data-protection-digest-03112024-electronic-patient-records-as-a-holistic-picture-of-your-health/ (Tue, 03 Dec 2024)

Electronic patient records (ePA) in Germany

From 2025, people covered by health insurance will be able to use the electronic patient records, (ePA in German), voluntarily and free of charge. This record can digitally gather information about the person’s medical history in a single place. Patients will decide how long someone is granted access to their records. The information includes test results and diagnoses, as well as medical treatment reports or information about recommended treatments. 

Reportedly, the ePA will be subject to test criteria developed by the German Federal Office for Information Security, (BSI). Encrypted data processing will take place in a technically secure and trustworthy environment. No other authority should get access to it. Additionally, the ePA data will be transferred automatically and securely in the case of a change of health insurer. All existing objections and substitutions will be transferred. Patients can also add their information, such as a pain diary or old results that they already have in paper format. 

More legal updates

Data scraping on Facebook: In Germany, the Federal Court of Justice ruled on a case from 2021, when data from around 533 million Facebook users from 106 countries was publicly distributed on the Internet. The platform did not take sufficient security measures and enabled the user’s profile to be found using their telephone number, depending on the user’s searchability settings.

Unknown third parties entered randomized sequences of numbers on a large scale via the contact import function and accessed the public data available. The court decided that the plaintiff’s claim for compensation for non-material damage could not be denied. According to the privacy advocacy group NOYB, this decision aligned with the clear provisions in the GDPR, (Art. 82 – Liability and right to compensation), and several CJEU rulings. German courts previously had regularly refused damages in data protection cases. 

NIS2 guidance: ENISA has made available the draft implementing guidance of cybersecurity risk-management measures complying with the NIS2 Directive. It can be useful not only for regulated service providers but for other public or private actors to maintain compliance, and streamline audits. A mapping table correlates each requirement with European and international standards or frameworks, (ISO/IEC 27001:2022, ISO/IEC 27002:2024, NIST Cybersecurity Framework 2.0, ETSI EN 319 401 V2.2.1 (2018-04), CEN/TS 18026:2024), and with national frameworks.

In parallel, the Cyber Resilience Act was published in the Official Journal of the EU, setting uniform cybersecurity standards for the development, production and distribution of hardware and software products and remote data processing solutions, placed on the EU market. It also overlaps with other pieces of the EU legislation including the NIS2 Directive, AI Act and DORA, according to a DLA Piper analysis. The Act provides for a transition period of three years ending in December 2027. 

Short-term vehicle rental

The data protection authorities of the Baltic States conducted a joint preventive inspection to assess the compliance of the short-term vehicle rental industry. The main problem was the lack of transparency – companies were unable to provide data subjects with clear and understandable information. Some companies chose an inappropriate legal basis or were unable to sufficiently justify its adequacy.

In some cases, the same legal basis was used for all data processing activities. In some cases, customer data was not deleted according to the established criteria. Finally, in some cases, facial images were processed for customer identification based on the data subjects’ consent, without an alternative option.  

More official guidance

Data protection by design: Once again the Latvian data protection agency DVI has issued a reminder that when processing personal data, organisations must ensure that their processing complies with the principles of data protection by design and by default. This principle means that the technologies are designed in such a way that the user’s data is processed only to the minimum extent and only for as long as necessary, without requiring the user to take special steps to protect their privacy.

In a broader sense, such measures include any method or means that an organisation may apply in the process of data processing: data pseudonymisation, user-friendly interface and possibilities for users to control their data processing, implementation of malware detection systems, employee training on the basics of cyber hygiene, establishing privacy and information security management systems, and determination of contractual obligations for processors. 

Data access response: When a data subject access request is made, an organisation must take reasonable steps to comply. This includes identifying all relevant filing systems and databases, as well as using appropriate search parameters that are considered reasonably likely to find information relating to the person. Organisations must be able to demonstrate why they consider the search parameters used to be reasonable and must also be able to explain why any filing systems or electronic databases have not been searched. Otherwise, data subjects will be unable to understand the full extent of the data being used, states the Guernsey data protection authority, based on a recent enforcement case. 

MS Copilot

The Norwegian regulator looked at which assessments the Norwegian University of Science and Technology should make before Microsoft’s AI assistant is put into use. M365 Copilot sits on top of Microsoft’s M365 cloud solution. It is a prerequisite that the organisation carries out all necessary security and privacy assessments relating to the M365 platform itself. Responsibility for the data used in the Copilot rests with the businesses that use the tool. 

In the next step, purposes, tasks and legal bases associated with the personal data processing must be identified. Additionally, there is a requirement to run a multiple impact assessment when using generative AI that processes personal data and logs all interactions. It is therefore important to assess whether other AI solutions, (e.g. locally installed), with a lower privacy risk can meet the specific needs. Finally, structured monitoring must also be made for follow-ups and the quality of what the solution produces over time.

Identity card as a loyalty card

The Belgian DPA has imposed a series of corrective measures on Freedelity, a company specialising in the collection and pooling of consumer identity and contact data in partnership with various retailers. Freedelity keeps the electronic identity card number, the municipality of issue and the date of validity of the card, but this data is of no relevance to Freedelity and to the customer’s relationship with the brands. This data is mainly collected through terminals made available to retailers by Freedelity. These vendors store, share and use the customers’ data for marketing and customer relationship management purposes. 

One of the brands requires the acceptance of Freedelity’s terms and conditions to benefit from commercial advantages. Another brand considers that the insertion by a customer of his identity card in a Freedelity terminal amounts to a default consent of the customer to the processing of their data for three distinct purposes. Some brands do not mention, for example, the processing of “data sharing” when asking the consumer for consent. Additionally, the mechanisms put in place by Freedelity and its partners to withdraw consent are not sufficiently accessible or intuitive. 

More enforcement decisions

AI-powered cameras: Cameras equipped with AI offer new methods of analysis to assist professional drivers, notes the French regulator. In most cases, the employer’s legitimate interest appears likely to be concentrated on ensuring the safety of goods and people. The measures implemented should not lead to continuous monitoring of employees during their working hours. Only the data necessary to generate an alert in real-time can be processed.

Neither the images nor the technical data, (timestamp, geolocation, alert type), generated as part of the alert should be retained.

X’s Grok: The Norwegian authority looks at X’s AI model training on users’ posts, including the generative chatbot Grok. Last summer it became clear that X had trained its AI models with users’ posts without informing them. The function was pre-ticked in the user settings. X paused the processing of EU/EEA citizens’ posts after 1 August for purposes related to AI training. Now, however, X has resumed processing. According to X, they use the separate company xAI as a service provider to process X posts as well as Grok interactions, inputs and results to train and fine-tune their AI.

Platform workers: The Italian Garante has ordered Foodinho, a company of the Glovo group, to pay 5 million euros for having unlawfully processed the personal data of over 35,000 delivery riders through their digital platform. The authority has prohibited the further processing of biometric data, (facial recognition), of riders used for identity verification.

Also, through direct access to the systems, the company carries out different automated processing of riders’ data, for example, through the so-called excellence system, (a score that allows priority booking of a work shift), and the order assignment system within the shift, or to deactivate or block the account. 

Meta will give users more options

Users of Facebook and Instagram will in future be able to use the services for free and at the same time receive ads based on less personal data than before, (including age, location and gender). The prices for monthly subscriptions also will be reduced. In a low-data environment, Meta plans to introduce ad breaks to allow advertisers to connect with a wider audience. This means that some of the ads will be unskippable for a few seconds. Such practice is already offered by many of Meta’s competitors. The new option will apply in the EU, EEA and Switzerland. 

From chatbots to adbots

Privacy International investigates how AI giants want to monetise their tools to pay for their high costs, and advertising appears to be a component of many of these schemes. Microsoft, for example, is experimenting with advertising formats through its Ads for Chat API. Amazon’s latest Rufus shopping chatbot aims to proactively recommend products based on what it knows of user habits and interests.

As a result, the sponsored chatbot outputs can be far more invasive because they can be based on far more intimate information collected over time about the user and how they behave and react. 

Data protection digest 17 – 31 Oct 2024: clinical research service providers, non-for-profit, commercially available AI
https://techgdpr.com/blog/data-protection-digest-2112024-clinical-research-service-providers-non-for-profit-commercially-available-ai/ (Sat, 02 Nov 2024)

Non-for-Profit

Updated privacy guidance for not-for-profit has been released by the Office of the Australian Information Commissioner. It includes a discussion on what to consider when engaging third-party providers, such as for fundraising, or software vendors. For instance, when entering into arrangements with third parties, your non-for-profit should take reasonable steps to ensure that the third party’s privacy practices meet the expectations of both your non-for-profit and the wider community, (donors, volunteers, and people who engage with the sector as clients and staff). It is important to read the terms of your agreement carefully, conduct periodic reviews, and ensure the third party deletes any personal information at the end of the contract term. 

Consent management in Germany

On 17 October the Bundestag approved the regulation that introduces recognised consent management services to manage decisions made by end users regarding consent or non-consent to a digital service provider, thus relieving them of some of the burden, (of individual decisions that have to be made with cookie consent banners). The integration of recognised consent management services by providers of digital services is voluntary. It now has to be approved by the government and officially published to come into effect. The original regulation, (in German), can be read here.

Clinical research organisations (CROs)

The French CNIL has approved a Code of Conduct intended for clinical research organisations and other service providers, (CROs), who act as processors on behalf of sponsors. It brings an operational dimension to the requirements of the GDPR. It is supported by the non-for-profit European Clinical Research Federation (EUCROF) and is mandatory for those who adhere to it.

Among the services offered by CROs that may be covered by the code are the design of the protocol, the selection and contracting with the investigator centers, the collection and hosting of data, their analysis and the production of reports, or archiving or technical support services.

Other legal updates

NIS2 directive takes effect: New regulations to improve the cybersecurity of the EU’s vital networks and entities, (“NIS2”), should have been incorporated into national legislation by the October 17 deadline. According to a DLA Piper analysis, although some Member States such as Croatia, Hungary and Belgium have transposed the directive into national legislation, the majority of EU countries do not yet have the relevant implementing legislation and necessary guidelines for organisations in place. 

Sanction lists: The Swedish IMY has drawn up new regulations that make it permissible for certain companies to handle personal data about violations of the law without seeking permission from the regulator when, among other things, checking their customers against various sanction lists. In particular, companies that operate in the financial sector as well as in the security and defence market may need to check their customers, suppliers and employees, to comply with international export restrictions, and against money laundering and the financing of terrorism.  

Lawful collection of criminal records: The Danish data protection authority investigated Parken Services A/S’ procedures for obtaining information in the recruitment process. In particular, it obtains copies of passports and criminal records from applicants. The regulator found this processing lawful taking into account the special circumstances that apply to Parken Services A/S as an employer, including the very large number of people employed by the company, and the very special risk profile associated with a company servicing large sporting and entertainment events, especially concerning terrorism and crime.

Worker transfers data to private account without permission

An Ius Laboris law blog post analyses the recent case in the Netherlands where an employee was dismissed because he sent 791 documents from his employer’s server to his personal Dropbox account, shortly after he was told that his fixed-term employment contract would not be extended. The employer had an IT policy that stated that employees could not make copies of the employer’s data or store information from the employer in personal locations.

Additionally, the employer had recently sent an email to all employees reminding them that they were not allowed to take any documents or property belonging to the employer with them at the end of their contract. Further details of the case can be found in the original publication.

Commercially available AI

The Office of the Australian Information Commissioner has also issued new AI guidance. AI products should not be used simply because they are available, it says. Robust privacy governance and safeguards are essential for businesses to gain any advantage from AI and build trust and confidence in the community. Similarly, during AI model training, it must be carefully considered whether this will involve the collection, storage, use or disclosure of personal information, either by design or through an overly broad collection of data for training. Do this early in the process to help mitigate any privacy risks. Personal information is a broad category, and the risk of data re-identification needs to be considered. 

More official guidance

Mobile apps design: Apps often ask for permissions that they don’t need to function properly, (geolocation, contacts, camera or mic). It is recommended to grant only those strictly necessary for the function of the service. Apps also collect data about your behaviour, such as which web pages you visit, how long you spend in an app, or which features you use most often. This information may be used for ad personalisation, but you can limit or disable it in the privacy settings of your account. It is also recommended to use temporary accounts or alternate email addresses that are not linked to sensitive data.

Learning environments: The Estonian regulator emphasized the obligation of educational institutions and their learning environments to maintain the appropriate technical and organisational measures. This includes reviewing the documents and personal data entered into online environments and their retention periods, creating a system for monitoring data retention periods and deleting data at the end of a period, and ensuring that employees are informed of data protection conditions. 

It is also important that the data can be partially deleted so that it does not prevent the further processing of other data, (eg, making the data non-personal and storing it for archiving, scientific and historical research or statistical purposes). 

Work emails backup: The Italian Garante fined a company 80,000 euros for carrying out backups during the employment relationship. The complaint was filed by a commercial agent who realised that the company, during their collaboration, used software to back up emails, preserving both their contents and access logs to the emails and the company management system. The information collected was then used by the company in litigation. This also allowed the company to reconstruct the collaborator’s activity, thus incurring a form of control prohibited by the workers’ statute.


More enforcement decisions

LinkedIn fine: The Irish Data Protection Commission fined LinkedIn Ireland 310 million euros. The inquiry examined LinkedIn’s processing of personal data for behavioural analysis and targeted advertising of users who have created LinkedIn profiles. LinkedIn did not validly rely on consent to process third-party data of its members for behavioural analysis and targeted advertising. Similar validity issues applied to the legitimate interest and contractual processing of first-party personal data. 

Health data breach: The New York Attorney General secured 2.25 million dollars from the health care provider AENT for failing to protect the medical data of 200,000 New York patients. AENT failed to adequately monitor the third-party vendors responsible for its cybersecurity functions. As a result, those vendors did not install critical security software updates promptly, adequately log and monitor network activity, properly encrypt consumers’ private information before and after any attacks, utilise multi-factor authentication for all remote access, or otherwise maintain a reasonable information security program. Finally, AENT’s data storage devices continued to host unprotected private information months after two ransomware incidents occurred. Read more insights on massive health data breaches in the US here.

Pinterest: Privacy advocacy group NOYB filed a complaint against Pinterest, the social media platform whose visual mood boards are used for finding ideas and inspiration. Advertisers, on the other hand, use the platform to push their products to consumers. Pinterest’s business model is also based on personalised advertising and the associated user tracking. The platform allegedly uses people’s data without asking for their consent.

Pinterest claims to have a legitimate interest and enables tracking by default

Data security

Ransomware: In 2023, there were more ransomware attacks in the Netherlands than previously. The AP counted at least 178 successful attacks. The number of affected organisations runs into hundreds. Millions of people’s data were affected, from emails and phone numbers to copies of passports, bank account numbers, and passwords. The AP notes that while cybercriminals sometimes target one specific company in a certain sector, they also regularly attack IT suppliers that manage data on behalf of a range of companies from all sectors. 

Google Analytics: The Saxony Data Protection Commissioner discovered the illegal use of Google Analytics on 2,300 out of the 30,000 websites it examined, (compliance improved significantly throughout the inspections). Data was collected without the visitors having previously consented to the setting of analytics cookies and/or the establishment of server connections to Google Analytics. A significant number of consent banners often did not do what the settings promised users. Services were executed and cookies were set even though the settings indicated “off”. Many of the website administrators were unaware of this. 

Mobile surveillance: The Krebs-on-Security law blog reports on a recent ad data surveillance case. The Delaware-based Atlas Data Privacy Corp. filed a lawsuit against Babel Street, a technology company that allows customers to use a real-time finder at and around nearly any location on a map of the world, and to view a time-lapse history of all mobile devices seen coming in and out of the specified area.

Babel Street consumes location data and other identifying information, (built into all Google Android and Apple mobile devices), that is collected by many websites and makes this available to dozens and sometimes hundreds of ad networks that may wish to bid on showing their ad to a particular user, the analysis states. 

The post Data protection digest 17 – 31 Oct 2024: clinical research service providers, non-for-profit, commercially available AI appeared first on TechGDPR.

Data protection digest 20 Jul – 2 Aug 2024: ‘legitimate interest’ criteria, surveillance pricing, Olympics and AI (https://techgdpr.com/blog/data-protection-digest-05082024-legitimate-interest-criteria-surveillance-pricing-olympics-and-ai/, Mon, 05 Aug 2024 08:03:37 +0000)

This edition includes: the CJEU expands on the legitimate interest criteria, a summary of the most common mistakes by data controllers, AI tools enter Olympic venues in Paris, the US FTC expresses concern that user monitoring now permits AI-facilitated individualised pricing.

Stay up to date! Sign up to receive our fortnightly digest via email.

Legitimate interest criteria

A CJEU advocate general clarifies the obligation of the data controller when relying on the legitimate interest legal ground. The mere reference to ‘legitimate interest’, without any indication of precisely what that legitimate interest is, cannot satisfy the GDPR requirements. Such legitimate interest could exist, for example, where there is a relevant relationship between the data subject and the controller, (eg, the data subject is a client of the controller).

The legitimate interest criteria need careful assessment, including whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place. Preventing fraud, or even direct marketing purposes, can also constitute a legitimate interest. However, it is for the controller to demonstrate that a compelling interest overrides the interests or the fundamental rights and freedoms of the data subject.

AI Act entered into force on 1 August


The EU data protection regulators have begun to examine the supervisory powers vested in them by the new law. Large parts of the high-risk AI systems fall within its scope. This covers not just the organisations that use these systems but the whole value chain, including the software, cloud, and security firms that provide AI systems, either by selling them or by integrating them into already-existing systems. The data protection authorities face yet another challenge in light of the real-world laboratories that the AI Act establishes to foster innovation. AI developers and users now have until February 2025 to inventory the AI systems they use or sell, as well as the risk category they fall into. Organisations that create or utilise AI that is prohibited must prepare for substantial fines starting in August 2025.

Weak Children’s Privacy

The UK Information Commissioner’s Office has launched a major review of social media platforms, (SMPs), and video-sharing platforms, (VSPs), as part of the Children’s Code Strategy. It reviewed 34 SMPs and VSPs such as BeReal, Twitch, Threads, WeChat, YouTube Kids, X(Twitter) etc, focusing on the processes young people go through to sign up for accounts, with emphasis on information transparency, age assurance, default privacy settings, geolocation and exposure to algorithmic systems. The full list of audited platforms and their non-compliance issues can be seen here.

More legal processes

Surveillance pricing: The US Federal Trade Commission (FTC) launched a new investigation as reportedly a growing number of grocery stores and retailers may be using algorithms to establish individualised prices. Advancements in machine learning make it cheaper for these systems to collect and process large volumes of personal data, which can open the door for price changes based on your precise location, shopping habits, or web browsing history.  

Hashing and anonymisation: The FTC has also reiterated its long-held view that hashing or pseudonymising identifiers does not render data anonymous: hashes can still be used to identify or target users, and their misuse can lead to harm. While hashing might obscure how a user identifier appears, it still creates a unique signature, (eg, unique advertising ID), that can track a person or device over time and across apps without individual informed consent. 
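To make the FTC’s point concrete, the following is an added Python example (not code from the FTC or from this digest): it shows that an unkeyed hash of an email address remains a stable identifier that links the same person across two apps, that such a hash is reversible when the identifier comes from a known candidate list, and how a keyed, per-context HMAC pseudonym behaves differently. The user list, the two hypothetical apps and their keys are constructed for the example.

```python
"""Hashed identifiers remain identifiers: a worked demonstration.

Added example for this digest; it is not the FTC's or TechGDPR's code.
The email addresses, app names and keys below are constructed sample data.
"""
import hashlib
import hmac
import secrets

# Constructed sample users shared by two hypothetical apps ("app A" and "app B").
CONSTRUCTED_USERS = ["alice@example.com", "Bob@Example.com", "carol@example.org"]


def normalise(identifier: str) -> str:
    """Ad-tech style normalisation before hashing: trim whitespace, lower-case."""
    return identifier.strip().lower()


def sha256_token(identifier: str) -> str:
    """Unkeyed SHA-256 of the normalised identifier (the common 'hashed email')."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: the same input yields unrelated tokens under different keys."""
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def build_dataset(identifiers, tokenizer):
    """Each app stores only the token, never the raw identifier."""
    return [{"token": tokenizer(i)} for i in identifiers]


def join_on_token(left, right) -> int:
    """How many records in `right` link to a record in `left` by token equality alone."""
    left_tokens = {rec["token"] for rec in left}
    return sum(1 for rec in right if rec["token"] in left_tokens)


def linkage_with_plain_hash() -> int:
    """Unkeyed hashing: a third party holding both datasets links every shared user,
    even though app B formatted the addresses differently."""
    app_a = build_dataset(CONSTRUCTED_USERS, sha256_token)
    app_b = build_dataset([u.upper() for u in CONSTRUCTED_USERS], sha256_token)
    return join_on_token(app_a, app_b)


def linkage_with_per_context_keys() -> int:
    """Keyed, per-app pseudonyms: without both secret keys the datasets do not join."""
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    app_a = build_dataset(CONSTRUCTED_USERS, lambda i: keyed_token(i, key_a))
    app_b = build_dataset(CONSTRUCTED_USERS, lambda i: keyed_token(i, key_b))
    return join_on_token(app_a, app_b)


def dictionary_reversal(token: str, candidates):
    """Unkeyed hashes of identifiers drawn from a known or guessable set (a customer
    list, a phone-number range) are reversible by hashing each candidate and comparing.
    Returns the matching identifier, or None when no candidate hashes to the token."""
    for candidate in candidates:
        if sha256_token(candidate) == token:
            return normalise(candidate)
    return None


if __name__ == "__main__":
    print("plain SHA-256, users linked across apps:", linkage_with_plain_hash())
    print("per-app HMAC, users linked across apps:", linkage_with_per_context_keys())
    leaked = sha256_token("carol@example.org")
    print("unkeyed token reversed from a candidate list:",
          dictionary_reversal(leaked, CONSTRUCTED_USERS))
```

The keyed variant limits cross-context linkage and defeats the candidate-list check as long as the key stays secret, but a token is still a pseudonym that singles out one person inside the app that holds the key; it is pseudonymisation, not anonymisation, which is exactly the distinction the FTC draws.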

NIS2: The Hogan Lovells analysis looks at the speed of national implementations of the NIS2 Directive as the 17 October deadline approaches. So far, not all EU Member States seem to be on track to implement a common level of cybersecurity. Germany only adopted the draft document on 24 July, (the so-called “IT Security Act 3.0”). The legislation largely demands from critical sectors: implemented security risk management systems following the highest standards, (eg, ISO27001), incident reporting, corporate monitoring, and training and auditing obligations. For more on enforcement, the personal liability of directors, and geographical scope, read the original publication.

Addictive patterns

The Spanish privacy regulator warns against the use of addictive patterns in its latest study. Online services often implement deceptive and addictive design patterns to prolong the time users stay on their services, to increase the level of engagement and the amount of personal data collected, and to perform profiling. The adverse impact of addictive strategies is considerably greater when they are used to process the personal data of vulnerable people, such as children.

However, the enacted Digital Services Act establishes that online services will not design, organise or manage their interfaces in such a way as to deceive or manipulate users, or in such a way as to distort or hinder their ability to make free and informed decisions. So far the European Commission has opened two sanctioning procedures against TikTok and Meta for possible non-compliance with the above requirements.

More official guidance

Errors in data processing: The Latvian data protection authority explains the most common mistakes made by data controllers and how to avoid them. These include: a legal basis that is not chosen or is inadequate for the purpose of the processing; data subjects that are not properly informed; privacy by default that is not built into information system management; technical and organisational security measures that are ignored; incidents that are not handled and recorded; improper handling of data subject requests; a lack of core documentation and impact assessments; and poor due diligence on data processors.

Generative AI: The European AI Office has opened a call for expression of interest to participate in the drawing-up of the first general-purpose AI Code of Practice. The Code of Practice will detail the AI Act rules for providers of general-purpose AI models and general-purpose AI models with systemic risks. These rules will apply 12 months after the entry into force of the AI Act by August 2025. The Code will be prepared in an iterative drafting process by April 2025. 

According to the latest guidance from America’s NIST, one of the primary risks in Gen AI is that such systems may leak or generate sensitive information about individuals, (included in the training data). Also, the integration of nontransparent or third-party components and data may lead to diminished accountability and the possibility of potential errors across the AI value chain. Finally, the GenAI training raises risks to widely accepted privacy principles, including transparency, individual participation, (consent), and purpose specification.


Facial recognition at school

In the UK, an Essex school was reprimanded after using facial recognition technology for canteen payments. The school, which has around 1,200 pupils aged 11-18, failed to carry out a prior assessment of the risks to the children. The school had not properly obtained clear permission to process the students’ biometric information and the students were not allowed to decide whether they did or didn’t want it used in this way.

It also failed to seek opinions from its data protection officer or consult with parents and students before implementing the technology. Instead, a letter was sent to parents with a slip for them to return if they did not want their child to participate in the FRT. Affirmative ‘opt-in’ consent wasn’t sought, meaning the school was wrongly relying on assumed consent.

Emergency calls disabled

In light of the recent global IT outage, BBC articles revisit a major incident in Britain from a year ago. BT, (formerly British Telecom), has just been fined 17.5 million pounds for a failure of its emergency call handling service which led to thousands of 999 calls not being connected. The network failure lasted for more than 10 hours. The emergency call handling outage was caused by an error in a file on a BT server, which meant systems restarted as soon as call handlers received a call.

It led to staff being left logged out and calls being disconnected or being dropped as they were transferred to the emergency services. The tech company was not prepared to respond to the problem: instructions on how to solve such an issue were “poorly documented” and staff were unfamiliar with the process.

More enforcement decisions 

French Guiana fine: The French CNIL decided to impose a penalty on the municipality of Kourou, in the overseas department of French Guiana, (also known as the main spaceport of France and the European Space Agency). The municipality will have to pay 6,900 euros for still not having complied with its obligation to appoint a data protection officer despite the CNIL’s injunction of December 2023. This penalty payment does not close the procedure, as the injunction with its penalty payment continues to run as long as the municipality has not appointed a data protection officer. A new penalty payment may therefore be ordered.

Human error in an education ministry: The education minister in Northern Ireland has apologised after the personal details of more than 400 people who had offered to contribute to a review of special education needs were breached, the Guardian reports. According to the education department, 407 persons indicated their interest in attending the end-to-end review of special education needs, (SEN), events around Northern Ireland, and a spreadsheet attachment including their names, email addresses, and titles was accidentally emailed to 174 people. Several people’s remarks were included in the spreadsheet. The 174 recipients who unintentionally obtained the personal information were requested to remove it and attest to having done so.

Olympics, performance, privacy and AI

The International Olympic Committee determined over 180 potential use cases for AI in the Olympics, with some of them already in use at the Paris venue, according to a fortune.com article. The primary purposes include “enhancing the fairness and accuracy of judging and refereeing through the provision of precise metrics”. In another case, Google was announced as “the official search AI partner of Team USA”.

Finally, event organisers and the French government are also leaning on AI to monitor potential threats, (prompting the French government to temporarily change the law to allow this use of experimental surveillance technology for the Olympics).

Data security

Data breaches and exploitation of APIs: In the US, the Federal Communications Commission settled with TracFone Wireless, (a telecommunications carrier), to resolve data security investigations. The underlying data breaches involved the exploitation of application programming interfaces, (APIs), which allow different computer programs or components to communicate with one another. Numerous APIs can be leveraged to access customer information from websites, and thus are a common attack vector for threat actors. The settlement includes a mandated information security program consistent with standards identified by NIST and OWASP; subscriber identity module, (SIM), change and port-out protections; annual security assessments by independent third parties; and privacy and security awareness training for employees and certain third parties.

Big Data

Third-party cookies: Google has officially changed its plans and no longer intends to deprecate third-party cookies from the Chrome Browser, as this transition requires “significant work by many participants and will have an impact on everyone involved in online advertising”. Implementation of the Privacy Sandbox project started in 2019. Now the tech giant is proposing an updated approach that elevates user choice. Google reportedly is discussing this new path with regulators and will engage with the industry soon.


Meta record settlement: Meta has also reached a 1.4 billion-dollar settlement to resolve claims brought by the Texas Attorney General. It aims at stopping the company’s practice of capturing and using the personal biometric data of millions of Texans without authorisation. This settlement is the largest ever obtained from an action brought by a single State. In 2011, Meta rolled out a new feature that it claimed would improve the user experience by making it easier for users to “tag” photographs with the names of people in the photo.

For more than a decade Meta ran facial recognition software on virtually every face contained in the photographs uploaded to Facebook. 

Data centre’s electricity hunger: According to official estimates cited by The Guardian, Ireland’s data centres consumed more power last year than all of the country’s urban households put together. Specifically, Google, which has its European headquarters located in Ireland, stated that its data centres might potentially delay its environmentally conscious goals following a 48% surge in its total emissions last year. This is the outcome of increased demand for cloud services and data processing, which includes advances in artificial intelligence.


The post Data protection digest 20 Jul – 2 Aug 2024: ‘legitimate interest’ criteria, surveillance pricing, Olympics and AI appeared first on TechGDPR.

Weekly digest May 9 – 15, 2022: UK data protection reform, and dark patterns invalidating consent (https://techgdpr.com/blog/weekly-digest-16052022-uk-data-protection-reform-and-dark-patterns-invalidating-consent/, Mon, 16 May 2022 07:40:08 +0000)

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: UK data protection reform

Last week in the Queen’s Speech it was announced that the UK’s data protection regime will be reformed through the introduction of the Data Reform Bill, dataprotectionlawhub.com reports. The Bill’s purpose is to “create a trusted UK data protection framework that reduces burdens on businesses and boosts the economy.” Reportedly, the main elements of the Bill include:

  • a more flexible, outcomes-focused approach to data protection focused on privacy outcomes that will replace the “box tick exercises” required under current data protection law; 
  • public bodies will be able to share data to improve the delivery of services, with data protection, ensuring that the personal data of UK citizens is protected to a ‘gold standard’. 

Additionally, the future introduction of the Brexit Freedoms Bill will end the supremacy of European law. This would enable the Government to change the position of retained EU data protection law, which is currently enshrined in UK data protection law. Taken all together, this could undermine the EU’s adequacy decision for data flows with the UK. Read the full governmental proposal here.

Official guidance: UK AI toolkit, China cross-border processing, CNIL and EDPB’s annual wrap-ups

The UK’s ICO has presented its AI toolkit designed to provide further practical support to organisations to reduce the risks to individuals’ rights and freedoms caused by their own AI systems. It contains advice on a) how to interpret relevant law as it applies to AI, b) recommendations on good practice for organisations, c) technical measures to mitigate the risks to individuals that AI may cause or exacerbate, d) an AI glossary. This guidance is not a statutory code. There is no penalty if you fail to adopt good practice recommendations, as long as you find another way to comply with the law, the ICO says.

The guidance covers both the AI and data-protection-specific risks, and the implications of those risks for governance and accountability. Regardless of whether you are using AI, you should have accountability measures in place. However, adopting AI applications may require you to re-assess your existing governance and risk management practices. AI applications can exacerbate existing risks, introduce new ones, or generally make risks more difficult to assess or manage.

Meanwhile, China issued new specifications for cross-border processing of personal information by multinational corporations, as stipulated in the Personal Information Protection Law (PIPL). In particular, such companies must meet one of the following criteria in order to transfer personal information above a certain scale overseas:

  • Undergo a security review organized by the Cyberspace Administration of China, except where exempted by relevant laws and regulations. 
  • Undergo personal information protection certification by a professional institution in accordance with the regulations of the CAC. 
  • Sign a contract with a foreign party stipulating the rights and obligations of each party in accordance with standards set by the CAC, etc.

Personal information can include any data points or information that can be used to identify an individual, such as names, phone numbers, and IP addresses. Separately, the PIPL also defines “sensitive” personal information, which is subject to stricter protection requirements:

  • Biometric data, (fingerprints, iris recognition, facial recognition, and DNA);
  • Data pertaining to religious beliefs or specific identities;
  • Medical history;
  • Financial accounts;
  • Location and whereabouts;
  • Any personal information of minors under the age of 14. 

However, it does not include data that has been anonymised or abstract data that doesn’t contain any specific personal information on individuals, such as aggregated information. Read the full analysis in the original publication.

The French regulator CNIL published its 2021 activity report, (in French). One of its objectives was to provide legal certainty to all professionals with regard to the GDPR. To support them, it has thus published new sector guides and resources on its website in 2021, in particular for the voluntary associations’ sector, insurance, health and adtech. In 2021 the CNIL received 14,143 complaints and closed 12,522. It carried out 384 checks and the shortcomings noted during some of the investigations led to issuing 135 formal notices and 18 penalties, entailing fines exceeding 214 million euros. 89 of the 135 formal notices concerned cookies, one of the priority themes set by the CNIL for this year. 

The CNIL also carried out 30 new control missions with medical analysis laboratories, hospitals, service providers and data brokers in health, in particular on treatments related to the COVID-19 epidemic. Some of these procedures are still under review. Finally, it paid particular attention to the cybersecurity of the French web by controlling 22 organisations, 15 of which are public. During its investigations, the CNIL noted obsolete cryptographic suites making websites vulnerable to attacks, shortcomings concerning passwords and, more generally, insufficient resources with regard to current security issues.

At the same time the EDPB presented its annual report 2021 with a detailed overview of its work over the last year. In 2021, the EDPB adopted its final version of the recommendations on:

  • Supplementary measures following the Schrems II ruling by the Court of Justice of the EU, taking on board the input received from stakeholders during public consultation. 
  • Opinions on the UK draft adequacy decisions, under both the GDPR and the Law Enforcement Directive, as well as its opinion on the draft adequacy decision for the Republic of Korea. 
  • Guidance documents on other international transfer tools, such as Codes of Conduct, and adopted joint opinions, together with the EDPS, on the new sets of Standard Contractual Clauses, issued by the European Commission for the transfer of personal data to controllers and processors established outside the EEA. 
  • Guidelines and recommendations on topics such as personal data breach notifications, connected vehicles and virtual voice assistants, and much more.

In the US, the Network Advertising Initiative, (NAI is the leading self-regulatory association comprised exclusively of third-party digital advertising companies – ed.), issued Best Practices for User Choice and Transparency. The term “dark pattern” was coined in 2010 to refer to “tricks used in websites and apps that make you do things you didn’t mean to do, like buying or signing up for something.” They are also sometimes referred to as “deceptive patterns” or “manipulative designs.” These practices can be dynamic and multifaceted, including a series of tactics and specific design choices in apps and on websites. The guide is intended to help member companies better understand the practice of dark patterns and to implement the highlighted best practices to avoid them, namely:

  • to examine the current legal environment at the state and federal levels, (FTC ACT, CCPA and CPRA, Colorado privacy Act, and the GDPR); and 
  • to identify best practices and guide companies in maximizing effective and efficient notice and choice mechanisms with respect to collecting consumer data, (Notice and Choice, Exercising Consumer Requests, User Interface considerations).

Pursuant to the GDPR, the NAI quotes the French CNIL, which asserts that “the fact of using and abusing a strategy to divert attention or dark patterns can lead to invalidating consent.” Furthermore, in March 2022, the EDPB released a series of its own guidelines on the use of dark patterns in social media platforms, open for public comment.

Investigations and enforcement actions: IAB Europe case, IKEA Canada internal threat, whistleblowing, community owners

The IAB Europe, (the European-level association for the digital marketing and advertising ecosystem – ed.), withdrew its request for suspension of the execution of the decision issued by the Belgian Data Protection Authority, (APD), on the Transparency & Consent Framework (TCF). The request for suspension had been submitted as part of the appeal to the Belgian Market Court lodged on 4th March. The withdrawal coincides with confirmation that the APD will not take a decision on validation of the action plan submitted by IAB Europe to rectify alleged EU GDPR violations connected with TCF before Sept. 1, the date by which the Market Court is expected to have issued a ruling on the appeal.

IKEA Canada reportedly confirmed a data breach involving the personal information of approximately 95,000 customers. The furniture retailer notified Canada’s privacy regulator saying that some of its customers’ personal information appeared in the results of a “generic search” made by an employee at IKEA Canada between March 1 and March 3 using IKEA’s customer database, but no financial or banking information was involved in the breach. In a letter sent to impacted customers, IKEA Canada said that the data that may have been compromised included customer names, email addresses, phone numbers and postal codes. The IKEA Family loyalty program number belonging to customers may have also been visible. The company already made changes to reinforce its internal policies and no action was needed by customers.

The Italian privacy regulator ‘Garante’ fined ISWEB and Perugia Hospital 40,000 euros each for GDPR violations in relation to the whistleblowing system, following an ex officio investigation, Data Guidance reports. ISWEB is an IT company that provides and manages the whistleblowing application used by numerous clients, including Perugia Hospital. The ‘Garante’ found that ISWEB had failed to regulate the relationship with the hosting service provider, noting that ISWEB had engaged the hosting service provider both to carry out processing in its capacity as data controller, and for the processing carried out in its capacity as a data processor on behalf of its clients, including the Hospital. The ‘Garante’ noted that the aggravating factors for the administrative fine were: a) the nature, subject, and purpose of the processing; b) the high degree of confidentiality required by sector regulations in relation to the identity of the data subjects in cases of whistleblowing; c) the fact that no whistleblowing reports were available in the system at the time of the investigation; d) ISWEB had not regulated in any way the relationship with the hosting service provider.

At the same time, the Spanish data protection authority imposed a fine of 500 euros on a community of property owners. In particular, the decision states that the Presidency of the Community of Owners had posted a list of debtors, which included the claimant, on three community bulletin boards. Moreover, the decision noted that the bulletin boards were located inside the building entrances and that, although all the boards were locked, they were exposed to viewing by third parties from outside the community.

Data security: cybersecurity for regulated industries

EU countries and lawmakers agreed last week to tougher cybersecurity rules under the NIS 2 Directive, proposed by the Commission in December 2020, for regulated industries such as energy, transport and financial firms, digital providers and medical device makers, amid concerns about cyber attacks by state actors and other malicious players. Medium and large companies are required to assess their cybersecurity risk, notify authorities and take technical and organisational measures to counter the risks, with fines of up to 2% of global turnover for non-compliance. EU countries and the EU cybersecurity agency ENISA can also assess the risks of critical supply chains under the rules.

The political agreement reached by the European Parliament and the Council is now subject to formal approval by the two co-legislators. Once published in the Official Journal, the Directive will enter into force 20 days after publication, and Member States will then have 21 months to transpose the new elements of the Directive into national law.

Big Tech: Twitter’s ‘Data Dash’ game, Clearview AI settlement and future fine, EU biometrics, Zoom’s user emotion detection 

Twitter has rolled out a new web video game to make it easier for users to understand its privacy policy, TechCrunch reports. The goal of the game, which is called Data Dash, is to educate people on the information that Twitter collects, how the information is used and what controls users have over it: “Once you start the game, you’ll be asked to pick the language in which you would like to play. After that, you’ll have the option to select a character. The game is played by helping a dog, named Data, safely navigate “PrivaCity” by dodging ads, steering clear of spammy DMs and avoiding Twitter trolls.”

According to Reuters, France’s data privacy regulator is about to trigger the process of fining US-based Clearview AI, a facial recognition company the regulator had ordered to stop amassing data from people based in the country. The start of a formal penalty process would indicate that CNIL suspected Clearview of failing to comply with its order within the two-month deadline it had set. 

Meanwhile, under a settlement filed in an Illinois state court in Chicago, Clearview AI will stop granting paid or free access to its database to most local private businesses and individuals, as well as police. However, Clearview AI, based in New York, can still work with federal government agencies, including immigration authorities, as well as state government agencies outside Illinois. The case was brought by the American Civil Liberties Union in 2020. Clearview AI repeatedly violated the Illinois Biometric Information Privacy Act by scraping photos taken from the internet, including from social media platforms, Reuters reports.

The European Digital Rights group and 52 other organisations called for banning remote biometric identification systems in public locations, Biometric Update and IAPP News report. They called the technology, like facial recognition, one of the greatest threats to fundamental rights and democracy that destroys the possibility of anonymity in public. They have called for amendments to Article 5(1)(d) of the AI Act to extend the scope of the prohibition to cover all private as well as public actors. 

And nearly 30 civil society groups wrote a letter to Zoom’s CEO calling on the company to cease use of software that detects users’ emotions, The Hill and IAPP News report. The letter came in response to reports of Zoom beginning to roll out post-meeting sentiment analysis for hosts: “Facial expressions are incredibly variable from culture to culture and nation to nation, making creating an algorithm that can judge them equally difficult.” The groups also launched an online petition demanding that Zoom drop the technology.

The post Weekly digest May 9 – 15, 2022: UK data protection reform, and dark patterns invalidating consent appeared first on TechGDPR.

]]>