online identifiers Archives - TechGDPR
https://techgdpr.com/blog/tag/online-identifiers/
Fri, 31 Oct 2025 17:10:51 +0000

Weekly digest 20 – 26 June 2022: future US data privacy law, new ban on GA, ‘watched from home’ employees
https://techgdpr.com/blog/weekly-digest-27062022-future-us-data-privacy-law-new-ban-on-ga-watched-from-home-employees/
Mon, 27 Jun 2022 10:46:32 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: future US data privacy law, Canada’s Bill C-27

Last week the “American Data Privacy and Protection Act” was officially introduced to the US House of Representatives. If enacted by Congress, the bill promises to provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement. The future US data privacy law rests on two key provisions: federal preemption of many state privacy laws and a private right of action. According to dataprotectionreport.com, it is the only bill currently under Congressional consideration that contains both of these components. The bill’s four titles draw upon many of the EU GDPR’s key principles.

  • Duty of loyalty (data minimization, privacy by design, loyalty to individuals with respect to pricing).
  • Consumer data rights (consumer awareness, transparency, individual data ownership and control, right to consent and object, data protections for children and minors, third-party collecting entities, civil rights and algorithms, data security and protection of covered data, small business protections, and unified opt-out mechanisms).
  • Corporate accountability (executive responsibility, service providers and third parties, technical compliance programs, approved compliance guidelines, digital content forgeries).
  • Enforcement, applicability, and miscellaneous (Enforcement by the Federal Trade Commission, by State Attorneys General, by individuals, relationship to Federal and State laws, COPPA, etc.).

Meanwhile in Canada, a new draft Digital Charter Implementation Act (Bill C-27) was introduced by the ministers of Industry and Justice. It would strengthen Canada’s existing legal framework for personal information protection in the private sector and introduce new rules related to artificial intelligence: 

  • the Consumer Privacy Protection Act (CPPA) would repeal and replace the Personal Information Protection and Electronic Documents Act with a more robust framework in line with the General Data Protection Regulation;
  • the Personal Information and Data Protection Tribunal Act would establish an administrative tribunal for organizations and individuals to seek a review of Privacy Commissioner decisions, as well as impose administrative monetary penalties for certain violations of the CPPA; and
  • the Artificial Intelligence and Data Act would regulate the development and deployment of high-impact AI systems, establish an AI and Data Commissioner and outline criminal prohibitions and penalties for certain uses of AI.

Official guidance: proxy servers for US data transfers, advertising and address trading, health sector professionals

The French regulator CNIL has recently published a guide (in French) on how to bring an audience measurement tool into compliance with the GDPR, with reference to the case of Google Analytics. In February 2022 the CNIL, after a process of cooperation with its European counterparts, issued formal notices to several organizations using Google Analytics because of their unlawful data transfers to the US. Merely changing the settings that govern how the IP address is processed is not enough, says the CNIL, in particular because the IP address continues to be transferred to the US. Another defence often put forward is “encryption” of the identifier generated by Google Analytics, or replacing it with an identifier generated by the site operator. In practice, however, this provides little or no additional safeguard against possible re-identification of data subjects, mainly because Google continues to process the IP address.

However, a correctly configured proxy can constitute an operational solution to limit the risks to people’s privacy, as it breaks the direct contact between the user’s terminal equipment and the server. Beyond the case of Google Analytics, this type of solution can also make it possible to reconcile the use of other measurement tools with the GDPR rules on data transfers. The proxy server must also be hosted under conditions guaranteeing that the data it processes will not be transferred outside the EU/EEA to a country that does not have an adequacy decision. It is up to data controllers to analyse how to put the necessary measures in place if they wish to use this type of solution, and to verify that these measures are maintained over time as products evolve.

The Berlin data protection authority published guidance on advertising and address trading (in German). Advertising is relevant under data protection law whenever personal data is used for advertising purposes. Examples are personally addressed advertising mail, or e-mail advertising sent to e-mail addresses with a personal reference or addressing the recipient by name. On the other hand, unaddressed direct mail in the mailbox or advertising inserts, for example, are not covered by data protection law.

Address traders may collect personal data from business directories, commercial registers, telephone directories and other publications. As a precaution, the regulator therefore generally recommends that consumers share their own data sparingly. When ordering online, consumers should also consider whether they are interested in advertising from the company and, if not, object to advertising when placing the order. The guidance also offers sample letters for exercising data subject rights: information about the data stored about the person, deletion of stored personal data, objection to the use of stored personal data for advertising purposes, and objection to the use of personal data stored by Deutsche Post.

And for those who can read Spanish, the AEPD has published a guide aimed at professionals in the health sector. The document addresses frequent issues such as the lawful basis for processing health data, (beyond the informed consent of the patient – ed.), who can access the clinical history and in what cases, the responsibility and obligations derived from this processing, as well as the management of patients’ rights and situations that may involve communication of data to third parties. To that end, the guide attempts to respond to the various situations that arise when health professionals provide their services in hospitals or clinics, indicating the criteria for identifying, in each case, who is the controller of patients’ data and of the corresponding clinical histories.

Investigations and enforcement actions: sound recording, cookies, ban on GA in Italy, unauthorised disclosure and data storage

The Polish data protection regulator UODO fined the Warsaw Center for Intoxicated Persons some 2,000 euros in relation to the monitoring system it used. The center was accused of recording sound in the facility without a legal basis. The controller confirmed that the system records both video and sound, and that the purpose of the processing is, inter alia, to exercise constant supervision over persons brought in to sober up in order to ensure their safety. The monitoring recordings covering all rooms, including audio and video, are kept for 30 to 60 days, except when a recording is secured as evidence in pending proceedings. As the legal basis, the center indicated that the processing is necessary to fulfil a legal obligation incumbent on the controller. In addition, it referred to the regulations contained in the Act on Upbringing in Sobriety and Counteracting Alcoholism.

In the opinion of the supervisory authority, those legal provisions did not authorize the controller to process audio as well as video. In this case, sound recording is a redundant activity, not justified by the provisions of either the GDPR or the Act on Upbringing in Sobriety and Counteracting Alcoholism. Finally, the fact that audio was recorded for such a long time means that the infringement may potentially affect a very large number of people. In the UODO’s view, recording the voices of people who are often intoxicated, and thus unable to consciously formulate their statements or control the sounds they produce, is an excessive and pointless activity.

The Belgian data protection authority GBA imposed a fine of 50,000 euros on the Rossel press group for its management of cookies on the websites lesoir.be, sudinfo.be and sudpressedigital.be. The fine mainly relates to violations related to the required consent for the placement of non-essential cookies. This is the second decision taken by the GBA as part of its thematic research into the management of cookies on the most popular Belgian press sites. During its investigation in this area, the GBA identified several violations on the above sites:

  • several cookies were placed on the visitor’s device before the visitor had given consent,
  • placement of analytics and social network cookies was based on legitimate interest rather than on the user’s consent,
  • the cookie policy was incomplete and difficult to access,
  • continued browsing was treated as a sign of the user’s consent, whereas consent is only valid if it results from a clear and sufficiently specific, active action confirming acceptance of cookies,
  • the consent boxes for the placement of third-party cookies were already pre-ticked.

Moreover, when a user withdrew their consent, the procedure was ineffective.

The Italian data protection supervisor Garante ruled that a website using Google Analytics without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the US, which does not have adequate levels of data protection. The regulator came to this conclusion after a complex fact-finding exercise it started in close coordination with other EU data protection authorities, after receiving complaints.

In the case at hand, the website operators using GA collected, via cookies, information on user interactions with their websites, the pages visited and the services on offer. The wide set of data collected included the user device’s IP address along with information on browser, operating system, screen resolution, selected language, and the date and time of page viewing. This information was found to be transferred to the US. Based on these findings, the regulator adopted a decision, to be followed by additional ones, reprimanding Caffeina Media, a website operator, and ordering it to bring the processing into compliance with the GDPR within 90 days. If it fails to do so, suspension of the GA-related data flows to the US will be ordered. The Italian authority calls upon all controllers to verify the use of cookies and other tracking tools on their websites.

The Garante also recently imposed a fine of 2,500 euros on Isabella Gonzaga High School for violations of Articles 5, 6 and 9 of the GDPR, for unauthorised disclosure of a special category of data, Data Guidance reports. According to the complaint, the high school had published, in a section of the electronic register reserved for teachers, a document on the final timetable for the 2020-2021 school year which contained, next to the plaintiff’s name, a reference to the benefits the plaintiff received on account of their disability. The regulator found that:

  • the document in question also contained detailed information about personal and family events, or information linked to the specific employment relationship, of other teachers (e.g. maternity leave due to serious pregnancy complications),
  • the restricted document had been published through human error to a very wide circle of unauthorised persons, namely all of the plaintiff’s colleagues among the teaching staff.

The Danish data protection agency hit Gyldendal A/S with a fine of approximately 135,000 euros for storing information about 685,000 book club members for longer than necessary. Gyldendal kept the information in a so-called “passive database”. Information on some 395,000 of the former members had been intentionally retained for more than 10 years after they had left the book clubs. Gyldendal had no procedures or guidelines for deleting information from the passive database. After the inspection visit, Gyldendal deleted all the information in the passive database and informed the regulator that, according to the company’s assessment, it would be necessary to store information about former members for up to six years. Also, according to Gyldendal, only two employees had access to the passive database.

Big Tech: pregnancy-related data, coffee-shop location data, new ways to verify age, ‘watched from home’ employee monitoring

The US tech sector is bracing for the possibility of having to hand over pregnancy-related data to law enforcement, after the Supreme Court overturned women’s constitutional right to an abortion, Reuters reports. As state laws could limit abortion after the ruling, technology trade representatives reportedly fear police will obtain warrants for customers’ search history, geolocation and other information indicating plans to terminate a pregnancy. Prosecutors could access the same data via a subpoena, too. In one example, Mississippi prosecutors charged a mother with second-degree murder of her new-born baby after her smartphone showed she had searched for abortion medication in her third trimester.

Canada’s provincial and federal regulators recently investigated the privacy and data management practices of a well-known coffee shop and restaurant chain, DLA Piper reports. The complaint alleged that the mobile app unlawfully collected a significant amount of personal information and location data at a very high frequency, even when it was not being used. This data was then processed by a third-party supplier based in the US. The data collected by the app, either on its own or combined with other data, could be used to deduce a wealth of information about the individual, including highly sensitive information such as home address, workplace, and travel habits. The business did not:

  • conduct a privacy impact assessment before launching its application,
  • adequately inform users of how the data would be collected before obtaining their consent,
  • obtain clear and detailed consent for such uses of data, 
  • clarify contractual obligations with the third party on the use of the data collected for its own purposes.

Privacy International investigated Office 365 and found features that can enable employers to access all communications and activities on Microsoft services. One of these features, the “Microsoft Office 365 Admin Center”, can inform administrators about the productivity and efficiency of employees within their company. Another source of far more granular employee information is the “Microsoft Teams Admin Center”, followed by the “Audit” and “Content Search” features. From there an administrator can select specific users and read individual metrics for each, including how long they spent on calls, how many messages they exchanged, how many group and 1-1 meetings they attended, and more. These features can be operated without the employees’ knowledge, and there appears to be a lack of transparency for users about what data is collected and for what purpose, PI says: “This includes not only a list of pretty much most of the actions they take, but also the possibility to plainly access all the content being exchanged within the organisation and external communications through e-mail”.

Finally, Instagram is to introduce new ways to verify age. In addition to providing an ID, people will now be able to ask others to vouch for their age, or use technology that confirms their age based on a video selfie. For this, Meta is partnering with Yoti, a company that specializes in privacy-preserving ways to verify age. “If someone attempts to edit their date of birth on Instagram from under the age of 18 to 18 or over, we’ll require them to verify their age using one of three options: upload their ID, record a video selfie or ask mutual friends to verify their age (social vouching)”, says a company statement. In addition to testing the new menu of options to verify people’s ages, Meta also claims to be using AI to understand whether someone is a teen or an adult. Read more in the original statement by the company.

Weekly digest Jan 31 – Feb 6, 2022: UK international data transfer agreement imminent
https://techgdpr.com/blog/weekly-digest-07022022-uk-international-data-transfer-agreement-imminent/
Mon, 07 Feb 2022 09:37:50 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: UK IDTA, EU Clinical Trials Regulation, digital Surveillance & International law

The implementation of the UK (post-Brexit) international data transfer agreement (IDTA) has entered its final stage after being laid before Parliament. If no objections are raised, the IDTA, the Addendum to the EU Commission’s Standard Contractual Clauses, and the transitional provisions come into force on 21 March. All documents will be immediately available for organisations to comply with Art. 46 of the GDPR when making restricted transfers from the UK to countries not covered by adequacy decisions. The IDTA and Addendum replace the current standard contractual clauses for international transfers. They also take into account the binding judgment of the CJEU in the case commonly referred to as “Schrems II”, which invalidated the EU-US data transfer framework. Read more on UK restricted transfers, including a checklist with various examples and exemptions for organisations, here.

The EU Clinical Trials Regulation, enacted back in 2014, took effect on 31 January. It repealed the Clinical Trials Directive and national implementing legislation in the EU Member States. Under the Regulation, clinical trial sponsors can use the Clinical Trials Information System (CTIS) from 31 January, but are not obliged to use it immediately, in line with a three-year transition period. The CTIS provides a single-entry point for clinical trial application submission, authorisation and supervision in the EU/EEA while ensuring the highest levels of protection and safeguarding the integrity of the data generated from the trials. Recently the European Federation of Pharmaceutical Industries and Associations also confirmed that its GDPR Code of Conduct on Clinical Trials and Pharmacovigilance had progressed to the final phase of review by Data Protection Authorities prior to formal submission to the EDPB for approval.

Privacy International published an updated analysis of international law and digital surveillance, prompted by the rapid development of the technological capacity of governments and corporate entities to intercept, extract, filter, store, analyse, and disseminate the communications of whole populations. The 282-page document includes legal updates on UN resolutions, independent expert reports and the jurisprudence of European and international human rights bodies. The right to privacy is analysed through the lens of legality, necessity, proportionality and adequate safeguards. In particular, it offers a deep dive into: a) the extraterritorial application of surveillance capabilities (intelligence data sharing, adequacy mechanisms, the EU-US data transfer dilemma), b) distinctions in safeguards between metadata and content, c) the right to privacy and the roles and responsibilities of companies, d) encryption, e) biometric data processing, and much more.

Official guidance: GDPR-CARPA, health industry PETs, commercial management data, US Health Breach Notification

The EDPB adopted its opinion (the first of its kind) on the GDPR-CARPA nationwide certification scheme submitted by the Luxembourg Supervisory Authority CNPD. It is a general scheme which does not focus on a specific sector or type of processing, but helps data controllers and processors demonstrate compliance with the GDPR. The EDPB believes that organisations adhering to it will gain greater credibility, as individuals will be able to quickly assess the level of protection of their processing activities. After approval by the CNPD, the certification mechanism will be added to the register of certification mechanisms and data protection seals in accordance with Art. 42 of the GDPR. However, the EDPB stresses that GDPR-CARPA is not a certification under Art. 46 of the GDPR and therefore does not provide appropriate safeguards for transfers of personal data to third countries or international organisations. Read the full report here.

The UK Information Commissioner’s Office (ICO) invites organisations in the health sector to participate in workshops on privacy-enhancing technologies (PETs). The aim is to facilitate safe, legal and valuable data sharing in the health sector and to understand what is needed to help organisations use these technologies. According to the Director of Technology and Innovation at the ICO, PETs help organisations build trust and unlock the potential of data by putting data protection by design into practice, but their adoption appears to be incredibly slow. The information gathered from the workshops will help the ICO develop updated guidance and advice. It welcomes people from both the private and public sectors, namely:

  • health organisations and health technology start-ups that aren’t using PETs yet;
  • health or care organisations already using PETs;
  • academic experts and researchers in this field;
  • suppliers of PETs; and
  • legal and data protection experts. (Interested organisations can sign up through this link until 14 February.)

The French regulator CNIL has published two new standards, on commercial management and on the management of outstanding payments. Both tools provide legal certainty to organizations and allow them to bring their processing of personal data into compliance. These guidelines are not mandatory: organizations can deviate from their recommendations provided they can justify their choices. The framework applies to the management of orders, delivery, performance of the service or supply of goods, management of invoices and payments, unpaid debts, loyalty programs, monitoring customer relations through satisfaction surveys, managing complaints and after-sales service, and carrying out commercial prospecting. Some processing activities are excluded from the standards, such as fraud detection and prevention, or processing implemented by debt management and collection organizations. Nor do they cover scoring of outstanding debts, sharing data with or from a third party, etc. Both documents can be read here and here.

The US Federal Trade Commission (FTC) has updated its guidance on the Health Breach Notification Rule, JD Supra reports. For most hospitals, doctors’ offices and insurance companies, the Health Insurance Portability and Accountability Act (HIPAA) governs the privacy and security of health records stored online. The Health Breach Notification Rule requires certain organizations not covered by HIPAA to notify their customers, the FTC and, in some cases, the media if there is a breach of unsecured, individually identifiable health information. Makers of health apps, connected devices, and similar products must comply with the rule if they are a vendor of personal health records (PHRs), a PHR-related entity, or a third-party service provider for a vendor of PHRs or a PHR-related entity. Read more on the definition of these terms, what to do if a breach occurs, whom to notify and when, and what information to include, in the original publication.

The EDPB published an analysis, at the request of the Spanish data protection regulator AEPD, of the recent 3 million euro fine on Caixabank (Payments & Consumer). The case relates to the lack of specific and informed consent regarding profiling and decision-making for commercial purposes. The financial and payment institution’s business activities include marketing credit or debit cards, credit accounts with or without a card, and loans through three channels: direct, through an agent, or through prescribers (points of sale with which it collaborates, for example IKEA). In the framework of its commercial activities, Caixabank builds profiles for the following purposes:

  • Analyzing the risk of default upon application for a product.
  • Analyzing the risk of default during the application for a product.
  • Selecting target audience.

Consent is requested through the various channels of prescribers and agents for study and profiling purposes. In this case, the data subject was provided only with generic information on the different types of profiling and was not able to know exactly what processing they were consenting to. Nor was there any provision for the person concerned to express his or her choice for each of the purposes for which the data are processed. The controller also has to bring its processing operations into compliance with the provisions of the GDPR within six months of the decision.

The AEPD has also fined Vodafone 3.9 million euros for accountability and security failings (Art. 5 of the GDPR), Data Guidance reports. Several customers lodged complaints with the AEPD as victims of fraud through the deceitful use of their SIM cards. Reportedly the criminals obtained a replica of the data subjects’ SIM cards through Vodafone, and consequently carried out various bank transfers from online banking services and concluded contracts at the expense of those affected. The investigation found that:

  • Vodafone had not properly checked the identity of the fraudsters before issuing the SIM cards;
  • Vodafone was unable to prove that it had verified the identity of the person requesting the duplicate, the invoices issued, or the effectiveness of the measures implemented;
  • any person who had the basic personal data of a data subject could circumvent Vodafone’s security policy and obtain a replica of the data subject’s SIM card;
  • the duplication of SIM cards occurred as a result of human error, indicating a deeper problem within the organisation and a lack of foresight of the risks;
  • data subjects lost their power to organise and control their personal data, as a SIM card allows access to apps and services that require authentication or password retrieval via SMS.

You can read the full decision (in Spanish) here.

The Greek data protection authority imposed a total of 9.2 million euros in fines on telecommunications companies for personal data breaches and unlawful data processing. The regulator investigated the circumstances under which the breaches took place and the legality of record-keeping, as well as the security measures applied. A leaked file contained subscribers’ traffic data and was retained, in order to handle any problems and malfunctions, for a period of 90 days from the date of the calls. At the same time, the file was also “anonymised” (in fact pseudonymised) and kept for 12 months, after being enriched with additional simple personal data, to draw statistical conclusions about the optimal design of the mobile telephony network. As a result, the companies were found responsible for a poor data protection impact assessment, poor anonymisation, inadequate security measures, insufficient information to subscribers, and failure to allocate the GDPR-governed roles between the collaborating companies (COSMOTE/OTE).

The Belgian data protection authority has found that the Transparency and Consent Framework (TCF), developed by the Interactive Advertising Bureau (IAB) Europe, fails to comply with a number of provisions of the GDPR. The TCF is a widespread mechanism that facilitates the management of users’ preferences for online personalised advertising, and which plays a pivotal role in so-called Real Time Bidding. When users access a website or application with advertising space, technology companies representing thousands of advertisers can instantly bid behind the scenes for that advertising space through an automated algorithmic auction system, in order to display targeted ads. The draft decision was examined within the GDPR cooperation mechanism (the one-stop-shop mechanism) and was approved by all concerned authorities, representing most of the thirty countries in the EEA. IAB Europe now has two months to present an action plan to bring its activities into compliance.

Individual rights: blocking user tracking methods

The French regulator CNIL published a user-oriented guide (in French) on new online tracking methods and how to protect yourself against them. Cookies are not the only means used to track your online activity. Web players are increasingly using alternatives such as:

  • unique digital fingerprinting, which uses all the technical information provided by your computer, phone or tablet (language preference, screen size, browser type and version, hardware components, etc.), sometimes combined with the collection of the IP address;
  • tracked links (one of the most common is the insertion of web beacons in e-mails to find out whether a message has been opened by its recipient);
  • unique identifiers (most often the e-mail address: when you give your e-mail address, for example to register on a site or for a newsletter or to place an order online, it is hashed to generate a unique identifier).

The main solutions consist of either blocking the technique itself or blocking the provider of the solution (e.g. blocking domains that use these techniques, link cleaning, web beacon blocking, browser extensions, one-time e-mail addresses, etc.).

Big Tech: supermarket age verification system, mental health helpline

Technology used in checkout-free supermarkets is being trialled to identify underage drinkers in several UK supermarket chains, BBC Tech reports. Designed to cut waiting times in queues, the automated age verification system, which requires the customer’s consent, uses an algorithm to estimate how old they are. The estimate is based on a sample of 125,000 faces aged six to sixty. If it decides they are under 25, ID is required at the till. The maker, Yoti, claims that on average the system is accurate to within 1.5 years for 16 to 20 year-olds. Yoti stresses that this is not facial recognition, which tries to match individual faces to those in a database, and that the system will not retain the images it takes.

US-based mental health helpline Crisis Text Line, (CTL), is ending data sharing with AI customer-support company Loris.ai, Politico and BBC Tech report. Nonprofit CTL, a giant in its field, says it has “the largest mental health dataset in the world”. However, it spun Loris.ai off as very much a for-profit venture, and Loris uses the data to create and market customer service software. One CTL board member now says they were “wrong” to share the data with Loris, even anonymised, and transfers have been stopped. CTL insisted that any initial responses to calls for help included a consent feature, and that it was ‘transparent’ about data sharing. Critics, however, questioned the validity of the consent in many cases, considering the state of mind of crisis callers.

The post Weekly digest Jan 31 – Feb 6, 2022: UK international data transfer agreement imminent appeared first on TechGDPR.

Weekly digest November 22 – 28, 2021 “Privacy, DP, and Compliance news in focus” https://techgdpr.com/blog/weekly-digest-november-22-november-28-2021-privacy-dp-and-compliance-news-in-focus/ Tue, 30 Nov 2021 11:59:39 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU Parliament Internal Market and Consumer Protection Committee has adopted its position on the Digital Markets Act (DMA). The document sets not-to-do rules for companies with “gatekeeper” status and significant market capitalization in the EU, (online intermediation services, social networks, search engines, operating systems, online advertising services, cloud computing, and video-sharing services). It says, among other measures, that a gatekeeper shall, “for its own commercial purposes, and the placement of third-party advertising in its own services, refrain from combining personal data for the purpose of delivering targeted or micro-targeted advertising”, (eg, A/B testing), except if there is a clear, explicit, renewed, informed consent, in line with the GDPR. In particular, personal data of minors shall not be processed for commercial purposes, marketing, profiling and behaviourally targeted advertising. If a gatekeeper does not comply with the rules, the Commission can impose fines of not less than 4% and not exceeding 20% of its total worldwide turnover in the preceding financial year.

The EU Commission presented a proposal on transparency and targeting of political advertising and electoral rights. The proposed rules would require any political advert, such as on the Facebook platform, to be clearly labelled and distinguished from organic content, and to include information such as who paid for it and how much. Political targeting and amplification techniques would need to be explained publicly in unprecedented detail and would be banned when using sensitive personal data without the explicit consent of the individual. The rules on political adverts must be approved by both the EU Parliament and Council, and are likely to enter into force by 2024.

The CJEU ruled on “inbox advertising” for the purposes of direct marketing. The display in the electronic inbox of advertising messages in a form similar to that of a real email gives “a likelihood of confusion that could lead a user who clicks on the link corresponding to the advertising message to be redirected, against his or her will, to an internet site displaying that advertisement”. In the related case, two competing electricity suppliers distributed advertisements, via an advertising company, consisting of banners displayed in the email inboxes of users of a free email service. Those messages were not visually distinguishable in the list from other emails in the user’s account, except for the fact that the date was replaced by the word “advertising”.

The Court reiterated that the “ePrivacy” Directive protects subscribers against intrusion into their privacy by unsolicited communications, automated calling machines, telefaxes, emails, or SMS. However, such communications are permitted where the recipient has given prior consent. In this case the email service was offered to users in two forms: a free email service funded by advertising and a paid-for email service without advertising. Thus, it is important to determine whether the user concerned, having opted for the free email service, was duly informed of the precise means of distribution of such advertising and in fact consented to receiving advertising messages.

Official guidance

Stiffening anti-Covid measures by governments across the EU have led to employers being authorised to collect employees’ vaccination status data. In Germany, recent legislation obliges employers to monitor compliance with the so-called 3G/2G rules on a daily basis by means of verification checks, and they must also document them on a regular basis. Employees are required to provide proof of their vaccination, recovery, or testing status upon request. The law explicitly states that employers may process employees’ personal data for the above purposes. The federal data protection regulator, the BfDI, supports the introduction of a legal basis for such queries in the workplace. Nevertheless, the law, in its opinion, does not provide enough protective measures for the data of the employees concerned. There are no pseudonymisation measures and no obligation of the inspecting person to maintain confidentiality. In the opinion of the BfDI, it would be sufficient to check employees’ data for access control and then delete it immediately afterwards or at the end of the respective day. Finally, the law does not specify the purpose of storing these, soon to be very large, amounts of data.

“Turn off the microphone, (on your smartphone), turn on privacy”, says the Italian regulator Garante, which offers suggestions to avoid “prying listeners”. Smartphone sensors – and microphones in particular – can remain active even when we are not using our device. In this way they could be used to collect information, which can also be used for different purposes by third parties: for example for marketing activities. Apps which, among the access permissions requested at the time of installation, also include the use of the microphone, are a widespread phenomenon. “Too often, as users, we grant these permissions without thinking too much and without informing ourselves sufficiently about the use that will be made of our data.” The regulator has now launched an investigation on the other most downloaded apps.

For several years, digital stakeholders have been developing alternatives to third-party cookies for targeted advertising. The French regulator CNIL’s guide explains the basics behind “necessary” first-party cookies, “behavioural” third-party cookies, and alternative techniques used to bypass the growing restrictions against tracking imposed by browsers, such as “fingerprinting”, “single sign-on”, “unique identifiers” or “cohort based targeting”. The CNIL reminds developers that these technologies must always be compliant with the data protection legal framework, the GDPR and ePrivacy Directive, regarding consent and the rights of data subjects to protect their communications and terminal equipment. In particular, the operations necessary for the constitution of an individual or group profile and the provision of targeted advertising require the prior consent of the user, whether or not personal data are processed, insofar as they are not directly part of the service requested by the user. In order to ensure that the use of these technologies respects users’ privacy, the CNIL asks for a minimum set of rules:

  • enabling users to keep control over their personal data;
  • making all data subjects’ rights exercisable through user-friendly interfaces;
  • non-processing of sensitive data;
  • determining who is responsible (data controller/processor) for the implementation of these techniques within the ad tech supply chain.

Data breaches, investigations and enforcement actions

SmarterSelect, a US-based company that provides software for managing the application process for scholarships, exposed the personal data of thousands of applicants because of a misconfigured Google Cloud Storage bucket, TechCrunch reports. The data spill, discovered by a cybersecurity company, contained 1.5 terabytes of data collected by a number of programs that offer financial support to students. The data included documents such as academic transcripts, resumes and invoices for approximately 1.2 million applications to funding programs. These files contained name, email address, phone number, student photos, Social Security numbers, parents’ education and income, the students’ performance at school, and personal experiences like living in a foster home or abusive situations, descriptions of poverty etc. The company acknowledged the warning before revoking public access to the bucket in October. It’s not known whether SmarterSelect has notified those affected, nor whether it has alerted the relevant state attorney general.

The Spanish data protection authority, the AEPD, fined Vodafone España 50,000 euros for violation of national legislation on Information Society Services and Electronic Commerce. The complainant issued claims with the AEPD against continuous receipt of promotional communications from Vodafone to the complainant’s phone number. The sending of promotional communications had continued a year after the complainant exercised their right to cancellation of services and deletion of their data, to which Vodafone did not adequately respond. The aggravating factors to the violation were:

  • the intentional nature of the infringement;
  • the duration of the offence;
  • the repetitive nature of the infringement; and
  • the nature and amount of damage caused to the complainant, as he/she had to proceed with the claim to the AEPD twice.

The Spanish regulator has also fined Unión Financiera Asturiana 9,000 euros for violation of Art. 6 of the GDPR, following the unlawful processing of a complainant’s personal data in the course of business activities. Unión Financiera had wrongfully processed the claimant’s personal data instead of blocking it, as they had requested, thus processing the personal data of the complainant without a legal basis. The company did not verify the data processing had been cancelled, simply indicating to the claimant that the data was blocked without detailing the actions taken, and later claimed that there had been no intention by the claimant to request the deletion of their personal data. This prompted the claimant to raise a complaint with the AEPD, DataGuidance reports.

Certification scheme for cloud services

The EDPB adopted a letter to The European Union Agency for Cybersecurity, ENISA, concerning the European Cybersecurity Certification Scheme for Cloud Services’ (EUCS) compatibility with the Schrems II decision. In the letter, the regulator reiterates that the final certification scheme should be consistent with the obligations, including specific criteria for encryption and key management, to ensure protection against threats represented by access from authorities not subject to EU legislation and not offering an adequate level of personal data protection. As an illustration, the EDPB included in the letter its latest Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

Big Tech

Italy’s antitrust regulator the AGCM has fined Alphabet’s Google and iPhone maker Apple 10 mln euros each for “aggressive practices” linked to the commercial use of user data. The authority stated the two tech groups did not provide “clear and immediate information” on how they collect and use the data of those who access their services. Both Google and Apple said they disagreed with the antitrust decision and that they would appeal against it. The watchdog added that when users set up their account with Google, the system was designed in such a way that the terms and conditions on data usage were set up to be accepted. In the case of Apple, users do not have a choice on the issue, the antitrust regulator added. The fine is the maximum amount the watchdog can apply in these cases, the regulator said.

WhatsApp is rewriting its privacy policy as a result of a huge data protection fine earlier this year. Following an investigation the Irish data protection commissioner issued a 225 mln euro fine – the second-largest in history involving the GDPR – and ordered WhatsApp to change its policies. WhatsApp is appealing against the fine, but is amending its policy documents in Europe and the UK to comply. Previously WhatsApp users complained about an update to the company’s terms that many believed would result in data being shared with parent company Facebook, which is now called Meta. Many thought refusing to agree to the new terms and conditions would result in their accounts being blocked. The new privacy policy contains substantially more information about what exactly is done with users’ information, and how WhatsApp works with Meta.

With its latest Full Self-Driving (FSD) release, Tesla is asking drivers to consent to allowing it to collect video taken by a car’s exterior and interior cameras in case of an accident or “serious safety risk”. Tesla has gathered video footage as part of FSD before, but it was only used to train and improve its AI self-driving systems. According to the new agreement, however, Tesla will now be able to associate video with specific vehicles. “By enabling FSD Beta, I consent to Tesla’s collection of VIN-associated image data from the vehicle’s external cameras and Cabin Camera in the occurrence of a serious safety risk or a safety event like a collision,” the agreement reads. The new policy and footage data likely cover the automaker’s liability in case someone tries to blame a crash or incident on the system when driver error may be to blame. Despite the name, FSD is not an autonomous system. Tesla’s instructions tell drivers to remain alert and prepared to retake control of critical functions at any given time.

Google has pledged more restrictions on use of data from its Chrome browser. Britain’s competition regulator the CMA has been investigating Google’s plan to cut support for some third-party cookies – an initiative called the “Privacy Sandbox” – because it is worried it will impede competition in digital advertising. Google has said its users want more privacy when they are browsing the web, including not being tracked across sites. Other players in the $250 billion global digital ad sector, however, have said the loss of cookies in the world’s most popular browser will limit their ability to collect information for personalising ads and make them more reliant on Google’s user databases. Google agreed earlier this year to not implement the plan without the CMA’s sign-off, and said the changes agreed with the British regulator will apply globally.

Chinese regulators have pressed ride-hailing giant Didi Global Inc to devise a plan to delist from the New York Stock Exchange due to concerns about data security. China’s Cyberspace Administration, (CAC), has asked the management to take the company off the U.S. bourse due to worries about leakage of sensitive data. In July the CAC ordered app stores to remove 25 mobile apps operated by Didi – just days after the company listed in New York. It also told Didi to stop registering new users, citing national security and the public interest. Didi, which has about 377 million annual active users in China, provides 25 million rides a day to users in the country who sign into its app with a phone number and password. Its apps also offer other products such as delivery and financial services. Reportedly Didi is preparing to relaunch its ride-hailing and other apps in China by the end of the year in anticipation of the end of Beijing’s cybersecurity investigation into the company.

The post Weekly digest November 22 – 28, 2021 “Privacy, DP, and Compliance news in focus” appeared first on TechGDPR.

Weekly digest November 8 – 14, 2021 “Privacy, DP, and Compliance news in focus” https://techgdpr.com/blog/weekly-digest-november-8-november-14-2021-privacy-dp-and-compliance-news-in-focus/ Tue, 16 Nov 2021 07:55:43 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU Commission warned Belgium about failing to ensure the full independence of its data protection authority. The Commission considers that Belgium violates Art. 52 of the GDPR, which states that the data protection supervisory authority shall perform its tasks and exercise its powers independently. The independence of data protection authorities requires that their members are free from any external influence or incompatible occupation. However, some members of the Belgian data protection authority currently cannot be regarded as free from external influence because they either report to a management committee depending on the Belgian government, or they have taken part in governmental projects on COVID-19 contact tracing, or they are members of the Information Security Committee. Belgium now has two months to take relevant action, failing which the Commission may decide to refer the case to the Court of Justice of the European Union.

The Dutch regulator, the AP, asks legislators to vote down the proposal for the Data Processing by Partnerships Act, (WGS). In its current version it gives government organizations and private parties very broad powers to share personal data with each other, for example, in cases of suspicion of fraud or organized crime. According to the AP, this can have major consequences for people who end up “on the wrong list” or create a risk of “mass surveillance”. The purpose of the partnerships to share, store and analyze personal data on a large scale is not defined clearly enough in the bill, the AP states. According to the government, every partnership concerns “weighty general interests”, such as “monitoring the proper functioning of the market”. The WGS concerns broad categories of data – social security numbers, living situation, residence status, financial data, police data and even data about sexual behaviour. Moreover, it is not only about people’s personal data, but also their family and friends, the AP notes. Read the regulator’s opinion, (in Dutch), here.

A three billion pound class action against Google over tracking millions of iPhone users has been blocked by the UK’s top court. Legal experts said the decision meant the “floodgates” remained closed to US-style representative actions on data breaches and cyber incidents in England and Wales. The Supreme Court has upheld Google’s appeal in Lloyd v Google, limiting the ability for individuals to recover damages for simple loss of control of their personal data. Richard Lloyd, a consumer rights activist, claimed Google illegally misused the data of 4 million iPhone users by tracking and collating their internet usage on their handsets’ Safari browser in 2011 and 2012, even when users were assured they would be opted out of such tracking by default. The Supreme Court found that a claim for damages under the Data Protection Act 1998, (which precedes the UK GDPR), required proof of damage in the form of either material damage, such as financial loss, or mental distress. Relevant factors could include the time period, the quantity and nature of data captured, how that data was used and what commercial benefit there was to Google in processing it. In the absence of any such evidence, an individual is not entitled to compensation. Read the full decision here.

Official guidance

A new White Paper on digital payments and data privacy was published by the French regulator, the CNIL (in French). Payment data can make it possible to trace personal activities or to identify the behavior of individuals, creating a complex area of compliance for DP specialists. The Paper distinguishes between the terms “payment data”, “purchase data”, “contextual” (behavioral) data, “silent party” data, and “highly personal nature” (biometric) data. The CNIL considers that only authentication, and not identification, is necessary for merchants and other payment recipients. Qualifying the actors could also be key: “Criteria such as direct contact with the data subject to subsequent re-use of data for their own account can be used in determining whether an actor should be considered a data controller or data processor.”

Some other criteria include data minimisation, careful selection of third party recipients, the location of payment data storage and international data transfers, and determining a specific purpose and legal basis for each data processing activity, whether legitimate interest, (eg, for security or fraud prevention), consent of the user, or legal obligations, (eg, for compliance with anti-money laundering laws). For the latter, the CNIL stresses that data protection is only part of the regulatory framework applicable to payment data in the EU, which also includes the Payment Services Directive, the Anti-Money Laundering Directive, and the Network Information Security Directive. Finally, for security reasons, the CNIL promotes “tokenization”, the method of substituting payment data with randomly generated, single-use tokens, on which the regulator will soon publish additional recommendations.

The CNIL also developed an awareness guide, (in French), to the GDPR to support associations in their compliance. Its objectives: to reiterate the main principles, (benchmarks), to respect, and to propose an adapted action plan. France has a particularly rich network of associations, listing more than 1.3 million bodies with various profiles, both in terms of size and sectors of activity, (charitable, political, sporting, social). Most of them collect a lot of information, sometimes sensitive, which concerns various audiences – their members, partners, employees, volunteers or even donors. The guidance includes a variety of steps to be taken: keeping records of processing activities, transparent privacy notices, consent mechanisms and lawful cookie banners on websites, direct advertising, (including charitable prospecting), compliance, the prohibition on tracking the criminal history of workers and volunteers, running DPIAs, data breach notification, establishing a checklist of basic technical and organisational measures, and much more.

Enforcement actions

The Dutch regulator, the AP, has imposed a 400,000 euro fine on Transavia airline for failing to protect personal data. Poor security allowed a hacker to penetrate Transavia’s systems in 2019, granting access to the data of 25 million people. It has been established that the hacker downloaded the personal data of about 83,000 people: name, date of birth, gender, e-mail address, telephone number and flight and booking details, as well as some medical data. Security was not in order on three points:

  • The password was easy to guess and was enough to get into the system.
  • There was no so-called multi-factor authentication.
  • Once the hacker took control of these two accounts, they also had access to many of Transavia’s systems. The access was not limited to only the necessary systems.

The hacker penetrated the system in September 2019. Two months later Transavia closed the leak. The airline reported the data breach in a timely manner and informed those involved.

In Italy, the Court of Cassation upheld data protection regulator Garante’s decision to fine C.S. Group 60,000 euros. The C.S. Group, a car-sharing company, lodged a complaint against the fines for failure to notify the processing of the rented vehicles’ geolocation data and of their profiling of customers. The C.S. Group denied that the use of an algorithm to calculate tailored discounts based on additional information provided by customers could be framed as profiling, and requested the redetermination of the sanctions. The court rejected the complaint and confirmed the fines, highlighting that “processing personal data by means of an algorithm is in itself profiling, even when personal data is not stored indefinitely and is not associated with an individual customer, since it constitutes a screening of the data provided, in order to evaluate personal aspects and possibly to predict future behaviour”.

Luxembourg’s CNPD imposed corrective measures on a company for DPO-related violations (Art. 37-39 of the GDPR). The company violated its obligations to communicate the data protection officer’s contact details to the supervisory authority, and also failed to ensure that other tasks – current or past – carried out by the DPO did not result in a conflict of interests with their role as a DPO. The investigation showed that the DPO was also Head of Compliance and Money Laundering Reporting Officer, and in such a role could determine the purposes and means of processing of personal data, which contradicts the independent role of the DPO. The court also states that there were no immediate measures to mitigate the risk, such as the parallel appointment of a deputy DPO, (outside the AML department), who would be in charge of such cases. No administrative fine was imposed in this case.

The Irish data protection authority brought in some changes to its breach notification form. Here are some of the updates for controllers and processors:

  • confirming whether the breach is likely to result in a risk to the rights and freedoms of natural persons, (eg, whether the breach reaches the risk threshold), and whether the breach falls under the Law Enforcement Directive;
  • determining whether the breach relates to cross-border processing and related questions, including details of the controller’s establishments, the location of affected data subjects and whether they are “substantially affected”;
  • classifying the controller’s industry sub-sector according to Eurostat NACE criteria;
  • choosing the approximate number of data subjects from bands (1-10, 11-100);
  • detailing existing TOMs and other measures to mitigate the risk;
  • uploading supporting documents;
  • declaring, (controllers), the understanding that any information provided in the breach notification may be utilised at a future date in relation to an inquiry.

Individual rights

UK-based Privacy International continues to investigate data-related issues in the digital health sector. PI and its partners question whether adopting a given digital solution leads to more effective delivery of quality care. One of the negative outcomes is in places where digital infrastructure is still developing, (eg, India), where the time lag between data collection and digitisation can be up to 72 days, which negatively impacts patients: “Such delays not only call into question the effectiveness of the system, but also raise serious questions as to the safety of the data awaiting to be digitised, ranging from storage to access – as well as participating staff know-how and awareness of data protection obligations.”

However, similar failures may occur even in digitally progressive countries, (eg, non-functional Track and Trace QR code alert systems in the UK, or the NHS England Covid app outage). At the same time, data protection authorities have limited expertise and resources to effectively advise on the deployment of such systems in the health sector. PI also worries about the absence of proper impact assessment of the security of personal health data in centralised digital systems used by government agencies, or private-public partnerships in the UK, (eg, between the NHS and Amazon), and worldwide. Read the full analysis by PI here.

Data security

Europol has published its Internet Organised Crime Threat Assessment 2021. The report notes the rise of ransomware crews deploying multi-extortion methods by exfiltrating victims’ data and threatening to publish it. Such modi operandi could include, for example, cold calling victims’ clients, business partners and employees with the purpose of committing investment fraud. In addition, many of the ransomware affiliate programs deploy DDoS attacks against their victims to pressure them into complying with the ransom demand. “Personal information and credentials are in high demand as they are instrumental in improving the success rate of all types of social engineering attacks. Unfortunately, the market in personal information flourishes as ransomware and mobile information stealers produce an abundance of marketable material as a by-product of the primary attack.”

Criminals have also realised how much potential there is to compromise digital supply chains – organisations need to grant network access to update distributors, which makes these third-party service providers an ideal target. According to Europol, one of the solutions would be to intensify public-private partnerships, (eg, expertise and information sharing with financial institutions can help to obtain data on cybercriminals and may help rapidly freeze their criminal proceeds).

Opinion

Constant monitoring of workers and setting performance targets through algorithms is damaging employees’ mental health and needs to be controlled by new legislation, according to a group of UK MPs. Under the proposed act, workers such as delivery drivers, (who have to log most of their activity on shifts, sometimes while driving on the road), would be given the right to be involved in the design and use of algorithm-driven systems, where computers make and execute decisions about fundamental aspects of someone’s work – including in some cases allocation of shifts and pay. The parliamentary group report also recommended that corporations and public sector employers fill out algorithmic impact assessments, and expand the new umbrella body for digital regulation. Read more analysis of the proposal by the Guardian.

Big Tech

WhatsApp Ireland, owned by Meta, has secured permission from the High Court to challenge the Data Protection Commission’s (DPC) decision to fine it 225 million euros. Last August the DPC held that the messaging service had failed to comply with its obligations under the GDPR in several respects: WA’s processing of data of users and non-users of the service, and the sharing of personal data between WA and Meta companies. WA also seeks declarations from the court, including that certain provisions of the 2018 Data Protection Act are invalid and incompatible with the State’s obligations under the European Convention on Human Rights. Namely, the 2018 Act allows the DPC to engage in a form of administration of justice that is not permissible and is contrary to the Irish Constitution. Finally, the size of the fine constitutes an interference with WhatsApp’s constitutional property rights, WA claims.

Meta plans to remove detailed ad-targeting options that refer to “sensitive” topics, such as ads based on interactions with content around race, health, religious practices, political beliefs or sexual orientation. In its blog post, the company gave examples of targeting categories that would no longer be allowed on its platforms, such as “Lung cancer awareness,” “World Diabetes Day”, “LGBT culture”, “Jewish holidays” or political beliefs and social issues. It said the change would take place starting January 19, 2022. However, advertisers, (small businesses, non-profits, and advocacy groups), on Facebook and other platforms, can still target audiences by location, use their own customer lists, reach custom audiences who have engaged with their content and send ads to people with similar characteristics to those users.

Beginning in 2022, Apple and Google will impose new privacy requirements on mobile apps in the Apple App Store and Google Play Store, a National Law Review publication reminds readers. Apple’s new account deletion requirement applies to all app submissions to the App Store from January 31, 2022: an app that lets users create an account must also let them delete it from within the app. Google’s new Data Safety section launches in February 2022, and developers must submit Data Safety forms and privacy policies to Google Play by April 2022. These announcements have prompted mobile app developers to review any laws that may require them to retain certain types of data, and to make sure their apps clearly explain what data they collect, how they collect it, all uses of the data, and their retention and deletion policies.

The post Weekly digest November 8 – 14, 2021 “Privacy, DP, and Compliance news in focus” appeared first on TechGDPR.

Weekly digest November 1 – 7, 2021 “Privacy, DP, and Compliance news in focus” https://techgdpr.com/blog/weekly-digest-november-1-november-7-2021-privacy-dp-and-compliance-news-in-focus/ Mon, 08 Nov 2021 09:07:05 +0000

The post Weekly digest November 1 – 7, 2021 “Privacy, DP, and Compliance news in focus” appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

China’s Personal Information Protection Law, PIPL, came into effect on November 1. It largely blends the EU (GDPR) and California (CCPA) privacy rules for the handling of personal and sensitive information: it sets out several legal bases, general duties for those processing personal information (regular audits, training and data management programmes, and the appointment of personal information protection officers), and restrictions on cross-border transfers of personal information. The PIPL provides penalties for breach of its provisions, including fines of up to 50 million yuan (about 6.7 mln euros) or up to 5% of the preceding year’s turnover, whichever is higher. Finally, foreign companies, even with no presence in China, that process the personal information of individuals in the country are required to establish a dedicated entity or appoint a representative in China to handle related matters; the name and contact details of that entity or representative must be provided to the relevant authority. Read more analysis by WhiteCastle.

The UK government has entered the active phase of its consultation on reform of the national data protection regime; organisations have until November 19 to respond. The proposed reforms aim to establish a “pro-growth and innovation friendly” data protection regime, moving away from a “one size fits all” approach to compliance. The consultation concentrates on six key areas:

  • Reducing barriers to responsible innovation by relaxing the rules on organisations’ reliance on legitimate interests and on automated decision-making under Art. 22 of the GDPR.
  • Reducing burdens on businesses by introducing privacy management programmes in place of prescriptive requirements such as DPIAs, DPO appointments and the detailed records of processing under Article 30 of the GDPR, and by raising the threshold for reportable data breaches.
  • Reworking the rules on cookies and direct marketing, for example by allowing analytics cookies and similar technologies to be used without the user’s consent, and by permitting information to be collected from a user’s device without consent for other limited purposes.
  • Boosting trade and reducing barriers to data flows, including the use of alternative transfer mechanisms and a “risk-based” approach to granting adequacy decisions to other jurisdictions.
  • Allowing the processing of personal data for public health and emergency situations.
  • Reforming the Information Commissioner’s Office by refocusing its statutory commitments away from handling a high volume of low-level complaints.

In Germany, the Federal Ministry of the Interior, Building and Community (BMI) has evaluated the new Federal Data Protection Act (BDSG), which came into force in 2018. Both public and private users, including the data protection supervisory authorities as well as leading business associations and other institutions, were interviewed. The new BDSG, the German act that supplements and implements the GDPR at national level, has proven to be appropriate and practical, with clear standards, despite various criticisms. In addition, the Federal Statistical Office carried out a cost re-measurement as part of the evaluation and found that the compliance burden of the BDSG on the economy has fallen by about one million euros. The complete evaluation, in German, is published by the BMI.

The latest insight from EURACTIV, an independent pan-European media network specialised in EU affairs, looks at the upcoming EU Data Act. Its aim is to make more data in the EU usable to support sustainable growth and innovation across all sectors (B2B and B2G). However, the EU’s independent quality checks have so far rejected the proposal, reportedly for not providing sufficient information on the conditions under which public bodies may access data, on compensation for businesses, and on integration with other legislative measures. Data-sharing arrangements would be ‘encouraged’ via smart contracts and application programming interfaces; the text also refers to ‘essential’ technical measures for interoperability, which raises the question of whether those measures would be mandatory. Transparency obligations would require service providers to specify in the agreement what type of data is likely to be generated and how customers can access it, with SMEs exempted. Machine-generated data may also be excluded from the scope, which would make this type of data more accessible. Adoption of the Data Act is expected by the first quarter of 2022.

Official guidance

The US National Institute of Standards and Technology, NIST, explains the role of privacy-enhancing cryptography (PEC) and differential privacy techniques. Broadly, the PEC and differential privacy paradigms can be composed to give better privacy protection, notably in scenarios where sensitive data must remain confidential to each individual original source. Differential privacy replaces the exact query result with a noisy approximation, calibrated so that the presence or absence of any one individual barely changes the output, while PEC lets the parties compute that result without exfiltrating any further information to anyone. For more practical guidance, covering secure multiparty computation, private set intersection, private information retrieval, zero-knowledge proofs and fully homomorphic encryption, followed by a case study on private medical data research, see the full article.
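The composition NIST describes, as an added example written for this digest (it is not NIST's code and not taken from the article): two hospitals want an analyst to learn how many patients across both sites share a diagnosis. The PEC half is additive secret sharing over a prime field, the simplest secure multiparty computation building block; the differential privacy half is a Laplace mechanism calibrated to the count query's sensitivity of 1, with each compute server adding its own noise so that no single party ever sees the exact total. The hospitals, records, diagnoses, the field modulus and the two-server layout are all constructed assumptions.

```python
"""Added example, not NIST's code: composing a privacy-enhancing cryptography
primitive with differential privacy, as the NIST article discusses.

Constructed scenario: two hospitals each hold patient records and an analyst
wants to know how many patients across both sites carry a given diagnosis.
Neither hospital may reveal individual records to anyone, and the released
figure must not betray whether any single patient was present.

PEC part: additive secret sharing over a prime field. Each hospital splits its
local count into one share per compute server; each server adds the shares it
received; only the final sum is ever reconstructed.
DP part: the Laplace mechanism, calibrated to the query's L1 sensitivity. Each
server adds its own integer-rounded Laplace sample to its partial sum, so the
exact count is never visible to any one server. Rounding the noise and adding
another server's independent noise are both post-processing of an epsilon-DP
value, so the release stays epsilon-DP as long as at least one server is
honest, which is the same assumption that keeps the shares private.
"""
import random
import secrets

PRIME = 2**61 - 1  # modulus for the shares (assumption; any large prime works)


def share(value: int, n_servers: int) -> list[int]:
    """Split value into n_servers additive shares mod PRIME.

    Any n_servers - 1 of the shares are uniformly random and reveal nothing.
    """
    shares = [secrets.randbelow(PRIME) for _ in range(n_servers - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def reconstruct(shares: list[int]) -> int:
    """Recombine shares into a signed integer (valid while |value| << PRIME/2)."""
    total = sum(shares) % PRIME
    return total - PRIME if total > PRIME // 2 else total


def laplace_int(scale: float, rng: random.Random) -> int:
    """Integer-rounded Laplace(0, scale) sample.

    Lap(b) is the difference of two independent Exp(rate = 1/b) variables.
    Floating-point Laplace sampling has known pitfalls (Mironov, 2012); a
    production system should use a discrete mechanism and a CSPRNG.
    """
    return round(rng.expovariate(1 / scale) - rng.expovariate(1 / scale))


def local_count(records: list[dict], diagnosis: str) -> int:
    """Plain count query. Its L1 sensitivity is 1: adding or removing one
    patient changes the answer by at most 1."""
    return sum(1 for r in records if r["diagnosis"] == diagnosis)


def private_joint_count(sites: list[list[dict]], diagnosis: str,
                        epsilon: float, n_servers: int = 2, seed=None) -> int:
    """Run the PEC+DP protocol and return the only value the analyst learns."""
    rng = random.Random(seed)  # a fixed seed is for reproducible tests only
    sensitivity = 1
    scale = sensitivity / epsilon

    # 1. Each hospital secret-shares its local count; share j goes to server j.
    server_inbox = [[] for _ in range(n_servers)]
    for records in sites:
        for j, s in enumerate(share(local_count(records, diagnosis), n_servers)):
            server_inbox[j].append(s)

    # 2. Each server sums what it received (still uniformly random on its own)
    #    and adds its own noise share before releasing anything.
    released = []
    for inbox in server_inbox:
        partial = sum(inbox) % PRIME
        released.append((partial + laplace_int(scale, rng)) % PRIME)

    # 3. The analyst reconstructs the noisy total; the exact count and the
    #    individual noise values are never observable by any single party.
    return reconstruct(released)


# Constructed sample records; no real patient data.
HOSPITAL_A = [
    {"patient": "A-001", "diagnosis": "diabetes"},
    {"patient": "A-002", "diagnosis": "asthma"},
    {"patient": "A-003", "diagnosis": "diabetes"},
]
HOSPITAL_B = [
    {"patient": "B-001", "diagnosis": "diabetes"},
    {"patient": "B-002", "diagnosis": "hypertension"},
]

if __name__ == "__main__":
    exact = local_count(HOSPITAL_A, "diabetes") + local_count(HOSPITAL_B, "diabetes")
    noisy = private_joint_count([HOSPITAL_A, HOSPITAL_B], "diabetes", epsilon=1.0)
    print(f"exact (never released) = {exact}, released = {noisy}")
```

The two halves protect against different things: secret sharing hides each hospital's exact contribution from the servers and from the analyst, while the noise hides whether any one patient is in the data at all from the analyst who sees the answer. Dropping either half leaves a gap, which is the point of the NIST article's argument for composing them.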

The Luxembourg data protection authority, the CNPD, has published a comprehensive update of its guidelines (in French) on cookies and similar technologies, such as “fingerprinting”, “web beacons” and “flash cookies”, used for excessive tracking, profiling and targeting of users and customers. The guidance clearly distinguishes essential from non-essential cookies, draws the line at which data controllers are obliged to obtain consent, explains the risks of relying on consent management platforms set up by third parties, and provides plenty of visual examples of what a “cookie banner” should and should not look like.

The Italian data protection authority, the Garante, provided clarification on direct marketing through social media platforms. A data subject complained of receiving a marketing communication sent by a company through LinkedIn; the communication offered real estate services for a specific property owned by the claimant. The company justified this practice on the grounds that the claimant’s LinkedIn profile was set to allow communications from any other LinkedIn user. The Garante did not accept the company’s arguments: LinkedIn is a platform whose purpose is to connect users who share professional interests or who are seeking job opportunities, not the sale of products and services. The Garante also found that the use of personal data obtained from the public real estate register breached Art. 5 of the GDPR: the register may be consulted only to verify ownership of a property, not for direct marketing purposes. The Garante did not sanction the company for this, as it is a micro-enterprise whose business had been strongly impacted by the pandemic, but it imposed a 5,000 euro fine for the company’s failure to respond to its requests during the investigation.

The Polish data protection authority, UODO, continued a series of blog posts (in Polish) on creating a successful code of conduct. This time it looks at effective mechanisms for monitoring compliance with the provisions of a code for private entities (Art. 41 of the GDPR). First of all, the code of conduct must designate the body that monitors compliance with the code by the organisations that accede to it. To be accredited, the monitoring body must demonstrate its independence from the code’s author and have appropriate financial, human, organisational and technical resources. From that point, the monitoring body is responsible for preliminary audits and regular checks, as well as for ad hoc audits in the event of data breach complaints. Further tasks include issuing comments and post-inspection recommendations and following up their implementation; imposing sanctions, suspensions and exclusions; handling appeals; cooperating with the supervisory authority and the authors of the code; taking part in the code review mechanism; educating and promoting data protection principles; and ongoing cooperation with members of the code (for example in the event of a data breach notification), clarifying doubts and helping members ensure an adequate level of personal data protection.

The Dutch data protection authority, the AP, has mapped out the trends and risks for the protection of personal data in education. “Due to the autonomous position of teachers and the ‘proliferation’ of apps and software in education, it is difficult for educational institutions to keep control over data processing”, the AP states. The regulator identifies three key trends and risks: excessive monitoring of pupils and students and their learning performance; dependence on major suppliers; and the growing exchange of data in partnerships. The AP’s recommendations focus on setting up the basics of privacy and management programmes, such as keeping up-to-date records of processing activities, running self-assessments of risk and training employees. The AP has also called on ministers to table a package of measures to help institutions with the task.

Enforcement actions

The Romanian supervisory authority, the ANSPDCP, found IKEA Romania in violation of Art. 32 of the GDPR. The company organised a drawing contest in which the children of IKEA Family members took part. Participants uploaded their drawings to the online platform dedicated to members, together with participation forms containing their own personal data and that of their parents or legal guardians. When the drawings were published on the platform so that members could vote for the best one, the participation forms were mistakenly published alongside them. The disclosed data included the first name, surname and age of minors, and the first name, surname, city, country, e-mail address, IKEA Family membership number and handwritten signature of the adults. The exposure lasted about 40 hours and affected 114 individuals, so a minor fine of 1,000 euros was issued.

A British firm, Huq, which sells people’s location data, has admitted that some of its information was gathered without seeking permission from users. Huq collects location data from apps on people’s phones and sells it on to clients, which include dozens of English and Scottish city councils. The apps in question measured wi-fi strength and scanned barcodes; a council could use the data they provided to estimate, for example, how many people visited a high street within a given timeframe. Huq said it was aware of two “technical breaches” and had asked for code revisions and for the apps to be republished. Firms that collect location data from apps and then sell it on are under increased scrutiny in the EU: the Danish data protection authority is currently looking into whether there is “a legal basis” for the way Huq has processed personal data. Meanwhile, the UK’s Information Commissioner’s Office has issued a reprimand to another UK-based location data firm, Tamoco, for failing to provide sufficient privacy information to users.

The Danish data protection authority also received a data breach notification from Coop Danmark A/S concerning personal information that had been stored on the company’s shared drive without adequate access control. The information concerned a total of 477 employees and external consultants. Coop discovered the breach while testing a new scanning tool. The regulator found that Coop had not complied with the requirement for necessary security measures: the company should already have been aware that employees could incorrectly place personal data on the shared drive, and should have checked and cleaned up the drive and introduced relevant security measures at an earlier stage. However, Coop reported the breach to the authority within the 72-hour time limit, so no fine was issued.

The French regulator, the CNIL, sanctioned the RATP, Paris’s public transport company, with a fine of 400,000 euros after finding that several bus centres had recorded the number of days of strike action taken by workers in the evaluation files used to prepare promotion decisions. It also noted an excessive data retention period and data security failings. The RATP had failed in its obligations, in particular because only data strictly necessary for the assessment of agents should have been in the promotion files: the number of days of absence was sufficient, without specifying that the absence was linked to exercising the right to strike. The CNIL therefore imposed the fine and decided to make its decision public.

Opinion

Challenges with anonymising genetic data are analysed in a Herbert Smith Freehills blog series.

“As soon as one dataset is merged with another relating to the same set of data subjects, it becomes more likely that the information could be used to re-identify a data subject. For example, it was reported last year that the British National Health Service had sold medical records to pharmaceutical companies that could be used to re-identify “anonymised” genetic information collected for diagnostic purposes.”

Advances in AI are also making it harder to anonymise data, because it is increasingly easy to match up various pieces of data and link them to one individual. And sometimes anonymisation just isn’t desirable: the more identifiable information that is collated, the more valuable the dataset is for research. As a result, an attempt to anonymise genetic data may well fall short and result in pseudonymisation only. Unlike anonymised data, pseudonymised data remains within the scope of the GDPR, the analysis states.
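The linkage risk the analysis describes, as an added example written for this digest (not code from Herbert Smith Freehills): a research extract with names removed still carries quasi-identifiers (postcode, date of birth, sex) next to a sensitive genetic result. Joining it with a second dataset that lists the same quasi-identifiers with names re-identifies every record whose combination is unique, which is what makes the extract pseudonymised rather than anonymous. The example also shows the usual mitigation, generalising the quasi-identifiers, and measures its effect with k-anonymity. Both datasets, all names, postcodes, dates and results are constructed.

```python
"""Added example, not part of the Herbert Smith Freehills analysis: a linkage
attack showing how a dataset that looks anonymous on its own becomes
re-identifiable once joined with another dataset about the same people.

The research extract has names removed but keeps quasi-identifiers next to a
sensitive genetic result. A constructed register-style dataset carries the
same quasi-identifiers with names. An exact join on the quasi-identifiers
re-identifies every extract record whose combination is unique in the
register. All records are constructed; no real person is described.
"""
from collections import defaultdict

QUASI_IDENTIFIERS = ("postcode", "dob", "sex")

# "De-identified" research extract: names stripped, sensitive attribute kept.
RESEARCH_EXTRACT = [
    {"postcode": "SW1A 1AA", "dob": "1978-03-14", "sex": "F", "result": "BRCA1 pathogenic variant"},
    {"postcode": "SW1A 2BB", "dob": "1965-11-02", "sex": "M", "result": "no variant found"},
    {"postcode": "EC1A 1BB", "dob": "1990-07-21", "sex": "F", "result": "BRCA2 pathogenic variant"},
    {"postcode": "EC1A 9ZZ", "dob": "1990-01-05", "sex": "F", "result": "variant of uncertain significance"},
    {"postcode": "SW1A 1AA", "dob": "1978-09-30", "sex": "F", "result": "no variant found"},
    {"postcode": "SW1A 2BB", "dob": "1965-05-19", "sex": "M", "result": "BRCA2 pathogenic variant"},
]

# Public register-style dataset (constructed): names plus the same quasi-identifiers.
PUBLIC_REGISTER = [
    {"name": "Alice Example",  "postcode": "SW1A 1AA", "dob": "1978-03-14", "sex": "F"},
    {"name": "Bob Example",    "postcode": "SW1A 2BB", "dob": "1965-11-02", "sex": "M"},
    {"name": "Carol Example",  "postcode": "EC1A 1BB", "dob": "1990-07-21", "sex": "F"},
    {"name": "Erin Example",   "postcode": "SW1A 1AA", "dob": "1978-09-30", "sex": "F"},
    {"name": "Frank Example",  "postcode": "SW1A 2BB", "dob": "1965-05-19", "sex": "M"},
    {"name": "Grace Example",  "postcode": "EC1A 9ZZ", "dob": "1990-01-05", "sex": "F"},
    {"name": "Hannah Example", "postcode": "EC1A 9ZZ", "dob": "1990-01-05", "sex": "F"},
]


def quasi_key(record: dict) -> tuple:
    """The quasi-identifier tuple used for the join."""
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def linkage_attack(extract: list[dict], register: list[dict]) -> dict:
    """Join on the quasi-identifiers and return {name: sensitive result} for
    every extract record that matches exactly one register entry. Ambiguous
    matches are left out: the attacker cannot tell which candidate it is."""
    candidates = defaultdict(list)
    for entry in register:
        candidates[quasi_key(entry)].append(entry["name"])
    hits = {}
    for record in extract:
        names = candidates.get(quasi_key(record), [])
        if len(names) == 1:
            hits[names[0]] = record["result"]
    return hits


def generalise(record: dict) -> dict:
    """Coarsen the quasi-identifiers: outward postcode only, birth year only.
    This is the basic tool for raising k-anonymity, at a cost in utility."""
    coarse = dict(record)
    coarse["postcode"] = record["postcode"].split()[0]
    coarse["dob"] = record["dob"][:4]
    return coarse


def smallest_equivalence_class(rows: list[dict]) -> int:
    """k-anonymity of a table: the size of the smallest group of rows that
    share the same quasi-identifier values (k = 1 means someone is unique)."""
    sizes = defaultdict(int)
    for row in rows:
        sizes[quasi_key(row)] += 1
    return min(sizes.values())


if __name__ == "__main__":
    print("raw join:", linkage_attack(RESEARCH_EXTRACT, PUBLIC_REGISTER))
    coarse_extract = [generalise(r) for r in RESEARCH_EXTRACT]
    coarse_register = [generalise(r) for r in PUBLIC_REGISTER]
    print("after generalisation:", linkage_attack(coarse_extract, coarse_register))
```

Generalisation defeats this exact-match join on the constructed data, but it is not a guarantee: a genome itself is a quasi-identifier, and the fuzzy matching the analysis attributes to AI advances can link records that no longer share exact field values. That is why the analysis concludes that such extracts are usually pseudonymised, and so still within the GDPR, rather than anonymous.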

Data security

Brian Krebs’s cybersecurity blog shows how the holiday shopping season is a perfect backdrop for phishing. Krebs analyses a fairly elaborate SMS-based phishing scam that spoofs a FedEx delivery notice in a bid to extract personal and financial information from unwary recipients. The message claims a package could not be delivered and offers a link to reschedule it. Clicking “Schedule new delivery” brings up a page that requests the recipient’s name, address, phone number and date of birth. Those who click “Next Step” are asked to add a payment card to cover a “redelivery fee”. After clicking “Pay Now”, the visitor is prompted to verify their identity by providing their Social Security number, driver’s licence number, email address and email password. The main rule, then, is to avoid clicking on links or attachments that arrive unbidden in emails, text messages and other channels, and instead to visit the site or service in question manually. Note too that most phishing scams invoke a temporal element that warns of negative consequences should you fail to respond or act quickly.
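A triage heuristic for messages of the kind Krebs describes, as an added example written for this digest (not Krebs’s code and not a classifier): it scores the indicators the scam relies on, a link whose host mentions the carrier but is not one of the carrier’s own domains, a raw-IP link, an artificial deadline, a payment request and a request for identity data, so that reported texts can be prioritised. The brand allowlist, the keyword lists and the sample messages are constructed assumptions; a deployment would keep a vetted allowlist per brand and use the Public Suffix List for domain parsing.

```python
"""Added example, not Brian Krebs's code: a triage heuristic for delivery-
themed smishing. It does not decide for a user; it scores the indicators the
article names so that reported messages can be prioritised. The brand
allowlist and all sample messages are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

BRAND_DOMAINS = {"fedex": {"fedex.com"}}  # assumption: the brand's real domains

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(within \d+ hours?|immediately|final notice|will be returned)\b",
                        re.IGNORECASE)
PAYMENT_RE = re.compile(r"\b(redelivery fee|payment card|pay now)\b", re.IGNORECASE)
IDENTITY_RE = re.compile(r"\b(social security|ssn|driver'?s licen[cs]e|date of birth|password)\b",
                         re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com-style suffixes;
    real code should consult the Public Suffix List (think co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_brand(url: str):
    """Return the brand name if the host mentions a brand but is not one of
    that brand's registrable domains (fedex-redelivery.example, fedex.com.evil.net)."""
    host = (urlsplit(url).hostname or "").lower()
    for brand, real_domains in BRAND_DOMAINS.items():
        if brand in host.replace("-", "") and registrable_domain(host) not in real_domains:
            return brand
    return None


def score_sms(text: str) -> dict:
    """Collect indicators; two or more independent ones make a message suspicious."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        brand = impersonated_brand(url)
        if brand:
            findings.append(f"link impersonates {brand}: {host}")
        elif IPV4_RE.fullmatch(host):
            findings.append(f"link to raw IP address: {host}")
    if URGENCY_RE.search(text):
        findings.append("artificial deadline")
    if PAYMENT_RE.search(text):
        findings.append("asks for a payment")
    if IDENTITY_RE.search(text):
        findings.append("asks for identity data")
    verdict = "suspicious" if len(findings) >= 2 else "low"
    return {"score": len(findings), "findings": findings, "verdict": verdict}


# Constructed sample messages.
SMISH = ("FedEx: your parcel could not be delivered. Schedule new delivery within "
         "24 hours or it will be returned. A small redelivery fee applies: "
         "https://fedex-redelivery.example-track.net/s/2h7")
LEGIT = ("FedEx: parcel 771234568890 is out for delivery. Track it at "
         "https://www.fedex.com/fedextrack/?trknbr=771234568890")

if __name__ == "__main__":
    for msg in (SMISH, LEGIT):
        print(score_sms(msg))
```

The host check is the part worth keeping even if the keyword lists are tuned away: a carrier's name inside a hostname whose registrable domain is not the carrier's is the one indicator in this scam that the sender cannot avoid, because the landing page has to live somewhere the attacker controls.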

Big Tech

The Federal Trade Commission has found that the internet service providers accounting for 98% of the US mobile market collect and share more data than their customers might be aware of, and that those customers are ill-informed, or even misdirected, when trying to exercise choice about how their data is used. Customers were sometimes grouped by sensitive characteristics such as race or sexual orientation, and real-time location data was shared with third parties. The staff report notes that the scope of such data collection is expanding, in line with similar trends in other industries, which strengthens the argument for restricting data collection and use.

Meta announced last week that it is ending its use of facial recognition on its platforms, shutting down a feature that has sparked privacy concerns and multiple lawsuits in the US. Facebook will delete the face templates of over a billion people and will no longer automatically recognise people’s faces, so users who opted in to the service will no longer receive alerts when a photo or video of them may have been added to the social network. Blind and visually impaired users lose out too: the Automatic Alt-Text tool will no longer name friends who appear in photos. In the words of AI VP Jerome Pesenti, the company “would consider facial recognition technology for instances where people need to verify their identity or to prevent fraud and impersonation.”

China’s regulatory crackdown continues, with 38 apps from a number of companies told to stop excessively gathering personal data immediately or face penalties. The affected apps include a news app and a music streaming service owned by social media behemoth Tencent. The order arrived days after China’s Personal Information Protection Law, PIPL, came into full effect. Meanwhile, internet company Yahoo has announced its withdrawal from the Chinese market, the latest retreat by a foreign technology firm responding to Beijing’s tightening control over the industry. Analysts say Yahoo’s withdrawal is largely symbolic, as at least some of its services, including its web portal, were already blocked. China has also blocked other US internet services, such as Facebook, LinkedIn and Google; mainland users who wish to access these websites use a virtual private network, VPN, to circumvent the block, the Guardian reports.
