personalised ads Archives - TechGDPR
https://techgdpr.com/blog/tag/personalised-ads/

Data protection digest 18 Apr – 02 May 2024: EU-US redress mechanism and European Health Data Space taking shape
https://techgdpr.com/blog/data-protection-digest-06052024-eu-us-redress-mechanism-and-european-health-data-space-taking-shape/
Mon, 06 May 2024 08:42:35 +0000

The post Data protection digest 18 Apr – 02 May 2024: EU-US redress mechanism and European Health Data Space taking shape appeared first on TechGDPR.

As part of the new EU-US redress mechanism, data subjects in the EU/EEA will have access to specific complaint forms in the event that they suspect violations regarding their data transferred to the US, whether related to commerce or unlawful access to it by signals intelligence activities.


EU-US redress mechanism

The EDPB has completed its much-anticipated Information Note and a Complaint Form for EU/EEA individuals about alleged violations of US law concerning personal data collected by US national security authorities. It applies regardless of the tool used to transfer the complainants’ data to the US, (Data Privacy Framework, standard or ad hoc contractual clauses, binding corporate rules, codes of conduct, certification mechanisms, derogations). However, this redress mechanism only applies to data transmitted after 10 July 2023.

In short, after receiving and verifying the complaint, the data protection authority, (DPA), will transmit it, in an encrypted format, to the EDPB Secretariat. The latter will then transmit it to the US authorities for a binding decision, taken by the Office of the Director of National Intelligence’s Civil Liberties Protection Officer, (CLPO). Complainants can appeal the CLPO’s decision before the Data Protection Review Court within 60 days of receiving the notification from the DPA. Commercially related violations can also be raised with EU DPAs.

In July 2023, the European Commission decided that the US ensures an adequate level of protection for personal data transferred from the EU to organisations in America that are included in the ‘Data Privacy Framework List’, without the need to rely on Art. 46 GDPR transfer tools, (standard data protection clauses, binding corporate rules). The US Government in the meantime aims to introduce safeguards against bulk and targeted collection of signals intelligence, (eg, FISA Section 702), that apply to all data transferred to the US, regardless of the transfer tool used by the EU exporters.

More legal updates

FISA Section 702 reauthorised: In parallel, a new US bill just signed into law extends a key US surveillance program for another two years. Legislators claim the surveillance tool first authorised in 2008 is crucial in disrupting terrorist attacks, cyber intrusions, and foreign espionage. It permits the government to collect without a warrant the communications of non-Americans outside the country. Amendments to protect Americans’ communications when they are in contact with those targeted foreigners, by getting a prior warrant from a judge, failed the final passage. 

UK adequacy threatened: The Parliament Justice Committee, (LIBE), has criticised the overall direction of the data policies of the UK Government. Its current governmental actions are eliminating constraints arising from European or international law and limiting the impact of European court jurisdiction and interpretations on UK law. Concerns exist about UK intelligence agencies, especially their bulk collection of communication data, which is not in line with the EU Charter of Fundamental Rights. Thus, the UK could become a transit country for data that cannot be sent from the EU/EEA to “inadequate” third countries.

UK data protection reform moves on: The new Data Protection and Digital Information Bill went through the final examination of the committee stage. After the final reading, followed by the consideration of amendments stage in Parliament, (which can be a lengthy process), it will be presented for Royal Assent to become law. The new law promises to solve the complexity of the current regulatory regime, reduce compliance costs, and remove barriers to responsible innovation so that firms, public sector organisations and consumers can take “full advantage of the benefits” of data. 

Data Scraping

Data scraping by private actors is almost always illegal, explains the Dutch data protection authority AP. Scraping is the automatic collection and storage of information from the Internet. In a number of cases it is in any event not allowed, including: a) scraping the internet to create profiles of people and resell them; b) scraping information from protected social media accounts or private forums; c) scraping data from public social media profiles for insurance matters, etc.

A widespread misunderstanding is that scraping is allowed because everything on the internet is already available to everyone. Public availability does not imply consent by the individual. Scraping on the basis of the legitimate interest of private businesses or individuals should not be relied on if the sole purpose is making money. However, scraping can be justified when a company collects information about its own activities from media outlets.

More official guidance

Targeted advertising: A CJEU Advocate General’s opinion in the Schrems/Meta case, (C-446/21), states that processing data for personalised advertising purposes cannot be justified just by meeting the “manifestly made public” condition for special category data. That condition only lifts the particular protection granted to the special categories of data under Art. 9 of the GDPR, which means that the data must still be evaluated as “ordinary” personal data and processed lawfully, transparently and proportionately, respecting the purpose limitation principle.

BCRs maturity test: The French data protection authority CNIL published a self-assessment tool to test the level of maturity of organisations’ Binding Corporate Rules for restricted data transfers. The companies concerned are private businesses of multinational types, established in several countries of the EU and abroad. The set of resources covers all stages of a project, from its preparation to the approval procedure. The test is to be completed by the data protection officer or any other person in charge of the BCR project.

Health Breach Notification: The US Federal Trade Commission finalised changes to the Health Breach Notification Rule. It underscores its application to health apps and similar technologies not covered by HIPAA, and obliges them to notify individuals, the Commission, and, in some cases, the media of a breach of unsecured personally identifiable health data. It also requires third-party service providers to those vendors and related entities to notify them following the discovery of a breach.

Safe biometric technology use

The Dutch data protection authority AP answers some frequently asked legal questions about facial recognition. The document is intended for privacy professionals and organisations that want to use facial recognition. Facial recognition is in principle prohibited. One of the exceptions is when facial recognition is necessary for authentication or security purposes (eg, the security of a nuclear power plant, or military production needs). However, this applies only once the data protection impact assessment, (DPIA), has been carried out, demonstrating that it is necessary and that there is an important public interest.

The AP also defines under which conditions there can be ‘personal or household use’ when applying facial recognition. For example, unlocking a phone with facial recognition qualifies if the biometric data is stored on the phone itself and the user decides what happens to that data. It must be up to the user to decide whether to unlock the phone using a PIN code or face recognition.

European Health Data Space

MEPs approved the creation of the European Health Data Space, improving citizens’ access to their health data and boosting secure sharing in the public interest. Universal electronic health records, (EHR), will include patient summaries, electronic prescriptions, medical imagery and laboratory results. They will be available for health professionals across the EU, (with the patient’s consent), and for trusted entities such as clinical researchers, statisticians and policy-makers, (in an anonymised or pseudonymised format). Once officially published after the Council’s approval, it will apply two years later, with some temporary exceptions for specific categories of data.

Sim cards illicit activation fine

A company in Italy that manages two phone shops will have to pay 150 thousand euros for having illicitly activated SIMs, subscriptions and charges for the purchase of cell phones and GPS trackers using the personal data of hundreds of users without their knowledge. The company had activated 1300 telephone cards using data and identity documents extracted from the systems of the telephone operator whose products it sold, and unduly retained in the store. For instance, one complainant’s credit card was charged for the activation of a new contract in the name of her deceased husband.

The company had also activated unsolicited services by inducing customers to sign, via a tablet, without clarifying the consequences of such consents, along with selling mobile phones which had not been requested by customers nor delivered to them. The company had evaded the controls of the telephone operator and the related provisions regarding the processing of user data, thus acting as an independent data controller.

More enforcement decisions

Cookie collection without notice: The Croatian data protection regulator issued administrative fines of 15,000 and 20,000 euros on operators of gambling and betting activities due to the illegal processing of personal data through cookies, without allowing the users to give or withdraw their informed and voluntary consent. In particular, the operators did not provide a separate cookie banner or enable users to consent to different purposes separately, (marketing, analytics/statistics).

The operators also did not adequately inform the users about the legal basis, the groups/types of cookies, the function/purpose of each cookie, and the cookie storage period. In addition, the data controller was fined for processing users’ data at the very moment the website loaded, (since the users had not been informed about the processing).

Prohibited employment practices: The French CNIL notified a company to minimise candidates’ data collection. The company required applicants to provide their place of birth, nationality, marital status, (spouse’s name and surname, date and place of birth, their profession, the number of children and their age), as well as all salaries received in previous companies. This information was not necessary for assessing the candidate’s ability to perform the job. An aggregate level of detail reflecting the candidate’s nationality, (French, EU and non-EU categories), would suffice. The candidate could, however, on their initiative, provide any useful information, including to justify their salary claims.

Ring case

In the US, following a settlement with Ring, the Federal Trade Commission is returning more than 5.6 million dollars to customers. The company allowed employees and contractors to access consumers’ private videos and failed to implement security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos. Ring also deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using its customer videos to train algorithms without consent. 

Data security

Ransom attack: The EDPB provided a summary of a recent Greek regulator fine where a company, (Hellenic Post Services ELTA SA), failed to implement technical and organisational measures, resulting in unauthorised access by third parties. The first incident, the result of a malicious attack by third parties, involved a breach in which data was encrypted in order to demand a ransom; the second incident involved the leakage of personal data, which was subsequently published on the Dark Web.

Cybersecurity tool: The UK National Cyber Security Centre issued the latest version of the Cyber Assessment Framework reflecting the increased threat to critical national infrastructure. The guide is for all organisations responsible for securing any critical network and information systems, covering remote access, privileged operations, user access levels and multi-factor authentication, (B2a and B2c principles). Other organisations may find this tool useful too.

Strong password rule: In the UK, makers of phones, TVs, and other internet-connected smart devices are now legally required to meet minimum security standards, states the Department for Science, Innovation and Technology. Manufacturers are banned from shipping weak default passwords like ‘admin’ or ‘12345’, and if a common password is used the user will be prompted to change it on start-up.

Big Tech 

Data brokerage: A new data broker restriction was signed into law on 24 April in the US, JDSupra law blog reports. The ‘Protecting Americans’ Data from Foreign Adversaries Act of 2024’ prohibits data brokers from sharing sensitive personal information with a broad range of entities that may have ties to Russia, China, Iran, and North Korea. This includes data on finances, genetics, health, biometrics, communication contents, exact geolocation, and data about minors. Any organisation that provides data, in exchange for a significant fee, to another organisation that is not acting as its service provider is considered a “data broker.”

US TikTok/China row: ByteDance would prefer TikTok to be shut down rather than sold if the Chinese owner exhausts its legal options in fighting legislation to ban the platform from US app stores, according to Reuters. The US recently passed legislation allowing for the suspension of the popular service due to widespread concerns that China may access Americans’ data or use the app for spying. TikTok’s major assets include its algorithms, source code, user data, and product operations and management. However, Chinese export rules protect TikTok’s intellectual property, making it difficult for US buyers to acquire the source code and similar assets.

“Cookie pledge” fails: As Google delays the demise of third-party cookies, a European Commission campaign to get Big Tech companies to voluntarily commit to a “cookie pledge” has reportedly failed. The draft pledging principles would ensure that users receive concrete information on how their data is processed and on the consequences of accepting different types of cookies, and that consent is not asked for again for a year once it has been refused. Some companies lost interest in the proposal since they depend on data harvesting for income, while others were worried that it would not comply with existing laws.

Data protection digest 18 – 31 Oct 2023: “Pay or Okay” – Will Meta new subscription model survive the GDPR test?
https://techgdpr.com/blog/data-protection-digest-02112023-will-new-subscription-model-of-meta-survive-the-gdpr-test/
Thu, 02 Nov 2023 11:44:48 +0000

The post Data protection digest 18 – 31 Oct 2023: “Pay or Okay” – Will Meta new subscription model survive the GDPR test? appeared first on TechGDPR.

In this issue, we look at Meta’s new ads-free subscription model as the corporation runs out of available legal grounds for tracking and profiling people in the EU for targeted advertising, while being banned from using contract law and legitimate interest as justification.

Meta subscription model vs GDPR

Meta platform’s latest announcement of ads-free paid services in Europe is now challenged by the EDPB’s urgent binding decision. At the request of the Norwegian privacy regulator, Meta will soon be banned from using contract and legitimate interest as legal bases for tracking and profiling users for ad targeting across the entire EEA. The EDPB takes note of Meta’s new proposal to rely on a consent-based subscription model as a legal basis instead. The lead Irish Data Protection Commission is currently evaluating this together with the concerned supervisory authorities, (who have already expressed serious doubts).

Meta has just announced that it will offer people in the EU, EEA and Switzerland the choice to pay a monthly subscription to use Facebook and Instagram without any ads. Meanwhile, advertisers will be able to continue running personalised advertising campaigns in Europe to reach those who choose to continue to receive a free, ad-supported online service. Meta believes the above subscription model, “pay or agree”, is a valid form of consent for an ads-funded service, anticipating the requirements of the European privacy regulators and the recent CJEU ruling.

Legal processes

America’s AI Action: President Biden issued a comprehensive Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence. The most sweeping actions compel the most powerful AI system developers to disclose their safety test findings and other key information to the US government. It promotes advancing the responsible use of AI in education as well as healthcare and the development of affordable and life-saving drugs. The document also promotes best practices to mitigate harms and maximize benefits of AI for workers and customers. Finally, it emphasizes the responsible government deployment of AI and modernization of the federal AI infrastructure. 

Biden’s Administration will continue to collaborate with Congress to pursue bipartisan legislation for responsible innovation. The US Department of Commerce, along with the National Institute of Standards and Technology and other federal players will be responsible for carrying out the EO’s objectives. 

Draft EU AI Act: Meanwhile, the EDPS issued its opinion on the Artificial Intelligence Act, as discussions between the EU’s co-legislators reach the final stages. It includes the banning of high-risk AI systems with decision-making patterns, such as for automatic recognition of human characteristics and other behavioural signals in public spaces, as well as profiling based on biometric traits. The EDPS is prepared to serve as the EU’s AI Supervisor and welcomes the formation of the European Artificial Intelligence Office. It believes that persons harmed by the usage of AI systems should have the right to file a complaint with competent national data protection authorities. 

Legal redress

Clearview AI escapes punishment: Last year the UK Information Commissioner fined Clearview more than 7.5 million pounds for illegally keeping millions of face pictures. Now the First-tier Tribunal has quashed the enforcement, as the company’s services were only utilised by law enforcement agencies outside the UK. Although Clearview did engage in data processing connected to monitoring people’s behaviour in the UK, the ICO “did not have jurisdiction” to initiate enforcement action or levy a fine. France, Italy and Australia had taken similar action against the firm. Clearview previously had commercial customers, but following a 2020 settlement in the US, the company now only takes clients that carry out criminal law enforcement or national security duties.

Official guidance

Shoplifting: According to the UK Information Commissioner, more retailers are turning to technology to protect their businesses. Data protection law enables retailers to share criminal offence data as long as it’s necessary and proportionate. Sharing information with a manager of another store in your shopping centre is likely to be appropriate, while wider public disclosures, such as posting it on an online retail-related social media platform, are less likely to be justifiable. 

Consent criteria: Quebec has published guidelines on valid consent criteria, (in French). Consent must be obtained before carrying out any processing activity. It is also essential that the organisation documents it. Consent must be: evident, free, informed, specific, granular, understandable, temporary, and presented separately from any other information. Subject to exceptions, organisations must obtain consent to reuse data or to disclose it to a third party. Equally, consent can be withdrawn at any time by the data subject. If any of the above are not respected, the consent is invalid.

DP Toolkit: Jersey’s data protection authority created a dedicated resource zone. It features a variety of toolkits for small, medium and large organisations as well as financial services, non-executive directors, and non-profit organisations: a blend of infographics, step-by-step guidance, how-to-guides, templates, checklists and videos.

AI Q&A: The French privacy regulator published the first set of guidelines for the use of AI that respects the GDPR. The CNIL confirms the compatibility of AI research and development with the data protection principles. The principle of data minimisation does not prevent the training of algorithms on very large datasets. On the other hand, the data used must, in principle, have been selected to optimise the training while avoiding the use of unnecessary information. In any case, certain precautions to ensure data security are essential. 

Enforcement decisions

BBVA: Following a complaint by an individual, the Spanish data protection regulator issued a fine of one million euros on Banco Bilbao Vizcaya Argentaria, (BBVA). The complainant, a BBVA client, had lost their purse containing their bank card. Following that, they claimed to have demanded that BBVA block all of their banking products. After BBVA allegedly refused to act on the request, third parties reportedly used identity theft to access the complainant’s financial products, take out loans, and transfer money from the complainant’s bank accounts.

Canal+: The French data protection authority CNIL fined the CANAL+ group 600,000 euros for poor data practices. In particular, its standard forms for the collection of prospect data did not contain any information on the identity of the recipients to whom the data was transmitted. It also failed to inform individuals when creating a MyCanal account and during cold calls. The company also did not respond to some access requests. Apart from that, the CNIL found that a subcontracting contract did not include all the information required, and the storage of the company’s employees’ passwords was not sufficiently secure.

Data breaches

Gap Personnel: A UK recruitment company did not have appropriate security measures in place, which resulted in an unauthorised threat actor accessing and exfiltrating individuals’ data, (13,720 UK data subjects), twice within 12 months. Gap was unable to determine the specific cause of the incident but believes it is likely that the threat actor leveraged an insecure script, (a PHP file), and performed an SQL injection attack. At the time of the incident, there were four specific weaknesses: a) an unsupported version of MySQL, b) an unsupported PHP version, c) poorly written PHP code and d) insufficient logging.

Optionis: In another similar reprimand, a data controller, (Optionis Group), suffered a ransomware attack, which resulted in the exfiltration of personal data. A reprimand was issued in respect of specific infringements of the UK GDPR, which include a lack of multi-factor authentication, an inadequate account lockout policy, and no clear Bring Your Own Device policy. An aggravating factor was that Optionis took 11 months to notify all individuals of the breach. The company explained that the analysis of the impacted personal data took a considerable amount of time to complete, in particular, due to the size of the dataset.

Data security

Telehealth: The US Office for Civil Rights released a HIPAA dedicated resource to help health care providers explain to patients, in plain language, the health information privacy and security risks that are present when using remote communication technologies such as video conferencing websites and applications. The HIPAA Rules do not require covered health care providers to educate patients about these risks; however, OCR is sharing this resource to assist providers who would like to explain to patients the privacy and security risks to their protected health information. Some examples of risks include viruses and other malware, unauthorized access, and accidental disclosures. 

Code of Practice for app developers: The UK government published the latest version of its code, which should be used from now on by app store operators and app developers. The UK government has investigated the app ecosystem and found a range of threats relating to malicious and poorly developed apps. App store operators and developers must also comply with the broader requirements of data protection law, so new sections have been added to highlight the requirements of particular relevance to the Code of Practice.

Non-banking financial services: The US Federal Trade Commission has approved an amendment that would require non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lending institutions, to report data security breaches. The amendment will require the FTC to be notified as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information has been acquired without authorisation. The notice to the FTC must also include the number of consumers affected or potentially affected.

Big Tech

SolarWinds breach aftershock: The US Securities and Exchange Commission has charged SolarWinds and its Chief Information Security Officer with fraud and internal control failures. In 2020, hackers compromised SolarWinds by deploying malicious code into its Orion IT monitoring and management software, used by thousands of enterprises and government agencies worldwide. The complaint alleges the software company misled investors about its cybersecurity practices and known risks, in particular, that SolarWinds’ remote access set-up was not very secure and that someone exploiting the vulnerability “could basically do whatever without detecting it”.

In-vehicle monitoring: California enacted legislation that requires vehicle manufacturers to disclose the presence of in-vehicle cameras and prohibits any images or video recordings collected from being used for any advertising purpose, sold, or shared with any third party. The act requires consent before any person or entity other than the user retains a recording from an in-vehicle camera at any location other than the vehicle itself, or downloads or retrieves it, unless this is done for diagnostics, service, repair, or improvement of equipment and systems. The act also provides consumers the right to revoke consent.

London Ulez fines: The Guardian reports that thousands of fines for breaches of London’s ultra-low emissions zone, (Ulez), rules may have been sent unlawfully to EU drivers, according to the Belgian authorities. Since Brexit, UK authorities do not have access to the personal data of EU citizens for non-criminal enforcement. However, drivers in several EU countries have received fines, many totalling thousands of pounds, for failing to pay their Ulez charge before driving into London. Some have been penalised mistakenly, and one driver was fined nearly 11,000 pounds after a three-day visit in a hire car.

Data protection digest 15 Sep – 1 Oct 2023: cross-border cases get the highest level of attention from regulators
https://techgdpr.com/blog/data-protection-digest-03102023-cross-border-cases-get-the-highest-level-of-attention-from-regulators/
Tue, 03 Oct 2023 10:43:57 +0000

The post Data protection digest 15 Sep – 1 Oct 2023: cross-border cases get the highest level of attention from regulators appeared first on TechGDPR.

In this issue, cross-border cases get the full attention of the EDPB via its rulemaking on future enforcement procedures to complement the GDPR, resolving a complex case on TikTok children’s privacy, and being asked to permanently ban behavioural ads by Meta in the EU.

Legal processes and redress: cross-border enforcement, Grindr fine, EU Data Governance Act, UK-US data transfers

Cross-border cases: The EDPB and the EDPS welcomed a proposal by the European Commission to complement the GDPR by specifying procedural rules in cross-border cases. The recommendations set out by the regulators include harmonisation of the admissibility of complaints, as well as of the consensus-finding process during the preliminary and final stages of an investigation, to minimise the need for procedures such as dispute resolution. Regarding the amicable settlement of complaints, the regulators call on the co-legislators to enable its efficient implementation, particularly in Member States that do not have such procedural laws.

Grindr fine confirmed: In Norway, the Privacy Appeals Board has decided on the Grindr case. The board upholds the data protection authority’s decision on an administrative fine of approx. 5.7 million euros. Grindr is a location-based dating app for the LGBTQ+ community. In 2020, the Norwegian Consumer Council complained about the app. The reason was that Grindr shared information about GPS location, IP address, mobile phone advertising ID, age and gender – in addition to the fact that an individual is a Grindr user – with several third parties for marketing purposes. The data protection authority concluded that Grindr disclosed personal data about users to third parties for behavioural advertising without a legal basis.

The case concerns Grindr’s practices in the period from when the GDPR became applicable until 2020 when Grindr changed its consent mechanism. The data protection authority has not assessed the legality of the current practices of Grindr. The board points out, among other things, that the user was not given a free choice to consent to the disclosure of their data during registration in the app, and that the relevant information about data sharing was only included in the privacy policy. Moreover, information revealing that someone is a Grindr user may constitute a special category of personal data.

UK-US adequacy decision: Regulations leading to a UK-US data adequacy decision were introduced to the UK parliament. The ‘Data Bridge’ will take effect on 12 October. Thus organisations in the UK will be able to transfer personal data to US businesses certified to the “UK Extension to the EU-US Data Privacy Framework” without additional safeguards, such as international data transfer agreements, (the UK version of the EU’s standard contractual clauses or binding corporate rules). Both UK and US organisations will also have to update their privacy policies. In parallel, the US Department of Justice will add the UK as a qualified jurisdiction, whose citizens can seek legal redress under the data privacy framework.

Data Governance Act applicable since September: It sets up common European data spaces, involving both private and public players, in sectors such as health, environment, energy, agriculture, mobility, finance, manufacturing, and public administration. Both personal and non-personal data are concerned. The act also defines a set of rules for providers of data intermediation services to ensure that they will function as trustworthy organisers of data sharing or pooling. One example might be Deutsche Telekom’s data marketplace in which companies can securely manage, provide and monetise good quality information, to optimise processes or entire value chains.

Official guidance: biometrics, AI transparency, gossip at work

Biometrics and employment: The use of biometric data can be considered excessive on the part of the employer and not required by regulatory acts, states the Latvian data protection regulator. A desired goal – for example, recording working hours or entering the office – can be achieved with less interference in the employee’s privacy. The biggest “stumbling block” for employers when implementing a biometric data processing system is not security alone, but how to process the data legally.

Biometric data is a special category of data, the processing of which is permitted for employers only in certain cases, (GDPR Art. 9 exceptions in conjunction with Art. 6 legal bases). For example, if companies plan to use their employees’ fingerprints or face scans to enter the workplace, the processing of biometric data must be based on the employees’ consent. It must be freely given, specific and informed. There should not be a situation where the employee suffers negative consequences because they did not give their consent.

AI Transparency: The proposed EU AI Act, whose material scope is AI systems, establishes a concept of transparency that differs from the same term established in the GDPR, whose material scope is the processing of personal data. Transparency within the framework of both regulations involves different actors, and is intended for different recipients, explains the Spanish data protection authority. Transparency in terms of the proposed AI Act means information on AI systems, their providers and the entities that deploy these systems. When AI systems are included in or are a means of processing personal information, data controllers must also comply with the GDPR.

Typically, personal data processing is implemented through various types of systems, such as cloud systems, communication systems, mobile systems, and encryption systems, and some of them could be AI systems. AI system designers, developers, suppliers and entities deploying them can be data controllers and/or processors in various scenarios. At the same time, the natural persons who could be affected by these systems are not always data subjects as defined in the GDPR. For example, this is the case when natural persons are recipients of multimedia content created by an AI system.

Gossip and personal data: There are ongoing examples of employees having unauthorised access to personal data. The Danish data protection authority states that most often it is only discovered when an individual becomes aware that someone is using information about them. It can be really difficult for the data controller to find out when employees use their system access in a way that is not related to work. Abuse of access rights cannot be completely prevented but may depend on systematic rights management, good control procedures and effective enforcement on the part of the data controller. If despite these measures employees snoop on other people’s information, they can be punished with a fine or even reported to the police. 

Enforcement decisions: electronic monitoring, recruitment, data deletion

Electronic surveillance: A privacy fine of approx. 10,000 euros was issued against the University of Iceland due to electronic monitoring. Complaints were made about surveillance cameras inside and outside the university buildings with no visible markings that would indicate that electronic surveillance was in place, (a total of 97 security cameras, 75 indoors and 22 outdoors). There was also a complaint that there had been no presentation of the purpose, nature, scope, location or other aspects of the monitoring, which had been operational for several years. The institution hosts around 15,000 students and 4,900 employees per year, and hosts hundreds of annual events.

Certain points were evaluated as in the university’s interest, but in light of the scope of the surveillance camera system, the number of those recorded and the duration of the violation, the decision to impose a fine was reached. The university claimed that due to repeated break-ins, a decision had been made to increase the use of access cards and the number of security cameras. Nothing else was defined about the nature, extent, or other aspects of the electronic monitoring by the institution. On top of the fine, the regulator also ordered the updating and installation of electronic monitoring signs in buildings and outdoor areas of the university in compliance with the law.

Excessive recruitment data: Meanwhile the French regulator CNIL fined SAF Logistics 200,000 euros for excessive employee data collection and lack of cooperation. SAF Logistics is an air cargo service whose parent company is located in China. As part of internal recruitment for a position within the parent company, it requested information about the family members of employees such as their identity, contact details, function, employer and marital status, along with sensitive data such as blood type, ethnicity and political affiliations. It also stored extracts from criminal records. When the CNIL requested that the company translate the employee questionnaire, which was written in Chinese, the incomplete translation omitted the ethnicity and political affiliation fields.

Data (non)deletion: The hotel chain Arp-Hansen has been fined approx. 134,000 euros by a court in Denmark for violating rules on the storage of personal data. The hotel chain did not comply with the erasure deadlines it had set itself, (of 1 year). The Danish data protection authority estimated at the time that approx. 500,000 customer profiles should have been deleted at the time of the inspection visit. The case highlighted which financial statements should be used as a starting point when calculating a fine. The amount was determined after the court considered the hotel chain’s revised and published annual accounts for 2018, which reflected the company’s financial situation during the period of the offence.

Data security: US healthcare and mergers data

Healthcare data: The US FTC and HHS outlined the privacy and security laws and rules that impact consumer health data. Collecting, using, or sharing consumer health information in the US is governed by four primary sources: the Health Insurance Portability and Accountability Act (HIPAA), the HIPAA Privacy, Security, and Breach Notification Rules, the FTC Act, and the Health Breach Notification Rule. The publication addresses some of the basic questions: What entities are covered? What do you have to do to maintain the privacy and security of consumers’ health information? And so on. You can also check out the FTC-HHS Mobile Health App Interactive Tool as you design, market, and distribute your mobile health app.

M&A and data protection: US researchers from the Electronic Privacy Information Center are urging the Department of Justice to include data protection and consumer privacy as factors in the newest Merger Guidelines. In a data-driven economy, businesses’ mass accumulation of personal data can have anticompetitive effects that further undermine consumer privacy and data security. Mergers frequently involve the consolidation of data sets, which can extend a firm’s market dominant position, impact entry for smaller firms, and exacerbate the effects of harmful consumer data practices. As a result of such mergers, there is no meaningful opportunity for firms to compete with better privacy practices.

Big Data: Meta behavioural ads, TikTok minor’s privacy enforcement

Norway case goes to the European level: The Norwegian data protection authority has requested a binding decision from the EDPB in the Meta case. It asked that Norway’s temporary ban on behavioural advertising on Facebook and Instagram be made permanent and extended to the entire EU/EEA. The Norwegian regulator is only authorised to make a temporary decision in this case. The decision expires on 3 November. Earlier this year, the authority found that Meta processes personal data for illegal behavioural advertising and intrusive monitoring of users in the context of the Facebook and Instagram services. For this reason, it imposed a temporary sanction on the company. The regulator also won against Meta in court. Nonetheless, the company continues its activities and has not yet complied with the decision. Meta has submitted several administrative complaints against the Norwegian data protection authority’s decision so far. 

TikTok minors data: The Irish data protection commission adopted its final decision regarding TikTok’s processing of minors’ data and age verification during the registration procedure, imposing fines totalling 345 million euros, with an order to bring the processing into compliance. The investigation found:

  • children’s account settings were made public, 
  • certain features were enabled, exposing users under the age of 13,
  • privacy gaps in the “family pairing” function, 
  • misleading “dark patterns” during account creation and video uploading, and
  • failure to convey appropriate information to minors.

Interestingly, objections to the draft decision by the Irish regulator were raised by other concerned supervisory authorities, working as part of a cross-border investigation uncovering additional infringements including privacy-intrusive dark patterns. The case ended up at the EDPB for dispute resolution, which obliged the DPC to amend its draft decision to include new findings. 

The post Data protection digest 15 Sep – 1 Oct 2023: cross-border cases get the highest level of attention from regulators appeared first on TechGDPR.

Data protection digest 1 – 14 September 2023: gatekeeper obligations, synthetic datasets, automotive cybersecurity https://techgdpr.com/blog/data-protection-digest-15092023-gatekeeper-obligations-synthetic-datasets-automotive-cybersecurity/ Fri, 15 Sep 2023 08:45:05 +0000

In this issue, you will find EU gatekeeper obligations, guides on ‘sharenting’, online exams, synthetic data, and the right to object, the Meta ban in Norway, the automotive industry, ads-free Facebook and Instagram, and the Privacy Sandbox availability.

Legal processes and redress: gatekeeper obligations, US adequacy decision, Google litigation, UK data protection reform, Quebec privacy laws

Gatekeeper in the EU: The European Commission has designated, for the first time, six gatekeepers – Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft – under the Digital Markets Act. They will now have six months to ensure full compliance with the DMA obligations for each of their designated core platform services. This includes a list of do’s and don’ts:

  • allowing third parties to inter-operate with the gatekeeper’s own services,
  • enabling end users to unsubscribe from the gatekeeper’s main platform services as simply as they subscribe to them, 
  • giving companies that advertise on a gatekeeper’s platform access to the gatekeeper’s performance measurement tools and information, allowing advertisers and publishers to undertake their independent verification of advertising hosted by the gatekeeper, and
  • a ban on tracking end users outside of the gatekeepers’ core platform service for targeted advertising without effective consent having been granted. 

EU-US DPF application: The German Data Protection Conference has published application instructions for the EU-US Data Privacy Framework. The document contains, on the one hand, information for data exporters, those data controllers and processors who transfer data to the US. On the other hand, individuals can find out what legal protection and complaint options they have. This includes links to numerous materials, for example from the EDPB. At present, the adequacy decision applies as EU law. However, given the previous adequacy decisions for the US that were declared invalid, many want to know whether the new adequacy decision will suffer the same fate as Safe Harbor and the Privacy Shield.

In addition to the planned evaluations by the EU Commission, which can result in adjustments or a repeal, there are options for a judicial review of the new adequacy decision. For instance, on 6 September, a French member of parliament, who is also a member of the data protection authority CNIL, requested that the framework be annulled due to the lack of guarantees of a right to an effective remedy for data subjects against US companies, as well as a violation of the GDPR’s minimisation and proportionality principles due to the access and use of EU personal data for US security purposes.

Google taken to court: Alphabet’s Google is facing a class action in the Netherlands brought by non-profit organisations, demanding Google stop its constant surveillance and profiling of consumers and the sharing of data in online ad auctions, and also pay damages to consumers. Allegedly, through its services and products, the tech giant:

  • Collects users’ online behaviour and location data on an immense scale, without having provided adequate information about it and without users’ consent.
  • Through the use of ‘invisible’ third-party cookies, Google continues to collect data through others’ websites and apps, even when someone is not using its products or services. 
  • Continually collects users’ physical locations, even when they are not actively using their devices and think they are ‘offline’. 
  • Shares users’ data, including highly sensitive data concerning health, ethnicity and political affiliation, with hundreds of parties through its online advertising platform, (a recent study shows that in Europe, the real-time bidding industry exposes people’s data 376 times a day.) 

In total, Alphabet’s Google faces approximately 25 billion euros in damages claims and regulatory administrative fines over its ad tech practices in Europe, Reuters sums up.

UK data protection amendments: By the end of the year, the UK government will amend the UK’s data protection legislation by updating the ‘fundamental rights and freedoms’ definition, so it will refer to rights recognised under UK law, rather than retained EU law rights. There is no direct equivalent to the right to the protection of personal data in UK law. However, the protection of personal data falls within the right to respect for private and family life under Article 8 of the European Convention on Human Rights, which is enshrined in UK law by the Human Rights Act 1998. Data protection rights are also protected by the UK GDPR and the Data Protection Act 2018, and will continue to be protected by the Data Protection and Digital Information Bill in the UK’s domestic legislation, states the explanatory memorandum.

Quebec privacy amendments: On 22 September, the latest set of amendments (Bill 64) to Quebec’s Privacy Act will come into force. Some of the major updates include strengthened privacy rights for individuals and several controller requirements, such as a new consent and cookies management framework, privacy policies, risk assessments, rules on automated decisions, cross-border transfers, and monetary penalties. Previously companies were also obliged to designate privacy officers, conduct mandatory breach reporting, and register their biometric information systems while receiving some exceptions to the consent requirement, (under commercial transactions and research and statistical purposes). 

Official guidance: ‘sharenting’, online exams, smart data sandbox, right to object

‘Sharenting’ children’s data: The Italian data protection authority has prepared tips for parents to limit the online dissemination of content concerning their children. The neologism, coined in the US, derives from the English words “share” and “parenting”. The phenomenon has been under the attention of the Italian regulator (the Garante) for some time, especially due to the risks it entails for the digital identity of the minor and therefore for the correct formation of their personality. When something appears on a screen, not only can it be captured and reused without our knowledge by anyone for improper purposes or illicit activities, but it contains more information than we think, such as geolocation data. If you decide to publish images of your children, it is important to at least try to follow some precautions, such as:

  • make the minor’s face unrecognizable, (by simply covering the faces with the emoticon “smiley”);
  • limit the visibility settings of images on social networks only to people who know each other or who are trustworthy and who do not share without consent in the case of sending via an instant messaging program;
  • avoid creating a social account dedicated to the minor;
  • read and understand the privacy policies of the social networks on which we upload photographs, videos, etc.

Online proctoring: The use of digital distance learning by public and private higher education institutions is becoming more widespread. With the remote monitoring devices used in this context being intrusive by nature, the French data protection regulator CNIL reiterates the obligations under the GDPR. For instance, institutions organising examinations, as well as any subcontractors, (e.g. remote monitoring solution providers), should assure candidates that their data will not be used for any purpose other than taking and proctoring a remote examination. Also, examination modalities allowing remote validation of skills without the use of remote monitoring devices should be given priority where possible.

In general, taking proctored exams remotely should be an opportunity for students, not an obligation. In this case, a face-to-face alternative should be offered to candidates, (except in specific cases, such as a health crisis or for institutions that have made distance learning the very essence of their organisation). Students should be informed as soon as possible of the conditions for implementing remote monitoring so that they can make their choice with full knowledge of the facts. Institutions and organisations should ensure that devices used for remote monitoring are compatible with the equipment available to students, that they do not pose security risks to students and that the necessary software can be easily installed and uninstalled. Read the full guidance, (in French), here.

Smart Data: The UK Information Commissioner’s Office has published the Regulatory Sandbox Final Report for Smart Data Foundry. The sandbox specifically targets projects operating within challenging areas of data protection. Smart Data Foundry’s product consists of two parts. The first is the research facility, and the second is the innovation service which provides synthetic data for further research opportunities. There are broadly speaking two approaches to the creation of these synthetic datasets:

  • Using simulation – known as ‘agent-based modelling’ – where data is generated from approximations and predictions of behaviour using characteristics given to a computer-generated population to understand how they would interact. This processing does not use personal data beyond some aggregate information generated from real data to test and improve parameters. This is the synthetic data approach that Smart Data Foundry is already using. 
  • Using ‘learning-based’ synthetic data generation to create synthetic doubles of existing datasets utilising differential privacy and modern learning-based approaches which aim to learn all the meaningful patterns in data, and use this learnt knowledge of patterns in the original data to generate new data that exhibit similar patterns, without recreating any input data. 

To understand key data protection considerations in such scenarios, read the full report. 

Right to object to data processing: The right to object gives a person the opportunity to request the termination of the processing of their data if it is processed for the following purposes: a) for legitimate interests of the data controller including marketing, as well as in the case of automated decision-making, b) in the public interest and c) for scientific or historical research and statistics. To exercise your right to object, you should:

  • Identify the data controller, (It can be a natural person, company, organisation or state administrative body.)
  • Contact the controller in writing, (recommended), and clearly state that you are exercising your right to object to the processing of your data. Please specify which processing operations you object to.
  • State the reason. The reason and the characteristics of your particular situation require the controller to assess what changes to the data processing are necessary and whether continuing the processing would infringe your rights as a data subject.
  • Wait for the answer. The controller is obliged to respond to your request within a month, and must either stop the processing of your data to which you have objected or provide a valid reason for continuing the processing.

Enforcement decisions: fertility apps, Chinese academic database, Meta ban in Norway, waste collection and the GDPR

Fertility apps checks: The Information Commissioner’s Office is reviewing period and fertility apps available in the UK as new figures show more than half of women have concerns over data security. A poll commissioned by the regulator revealed that women considered transparency over how their data was used, and how secure it was, to be bigger concerns than cost and ease of use when choosing an app. The poll showed a third of women have used apps to track periods or fertility. The research also showed over half of people who use the apps believed they had noticed an increase in baby or fertility-related adverts since signing up. While some found the adverts positive, 17% described receiving these adverts as distressing. The ICO is now urging users to come forward to share their experiences through a survey in a call for evidence.

Chinese academic database: The China Cyberspace Administration announced that the China National Knowledge Infrastructure, (CNKI), has been fined approx. 6 million euros for illegally collecting and processing personal information. The operators collected users’ personal information without consent on the 14 CNKI-related apps, which failed to publicly disclose or state collection and usage rules, did not provide an account cancellation function, and illegally kept users’ information after they closed their accounts. CNKI is one of the biggest Chinese academic information gateway websites. It has over 1,600 institutional clients in 60 countries and regions, as well as 32,000 institutional customers from diverse sectors on the Chinese mainland. Top universities, research institutions, government think tanks, corporations, hospitals, and public libraries are among the primary consumers.

Waste disposal and the GDPR: A fine of 45,000 euros was imposed by the Italian privacy agency on a Sicilian municipality for having installed cameras to control the collection of waste. The municipality had appointed two companies, also sanctioned by the regulator, to purchase, install and maintain fixed cameras, and to collect and analyse the videos relating to violations. The authority’s intervention follows reports from a citizen who complained about receiving some fines for having disposed of unsorted waste incorrectly.

The monitoring was carried out without the citizens having been adequately informed of the presence of the cameras and the processing of the data. The municipality had placed a sign directly on the dumpster, which was not easily visible and lacked the necessary information. Furthermore, the municipality had not identified the data retention periods and had not appointed, before the start of the processing, the two aforementioned companies as data processors.  

Meta ban confirmed: The Norwegian data protection authority won against Meta in court. In July, the regulator made an emergency decision on a temporary ban on behaviour-based marketing on Facebook and Instagram, which involves very intrusive monitoring of users. The regulator therefore decided on a compulsory fine of approx. 90,000 euros per day if the ban was breached. The penalty was set to start on 14 August. However, Meta has petitioned the Oslo District Court for a temporary injunction. In the ruling, the court stated that the Norwegian data protection authority’s decision was valid and that there was no reason to stop it. In addition to this case, Meta has submitted several administrative complaints against the Norwegian Data Protection Authority’s decision. Those processes are ongoing. 

DNA data and transparency obligations: The US Federal Trade Commission finalised an order with 1Health.io, that settles charges that the genetic testing firm left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying consumers and obtaining their consent. The company failed to keep its promises to only share consumers’ sensitive data in limited circumstances, to destroy customers’ DNA samples shortly after they had been analyzed, to not store DNA results with a consumer’s name or other identifying information, and to remove such data from its servers upon consumers’ request. 

Data security: automotive industry

Automotive cybersecurity: The Federal Office for Information Security in Germany published a report on the status of cybersecurity in the automotive industry. The greatest damage in the automotive industry comes from cybercriminal “double extortion” – ransomware and data leaks. The report contains:

  • Assessments of the cybersecurity of production systems and processes.
  • Information on the exploitation of security vulnerabilities for car theft and the unauthorised opening of vehicles.
  • Description of attacks on vulnerabilities in the communication protocol or other security mechanisms used to control charging processes between electric vehicles and their charging stations.
  • Assessments of new legal regulations and standardization activities.
  • Outlook on technological and regulatory developments that will be important in the coming years, (the industry is affected by the EU NIS 2 Directive as a critical sector).

According to the Associated Press’s recent publication, automakers are failing the privacy test, and owners have little or no control over the data collected. The nonprofit Mozilla Foundation’s newest “Privacy Not Included” study states that security requirements are a major worry considering manufacturers’ record of vulnerability to hacking. The minimal privacy criteria were not fulfilled by any of the 25 automobile companies whose privacy notices were assessed in Europe and North America. This outcome is significant for over a dozen other product categories, including fitness trackers, reproductive health applications, smart speakers, and other connected household products. 

Big Tech: ads-free Facebook and Instagram, the Privacy Sandbox

Paid Facebook and Instagram: Meta may allow Facebook and Instagram users in the EU to pay to avoid ads as a response to scrutiny from privacy regulators. Those who pay for the subscriptions would not see ads while Meta would also continue to offer free versions of the apps with ads in the EU. Previously users had effectively agreed to allow their data to be used in targeted advertising when they signed up to the services’ terms and conditions until the lead Irish regulator ruled it could not process personal information in that way. Therefore Meta also proposed offering EU users a new opt-in consent mechanism for receiving targeted ads. Reportedly, it would be updated to offer users a “yes or no” option for opt-ins across its platforms. 

Privacy Sandbox ‘availability’: Finally, the Privacy Sandbox for the Web reaches general availability on Chrome for relevance and measurement APIs. General availability means advertising providers and developers can now scale usage of these new technologies within their products and services, as these are now available for the majority of Chrome users. Google also rolled out new Ad privacy controls in Chrome that allow people to manage how the Privacy Sandbox technologies may be used to deliver the ads they see. These controls allow users to tailor their experience by customising what ad topics they’re interested in, what relevance and measurement APIs they want enabled, and more. Starting in Q4 of 2023, Google will enable the industry to bolster their testing efforts with the ability to simulate the deprecation of third-party cookies for a percentage of its users. Then, in Q1 of 2024, it will turn off third-party cookies for 1 per cent of all Chrome users for effectiveness testing.

Data protection digest 17 – 30 July 2023: guide on website analytics, health care data sharing, and COPPA 2.0 https://techgdpr.com/blog/data-protection-digest-01082023-guide-on-website-analytics-health-care-data-sharing-and-coppa/ Wed, 02 Aug 2023 07:07:05 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Official guidance

Website analytics: There are many website analytics and tracking tools on the market, notes the Norwegian data protection regulator, but that doesn’t necessarily mean it’s legal to use them on your website. Be prepared to follow the GDPR, even if you do not know the name or identity of those visiting your site. The analysis tools collect a lot of information, which either alone or in combination can constitute personal data. If you currently have an analysis tool that collects information that you do not use for anything, you are breaking the law:

  • You must have a legal basis for processing. 
  • There are many requirements for user consent to be valid. The mere existence of the cookie banner is not enough.
  • Choose tools that promise to only process personal data on your behalf and as you decide. 
  • On some websites, the visitors’ behaviour can in itself reveal special categories of personal data, (eg, mental health care).
  • Many service providers have offices or subcontractors in countries outside the EU/EEA. You must check this before using the tool. 
  • Make sure you provide honest and easily understandable information to the visitors, and respect their data subject rights.

Health care data aggregation: The French data protection regulator published recommendations for actors in the digital health sector, (in French). The sandbox projects included federated learning between several health data warehouses, a diagnostic aid solution in oncology, anonymous statistical indicators of populations in medical research, and a therapeutic game. The regulator notes that the legal basis of a “mission carried out in the public interest” for processing health data can only be relied on by public entities, or by legal entities entrusted with a public service mission. 

Thus, commercial projects, (start-ups), should instead rely on their legitimate interests. Consent was in many cases also ruled out, as the companies are not in a position to collect it, particularly for the reuse of data from healthcare establishments. Finally, whenever non-anonymous data is exported, an ad hoc risk analysis must be performed to determine the necessary security measures, and the continuity of those security measures outside the workplace should be ensured as far as possible. 

Customer location data: More retailers and companies are transferring their loyalty programs to mobile applications. These often demand access to the customer’s location-related data to personalise offers for each customer, taking into account their habits and other information. Regardless of the legal basis applied by the merchant for the data processing, (both consent and legitimate interest are possible), the customer has all the rights specified in the GDPR. Completely ceasing the loyalty program if the customer withdraws consent only to the processing of geolocation data will not comply with regulatory requirements. Therefore, when developing an application, it is necessary to take into account different possible levels of the loyalty program, granular consent, and withdrawal.
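The Norwegian guidance above (a banner alone is not consent; respect withdrawal) and the loyalty-app point (withdrawing geolocation consent must not end the programme) translate into the same piece of engineering: consent tracked per purpose, and processing gated on it. The following is an added example written for this digest, not code from any regulator or vendor. Purpose names, cookie names, the history record shape and the loader URL are assumptions for illustration; `cookieJar` and `loader` are injected so the logic runs outside a browser.

```javascript
// Added example (not from the Norwegian DPA or any vendor): a purpose-based consent
// registry for a site or loyalty app. The analytics script loads only after an explicit
// opt-in (a displayed or dismissed banner is not consent), and withdrawing one purpose
// removes only that purpose's processing and cookies, leaving the programme running.
// Purpose names, cookie names and the loader URL are assumptions.
const PURPOSES = Object.freeze({
  loyalty_core: { consentBased: false, cookies: ["session"] },     // needed to run the programme itself (contract)
  analytics:    { consentBased: true,  cookies: ["_ga", "_gid"] }, // assumed analytics cookies
  geolocation:  { consentBased: true,  cookies: ["geo_pref"] },    // location-based offers
});

// Build the consent state from the banner's choices. Only an explicit `true` counts;
// a missing key (banner closed or ignored) is treated as a refusal.
function createConsent(choices = {}, now = Date.now()) {
  const granted = {};
  for (const [name, def] of Object.entries(PURPOSES)) {
    granted[name] = def.consentBased ? choices[name] === true : true;
  }
  // Record what was agreed and when: the controller must be able to demonstrate consent.
  return { granted, history: [{ at: now, choices: { ...choices } }] };
}

function allowed(consent, purpose) {
  return consent.granted[purpose] === true;
}

// Withdraw one consent-based purpose. `cookieJar` is any Set-like holder of cookie names
// (a stand-in for real document.cookie handling, which is out of scope here).
function withdraw(consent, purpose, cookieJar, now = Date.now()) {
  const def = PURPOSES[purpose];
  if (!def) throw new Error(`unknown purpose: ${purpose}`);
  if (!def.consentBased) {
    throw new Error(`${purpose} is not consent-based; it cannot be withdrawn through this path`);
  }
  // Stop the processing, not the programme: delete only the cookies tied to this purpose.
  for (const name of def.cookies) cookieJar.delete(name);
  return {
    granted: { ...consent.granted, [purpose]: false },
    history: [...consent.history, { at: now, withdrawn: purpose }],
  };
}

// Gate the analytics loader behind consent. In a page `loader` would inject a script tag;
// it is a parameter so the gating can be exercised without a browser.
function loadAnalytics(consent, loader) {
  if (!allowed(consent, "analytics")) return false;
  loader("https://analytics.example/collect.js"); // assumed vendor script URL
  return true;
}
```

The point a reviewer should look for: nothing in `loadAnalytics` runs before `granted.analytics` is `true`, and `withdraw("geolocation", …)` leaves `loyalty_core` untouched, which is what the regulator means by granular consent and withdrawal.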

EdTech development: The French regulator also published a summary of the main recommendations, (in French), based on the “sandbox” project in the EdTech sector. The participants included actors developing a portfolio of learning skills, a communication solution in the school context, a warehouse of learning traces with a view to their publication and analysis, and a “personal cloud” for students connected to their digital workspace. During the “sandbox” support, among other things, the technical architecture of the solutions was analysed with the data controllers and their processors. It has to be noted that:

  • State establishments, (eg, primary schools), do not have a legal personality; teachers and directors act as agents of the national education administration. 
  • When onboarding a technical solution, the Ministry of national education must be considered as the only data controller, (in joint controllership with the municipality). 
  • The company offering the technical solution acts as a processor, (“sous-traitant” in the CNIL’s terminology). 
  • For processing operations that pursue “school” purposes, the legal basis of a “mission of public interest” has been considered the most appropriate.
  • Other processing operations may require individual, (eg, parental), consent. 
  • Only authorised processors and recipients of pupils’ data are allowed. 
  • Information notices must be adapted to different age groups, and more generally to the degree of maturity of the pupils concerned. 

Legal processes and redress

Non-material damage under the GDPR: The Dublin District Court awarded 2,000 euros in compensation to a plaintiff over his employer’s use of CCTV footage of him, which led to victimisation by colleagues, serious embarrassment, and loss of sleep. The footage was shown to various personnel at a meeting of quality control and other managers and supervisors. The plaintiff was not present at the meeting and only found out afterwards that the footage had been used. The company’s data protection policies on CCTV were not clear or transparent, and no legitimate interest assessment of the remote monitoring of workers had been carried out. Read more details of the case in the original analysis by the Irish lawyers.

US state privacy legislation: The most recent comprehensive state consumer data privacy law has been passed in Oregon. The law has some unique provisions despite being similar to consumer data privacy laws passed in different states. It applies to nonprofit organisations, has broad definitions of covered data, (including categories of sensitive and biometric data, as well as derived data), a smaller HIPAA, (protected health information), carveout, and grants Oregon residents the right to request a list of the third parties to whom controllers disclosed their data, opt-out options and more. Meanwhile, the Colorado Privacy Act has been enforceable since 1 July, making Colorado the third state after California and Virginia to pass a comprehensive privacy law to protect its residents.

COPPA 2.0: Amendments to the Children’s Online Privacy Protection Act, (together with the Kids Online Safety Act), have been approved by a Senate committee. The bill would close a loophole that lets companies misuse minors’ data with little accountability, because the regulator currently finds it hard to prove violations. It would be unlawful for a digital service or connected device directed at children or teens to collect, use, disclose to third parties, or compile their data for profiling and targeted marketing unless the operator has obtained the required consent, (verifiable parental consent in the case of children). Operators must also treat each user as a child or minor unless the content is deemed to be directed to mixed audiences.

Enforcement decisions

Security measures: Open Bank was fined 2.5 million euros by Spain’s data protection regulator for failing to provide an encrypted communication channel. In order to comply with anti-money laundering legislation, the complainant was asked to confirm the origin of funds received in their bank account, but the only way to provide the information was by ordinary email, (rather than through a secure direct channel). The information requested by Open Bank is classified as ‘financial data’, which requires strengthened safeguards. The regulator found that Open Bank had not implemented data protection by design, neither before nor during the processing.

In another recent example, the Polish regulator fined a firm almost 9,000 euros for losing employees’ and contractors’ personal data in a ransomware attack. The organisation had failed to complete a risk assessment, to notify the regulator of the breach within 72 hours of becoming aware of it, and to notify the affected data subjects. The regulator also found that the company did not cooperate fully during its inquiry; in particular, the company’s communication was frequently inconsistent.

Non-registration with the regulator: Guernsey’s data protection authority is to pursue legal action for failure to register. It is a legal requirement for any organisation, (including sole traders), that handles people’s personal information in the course of its business activities – even if this is just names and addresses – to register with the Guernsey regulator. If you are not sure whether you need to register, there are three clear criteria:

  • You, (whether a sole trader, organisation, business, charity, landlord, business association etc.), are established in the Bailiwick of Guernsey.
  • You are working with personal data, (any information that may identify individual people, such as staff members, your clients, your business contacts, your service users, your tenants etc.), either as a ‘controller’ or a ‘processor’.
  • The activity you are performing is not part of your personal/household affairs.

Non-cooperation with the regulator:  According to Data Guidance, the Polish data protection authority fined a company 8000 euros for failing to cooperate, (Art. 58 of the GDPR). The regulator received a complaint alleging that the firm had improperly shared personal information with a third party. The regulator sent the business several letters demanding further information, including the legal basis and purpose of processing. The organisation, however, did not react to any of the letters. 

Reimbursement app: A one million euro fine was imposed by the Italian privacy regulator on Autostrade per l’Italia (ASPI) for having illegally processed the data of around 100,000 registered users of the toll reimbursement app, called Free to X. The critical issues of the service – which allows the total or partial refund of the cost of the motorway ticket for delays due to construction sites – had been reported by a consumer association. The authority has ascertained that Autostrade plays the role of data controller and not of data processor, as erroneously indicated in the documentation that governs the relationship between Aspi and the company Free to X which created and manages the app.

Meta behavioural ads: The Norwegian data protection authority has prohibited Meta from targeting advertising based on monitoring and profiling of users in Norway. The decision comes shortly after the CJEU found that Meta’s data practices remain unlawful. When Meta decides which ads you see, it also decides which content you do not see, which affects freedom of expression and information in society. There is a danger that behaviour-based marketing reinforces existing stereotypes or leads to unfair discrimination between groups. Behaviour-based targeting of political advertisements is particularly problematic.

Medical data anonymisation for research: The Italian regulator fined a company for processing the health data of numerous patients collected from around 7000 general practitioners without adopting suitable anonymisation techniques. The GPs adhering to the international health research initiative had to add to their management system “Medico 2000” a function, (“data extractor” add-on), aimed at automatically anonymising patient data and transmitting them to the above company. But in fact, the tool only pseudonymised data assigned to the patients. There was also the erroneous attribution of the role of the data controller to GPs, and therefore the absence of a legal basis for data processing by the company. 

Data security

Videoconferencing tool: The EDPS has found that the use of Cisco Webex videoconferencing and related services by the CJEU meets the data protection standards under Regulation 2018/1725 applicable to EU institutions, bodies, offices and agencies. However, the decision is not a general endorsement nor certification of data protection compliance of the videoconferencing services provided by any Cisco Webex entity.  

With regard to technical safeguards, the court confirmed that support information is encrypted in transit, while case attachments are encrypted both in transit and at rest, to protect personal data from accidental loss and unauthorised access, use, alteration, and disclosure. The encryption keys are managed by Cisco, so this encryption protects against third parties rather than against the provider itself; that is why the organisational controls on Cisco’s access described below matter. 

The court also took organisational measures to limit or avoid transfers of personal data outside of the EU/EEA: in case Cisco needs to have remote access to the court’s Cisco Webex infrastructure, the DPO of the court, in collaboration with the court network engineers, shall analyse the possible risks for the data subjects and decide on the legitimacy of this access.

Ryanair facial recognition: Privacy advocacy group NOYB filed a complaint against Ryanair, alleging that the airline is violating customers’ data protection rights by using facial recognition to verify their identity when booking through online travel agents. The airline outsources this process to an external company named GetID. This means that customers have to entrust, (by consenting to it), their biometric data to a company they have never heard of or had a contract with. Passengers can avoid it by showing up at the airport at least 2 hours before departure or submitting a form and picture of their passport or national ID card in advance. 

Big Tech

Alexa child accounts and geolocation: The US Federal Trade Commission will require Amazon to overhaul its deletion practices and implement stringent privacy safeguards to settle charges the company violated the Children’s Online Privacy Protection Act and deceived parents and users of the Alexa voice assistant service about its data practices. Amazon claimed it retained children’s voice recordings in order to help it respond to voice commands, allow parents to review them, and improve Alexa’s speech recognition algorithm. 

Among many requirements, Amazon will have to implement a process to identify inactive Alexa child profiles. Following the identification of any inactive child profile, the company shall delete any personal information, (voice recordings and geolocation information), within 90 days, unless the parent requests that such information be retained. Misrepresenting the privacy policies related to geolocation and children’s voice information will also be prohibited.

Amazon Go shops: A recent class action against Amazon in New York over its cashier-less Amazon Go shops was voluntarily dismissed for unspecified reasons. The complaint had claimed that Amazon acquired customers’ biometric data in violation of New York City’s Biometric Identifier Information law. According to the complainant, Amazon scanned customers’ hands and unlawfully used technologies such as computer vision, deep learning algorithms, and sensor fusion to measure customers’ bodies in order to identify them and track where they walked in the shop and what they purchased. The lawsuit sought 500 dollars for each violation.

Worldcoin biometric verifications: Members of the public in selected locations worldwide are being encouraged to have their eyes scanned as part of a cryptocurrency initiative that aims to distinguish humans from AI systems through biometric verification. The Worldcoin protocol gives biometrically verified individuals a digital identity together with a Worldcoin token, which promises to be the first crypto token issued globally and freely to people simply for being genuine individuals. Users also receive access to the app, which allows them to make global payments, purchases, and transfers using digital and traditional currencies. The UK Information Commissioner’s Office commented on the situation: 

  • The organisation must conduct a data protection impact assessment before starting any processing that is likely to result in high risks, such as processing special category biometric data. 
  • Where they identify high risks that they cannot mitigate, they must consult the regulator.
  • The organisation also needs to have a clear lawful basis to process personal data. Where they are relying on consent, this needs to be freely given and capable of being withdrawn without detriment.

Data protection digest 3 – 16 July 2023: can the new EU-US data privacy framework respect the GDPR to the letter? (https://techgdpr.com/blog/data-protection-digest-17072023-can-the-new-eu-us-data-privacy-framework-respect-the-gdpr-to-the-letter/, published Mon, 17 Jul 2023)
TechGDPR’s review of international data-related stories from press and analytical reports.

EU-US Data Privacy Framework

Effective Immediately: On 10 July, the European Commission’s decision on the adequacy of the level of data protection in the US within the new data privacy framework entered into force. If an American-based business is on the approved list, you can transfer personal data to it as if it were a European (EEA) business. You still have to follow the other rules in the GDPR, for example having a legal basis for processing or a data processing agreement to share personal data with others.

Self-certification: Under the new framework, US organisations can submit self-certifications, (and, as applicable, the UK and/or Swiss extensions), and participating organisations can make their annual re-certification submissions. Organisations that were self-certified under the invalidated Privacy Shield must comply with the updated principles but do not need to make a separate submission.

Transfer Impact Assessment: Transfers to the US under EU standard contractual clauses or binding corporate rules remain possible, provided a Transfer Impact Assessment is carried out. That assessment can take into account the limits on US intelligence services’ access to and use of transferred personal data that the Commission recognised in its adequacy decision.

Redress mechanism: The new framework gives European residents a legal remedy, including rectification of data collected unlawfully. In practice, reportedly, data subjects file a complaint with their national data protection authority, which transmits it to the US. The national authority ensures that the person concerned receives information about the procedure and the final decision, (either that no breach of US law has been identified, or that a breach has been identified and remedied). Individuals will also be able to appeal the decision if needed.

Criticism: Although the new data privacy framework marks a significant step forward, it was criticised by the EDPB and the Parliament as not sufficiently addressing the temporary bulk collection, retention, and dissemination of data by the US intelligence services, the scope of exemptions, the onward transfers, the exercisability of the data subject rights, and the practical functioning of the redress mechanism. Privacy advocacy group NOYB is also ready to newly challenge the framework in court by the end of 2023 or the beginning of 2024. 

Legal processes and redress

Procedural rules: The European Commission proposes a new law to streamline cooperation between data protection authorities when enforcing the GDPR in cross-border cases. For example, it will introduce an obligation for the lead Data Protection Authority to send a ‘summary of key issues’ to their counterparts concerned, identifying the main elements of the investigation and its views on the case. For individuals, the new rules will clarify what they need to submit when making a complaint and ensure that they are appropriately involved in the process. And for businesses, it will clarify their due process rights when a DPA investigates a potential breach of the GDPR. The new law also recognises the importance and the legality of amicable settlement of complaint-based cases. 

“Stop”, “revoke”, “end”, and “opt-out”: The US Federal Communications Commission proposed rules that would allow consumers to revoke consent to calls and text messages sent using automated technology “in any reasonable way”, allaboutadvertisinglaw.com reports. That includes replies such as “stop”, “revoke”, “end”, and “opt-out”. Callers and texters would not be able to restrict the ways in which consumers can revoke consent. Consumers could revoke via text, voicemail, or email to any phone number or email address at which they would reasonably expect to reach the sender. A revocation request would have to be honoured within 24 hours of receipt. The FCC is also reviewing, and soliciting feedback on, the existing exemptions.  

CCPA/CPRA: Businesses that planned to comply with the amended California Consumer Privacy Act regulations this month will now have until spring 2024. After the California Chamber of Commerce argued that businesses should have one year from the adoption of final regulations before enforcement could begin, a state court judge made a last-minute decision to postpone enforcement.

Minors safety online: On 28 June, the Louisiana Secure Online Child Interaction and Age Limitation Act was signed by the Governor. Notably the act will require social media companies to withhold certain functions from accounts held by Louisiana residents who are minors, including prohibiting direct messaging with unfamiliar accounts and not displaying advertising and suggested groups, products, posts, services or users to the minor. Further, accounts held by minors will not show up in search results of other accounts unless they were already linked through “friending”.

Official guidance

APIs: The French privacy regulator CNIL published technical recommendations on data sharing by Application Programming Interfaces, (in French). All types of sharing of personal data by API, whether open or restricted, and all types of organisations, public or private, are covered by these recommendations. Three categories of actors in API data sharing are defined: data holders, API managers and data reusers. Recommendations are given to each category to guide them towards measures to achieve the desired level of security, but also measures likely to facilitate compliance with data protection principles, (exercise of rights, information obligation). However, it is up to organisations to evaluate their level of risk and apply the appropriate measures.

Google Search: The Danish data protection authority has recently published an advisory on how to have a search result about you deleted from a search engine, (eg, Google or Bing). If you wish to have a search result removed, you must first contact the search engine. This is done most easily through the complaint form. You must specify exactly which search result is in question and why you want the search result in question removed. A number of grounds to the right to erasure are laid down in Art. 17 of the GDPR. If the search engine does not want to remove the search result in question, you still have the option of complaining to the data protection authority, which then assesses whether it is appropriate to investigate the matter.

Research projects: The Danish data protection authority also published new guidance on GDPR-governed role allocation in research projects, (in Danish). It mainly consists of numerous examples of data controllers, data processors and joint data controllers that can arise in practice. In many cases, legal and professional obligations as well as professional standards may mean that the actor in question is prevented from following a detailed instruction from a business partner. For example, doctors who test a new surgical method as part of a research project remain bound by their medical oath and are obliged to carry out the surgery in the most responsible manner, possibly without providing information or following an instruction that the trial protocol deems relevant and necessary. Similarly, a laboratory remains subject to professional standards for the analysis of, for example, blood samples. Read the full instructions here. 

Lessons learned from reprimands: Looking back at the reprimands issued by the UK Information Commissioner’s Office in the past three months, here are three brief lessons for organisations across the public and private sectors to improve their data protection practices:

  • Avoid inappropriate disclosure of personal information by having policies in place and training your staff, (redacting documents properly, correct disposal, avoid accidental on-screen display of personal information).
  • Respond to information access requests on time, (organisations must respond within one month of receipt of the request. However, this could be extended by up to two months if the request is complex).
  • Deployment of any new apps should take a Data Protection by Design and Default approach from the very start.

Case law

Meta and consent: The CJEU decided that competition authorities can assess GDPR compliance by undertakings as part of their investigations. In the test case, the German cartel office in 2019 ordered Meta to stop collecting and combining users’ data without their consent, calling the practice an abuse of market power. Art. 6 of the GDPR provides six legal bases for processing personal data, one of which is consent, but Meta relied on legal bases other than consent. Necessity for the performance of the contract with the user may justify the practice only if the processing is objectively indispensable, and the CJEU expressed doubts as to whether personalised content and the use of the Meta group’s own services, such as Meta Pixel, meet this criterion. For companies to rely on the ‘consent’ legal basis they must demonstrate that a person has ‘freely given’ that consent, which may be difficult to prove when a company such as Meta holds a dominant position in the market, as people have less choice over which platform they use.

Big Tech

Google’s Privacy Sandbox: Since 2021, different features have been tested as part of Chrome Beta’s Origin Trials. As a result of these tests, and starting 13 March, some of the users of the standard version of Chrome were asked to enable three new targeting and ad measurement tools – the Privacy Sandbox. As part of the Chrome browser, it consists of a set of Google interfaces, (APIs), accessible by site publishers. These interfaces allow the continuation of targeted advertising, avoiding the technical constraints that could emerge with the end of third-party cookies. Google Chrome users included in the experimental phase are randomly selected and are informed by a specific screen when their browser is launched, asking for their consent to participate. A refusal will not affect navigation: it is still possible for users who have agreed to activate these features to reconsider their choice within the Chrome settings in the “Privacy and Security” tab and then “Privacy Sandbox”.
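The practical consequence of the paragraph above for a site publisher is that the Privacy Sandbox interfaces may be absent (other browsers, Chrome users outside the rollout), blocked by policy, or refused by the user, and page code has to degrade to non-profiled ads in every one of those cases. The following is an added example written for this digest, not Chrome’s, Google’s or any ad vendor’s code. `document.browsingTopics()` is the real entry point of the Topics API; the wrapper names, the `doc` parameter (so the function can be exercised with a stand-in object outside a browser) and the “contextual” fallback shape are assumptions.

```javascript
// Added example (not Chrome's or Google's code): call the Privacy Sandbox Topics API
// defensively and fall back to contextual ads. `doc` defaults to the page's `document`
// and is a parameter only so the logic can run against stand-in objects in Node.
async function getAdTopics(doc = globalThis.document) {
  // 1. Feature-detect: browsers without the API, and Chrome users outside the rollout.
  if (!doc || typeof doc.browsingTopics !== "function") {
    return { supported: false, topics: [], reason: "api-unavailable" };
  }
  try {
    // 2. skipObservation: read topics without recording this visit as an observation,
    //    a sensible default until the page has its own basis for observing.
    const result = await doc.browsingTopics({ skipObservation: true });
    // 3. A user who opted out, or a site blocked by Permissions-Policy, may simply get no topics.
    const topics = Array.isArray(result) ? result.map((t) => t.topic) : [];
    return { supported: true, topics, reason: topics.length ? "ok" : "no-topics" };
  } catch (err) {
    // 4. Refusal can also surface as a rejection (e.g. NotAllowedError). Treat it as
    //    "no topics" rather than letting it break the page.
    return { supported: true, topics: [], reason: err && err.name ? err.name : "rejected" };
  }
}

// Decide what to send to the ad server: topics when they exist, otherwise a contextual
// (non-profiled) request. The request shape is an assumption for illustration.
function chooseAdRequest(topicsResult) {
  return topicsResult.topics.length > 0
    ? { mode: "topics", topics: topicsResult.topics }
    : { mode: "contextual" };
}
```

The two branches to verify in review are that a missing API never throws, and that a rejected promise (the user said no) ends in the same `contextual` request as an empty result, so a refusal really does not affect the page, as the passage above says it should not.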

Data protection digest 17 May – 1 June 2023: amassing data for machine learning is ‘no excuse for breaking the law’ (https://techgdpr.com/blog/data-protection-digest-02062023-amassing-data-for-machine-learning-is-no-excuse-for-breaking-the-law/, published Fri, 02 Jun 2023)
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes

‘Machine learning is no excuse to break the law’: The US Federal Trade Commission alleged that Amazon, (Alexa voice assistant), kept kids’ data indefinitely to further refine its voice recognition algorithm. If approved by the federal court, on top of a multimillion-dollar fine, Amazon will have to delete inactive child accounts and certain voice recordings and geolocation information, and will be prohibited from using such data to train its algorithms. Reportedly, Amazon is not alone in seeking to amass data to refine its machine-learning models. 

Similarly, the FTC proposed enforcement against Amazon’s subsidiary, Ring. The allegations say the company compromised its customers’ privacy by allowing any employee or contractor to access consumers’ private videos to train algorithms, among other purposes, without consent, and failing to implement security safeguards.

China SCCs: On 1 June, China’s new Standard Contractual Clauses for the cross-border transfer of personal data went into force. Entities using the SCCs must meet two requirements: a) a data transfer impact assessment must be performed by the data exporter, and b) the data exporter must sign SCC-compliant agreements with overseas recipients of the data. The Chinese SCCs do not distinguish between an exporter or receiver being a controller or a processor, in contrast to the EU SCCs. As an alternative to SCCs, organisations may also be required to undergo a security check by the Cyberspace regulator or certification by recognised institutions. Read more analysis by connectontech.com. 

Montana’s new privacy law and TikTok ban: Montana became the first US state to ban the use of TikTok and prohibit mobile application stores from offering the Chinese app within the state by next year. The ban covers state networks, but also third-party firms conducting business for or on behalf of the state from using applications with ties to foreign adversaries. The state would fine any entity, (an app store or TikTok), 10,000 dollars per day for each time someone “offers the ability” to access the platform or download the app. How these prohibitions will be implemented, though, is still unclear. 

Montana’s Governor also signed a new Consumer Data Privacy Act, joining California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia, which already enacted comprehensive consumer privacy laws. The law is scheduled to take effect in October 2024.

Health care data: The US Federal Trade Commission is modernising the Health Breach Notification Rule, clarifying the rule’s applicability to health apps and similar technologies, many of which are not covered by HIPAA. Changes will be made to the terms “identifiable health information,” “breach of security,” “health care provider,” and “health care services or supplies,” as well as to the information that must be included in the consumer notice, and more. In parallel, to bridge the gap between HIPAA safeguards and health data obtained outside conventional medical settings, Washington enhanced the protection of consumers’ identifiable health information by passing the “My Health My Data Act”.

Official guidance

Generative AI: The US Congressional Research Service published a paper on Generative AI and Data Privacy. Recently the term “general-purpose models”, (GPAI), was created by academics and policymakers to refer to software programs like ChatGPT that can do a variety of tasks. Large language models, (LLMs), which have the ability to detect, predict, translate, summarize, and produce language, are the foundation for many general-purpose AI applications. Duolingo, Snapchat, and other companies have partnered with OpenAI to deploy ChatGPT in their services. However, individuals may not know their data was used to train models that are monetized and deployed across such applications. 

SAR guidance: The UK Information Commissioner’s Office has published new guidance for businesses and employers on responding to Subject Access Requests. Individuals can request the personal information held by their employer, or former employer, such as details of their attendance and sickness records, personal development or HR records. This includes where you got their information from, what you’re using it for and who you are sharing it with. 

Organisations must respond to a SAR from a worker without delay and within one month of receipt of the request. However, you could extend the time limit for responding by up to two months if the SAR is complex or if they have sent you a number of requests. At the same time, the UK GDPR does not set out formal requirements for a valid request. Therefore, a worker can make a SAR verbally or in writing, including by social media. 

Right to object and right to erasure: The EDPB summarises the right to object in connection to the right to be forgotten in complaints from data subjects. Requests to stop processing personal data for marketing purposes and to delete already gathered data are frequently linked. Most of the cases show deficiencies in the internal procedure adopted to deal with such requests, including the accuracy of the procedure and internal communication, the timeframe for processing requests, and the accountability of the system for receiving/tracking complaints.

Workforce monitoring: Employers tend to monitor employees’ work performance, keeping track of the duration and frequency of their work, but also of their location and other indicators. As a general rule, the systematic monitoring of employees using automated means, (cameras, apps), is considered a non-standard solution, states the Latvian data protection authority. It can only be used for short-term employee monitoring, and only if less privacy-intrusive means will not achieve the goal. Such processing must be clearly agreed upon in advance and must be understandable to both parties. Otherwise, it can undermine mutual trust with the employee, and may even contribute to a decline in the quality of work.

Enforcement decisions

Meta/Facebook enforcement: The largest GDPR fine to date, 1.2 billion euros, has been issued by the Irish data protection authority on Meta Ireland. Following the “Schrems II” ruling, Meta effected data transfers to the US on the basis of the Standard Contractual Clauses in conjunction with additional measures, but these did not prevent fundamental risks to data subjects in view of US state surveillance practices.

Meta now must return already transferred personal data and stop other illegal processing within the next few months. The decision may have similar effects for any digital service provider subject to US surveillance laws and relying on EU Standard Contractual Clauses, until the problems have been resolved by the adoption of the upcoming EU-US Data Privacy Framework by the Commission.

Charity organisation: The ICO completed an audit of Age UK Wiltshire, (charitable and voluntary sector). AUKW requested an audit in January and submitted an audit questionnaire detailing their data protection compliance concerns. After the investigation, the main areas for improvement were identified: 

  • Review and update existing data protection policies and create new policies covering records management, data sharing, DPIA, and information security. 
  • Ensure that data protection training is mandatory for all staff, including annual refreshers and specialised seminars. 
  • Complete an information audit to help the organisation have an understanding of all of the information that is held and its flows. 
  • Create an Information Asset Register, (IAR), to record the information assets identified by the information audit and ensure that the IAR is periodically reviewed.
  • Review and update the current subject access requests, (SARs), procedure and policy, including completing identity checks, and ensure these are communicated to staff.
  • Create and maintain a SARs log as a documented record of all completed and ongoing SARs. 

Video surveillance: The Italian privacy regulator ‘Garante’ imposed a 50,000 euro fine on a clothing company, (with over 160 stores), for having installed video surveillance systems in various company outlets. The company had justified the need to defend against theft and to ensure the safety of employees and corporate assets, and prevent unauthorized access. The investigation showed that all the shops were equipped with at least 3 video cameras, active 24 hours a day, 7 days a week, in the areas reserved for workers and suppliers. In larger outlets, it was up to 27. The fine was issued, taking into account the significant number of employees involved, (over 500), and points of sale, as well as the absence, (or violation), of authorization or agreement with the trade union representatives.

Tax data: The Belgian data protection authority decided to prohibit the transfers of data of Belgian “Accidental Americans” by the Belgian Federal Public Finance Service to the US tax authorities under the intergovernmental FATCA agreement. According to the Belgian data protection regulator, the data processing carried out under this agreement does not comply with all the principles of the GDPR, including the rules on data transfers outside the EU. The regulator also orders the public service to inform the data subjects, in a complete and accessible manner, of the data processing carried out as part of the FATCA agreement and of its modalities. It also asks the service to carry out a DPIA.

Automated rejection of credit card application: Berlin’s supervisory authority imposed a 300,000 euro fine against a bank for a lack of transparency over the automated rejection of credit card applications, according to the EDPB summary. A Berlin-based bank offered a credit card on its website. Using an online form, the bank requested various data about the applicant’s income, occupation and personal details. Based on the information requested and additional data from external sources, the bank’s algorithm rejected the application without any particular justification. Even when asked by the complainant, the bank only provided blanket information about the scoring procedure, detached from the individual case, and refused to tell him why it assumed poor creditworthiness in his case.

Biometric ID checks: Mobile World Congress’s organiser received a 200,000 euro fine in Spain for doing inadequate biometric ID checks at the 2021 venue. For the “in-person” option, the organiser requested a complainant to upload passport details, including photographs that were transferred to a service provider in a third country for facial recognition security purposes. However, the legal basis stated for it varied from consent to legal obligation across different notices. Plus, neither the privacy policies nor the email communications provided clear information on data transfers to a third country. Additionally, the organiser’s DPIA failed to assess risks or the proportionality and necessity of the system implemented, (called BREEZZ).

Doctissimo fine: Following a complaint by the Privacy International association, the French privacy regulator fined the doctissimo.fr website 380,000 euros. It mainly offers articles, tests, quizzes and discussions related to health and well-being for the general public. The regulator noted infringements concerning the duration of data retention, the collection of health data via online tests, the security of data, as well as the way cookies were deposited on users’ terminals. Additionally, the company processes personal data with other entities, in particular for the marketing of advertising spaces on the website. These relationships of joint responsibility were not framed by any contract.

Google Analytics: The Finnish data protection commissioner has issued a notice to the meteorological institute about the transfer of personal data to the US via website tracking technologies. The institute had not defined or applied the legal basis for the transfer of data in the use of reCAPTCHA and Google Analytics services. Nor had it suspended data transfers without delay after the CJEU’s “Schrems II” decision, even though it no longer had a valid basis. The institute has taken steps to remove the tools and services from its website. The order also includes the deletion of data that had been transferred illegally to the US. 

Data security

Mobile device management: Mobile devices make it easier for employees to complete their job from home, at the workplace, or while on the road. In order to reduce an organisation’s risk profile, it is critical to manage security and device health. The US NIST explains the benefits of Mobile Device Management when an employee’s personal or corporate-owned device can be enrolled into an MDM solution to apply enterprise configurations, manage enterprise applications, and enforce compliance. To learn more about how to use standards-based, commercially available products to meet security and privacy needs, you can download the latest guidance published by NIST.

De-identification: The Government of Canada has published instructions on de‑identification as a privacy‑preserving technique. Although the pseudonymisation of data is a step toward anonymisation, it still permits re-identification. The acceptable risk level must be determined based on the context, and it is always preferable that privacy experts work together with data specialists. For instance, there are activities that increase the risk of re‑identification, such as integrating datasets or data matching, so it is important to continually assess privacy and re‑identification risks, even after applying privacy safeguards.
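As an added illustration of the re-identification risk the guidance describes (example code written for this digest, not from the Government of Canada): the script measures the k-anonymity of a constructed pseudonymised HR extract, then shows how matching in one more attribute from a second dataset turns records that were indistinguishable into unique ones. All names, values and the "department" field are constructed for the example.

```python
from collections import Counter

# Constructed sample: a pseudonymised extract. The direct identifier has been
# replaced by a random token, but quasi-identifiers remain in clear.
PSEUDONYMISED = [
    {"token": "t1", "postcode": "V6B", "birth_year": 1984, "sex": "F"},
    {"token": "t2", "postcode": "V6B", "birth_year": 1984, "sex": "F"},
    {"token": "t3", "postcode": "K1A", "birth_year": 1976, "sex": "M"},
    {"token": "t4", "postcode": "K1A", "birth_year": 1976, "sex": "M"},
    {"token": "t5", "postcode": "M5V", "birth_year": 1991, "sex": "F"},
    {"token": "t6", "postcode": "M5V", "birth_year": 1991, "sex": "F"},
]
BASE_QIDS = ["postcode", "birth_year", "sex"]

# Constructed second dataset keyed on the same pseudonym (e.g. a payroll export).
DEPARTMENT_BY_TOKEN = {"t1": "Finance", "t2": "Legal", "t3": "IT",
                       "t4": "IT", "t5": "HR", "t6": "HR"}


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest class size. k=1 means at least one record is unique on these attributes."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids):
    """Share of records that are singletons, i.e. directly exposed to linkage."""
    classes = equivalence_classes(records, quasi_ids)
    singles = sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1)
    return singles / len(records)


def risk_after_linkage(records, extra_field, extra_values):
    """Simulate 'integrating datasets': join one more attribute via the pseudonym
    and re-measure. Returns (k_before, k_after, unique_fraction_after)."""
    k_before = k_anonymity(records, BASE_QIDS)
    linked = [dict(r, **{extra_field: extra_values[r["token"]]}) for r in records]
    qids = BASE_QIDS + [extra_field]
    return k_before, k_anonymity(linked, qids), unique_fraction(linked, qids)


if __name__ == "__main__":
    print("k before linkage:", k_anonymity(PSEUDONYMISED, BASE_QIDS))
    print("after joining department:", risk_after_linkage(
        PSEUDONYMISED, "department", DEPARTMENT_BY_TOKEN))
```

The same measurement can be re-run after each generalisation or suppression step, which is the "continually assess" loop the guidance calls for.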

Big Tech

NHS data sharing: According to the Guardian, NHS trusts are sharing sensitive data about patients’ health conditions, medical appointments, and treatments with Facebook without their knowledge and despite promises never to do so. An Observer investigation revealed a monitoring feature, (Meta Pixel), on the websites of 20 NHS trusts that has been collecting medical and patients’ browsing data for years and sharing it with the tech giant. The information contains specific details such as sites viewed, buttons pressed, and keywords searched, and is matched to the user’s IP address. This included patients who visited hundreds of NHS webpages about HIV, self-harm, gender identity services, sexual health, cancer, children’s treatment and more.

Microsoft cookies: Microsoft Ireland revised its cookie policy for the Bing search engine in France after it received a reprimand from the country’s data protection agency CNIL for privacy violations, govinfosecurity.com reports. In December the CNIL fined the company 60 million euros for a deceptive cookie policy that it claimed made it impossible for Bing users to stop data collection. CNIL gave Microsoft three months to comply with its cookie policy or risk further penalties of 60,000 euros per day. In particular, Microsoft needed to obtain French Bing users’ consent to enable cookies used to combat advertising fraud.

The Privacy Sandbox: Google announced the next stages of Privacy Sandbox – General availability and supporting scaled testing. In Q1 of 2024, it plans to deprecate third-party cookies for one per cent of Chrome users. This will support developers in conducting real-world experiments that assess the readiness and effectiveness of their products without third-party cookies. This will follow the introduction in Q4 of 2023 of the ability for developers to simulate Chrome third-party cookie deprecation for a configurable percentage of their users. 

The post Data protection digest 17 May – 1 June 2023: amassing data for machine learning is ‘no excuse for breaking the law’ appeared first on TechGDPR.
