privacy Archives - TechGDPR
https://techgdpr.com/blog/tag/privacy/

Why should software developers care about GDPR compliance?
https://techgdpr.com/blog/software-developers-and-gdpr-compliance/
Wed, 14 Feb 2024 14:27:29 +0000

Software developers often view GDPR compliance as a blocker, as they are left trying to figure out what personal data is and how to maintain compliance. In a recent study by Alhazmi and Arachchilage, software developers cite multiple reasons that make approaching GDPR compliance tricky. Some reasons listed include a lack of clear best implementation practices, a lack of familiarity with the legislation and a lack of guidance. Understanding what to look for and what to prioritize likely constitutes the first hurdle. There are many reasons why software developers should acknowledge privacy and ensure regulatory compliance, such as GDPR compliance. Software developers play a key role in ensuring GDPR compliance.

GDPR compliance as a market differentiator 

Companies serious about GDPR compliance understand its role in maintaining their market position. Those who are proactive are quicker at placing themselves on a purchaser’s list of adequate suppliers. When processing data from people in Europe, the GDPR applies. It forces an organization to implement measures and maintain records of compliance. Even if an organization is not currently processing that data, building in regulatory compliance early supports future collaborations and partnerships with larger organizations and ensures the trust of product users.

Whether a software developer operates in a B2C, B2B or B2B2C context is irrelevant. The processing of personal data anywhere on that chain of services needs to comply with GDPR requirements. Achieving and maintaining compliance thus allows an organisation to be a supplier that implementing clients consider. For instance, a software developer for a small start-up is able to integrate fundamental privacy by design and default principles in their design. This includes practices such as implementing end-to-end security, hashing, and other cryptographic measures.

Transparency makes the product more competitive if it is to be implemented through partnerships or sold as a SaaS. Procurement negotiations might still bring up specific questions and feature requests to be added to the agreements your organization signs as a vendor. By prioritizing compliance, any solution developed is more likely to remain on the list of suppliers worth considering, especially if the negotiation deals with business in the EU. Implementing privacy-preserving design features gives an organization the competitive edge of transparency.

Major fines

Tech giants such as Facebook, Google and Amazon regularly face severe fines for non-compliance. These fines are essentially caused by deliberate ambiguity in their data processing and the fulfillment of their transparency requirements. Worse, they disregard their data controller obligations and get fined for a combination of hidden processing practices and implemented dark patterns. In May 2023, Meta was hit with a 1.3 billion euro fine for lack of GDPR compliance. This is the largest fine to date. Amazon was fined 746 million in 2021 for lack of user consent collection when advertising. When companies get fined, several factors come into play. These could include their willingness to cooperate and implement corrective actions. However, constant factors include lack of transparency, misleading patterns and a lack of legitimization of processing.

However, most businesses are small-to-medium-sized enterprises (SMEs). This term is technically defined by the European Commission as a company with fewer than 250 employees. For an SME, GDPR compliance is harder to achieve due to proportionally reduced resources or access to expertise. Therefore, if an SME is able to achieve compliance, it recovers the competitive advantage over larger players lost on operational costs. Tech giants are consistently pressured to maintain compliance due to their increased visibility. Therefore, compliance, when managed efficiently, is a defining competitive advantage for smaller companies.

GDPR compliance as a political or social issue 

When tech-savvy individuals go online, they tend to protect their own privacy by using strong passwords. Other examples include increasingly using MFA where available, or using pseudonyms and single-use email addresses where possible. With the help of a few high-profile breaches and updates to app marketplace practices and communication strategies, the average user has become more aware of online privacy risks. Software developers tend to implement best security practices in their own use of software and apps. As a result, they are particularly well suited to understand the need for security. They are also specifically instructed to implement strong security practices and privacy design patterns such as content security policies for websites. As creators of technology, software developers have an ethical responsibility to protect the privacy of individuals and empower them to use their software or services more privately.

Through implementing best design practices such as the minimization of cookies, the forced use of MFA, the encryption of user data, a privacy by default approach to design, designers create privacy-preserving environments. While the expectation might be that less tech-savvy individuals are likely to show relative indifference about their own privacy, one study entitled Caring is not enough: the importance of Internet skills for online privacy protection, argues that even if people do care they also need to be educated on how to protect their own privacy. It is not uncommon to feel helpless protecting one’s own data or safely using the internet. Typically, a lot of the burden for security falls, wrongfully, on the individual.

Should the average user be expected to know how to make use of encryption to feel safe online? 

For many, cookie banners are annoying interfaces, easily brushed away by clicking the “Accept all” button. Configuring a cookie banner to not set non-essential cookies by default makes the organization compliant on that requirement. It also provides users with a choice. Amongst other principles, privacy by default also requires the developer to ensure the most private settings are set by default. Software designers familiar with ePrivacy requirements are able to notify the marketing team that silent opt-ins are illegal in the EU. This allows the organization to engage in discussions as to whether to design for compliance or to accept the risk. In accepting the risk, an organisation increases user distrust for the benefit of tracking, profiling and advertising KPIs.

As digitization continues, there is a pervasive use of selling user data or mishandling personal information in the tech field. This trend occurs without much regard to the significance of this action. This has become regretfully normalized even though it is against the GDPR. This is likely due partially to many companies solely operating within the US. At the moment, the US does not have a federal governing law similar to the GDPR. Regardless, this precedent is pervasive.

People should have the right to use and access the internet and software related tools/services without being seen as a commodity. Through the use of tracking elements and abuse of consumer metrics, individuals are becoming commodified and sold as such. This should not be the case where individuals can be so easily manipulated and tracked through their actions online. When software developers prioritize GDPR compliance, they are able to help prevent the commodification of individuals by their company. 

GDPR compliance in software development as an intellectual challenge

It is easy to do things in a non-secure manner. It would be easier to access one’s phone to text people if one didn’t have a password, but most individuals likely have a password on their phone to protect against strangers accessing the content on their device. Therefore, the easiest solution is not always the best solution. This stems from the common dilemma of convenience versus privacy that one is confronted with daily. Instead of seeing this as an issue, one should frame it as a challenge. If one views compliance as an intellectual challenge of how to protect others, the issue becomes more intriguing and fun to solve. An issue bears the connotation of an obligation or nuisance.

Individuals are motivated to do things either intrinsically or extrinsically. When a supervisor informs a developer that they must make the system compliant with the GDPR, that is the definition of an extrinsic motivator, as it is external; however, intrinsic motivation is a powerful and compelling motivator. Intrinsic motivation is part of the reason why computer games are fun to learn.

An intellectual challenge has a better and more enthralling connotation. This idea has been theorized since the 1950s and academics have postulated through research that intrinsic motivation is correlated with how challenging the activity is. Considering those who have a background in computer science are confronted with technical issues and problems to solve all the time, compliance is best viewed as an intellectual challenge to avoid the easiest solution but create the most secure solution. 

Concluding thoughts 

Compliance is the law. As a software developer, one will likely need to work to implement or maintain compliance with the GDPR. It is easy to see it as a tedious endeavor handed down by a higher-up, who might not necessarily understand the ramifications of the technical assignment they are bestowing. Instead, one should view the GDPR through an intrinsically motivated lens as an intellectual challenge to protect the rights of individuals. There are other reasons why a software developer should care about the GDPR. These include but are not limited to securing contracts and helping others with less knowledge of proper internet privacy practices.

The joy of the internet and technology should benefit and be enjoyed by all individuals, regardless of their technical background and without the fear of loss of rights. The question should not be: “does one engage with technology and in doing so give up their right to privacy?” Rather, the burden should fall less on the technically ignorant users and be built into technology inherently.

If you are interested in taking your GDPR knowledge to the next level, dive into TechGDPR’s specialized training for developers. This course is designed to equip you with the skills and understanding needed to navigate GDPR compliance within your projects. It will help you ensure your software is up to standard and gain a competitive edge. Discover more and enroll today at GDPR for Developers – Online Course.

Hardware identifiers: Is an IMEI number personal data?
https://techgdpr.com/blog/hardware-identifiers-is-the-imei-number-personal-data/
Tue, 28 Feb 2023 07:20:57 +0000

Elements of personal data

With the introduction of the GDPR in 2018, data protection has become a popular topic both from a legal and technical perspective. At the centre of efforts around privacy and data protection is personal data and its protection. Under the EU GDPR, there are key elements in the definition of personal data.

Personal data is any information relating to an

  1. identified or 
  2. identifiable natural person (‘data subject’) 

who can be identified

  1. directly or
  2. indirectly

Article 4 of the EU GDPR mentions some examples of personal data in its definition (Art.4.1). It states that personal data could be ‘ […] an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. Based on the definition of personal data and the examples stated in the EU GDPR, it may easily be inferred that technical information relating to hardware constitutes personal data, something that the new e-Privacy Regulation is expected to further clarify.

Hardware identifiers

Technical information attributed to hardware could take the form of numeric, alphanumeric or alphabetic codes used to uniquely identify a device or a batch of devices alone or within a network; for instance, the serial number of a device, the IMEI number, model number, MAC address, etc. Serial numbers are unique and assigned by a manufacturer to a device. This device could be a mobile phone, a television, a tablet, audio/video equipment, etc. According to guidance from Samsung, serial numbers help manufacturers organise and keep track of their products. The IMEI (International Mobile Equipment Identity) number is a number that uniquely identifies a mobile communication device, and no two mobile devices have the same IMEI. The IMEI number can be described as the digital fingerprint of your device. The model number is used to identify what type of device you have and applies to a number of devices that share something in common such as the manufacture or release year. While the model number is a hardware identifier, it is not unique to a device as multiple devices can have the same model number.

How can hardware identifiers be personal data?

Since these various numbers are merely hardware identifiers, how could they also be personal data? Of particular interest is the IMEI number, which is often seen as the digital fingerprint of your device. Taking the definition of personal data and the IMEI number into account, the IMEI number becomes personal data as soon as it is associated with a person. Consequently, the IMEI number of a smartphone would not be regarded as personal data until it is purchased. However, when a person purchases the smartphone and activates it – which often leads to providing personal details such as name, email address, password or biometrics, i.e. opting for face ID unlock – the IMEI number becomes personal data as it is now linked to other information from the owner/user of the smartphone.

At this point, the individual elements of the definition of personal data become important. Since personal data refers to information relating to an identified or identifiable person from direct or indirect inference, when various data points are capable of identifying a person, any data being combined with personal data, in turn, becomes personal data.  

Practical examples

Sections 171 and 172 of the European Data Protection Board (EDPB) Guidelines on processing personal data in the context of connected vehicles and mobility related applications state that when a person’s smartphone is paired with the dashboard of a rental car using Bluetooth or USB connections, a variety of data is processed by the rental car. These might include phone identifiers, voice and data communications, contact lists, web browsing data, personal contacts, schedules, choice of music, radio and other streamed audio or video content, which all reveal personal information. As such, they help draw a precise profile of the data subject. Since IMEIs are being used to lock devices to carriers, blacklist lost or stolen phones, and track the location of a smartphone, it is obvious why the IMEI number of a device should be considered personal data after its purchase and subsequent activation. In addition, law enforcement agencies routinely use IMEI numbers to track down criminals as well as for other forensic purposes. The use of IMEI numbers to track individuals makes a good case for why the IMEI number is personal data as soon as it becomes associated with a person by purchase, activation or however else.

This conclusion also applies to all other hardware identifiers which are unique to the device and through which the device or its user may be traced. 

What can I do if I process IMEI numbers in the course of my business operations?

When considering whether your business processes personal data in the form of hardware identifiers, a number of factors are to be taken into account, such as whether these identifiers become linked to a person through the purchase of a device, its activation or use. If you are unsure whether such identifiers constitute personal data, request a more detailed assessment from TechGDPR and its experienced consultants, who will take your unique business operations into consideration and tailor your compliance solutions.

Weekly digest 13 – 19 June 2022: privacy in the digital age, geolocation, access rights, ransom victim-shaming
https://techgdpr.com/blog/weekly-digest-20062022-privacy-in-the-digital-age-geolocation-access-rights-ransom-victim-shaming/
Mon, 20 Jun 2022 09:03:44 +0000

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: UK data protection reform, privacy in the digital age

The UK Government published its response to the privacy in the digital age discussion ahead of data protection reform. During the consultation period, it engaged with a range of stakeholders, including over 40 roundtables with academia, tech and industry bodies, and consumer rights groups, providing a wide range of views. The proposals in this response are arranged across 5 chapters:

  • Reducing barriers to responsible innovation, (increasing confidence in personal data processing through the use of the legitimate interest and enabling greater personal data access and personal data sharing for research and other purposes).
  • Reducing burdens on businesses and delivering better outcomes for people, (reforms to reduce disproportionate impacts of subject access requests on organisations, and ways to limit unnecessary cookie banners by altering rules in the Privacy and Electronic Communications Regulations).
  • Boosting trade and reducing barriers to data flows, (creating an autonomous UK international transfers regime, which supports international trade and eliminates unnecessary obstacles to cross-border personal data flows). 
  • Delivering better public services, (increasing the transparency of government processing activities by ensuring that clear information is provided on the use of algorithms; and, simplifying the legal framework in relation to the police’s collection, use and retention of biometric data).
  • Reform of the Information Commissioner’s Office, (implementing a new, modern governance framework, with an independent board, and requiring the ICO to account for the impacts of its activities on growth, innovation, and competition). 

The summaries of responses can be read here.

Meanwhile, Privacy International issues its submission on the UN report on the right to privacy in the digital age. “National laws are often inadequate and do not regulate, limit or prohibit surveillance powers of government agencies as well as data exploitative practices of companies”, states PI. Even when laws are in place, they are seldom enforced. PI notes how it is often only following legal challenges in national or regional courts that governments are forced to act. This is not a sustainable position: journalists, and human rights defenders often do not have the capacity, (or legal standing), to challenge governments or companies’ actions, and they may face threats if they do so, (including the same unlawful surveillance that they are challenging), and in many jurisdictions there are no independent avenues of effective redress. PI’s key advocacy points include:

  • mass surveillance, 
  • government hacking, 
  • mobile phone data extraction,
  • data retention,
  • public-private partnerships and their implications for the right to privacy,
  • digital ID systems and the use of biometrics for identification and authentication,
  • use of encryption and anonymity technologies,
  • tracking online users, and more.

Official guidance: data exporters, geolocation data

Danish privacy regulator Datatilsynet issued a statement on the concept of a data exporter (in Danish). In the light of the ECJ’s “Schrems II” judgment, Datatilsynet received an increasing number of questions regarding the transfer of personal data to third countries. The term “data exporter” is not defined in the GDPR. The concept, on the other hand, is defined in the EU Commission’s Standard Contractual Clauses, which is one of the most widely used transfer bases in Chapter V of the GDPR. The short guidance text is aimed at data controller organisations that use European data processors, but where one or more of its sub-data processors are located outside the EU/EEA. 

The regulator indicated that it will hold both data controllers and processors liable for obligations under Art. 44 of the GDPR. And the obligation of the data controller in practice is to ensure – and be able to demonstrate to the Danish data protection agency – that the data processor has established the necessary transfer basis with subcontractors overseas, and that this transfer basis is effective in light of all the circumstances of the transfer, including the implementation of additional measures if necessary. 

The EDPB adopted guidelines on certification as a tool for transfers. Art. 46 of the GDPR introduces approved certification mechanisms as a new tool to transfer personal data to third countries in the absence of an adequacy agreement. The guidelines focus on the purpose, scope, and the different actors involved; implementing guidance on accreditation requirements for certification bodies; specific certification criteria for the purpose of demonstrating the existence of appropriate safeguards for transfers; and the binding and enforceable commitments to be implemented. The guidelines complement guidelines 1/2018 on certification, which provide more general guidance on certification, and will be subject to public consultation until the end of September. 

The French regulator CNIL has launched a study on geolocation data collected by mobile applications. As part of its technology watch, it observed whether it was easy to obtain people’s geolocation data. It thus identified a platform linking sellers and buyers of data and making it possible to obtain free samples from data brokers. It then requested, under the same conditions as any potential customer, to be provided with a sample of data corresponding to France. 

The affected dataset is a file containing timestamped geolocation data with location points associated with nearly 5,000,000 smartphone advertising identifiers (Android and iOS) over a period of approximately one week in 2021. The transmitted data is presented as anonymised by the data seller. After a quick analysis, the CNIL considers that at least part of this data is authentic. It will check whether, on the basis of this set of data, it is able to re-identify the persons and, if so, it will inform them individually. In addition to the data contained in the file sent by the data seller, publicly accessible data will be processed, such as open diaries of public figures, data on participation in parliamentary sessions, population density maps of France, and data from venues for public sporting events.

Investigations and enforcement actions: SAs’ dispute resolution, right to access, vehicle repair and maintenance history, traffic and location data

The EDPB adopted a dispute resolution decision on the basis of Art. 65 of the GDPR. The binding decision seeks to address the lack of consensus on certain aspects of a draft decision issued by the French SA as a lead supervisory authority, (LSA), regarding Accor SA, a company specialised in the hospitality sector headquartered in France, and the subsequent objections expressed by one of the concerned supervisory authorities (CSAs). 

The LSA issued the draft decision following a complaint-based inquiry into Accor SA, concerning a failure to take into account the right to object to the receipt of marketing messages by mail and/or difficulties encountered in exercising the right of access. The LSA shared its draft decision with the CSAs in accordance with Art. 60(3) of the GDPR. One CSA issued objections pursuant to Art. 60(4) GDPR concerning, among other things, the size of the fine. The SAs were unable to reach a consensus on one of the objections, which was then referred by the LSA to the EDPB for determination pursuant to Art. 65(1)(a) GDPR, thereby initiating the dispute resolution procedure. The EDPB has now adopted its binding decision. The decision addresses the merits of the part of the objection found to be “relevant and reasoned”.

The Swedish privacy protection authority IMY published a report that highlights the complaints that the authority received last year. The most common type of complaint concerns the rights of individuals, such as the right to access their personal data – every third complaint.  The report gives a number of recommendations to businesses, such as that they must know what rights individuals have when handling personal data and that they also have routines in place to meet these rights. For example, it is important to have routines in place to be able to handle the request. Other recommendations in the report include the requirement for businesses to be available. Individuals should be able to easily get in touch to exercise their rights. It is also important for businesses to clearly inform everyone whose personal data they process which personal data is being used and why.

Based on the complaints, it is also clear that businesses that use direct marketing need to develop their routines for interrupting mailings if a person hears from them and does not want more direct marketing or advertising sent to them.

Finland’s data protection ombudsman decided on whether vehicle repair and maintenance history data is personal data under Art. 4(1) of the GDPR. The person who bought the used car informed the regulator that he had requested information from Oy BMW Suomi Ab on the maintenance and repair history for the entire life cycle of the vehicle. The new owner asked the company for information, as he said the car had been serviced by an authorized BMW dealer. However, Oy BMW Suomi Ab did not provide any information. 

The regulator considered that vehicle maintenance history data is in principle personal data within the meaning of the GDPR concerning the owner of the vehicle during the period of ownership. Service history information may directly or indirectly describe the owner of the vehicle or its activities. Nevertheless, some of the service history information may be non-personal. The regulator does not have jurisdiction over situations involving requests for non-personal data. Finally, according to the GDPR, a person has the right to access personal data concerning him or her. As the maintenance history and repair data are not the personal data of the new owner of the purchased vehicle, the new owner does not have the right to access it. 

The regulator also considered that the data protection rules do not, in principle, prevent the transfer of vehicle maintenance history and repair information to the person who purchased the used vehicle. This could be possible, for example, in the context of a legitimate interest. Although the service provider does not have an obligation under the GDPR  to provide information on the vehicle’s service history, it does not in principle constitute an obstacle to the disclosure.

The Portuguese data protection authority CNPD ordered electronic communications providers to delete traffic and location data of all communications, for the purposes of investigation, detection, and prosecution of serious crimes, finding it unconstitutional, Data Guidance reports. CNPD noted that retaining location and traffic data of all subscribers, without exception, is disproportionate in view of the objective pursued. As such, the CNPD added that it is now unlawful for telecom operators to maintain such autonomous data processing and retain a wide range of personal data. 

Notably, the CNPD ordered electronic communications providers to delete, within a period of 72 hours from the notification of the CNPD’s decision, the personal data kept under Law No. 32/2008, (Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks), and noted that relevant entities should send a certificate of destruction of such data to the CNPD within 72 hours of its deletion. 

Data security: ransom victim shaming and extortion, TikTok on Oracle

Cybercriminals are upping their game and diversifying the ways they extort individuals and corporations, warns US cybersecurity guru Brian Krebs. Ransomware groups like ALPHV/BlackCat in the past would dump your stolen data on the Dark Web, but are switching to publishing individual victim websites on the public Internet, with the leaked data made available in an easily searchable form. The group recently boasted that it had hacked a luxury spa and resort in the western US, stealing the personal information of 1,500 resort employees and more than 2,500 residents. It published an internet page with two “Check Yourself” buttons at the top, one for employees and another for guests. With companies in general still slow to respond to security breaches, if at all, this sort of incident may be the only way some discover their personal information has been compromised.

TikTok says Oracle will store all the data from US users, in a bid to allay fears about its safety in the hands of a platform owned by the Chinese company ByteDance, The Guardian reports. BuzzFeed News cites recordings from 80 TikTok internal meetings it obtained, and claims that US employees of TikTok repeatedly consulted with their colleagues in China to understand how US user data flowed because they did not have the “permission or knowledge of how to access the data on their own”, TechCrunch reports. US officials have for years expressed concern that TikTok might let China’s government have access to the data the firm collects from Americans and users from other nations. The matter escalated in 2020 when the Trump administration said it would bar the Chinese-owned mobile apps WeChat and TikTok from US app stores.
