Legal processes

Draft AI Act: The long-discussed AI legislation is expected to go through the full European parliamentary vote in mid-June. Reportedly MEPs, after two years of discussions with stakeholders, have finally reached a common political position. However, it will take a few years for it to be enforced: the EU interinstitutional ‘trilogue’ that comes after parliamentary approval may take a while. 

The most rigorous regulations will apply to the high-risk systems that could be used for biometric identification, critical infrastructure management, or by large online platforms and search engines if they create health and safety or fundamental threats for individuals. The framework includes testing, proper documentation, data quality and human oversight. Extra safeguards are promised when such systems are intended to process special categories of personal data, prioritising instead synthetic, anonymised, pseudonymised or encrypted data. 

MEPs also support the idea to put stricter data governance obligations on foundation models, (like ChatGPT), distinguishing them from general-purpose AI. 

MiCA: Meanwhile the Parliament endorsed the EU rules to trace crypto-asset transfers and prevent money laundering, as well as common rules on supervision and customer protection. The “travel rule”, already used in traditional finance, will in the future cover transfers of crypto assets. Information on the source of the asset and its beneficiary will have to follow the transaction and be stored on both sides of the transfer. The rules will not apply to person-to-person transfers conducted without a provider or among providers acting on their own behalf. The end of 2024 or early 2025 will see the full implementation of the framework. 

America’s Innovative tech: The existing legal authorities apply to the use of automated systems and innovative new technologies just as they apply to other practices, states the US Justice Department with its federal partners. The US Constitution and federal statutes prohibit discrimination across many facets of life, including education, criminal justice, housing, lending, and voting. It is illegal for an employer to discriminate against an applicant or employee due to their race, religion, gender, age, pregnancy, disability, or genetic information. The firms are also required to destroy algorithms or other work products that were trained on illegally collected data. 

Case law

Apartment surveillance: The Estonian supreme court explained the possibility of installing surveillance cameras in an apartment building if some owners do not agree. In the given case, drug gang activity in the building was spotted, but one owner contested the cooperative’s decision to install the cameras as an intrusion into his privacy and the risk of monitoring. As CCTV processes personal data, a legal basis is necessary according to the GDPR. If an agreement between the owners cannot be reached, it can be done by a majority vote. In this case, there must be a legitimate interest, which outweighs the interests or fundamental rights of the apartment owners, (eg, a security threat – in the given case).

However, the court stated, if the installation of cameras is decided by a majority vote at the general meeting, then all apartment owners must be given the opportunity to familiarize themselves with the planned conditions, including a privacy notice for the use of cameras before the meeting. In case of violation of this requirement, the decision of the general meeting would be null and void.

Official guidance

SMEs guide: An organisation not only has to process personal data according to the GDPR, but it also needs to be able to demonstrate its compliance. For this purpose, the EDPB published its Guide for SMEs. It applies whenever you process personal data about your staff, consumers, and business partners. Transparency, data minimisation, respect for individual rights and good security practices are basic precautions for both data controllers and processors. The guide contains visual tools and other practical materials. In addition, it contains an overview of handy materials developed for SMEs by the national data protection authorities.

Employer’s guide: The Irish data protection regulator meanwhile published Data Protection in the Workplace instructions. Employers collect and process significant amounts of personal data on prospective, current and former employees. Although not all organisations are required to have a data protection officer, organisations might still find it useful to designate an individual within their organisation to overview the recruitment data processing.  The guide includes explanations and examples of appropriate legal bases, storage periods, fulfilment of data subject requests, employee monitoring technologies, email status, and much more. 

Employees’ photos: The Slovenian data protection agency published its opinion regarding the revocation of consent for the publication of employees’ photos on the employer’s social networks. The processing of the employee’s personal data based on their personal consent is permissible only in exceptional cases, due to the obviously unequal position of the employer and the employee. 

Nonetheless, if the circumstances of the employment relationship do not require the production, publication and continued storage of a photograph, the employer should obtain consent, (and provide all the necessary information stipulated in Art. 13 of the GDPR). In this case, the fact that the photos are made public has no effect on the possibility of revocation of consent to their publication. And refusals or silence of the manager gives rise to the possibility of deposing a complaint with the data protection authority. 

RoPA: A fresh new guide on records of processing activities with some practical examples was issued by the Irish data protection agency. The RoPA should not just be a ‘catch all’ document that refers to other documents; all processing activities should be recorded in sufficient detail, it states. An external reader or an auditor needs to be able to fully comprehend the document. Smaller organisations may not be required to maintain a full RoPA due to their size. However, most organisations will need to record processing activities such as HR and payroll functions. It may be that a simple spreadsheet is sufficient. For more complex organisations, the data controller may opt to use a relational database or one of the RoPA tools available from third-party data protection service providers. 

Online training: During the planning stage of a seminar, explains the Latvian data protection regulator, best practice means writing down and evaluating what kind of data about the event’s visitors is intended to be processed, and for what purposes. Beyond registration data, this can include the participant’s technical data from a device and broadcast and recording of the seminar. The next questions should be what is the applicable legal basis, the types of personal data, and the storage periods necessary to achieve the goal. 

In the case of other (joint) controllers, or processors involved, they must agree among themselves, determine the specific responsibilities and inform the workshop participants. The organizer(s) can include such information in the general privacy policy or develop it separately for each individual seminar. The information must be provided in a concise, transparent, understandable and easily accessible way, (it is considered good practice to have the privacy policy no more than two clicks away from the website’s front page). 

Enforcement decisions

ChatGPT: The temporary ban against Open AI and its Chat GPT has been dropped by the Italian data protection authority. The platform has introduced the required opt-out option for the user’s data processing before running the AI chatbot. A number of European regulators are also moving into action. The French data protection authority has announced the investigation of received complaints, and the German regulators want to know if a data protection impact assessment has been conducted. At the same time, Ireland’s regulator advises against rushing into ChatGPT prohibitions that “really aren’t going to stand up”, stressing it is necessary first to understand a bit more about the technology. 

Record number of cases: The Spanish data protection agency published its 2022 report. 15,128 claims were filed, which represents an increase of 9% compared to 2021 and 47% compared to 2020. This figure rises to 15,822 including cross-border cases from other European authorities and the cases in which the agency acts on its own initiative. The areas of activity with the highest amount of fines imposed have been Internet services, advertising, labour matters, personal data breaches, fraudulent contracting and telecommunications. The main way of resolving claims involves their transfer to the data controller, obtaining a satisfactory response for the citizen in an average of less than 3 months, states the report.

Employee’s dismissal: The Danish data protection authority criticizes an employer who informed the entire workplace that an employee had been dismissed due to, among other things, cooperation difficulties – The employer’s briefing emails went further than what was necessary for the purpose – namely to inform the relevant persons about the resignation. The employer stated that making the reason for the resignation public was to avoid the creation of rumours. However, the Danish regulator found that consideration for the resigning employee weighed more heavily

Security clearance: The Danish authority also decided against a former security guard who complained that his employer, (Securitas), had passed on information about him to the intelligence services in connection with a security clearance without obtaining consent. However, Securitas insists that all on-call employees are informed of the requirement for security clearance, and the complainant had completed an employment form with a declaration of consent, as his application for security approval would have been rejected if the complainant had not completed, signed and consented to it. 

Dark patterns: In Italy, a company that offers digital marketing services was found guilty of having illegally processed personal data. It emerged that in some of the portals owned by the company, “dark patterns” were used which, through suitably created graphical interfaces and other potentially misleading methods, enticed the user to give their consent to the processing of data for marketing purposes and to the communication of data to third parties. In addition, an invitation to click on a link that led to another site to download an e-book had the user’s profile data already recognized and the consent already selected. 

Security evidence logs: For a careless response to a data access request, the Spanish data protection authority fined Securitas Direct Espana 50,000 euros, according to Data Guidance. The complainant used their right of access when their vacation home was robbed for which they had signed a security service contract, The data logs from the alarm system were not provided by Securitas Direct, and those that were sent to the complainant were incomplete, out of order chronologically, and missing the decryption keys The logs produced by the alarm system installed in the complainant’s home, stated the regulator, are considered personal data and are thus subject to the right of access.

Data security

Consumers’ personal data: New York’s Attorney General released a guide to help businesses adopt effective data security measures to better protect personal information.  The guide offers a series of recommendations intended to help companies prevent breaches and secure their data, including:

• maintaining controls for secure authentication,
• encrypting sensitive customer information,
• ensuring your service providers use reasonable security measures,
• knowing where you keep consumer information,
• guarding against automated attacks, and
• notifying consumers quickly and accurately of a data breach, etc.

Cybersecurity of AI: The European Union Agency for Cybersecurity published an assessment of standards for the cybersecurity of AI and issued recommendations to support the implementation of upcoming AI legislation. AI mainly includes machine learning resorting to methods such as deep learning, logic, and knowledge-based and statistical approaches. However, the exact scope of an AI system is constantly evolving both in the legislative debate on the draft AI Act, as well in the scientific and standardisation communities. 

The assessment is based on the observation concerning the software layer of AI. It follows that what is applicable to software could be applicable to AI. However, it does not mean the work ends here. Other aspects still need to be considered, such as a system-specific analysis to cater for security requirements deriving from the domain of application, and standards to cover aspects specific to AI, such as the traceability of data and testing procedures. Meanwhile, some key recommendations include:

• establishing a standardised AI terminology for cybersecurity;
• developing technical guidance on how existing standards related to the cybersecurity of software;
• reflecting on the inherent features of machine learning in AI;
• risk mitigation should be considered by associating software components to AI, reliable metrics, and testing;
• promoting cooperation and coordination across standards organisations’ technical committees.

Big Tech

VLOPs: The first designations of ‘Very Large Online Platforms and Online Search Engines’ under the Digital Services Act, (and the Digital Markets Act), were made public by the European Commission. As the 19 registered entities reach 45 million monthly active users, they will be subject to more regulatory requirements: user rights offerings, targeted advertising opt-outs, restriction on sensitive data and profiling of minors, as well as improved transparency and risk assessment measures. By 4 months after notification, the platforms will have to redesign their services, including their interfaces, recommender systems, and terms and conditions.

Salesforce Community leaks: A large number of businesses, including banks and healthcare, are leaking information from their open Salesforce Community websites, KrebsOnSecurity analysis has discovered  Customers can access a Salesforce Community website in two different ways: through authenticated access, (which requires logging in), and through guest user access, (which doesn’t). It appears that Salesforce administrators may inadvertently give guest users access to internal resources, (payroll, loan amount, bank account information combined with other data), which could allow unauthorised users to gain access to a company’s confidential information and result in possible data leaks.

The post Data protection & privacy digest 18 Apr – 2 May 2023: draft AI legislation finalised, and employers’ compliance in focus appeared first on TechGDPR.

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Essentially, data controllers need to consider data protection throughout the core of their organisational activities. As such, those who work to create technologies involved in data processing must consider the implications of their software in the context of the GDPR. While Data Protection by Design and Data Protection by Default are separate concepts, they are complementary. Implementing Data Protection by Design makes achieving Data Protection by Default much easier, with the reverse being true as well.

Building privacy into the heart of data processing operations and systems is part of Privacy by Design, while ensuring that the data subject’s rights are protected as a matter of standard operations is part of Privacy by Default. These concepts have been in existence since long before the GDPR came into fruition, but under the GDPR became important requirements. 

Achieving Privacy by Design and Privacy by Default is not a simple process when one’s main focus is developing and delivering products. As such, familiarity is of the essence. 

What are the most important considerations involved with these concepts, and how may data processors implement them? 

What is Privacy by Design? 

The concept of Privacy by Design was created by Ann Cavoukian in the 1990s and presented in her 2009 “Privacy by Design: The Definitive Workshop.” As Cavoukian stated, the concept of privacy by design encompasses more than just technology. Rather, Privacy by Design dictates that privacy is taken into account throughout the design process and operations of broader organisations and systems. There are seven foundational principles which constitute the basis of Privacy by Design:

1. Measures are proactive rather than reactive. They anticipate risks and try to prevent them from occurring, rather than allowing for invasions of privacy and minimising them after the fact. These measures are woven into the culture of an organisation. 
2.  Privacy is protected by default. Personal data is protected without requiring the data subject to act. In practice, the most intrusive privacy features of an app, such as geolocation tracking when that is not called for by the user, are turned off when the product is first installed or better yet, every time the app is launched.
3. Privacy is embedded into the design of systems and organisations. It is not an afterthought, but an essential part of a system’s functionality.  Designing for privacy can be quite costly so planning for it rather than redesigning to accommodate it, is a wise cost management strategy.
4. Privacy is not implemented to the detriment of other interests, but rather to accommodate all legitimate interests with full functionality. 
5. Privacy is extended throughout the lifecycle of all the data collected.  
6. Data processing activities are visible and transparent. The business practices and technologies involved are clear to both users and providers.  
7. Measures for privacy are user-centric: the interests of data subjects are at the forefront of operations. 

Cavoukian stresses that ensuring privacy does not come at the cost of other critical interests, but rather ought to complement other organisational goals. 

But how does a team implement these foundational principles into their technological design?

Methods of Implementing and Measuring Data Protection by Design for Technology Developers

The European Data Protection Board adopted guidelines for Data Protection by Design and by Default on 20 October 2020. These guidelines clarify how to implement the requirements of Article 25 in organisations that process personal data. 

Certain concepts, such as pseudonymisation, noise addition, substitution, K-anonymity, L-Diversity, T-closeness, and differential privacy, can help increase the privacy of an individual data subject, or give key information about the privacy of a data set. As a result, individuals working to achieve Privacy by Design should think about these methods as tools they can use, though not as absolute methods in and of themselves. 

• Pseudonymisation replaces direct identifiers, such as names, with codes or numbers, which allows data to be linked to an individual without the individual themself being identified. This data is still within the scope of the GDPR. Truly anonymous data is not considered personal data, and thus its processing does not fall under the scope of the GDPR. However, anonymous data, that is, data which cannot be linked back to a data subject, is different from pseudo-anonymous data in that pseudo-anonymous data has the potential to be re-linked to a data subject, even if in a difficult or indirect way. Thus, pseudo-anonymous data is still subject to the requirements of the GDPR. 
• Noise addition is often used in conjunction with other anonymisation techniques. In this technique, attributes which are both confidential and quantitative are added to or multiplied by a randomised number. The addition of noise still allows for the singling out of an individual’s data, even if the individual themself is not identifiable. It also allows for the records of one individual to be linked, even if the records are less reliable. This linkage can potentially link an individual to an artificially added piece of information. 
• Substitution functions as another method of pseudonymisation. This is where a piece of data is substituted with a different value. Like the addition of noise, substitution ought to be used in conjunction with other data protection measure in order to ensure the data subjects’ rights are protected. 

Means of measuring the privacy of data 

• K-anonymity, a type of aggregation, is a concept that is based around combining datasets with similar attributes such that the identifying information about an individual is obscured. This helps to determine the degree of anonymity of a data set. Essentially, individual information is lumped in with a larger group, thereby hiding the identity of the individual. For example, an individual age could be replaced with an age range, which is called generalisation. By replacing specificity with generality, identifying information is harder to obtain. Suppression is another method of achieving better k-anonymity. This is where a certain category of data is removed from the data set entirely. This is best-suited in cases where the data in that category would be irrelevant in regards to the purpose of the data processing. It is important to note, however, that k-anonymity itself does not guarantee that sensitive data will be protected. 
• L-diversity is an extension of k-anonymity. It provides a way of measuring the diversity of sensitive values in a dataset. Essentially, l-diversity requires each of the values of sensitive attributes within each group to be well-represented. In doing so, l-diversity helps to guarantee that a data set will be better protected against re-identification attacks. This is a helpful consideration in cases where it is possible for attributes in k-anonymised data sets to be linked back to an individual.
• T-closeness expands on l-diversity and is a strategy of anonymisation by generalisation. T-closeness creates equivalent classes which are similar to the initial distribution of attributes in a data set and is beneficial in situations where a data set must be kept as close as possible to its original form. Like k-anonymity and l-diversity, t-closeness helps to ensure that an individual cannot be singled out in a database. Additionally, these three methods still allow for linkability. What l-diversity and t-closeness do which k-anonymity cannot, is provide the guarantee that inference attacks against the data set will not have 100% confidence. 
• Differential privacy aims to ensure the privacy rights of an individual data subject are protected by ensuring the information someone obtains from the output of data analysis is the same with or without the presence of the data of an individual. This allows for data processing without an individual’s information being singled out or the individual being identified. Differential privacy provides privacy through a specific type of randomisation. The data controller adds noise to the data set, with differential privacy revealing how much noise to add. 

Privacy Design Strategies

Researchers have identified eight privacy design strategies, divided into two groups: data-oriented strategies and process-oriented strategies. Data-oriented strategies include: minimise, hide, separate, and abstract. These strategies focus on how to process data in a privacy-friendly manner. Process-oriented strategies include: inform, control, enforce, and demonstrate. These strategies focus on how an organisation can responsibly manage personal data. Article 5 of the GDPR identifies the basic principles to follow when processing personal data: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality. These principles help guide the strategies, which can be exemplified by the concepts and methods of pseudonymisation, noise addition, substitution, k-anonymity, l-diversity, t-closeness, and differential privacy. These methods and processes of measuring privacy should stand as part of larger efforts to work to implement data protection into the fabric of data processing operations. 

How can technology developers learn more about Privacy by Design and Default?

Data Protection by Design and Data Protection by Default are fundamental concepts to adhere to under the GDPR. Teams which keep these concepts in mind at every level of their organisations will keep the rights of data subjects at the forefront of their operations, and thus go further in working towards GDPR compliance. Technology developers have a special role in making sure that their products have the capacity to be used in a GDPR compliant manner, and thus should have extensive familiarity with these concepts. Those interested in learning more about GDPR compliance, from the perspective of what a technology developer should consider, can participate in TechGDPR’s Privacy & GDPR Compliance Course for Developers. This course delves into what individuals working in technology development need to know about data protection so they can better understand their own duties and responsibilities under the requirements of the GDPR. 

The post Privacy by Design for Technology Development Teams appeared first on TechGDPR.