{"id":8258,"date":"2024-03-18T10:51:22","date_gmt":"2024-03-18T09:51:22","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=8258"},"modified":"2025-06-11T14:04:55","modified_gmt":"2025-06-11T12:04:55","slug":"data-protection-digest-18032024-personal-data-gaps-in-information-systems-tc-string-mass-data-collectors","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-18032024-personal-data-gaps-in-information-systems-tc-string-mass-data-collectors\/","title":{"rendered":"Data protection digest 3-17 Mar 2024: Personal data gaps in information systems, TC string, mass data collectors"},"content":{"rendered":"\n

Information systems, their security, and personal data gaps are the focus of our latest digest. Also requiring your attention are invalid consent in cookie walls, the \u2018pay or okay\u2019 subscription model, Open AI \u201cSora\u201d data practices, and the crackdown on mass data collectors<\/em><\/p>\n\n\n\n

Stay tuned! Sign up to receive our fortnightly digest via email.<\/a><\/em><\/p>\n\n\n\n

Personal data gaps in information systems<\/h4>\n\n\n\n

The Spanish data protection agency AEPD examines the distinction between addressing security by focusing exclusively on information systems or from the perspective of the treatments carried out. Under the GDPR rules, a data controller must evaluate the risks to the rights and freedoms of natural persons whose data is being processed and apply measures to mitigate them. Therefore security focused on processing activities is a broader concept than security focused exclusively on systems<\/a>. The scope of application of the GDPR is the processing of personal data, understood as processes with an ultimate and specific purpose, while the scope of application of other regulations, such as cybersecurity or artificial intelligence, is oriented to information and communications systems. <\/p>\n\n\n\n

An example that illustrates this difference is the case of access control operations in personal data processing – when third parties use compromised credentials to log into a service or application. Some controllers may incorrectly claim that a breach within the meaning of the GDPR has not occurred since, according to their opinion, the information systems have not been compromised. These controllers understand that the use of valid credentials to log in to the system has not led to a personal data breach in the processing as the system has functioned correctly.<\/p>\n\n\n\n

\u201cConsent or Pay\u201d initial guidance<\/h4>\n\n\n\n

Some businesses are considering giving people a choice between accessing online services without payment if they consent to their personal information being used for personalised advertising or, if they refuse this consent, having to pay to access that service. In principle, data protection law does not prohibit business models that involve \u201cconsent or pay\u201d, states the UK ICO. However, some types of access mechanisms aren\u2019t likely to comply with expectations in data protection law for consent to be \u2018freely given\u2019. The relevant context may include power imbalance, equivalence, appropriate fees, privacy by design, and information obligation:<\/p>\n\n\n\n

\n

\u201cBeing upfront and honest with people about what happens to their personal information when they use the service is a good thing.\u201d <\/em><\/p>\n
<\/cite><\/blockquote>\n\n\n\n

More official guidance<\/h4>\n\n\n\n
\"information<\/figure>
\n

<\/p>\n\n\n\n

Data obtained as part of work duties: <\/strong>The Latvian regulator DVI explains the legality of data processing through information systems that hold personal information and to which access is authorised through employment<\/a>. We may directly or indirectly come into contact with other people’s data while carrying out our job, including customers, coworkers, and residents. <\/p>\n<\/div><\/div>\n\n\n\n

The organisation that grants its employees access to the systems must ensure, (if technically possible), that the employee accesses only the information necessary to perform the duties of their position. Personal interest or curiosity is no longer an adequate basis for looking into a database. In the case of a data processing infringement, the organisation should anticipate that, as the data controller, they would be the main responsible. <\/p>\n\n\n\n

Automated decisions:<\/strong> The Spanish AEPD has updated guidance on the degree of human intervention in automated decisions<\/a>, (Art. 22 of the GDPR). Many automated decisions involve some degree of human intervention. However, to be considered as such, it has to be active and not just a symbolic gesture, that is, it has to have a certain degree of relevance and capacity. Evaluating whether human supervision is possible and effective involves evaluating both the system used and the treatment and its context. To carry out this evaluation systematically, it is recommended to objectively assess a person’s participation in the decision process. More details in the original publication (in Spanish<\/a>).\u00a0<\/p>\n\n\n\n

Public affairs:<\/strong> As part of their activity, public affairs professionals, (public affairs or lobbying consulting firms, internal departments), collect personal data relating to individuals in sectors such as government, administrative, associative, parliamentary, media actors, etc. To help them comply with the GDPR, several associations representing business and public relations professionals have jointly developed a guide, drafted in consultation with the CNIL<\/a>, (in French).\u00a0<\/p>\n\n\n\n

Legal  processes<\/h4>\n\n\n\n

EU AI Act: <\/strong>The Guardian analyses the practical implications of the upcoming regulations for customers and businesses. The act will soon become law<\/a> and go into effect gradually over the following three years. Customers will feel more certain that the AI technologies are configured for safe use<\/a> as a result. Similar to how the GDPR role model worked, the legislation will likewise have an impact outside the EU. However, the EU’s proposed cap on computing power used to train AI models is far lower than equivalent laws in the US. Consequently, European companies could even decide to relocate west to get around EU regulations, warn some tech businesses.<\/p>\n\n\n\n

\"\"<\/figure>
\n

<\/p>\n\n\n\n

European Health Data Space:<\/strong> EU legislators have struck a provisional agreement on the exchange and access of health data at the union level. Currently, the level of digitalisation of health data in the EU varies from one member state to another. The proposed regulation requires all electronic health record systems to comply with the specifications of the European electronic health record exchange format, ensuring that they are interoperable at the EU level. <\/p>\n<\/div><\/div>\n\n\n\n

Patients still will have the right to opt-out from primary and secondary use of their data or restrict access to it with some exceptions<\/a>, (eg, scientific research, public interest, vital interests). <\/p>\n\n\n\n

IAB Europe:<\/strong> The CJEU holds, as argued by the Belgian data protection regulator, that a structured character string capturing internet users’ preferences such as IAB Europe’s TC string can be considered personal data<\/a>. TC String constitutes personal data, in particular, because its purpose is to link advertising preferences to a specific individual. As a sectoral organisation which standardises and prescribes the method for capturing and transmitting user preferences, IAB Europe can be indeed considered a (joint) controller concerning the processing carried out following this method.<\/p>\n\n\n

<\/div>\n
\n \n

\n Receive our digest by email <\/h2>\n

Sign up to receive our digest by email every 2 weeks<\/h3>\n \n
\n
\n
\n
\n
\n
\n
\n