{"id":8739,"date":"2024-07-04T10:22:11","date_gmt":"2024-07-04T08:22:11","guid":{"rendered":"https:\/\/s8.tgin.eu\/?p=8739"},"modified":"2024-07-04T11:50:44","modified_gmt":"2024-07-04T09:50:44","slug":"data-protection-digest-04072024-end-to-end-algorithmic-audit-vinted-fine-dpo-for-small-businesses","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/data-protection-digest-04072024-end-to-end-algorithmic-audit-vinted-fine-dpo-for-small-businesses\/","title":{"rendered":"Data protection digest 18 Jun – 2 Jul 2024: end-to-end algorithmic audit, DPOs for small business, Vinted fine"},"content":{"rendered":"\n

In this issue we look at an end-to-end algorithmic audit, Vinted multimillion fine, Meta and Apple AI projects frozen in the EU, the fight against addictive feeds to minors in the US, and the Avanza Bank and Meta Pixel error case.<\/em><\/p>\n\n\n\n

Stay up to date! Sign up to receive our fortnightly digest via email<\/a>.<\/em><\/p>\n\n\n\n

End-to-end algorithmic audit<\/h4>\n\n\n\n

The EDPB offers a non-binding auditing methodology for AI systems, specifically focused on impact assessment. A socio-technical, end-to-end algorithmic audit (E2EST\/AA<\/a>), should inspect a system in its actual implementation, processing activity and running context, looking at the specific data used and the data subjects impacted. It is designed to inspect algorithmic systems used in ranking, image recognition and natural language processing. An AI system may be composed of several algorithms, and an AI service or product may include several AI systems. <\/p>\n\n\n\n

It is also an iterative process of interaction between the auditors and the development teams. The method provides templates and instructions to guide such interaction, specifying the data inputs that are necessary for auditors to complete the assessment and validate results. In particular, one of them is \u2018Model cards\u2019<\/a> – documents designed to compile information about the training and testing of AI models, as well as the features and the motivations of a given dataset or algorithmic model. <\/p>\n\n\n\n

Vinted fine<\/h4>\n\n\n\n
\"\"<\/figure>
\n

<\/p>\n\n\n\n

The Lithuanian Data Protection Inspectorate VDAI imposed a 2,385,276 euro fine on Vinted, an online second-hand clothing trade and exchange platform. Violations concern transparency of information, notification and conditions for the data subject rights<\/a>. VDAI investigated the 2021 and 2022 complaints from applicants forwarded by the French and Polish supervisory authorities regarding the company’s possible improper implementation of their requests for data deletion, (“right to be forgotten”), and the right to access data.<\/p>\n<\/div><\/div>\n\n\n\n

In response to the requests, the company stated that it would not take action because the individuals did not detail their requests following Art. 17 of the GDPR. It was also established that to ensure the platform’s and its users’ safety, the company applied “shadow blocking” without individuals knowing about such processing, (and thus unable to exercise other rights established by the GDPR and their remedies). In addition, the company did not take sufficient technical and organisational measures to ensure and to be able to demonstrate that it took, (or reasonably refused to take), steps regarding the right to access the data. <\/p>\n\n\n\n

Meta non-compliance under DMA<\/h4>\n\n\n\n

The European Commission stated Meta\u2019s \u201cPay or Consent\u201d advertising model failed to comply with the Digital Markets Act<\/a>. The binary choice forces users to consent to the combination of their data and fails to provide them with a less personalised but equivalent version of Meta’s social networks. In response to regulatory changes in the EU, Meta introduced a binary offer whereby EU users have to choose between a subscription for a monthly fee to an ads-free version, or free-of-charge access with personalised ads.<\/p>\n\n\n\n

The possible solution would be for users who do not consent to still get access to an equivalent service which uses less of their data. In case of non-compliance, the Commission can impose fines of up to 10% of the gatekeeper’s total worldwide turnover. Such fines can go up to 20% in the case of repeated infringement. The Commission is also empowered to adopt additional remedies such as obliging a gatekeeper to sell a business or parts of it<\/a> or banning the gatekeeper from acquisitions of additional services.<\/p>\n\n\n\n

Non-material damage under the GDPR<\/h4>\n\n\n\n

The CJEU has found that the damage caused by a personal data breach is not inherently less serious than a physical injury<\/a>. In the related case, a data controller managed a trading application in which a data subject opened accounts and entered personal data to do so. In 2020, their data were seized by third parties<\/a> whose identity and purposes remain unknown. <\/p>\n\n\n\n

An individual requesting compensation under the GDPR must prove not only that the infringement occurred but also that the violation caused them harm; this cannot be automatically assumed. In the event of identity theft, as in the above case, the data must have been misused by a third party. Also, determining the damages payable is up to the legal system of each Member State in each given context. <\/p>\n\n\n\n

Apple AI delayed in the EU<\/h4>\n\n\n\n
\"\"<\/figure>
\n

<\/p>\n\n\n\n

Apple decided to delay the release of three new AI features in Europe due to EU competition regulations requiring competing goods and services to be compatible with its devices. The company is concerned that to meet the interoperability requirements of the Digital Market Act, it may be required to make compromises to the integrity of its devices that endanger user privacy and data security.<\/a> The features will debut in the US this autumn, but they won’t make it to Europe until 2025. <\/p>\n<\/div><\/div>\n\n\n\n

More legal updates<\/h4>\n\n\n\n

US privacy legislation:<\/strong> On July 1, the Florida Digital Bill of Rights, Oregon Consumer Privacy Act, and Texas Data Security and Privacy Act entered into effect, joining California, Colorado, Connecticut, Virginia, and Utah. Among many things, they guarantee consumers rights to access, correct, delete, and opt out of the sale<\/a> of their data concerning targeted advertising, and certain profiling. There are also provisions relating to data minimisation, children\u2019s data, sensitive data consent, biometric data, and impact assessments. <\/p>\n\n\n\n

Foreign adversaries: <\/strong>On June 23,  the Protecting American’s Data from Foreign Adversaries<\/a> Act of 2024 entered into effect. It makes it unlawful for a data broker to sell, license, rent, trade, transfer, release, disclose, or otherwise make available specified personally identifiable sensitive data of individuals who reside in the US to North Korea, China, Russia, Iran or an entity controlled by those countries. Sensitive data includes<\/a> government-issued identifiers, financial account numbers, biometric information, genetic information, precise geolocation information, and private communications.<\/p>\n\n\n\n

Minors\u2019 data:<\/strong> To safeguard children’s internet privacy, New York State established new laws. The SAFE For Kids Act<\/a> defines operators that offer minors an “addictive feed” as a major component of their online or mobile service. Addictive feeds<\/a> rely on the user\u2019s past interactions, privacy or accessibility settings related to their device, content displayed or blocked by the user, private communication, search inquiries, chronological order etc. The other piece of legislation – the Child Data Protection Act<\/a> governs, (GDPR-enhanced), processing obligations of relevant minors\u2019 data by operators, processors and third parties. <\/p>\n\n\n\n

More official guidance<\/h4>\n\n\n\n
\"end-to-end<\/figure>
\n

<\/p>\n\n\n\n

Messenger standardised audit:<\/strong> The EDPB offers the Standardised Messenger Audit<\/a> initiative to inspect any messenger service used within businesses from a data protection perspective. It consists of two documents – the requirement catalogue<\/a> and the audit methodology<\/a>. The requirements within this catalogue are formulated in such a way so that a distinction is made between MUST, SHOULD and MAY requirements of the respective data protection principles. It is also closely based on the structure and outline of the GDPR.<\/p>\n<\/div><\/div>\n\n\n\n

Data processor:<\/strong> According to the Latvian data protection regulator, for an organisation to be considered a processor, it must meet two basic conditions – be a separate and independent organisation and process personal data on behalf of the controller. The organisation usually appoints a processor when it needs more knowledge, resources, etc. Finding such a processor would require a feasibility study: compliance of the set of security requirements<\/a> chosen by the processor with the controller’s wishes and needs, reputation, and responsibility. Finally, the signing of the agreement indicates the readiness of both parties to cooperate. Further guidance can be read here<\/a>.<\/p>\n\n\n\n

Joint controllership:<\/strong> The Bavarian State Data Protection Commissioner publishes new guidance, (in German), on the legal concept where two or more controllers jointly determine the purposes and means of processing<\/a>. The GDPR requires a clear allocation of responsibilities, including where a controller determines the purposes and means of processing jointly with other controllers or where a processing operation is carried out on behalf of a controller. However, joint responsibility may still seem less “familiar” than the contractual data processing that has always been established. <\/p>\n\n\n

<\/div>\n
\n \n

\n Receive our digest by email <\/h2>\n

Sign up to receive our digest by email every 2 weeks<\/h3>\n \n
\n
\n
\n
\n
\n
\n
\n