TOMs Archives - TechGDPR https://techgdpr.com/blog/tag/toms/

Data protection digest 1-15 Feb 2025: an employer can’t track alleged ‘inactivity’ of workers via screengrabs and constant video monitoring
TechGDPR, Mon, 17 Feb 2025, https://techgdpr.com/blog/data-protection-digest-17022025-an-employer-cant-track-alleged-inactivity-of-workers-via-screengrabs-and-constant-video-monitoring/
Constant video monitoring and screengrabs at work

A company that used software designed to account for times of alleged “inactivity” and grabbed frequent photos of its employees’ computer screens was fined 40,000 euros by the French data protection regulator CNIL. The staff members were also continuously videotaped, both visually and audibly. In particular, the company had placed software on some of its workers’ PCs to track their teleworking activities. To deter property theft, it also installed a constant video monitoring surveillance system, in both a workplace and a break area. Due to the company’s modest size and the software’s instant withdrawal during the audit, it was decided not to name it. 


GDPR fines clarified

The CJEU clarified the calculation of GDPR fines for undertakings. The top EU court aligned the GDPR ‘undertaking’ concept with that of the TFEU, stating that the maximum amount of the fine is to be determined based on a percentage of the undertaking’s total worldwide annual turnover in the preceding business year. The concept of ‘undertaking’ must also be taken into account to assess the actual or material economic capacity of the recipient of the fine and thus to ascertain whether the fine is at the same time effective, proportionate and dissuasive. 

AI system definition

The European Commission has published non-binding guidelines on prohibited AI practices, as defined by the AI Act, as well as guidelines on the definition of an AI system, to facilitate the application of the first AI Act rules that apply from 2 February. The guidelines specifically address practices such as harmful manipulation, social scoring, emotion recognition, and real-time remote biometric identification, among others.

The guidelines on the AI system definition explain the practical application of the legal concept. The definition adopts a lifecycle-based perspective encompassing two main phases: the pre-deployment or ‘building’ phase and the post-deployment or ‘use’ phase. It comprises seven main elements (not all of which need to be present continuously throughout both phases):

  • a machine-based system; 
  • that is designed to operate with varying levels of autonomy; 
  • that may exhibit adaptiveness after deployment; 
  • and that, for explicit or implicit objectives; 
  • infers, from the input it receives, how to generate outputs; 
  • such as predictions, content, recommendations, or decisions; 
  • that can influence physical or virtual environments.

Legal updates worldwide

China data privacy updates: The Cyberspace Administration released measures for the administration of compliance audits on personal data protection, including cross-border data transfer regulations. They apply to all personal information processors operating within the country. Processors handling data of over 10 million individuals must conduct audits at least every two years. Processors handling data of over 1 million individuals must appoint a data protection officer. These and a number of other measures take effect on 1 May 2025.

UK privacy law reform: The Data (Use and Access) Bill completed its House of Lords stages and had its first and second readings in the House of Commons. Several significant amendments were made to the Bill, including the addition of clauses regarding compliance with UK copyright law by operators of web crawlers and general-purpose AI models, transparency, and deepfakes, as well as an extension of the direct marketing ‘soft opt-in’ from the commercial sector to the charity sector too.

The Bill will allow automated decision-making (with exceptions for processing with a legal or similarly significant effect) with no limitation on which lawful basis an organisation can use, subject to putting specific safeguards in place. Finally, in a debate focused on concerns about using research provisions for AI development, Parliament chose to limit the provision by adding a public interest test rather than by imposing a blanket ban.

Direct marketing advice generator

The UK Information Commissioner launched a free online tool to help organisations ensure their direct marketing activities comply with the Privacy and Electronic Communication Regulations (PECR), and the UK GDPR. This allows organisations to reach out and promote their products and services to both new and existing customers and can assist in making sure they’re contacting people who are happy to hear from them. The tool covers email, SMS, direct mail, social media, telemarketing, etc.

TIA

The French CNIL published the final version of its Data Transfer Impact Assessment guide (in French). Regardless of their status and size, a very large number of data controllers and processors are concerned by the issue of data transfers outside Europe. A TIA must be carried out by the exporter subject to the GDPR, with the assistance of the importer, before transferring the data to a country outside the EEA where such a transfer is based on a tool of Art. 46 of the GDPR (standard contractual clauses, binding corporate rules, etc.). There are two exceptions to this obligation for the data exporter:

  • the country of destination is covered by an adequacy decision of the European Commission; 
  • the transfer is made based on one of the derogations listed in Art. 49 of the GDPR.

More from supervisory authorities

Age assurance and digital services: The best interests of the child should be a primary consideration for all parties involved in processing personal data, states the EDPB. So far, the GDPR has introduced minimum age requirements in the context of information society services (Art. 8), and the Digital Services Act references age verification as a risk mitigation measure (Art. 35). Several Member States have implemented minimum age requirements for performing legal acts, exercising certain rights or accessing certain goods and services.

The risk-based approach is also crucial when balancing the potential interference with natural persons’ rights and freedoms against children’s safety. This would therefore require that a Data Protection Impact Assessment (Art. 35 GDPR) be conducted before processing, taking into account the nature, scope, context and purposes of the processing. Furthermore, any occurrence of automated decision-making in the context of age assurance should also comply with the GDPR.

Customer data checklist: The personal data that telecommunications providers typically process includes name, date of birth, postal address, bank details, email address and telephone numbers. This data is of interest to attackers in itself. Mobile phone numbers or email addresses are also often used as security anchors for other services. In addition, the business model of telecommunications providers involves dealing with expensive hardware. Taking into account the state of the art and the implementation costs, an appropriate level of protection must therefore be guaranteed in each case. To that end, the German Federal Data Protection Commission ‘BfDI’ offers a checklist for handling customer data in sales for telecommunications companies from a data protection perspective, to facilitate the analysis of risks related to personal data (in German).


Search engine and anonymity

QWANT is a French company that launched its search engine in 2013. The data used in the context of the sale of the search engine’s advertising space, operated via Microsoft, was presented as anonymous (the truncated IP address or the hashed IP address used to constitute an identifier). However, in 2019, following a complaint, the French CNIL found that, despite the strong precautions taken to avoid the re-identification of individuals, the dataset transmitted to Microsoft was not anonymised but only pseudonymised.

In 2020, the company was alleged to have modified its privacy policies (in various languages, due to cross-border processing) to mention:

  • the transmission of “pseudonymous” data to Microsoft; and 
  • explicitly, the legal basis and advertising purposes for the data transmission.
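The CNIL finding above turns on the difference between pseudonymisation and anonymisation. The following script is an added illustration, not part of the original digest and not Qwant’s or Microsoft’s actual pipeline: it shows why an unkeyed hash or a truncation of an IPv4 address remains pseudonymous (the hash can be reversed by enumerating candidate addresses, and a truncated address still maps to a small set), and why a keyed hash only moves the re-identification capability to whoever holds the key. The sample address, the candidate range and the secret key are constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed sample values (RFC 5737 documentation range; key is a placeholder).
SAMPLE_IP = "198.51.100.42"
CANDIDATE_RANGE = ipaddress.ip_network("198.51.100.0/24")  # 256 addresses; full IPv4 is 2**32
DEMO_KEY = b"constructed-secret-held-by-the-exporter"


def hash_ip(ip: str) -> str:
    """Unkeyed SHA-256 of the dotted-quad string: a 'hashed IP' identifier."""
    return hashlib.sha256(ip.encode()).hexdigest()


def truncate_ip(ip: str) -> str:
    """Zero the last octet, as in a 'truncated IP' identifier (198.51.100.42 -> 198.51.100.0)."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)


def keyed_hash_ip(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 with a secret key: the exporter can still link records, outsiders cannot."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def reidentify(target_digest: str, candidates: ipaddress.IPv4Network,
               key: Optional[bytes] = None) -> Optional[str]:
    """Enumerate candidate addresses and return the one whose digest matches, if any.

    Without a key this is a plain dictionary attack: the input space is tiny (2**32
    IPv4 addresses), so an unkeyed hash gives no anonymity. With the correct key the
    same enumeration works for the key holder, which is why a keyed hash is still
    pseudonymisation under the GDPR rather than anonymisation.
    """
    for addr in candidates:
        candidate = str(addr)
        digest = keyed_hash_ip(candidate, key) if key is not None else hash_ip(candidate)
        if hmac.compare_digest(digest, target_digest):
            return candidate
    return None


def candidates_after_truncation(truncated: str) -> int:
    """Number of original addresses a /24-truncated identifier still maps to."""
    return ipaddress.ip_network(f"{truncated}/24").num_addresses


def demo() -> dict:
    """Run the three cases and return the outcomes for inspection."""
    unkeyed = hash_ip(SAMPLE_IP)
    keyed = keyed_hash_ip(SAMPLE_IP, DEMO_KEY)
    return {
        # Unkeyed hash: reversed by a third party with no secret at all.
        "unkeyed_reversed_by_outsider": reidentify(unkeyed, CANDIDATE_RANGE),
        # Keyed hash: an outsider running the same enumeration finds nothing.
        "keyed_reversed_by_outsider": reidentify(keyed, CANDIDATE_RANGE),
        # Keyed hash: the key holder can still re-identify, so the data is pseudonymous.
        "keyed_reversed_by_key_holder": reidentify(keyed, CANDIDATE_RANGE, DEMO_KEY),
        # Truncation: still a group of 256 addresses, not a crowd of 2**32.
        "truncation_candidates": candidates_after_truncation(truncate_ip(SAMPLE_IP)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```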

Former employee data from personal email

The Danish Data Protection Authority has ruled in a case where a company had accessed and downloaded emails from a former employee’s private email account as part of a dispute between the parties and a police report. The company informed the regulator that it was processing these data on the basis of legitimate interest. The regulator criticised the move. It noted that the company’s investigation was directed at the former employee’s work computer, and that access to the personal email account was discovered by accident.

Nonetheless, the company continued to search, even after it had become aware that it was a personal email account.

More enforcement decisions

Transaction logs failure: According to Data Guidance, the Spanish data protection authority AEPD resolved a case in which it fined GENERALI ESPAÑA (insurance and finance services) 4 million euros for a data breach. An attacker used insurance broker credentials to get access to the personal information of policyholders, former policyholders, and other people (about 1.5 million), as a result of a technical glitch in the customer maintenance system update. Furthermore, the lack of transaction logs made it impossible to determine the true extent of the intrusion immediately. Names and surnames, ID numbers, phone numbers, dates and places of birth, and IBANs were among the personal information breached.


Hidden video monitoring in neonatology: Similarly, the Polish UODO imposed a fine of approx. 275,000 euros on Centrum Medyczne Ujastek in Kraków, for installing image recording devices in two rooms of the neonatology department, and for failing to apply technical and organisational measures appropriate to the risk for data processed on memory cards located in the monitoring devices. Images showed newborns and their mothers performing intimate activities, including feeding and caring for children.

The children whose images were recorded no longer required intensive care, so their health was not at risk. Neither patients nor employees were informed about the recording. At the same time, the Medical Center reported to the UODO a loss or theft of memory cards from image recording devices in the above-mentioned rooms. After investigation, it was determined that the memory cards on which the recordings were located were not encrypted, and the devices used to record images were not configured properly. Finally, the risk analysis did not include the risk that was the cause of the incident and did not specify the security measures that could prevent it.

Data security

Data scraping: The Guernsey Data Protection Authority reported a recent suspected data scraping incident in which an online business directory appeared to have been scraped by a third party using an automated tool, who then attempted to sell the data. The regulator recommends key measures for any websites with business directories, user profiles, or that store personal data in any other form:

  • Rate limiting, also known as throttling, is a technique used to limit the number of actions a user can make on a website in quick succession, safeguarding against automated bots.
  • CAPTCHA is a widely used tool which requires users to confirm that they are human by completing a quick and simple task.

Data breach notification: The Swiss data protection authority FDPIC published guidelines on reporting data security breaches. As a rule, the report must contain a description of the circumstances of the breach and the controller’s assessment of its implications and include in particular details of the type, time, duration and extent of the breach and its already known and anticipated effects on the data subjects. The regulator also accepts voluntary reports where the controller does not assess the breach as posing a high risk to the data subjects but wishes to inform the FDPIC for other reasons. At the same time, data security breaches that lead to serious breaches of professional and manufacturing secrecy but do not affect personal data do not fall within the scope.

Big Tech

Gig economy: “What would you do if your employer suddenly fired you or reduced your pay without telling you why?”, asks Privacy International. Unfortunately, this is the reality for the many millions of gig workers driving or delivering for platforms like Uber, Deliveroo and Just Eat, where algorithms manage everything from hiring to firing, dynamically adjusting pay and allocating jobs. To that end, PI has produced three demands for platforms to implement:

  • Maintain a public register of the algorithms used to manage workers;
  • Accompany all algorithmic decisions with an explanation of the most important reasons and parameters behind them;
  • Allow workers, their representatives and public interest groups to test how the algorithms work.

Shift from third-party cookies to device fingerprinting? Research by DLA Piper examines Google’s plan to remove the ban on device fingerprinting—which entails gathering and combining data about a device’s hardware and software to identify the device—for businesses that use its advertising tools, with effect from 16 February. This comes after Google decided to keep third-party cookies in July 2024. See the original analysis for the implications of such a move regarding consent requirements and reduced user control.

Agentic AI: The Future of Privacy Forum takes a deep dive into a new technology described as “AI agents.” Unlike automated systems and even LLMs, these systems go beyond previous technology by having autonomy over how to achieve complex tasks, such as navigating a user’s web browser to take actions on their behalf (from making restaurant reservations and resolving customer service issues to coding complex systems). You can read the original publication for the data protection considerations of such systems, such as data collection, a lawful basis for model training, data subject rights, accuracy of output, data security and ensuring adequate explainability.

Data protection digest 16-30 Jan 2025: The intersection of information and operational technologies in the health sector
TechGDPR, Fri, 31 Jan 2025, https://techgdpr.com/blog/data-protection-digest-31012025-the-intersection-of-information-and-operational-technologies-in-the-health-sector/
EU Health sector

The Commission presented an EU Action Plan to improve health sector cybersecurity. It will include hospitals, clinics, care homes, rehabilitation centres, various healthcare providers, the pharmaceutical, medical and biotechnology industries, medical device manufacturers, and health research institutions. A significant challenge for the cybersecurity of the health sector is the intersection of information technology (IT) and operational technology (OT), where different security priorities meet as regards data confidentiality, availability and reliability, and where a breach in one area can affect the other. In many cases, IT and OT are at least partly outsourced.

Deficiencies are observed in key areas such as sufficient human resources, organisations’ knowledge of their information and communications technology supply chains, and installation of up-to-date security features in products (for services like IaaS, PaaS, and SaaS). The sector struggles with basic cyber hygiene and fundamental security measures, as illustrated by the fact that nearly all health organisations surveyed face challenges when it comes to performing cybersecurity risk assessments, while almost half have never performed a risk analysis.

Right of access


The EDPB published a one-stop-shop case digest on the right of access. Natural persons’ right to access personal data related to them is enshrined in Art. 8 of the EU Charter of Fundamental Rights and is, therefore, to be considered the most essential data protection right. Art. 15 of the GDPR applies to requests for access submitted after the law became applicable. It can be divided into three components: 

  • Confirmation as to whether personal data related to the data subject is processed or not. 
  • Access to information related to the data subject if it is processed at the time of the data subject’s access request. 
  • Information about the processing and the data subject’s other data protection rights.

The CJEU has also repeatedly stated that the practical aim of the right of access is, firstly, to enable data subjects to verify that the personal data concerning them are correct and processed lawfully. In particular, the right of access is necessary to enable the data subject to exercise their rights to rectification, erasure, restriction and objection to processing, as well as the right of action when they suffer damage.

More EDPB updates

Pseudonymisation: The EDPB also awaits comments on the Guidelines on Pseudonymisation until the end of February. The GDPR does not impose a general obligation to use pseudonymisation. Similarly, the explicit introduction of pseudonymisation is not intended to preclude any other measures. However, data controllers may need to apply pseudonymisation to meet the requirements of EU data protection law, in particular, to adhere to the data minimisation principle, to implement data protection by design and by default, or to ensure a level of security appropriate to the risk. In some specific situations, Union or Member State law may mandate pseudonymisation. 

Complex algorithms: Finally, the EDPB also published an opinion piece on AI and effective data protection supervision. This report covers techniques and methods that can be used for the effective implementation of data subject rights, specifically the right to rectification and the right to erasure, when AI systems have been developed with personal data. However, there are several challenges:

  • Limited understanding of how each data point impacts the model;
  • Stochasticity of training (random sampling of batches of data from the dataset, random ordering of the batches, and parallelisation without time synchronisation);
  • Incremental training process (updates relying on a specific training data point will affect all subsequent updates);
  • Stochasticity of learning (it is difficult to correlate how a specific data point contributed to the “learning” in the model).

AI prohibitions in the EU

From 2 February, for any organisations that offer or operate AI systems, the first key provisions of the AI Act will apply: the ban on certain AI practices in both public and private sectors (mass surveillance, social scoring, behavioural and emotional analysis), and obligations to ensure that employees have sufficient AI skills. Additionally, manipulative AI practices that exploit human vulnerabilities are now prohibited. Particular focus is placed on protecting vulnerable groups such as children and adolescents.

From now on, such violations can not only lead to sanctions under the AI Act but also trigger action from data protection authorities.

More legal updates worldwide

China cross-border transfers: At the beginning of January, the Cyberspace Administration of China released for public consultation the draft certification measures to legitimise cross-border transfers of personal data outside of China (CBDTs), DLA Piper reports. Chinese law requires data controllers to take one of the following three routes: a) mandatory security assessment; b) Standard Contractual Clauses filing; or c) certification.

The certification route is available to data controllers inside China and outside the country if they fall under the extraterritorial jurisdiction of the Personal Information Protection Law (e.g. processing data of residents in China to provide products or services to them, or to analyse or evaluate their behaviour). Regardless of the chosen route, data controllers must implement other compliance measures for CBDTs, including consent requirements, impact assessments, and maintaining records of processing activities.

US child privacy: On 16 January, the FTC finalised changes to the children’s privacy rules (COPPA). By requiring parents to opt into targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetising children’s data without active permission. It requires certain websites and online services to proactively obtain verifiable parental consent before collecting, using or disclosing personal information from children under 13, provides the right to require deletion of these data, and establishes data minimisation and data retention requirements. Entities will have one year from the publication date to come into full compliance.

Open Data

The French CNIL alerts data controllers who use databases freely made available on the Internet or provided by a third party that they must verify that their creation, sharing or re-use is legal. This concerns such areas as scientific research, development of artificial intelligence systems and commercial prospecting, as well as data brokers. To initiate and define a compliance process, data controllers will need to identify a legal basis, inform individuals, minimise data, obtain explicit consent for the processing of sensitive data, maintain up-to-date data processing agreements and other core documentation, and conduct impact assessments.

SDK and app privacy

Software Development Kits (SDKs) play a central role in how mobile apps work. The French CNIL has made recommendations on how to integrate SDKs and conduct controls to ensure their compliance with the GDPR. The most popular SDKs offer tools for software error management, audience measurement, ad monetisation, notification management, and more.

The SDK code embedded within the app has the same level of software access as the rest of the code written by the app developer. If permission is granted to the application, all built-in SDKs have, by default, the technical capability to access the data. This access by the SDK can then escape the developer’s control and infringe on the privacy of the users of the application. It is therefore important that the publisher gives clear instructions to the developer as to the process to be implemented for the selection and configuration of the in-app SDKs.

More official guidance

Medical wearables: The Federal Office for Information Security (BSI) in Germany has published the results of its project on the “Security of wearables with partial medical functionalities”. The project deals with the security of wearables (marketed in Germany) that use sensors to record health and fitness status. These sensors can be used to measure or calculate heart rate, blood oxygen saturation, sleep patterns, and calorie consumption, among other things. Many of these devices use mobile apps to evaluate sensitive data and create statistics. Vulnerabilities in devices used to record health and fitness data open up a new form of personal cybercrime for criminals. On the one hand, it is conceivable that wearables could be used specifically to attack people who have the appropriate sensors. Targeted attacks could also be made on recovery processes, for example, when sick people adjust their medication based on sensor data.

Financial apps: In parallel, the BSI published the technical guidelines on “Requirements for applications in the financial sector” for fintech companies, such as banks, financial service providers or start-ups in the field of financial technology. The aim is to achieve a uniformly high level of security for existing banking apps and payment services, but also for financial services on smartphones or smartwatches. These may include apps that users can use to pay in the supermarket or manage accounts, but also crowdfunding platforms or microcredit initiatives, etc. The guide is available in German.

Selling drivers location and behaviour data

In the US, the FTC is taking action against General Motors over allegations they collected, used, and sold drivers’ precise geolocation data and driving behavior information from millions of vehicles—data that can be used to set insurance rates—without adequately notifying consumers and obtaining their affirmative consent. When consumers bought a vehicle, they were encouraged to sign up for a feature which they were often told would be used to help them assess their driving habits. 

The information notice was confusing and misleading. GM failed to clearly disclose to consumers the types of information it collected, including their geolocation and driving behavior data, such as hard braking, late night driving, and speeding, or that it would be sold to consumer reporting agencies. These consumer reporting agencies used the sensitive information GM provided to compile credit reports on consumers, which were then used by insurance companies to deny insurance and set rates. Additionally, through faulty claims on its websites and in email and social media ads, the company claimed that it deployed reasonable security and that it was in compliance with the previous EU-US and Swiss-US Privacy Shield Frameworks. 

More enforcement decisions

Loan promotion: The UK’s ICO meanwhile fined ESL Consultancy Services Ltd 200,000 pounds for knowingly sending unlawful loan promotion nuisance text messages to people who had not consented to receive them. The regulator found that in 2022 and 2023, ESL used a third party to send marketing text messages without ensuring valid consent was in place to send promotional materials. ESL also took steps to conceal the identity of the sender of the messages by using unregistered SIM cards. As a result, the ICO received 37,977 complaints.

Failed internal policies: An investigation by the Romanian supervisory authority revealed that the telecoms operator Vodafone Romania repeatedly failed to ensure the confidentiality of data belonging to several customers as a result of non-compliance with internal policies. For these acts the operator had to pay a fine of approx. 15,000 euros. The data security breach was caused by:

  • unauthorised transmission of a picture of a data subject’s invoice to a third party;
  • not hiding recipients’ email addresses and not selecting the “BCC” option when informing data subjects of changes;
  • sending via WhatsApp by an employee of an authorised representative of the operator, a photo containing a screenshot of data displayed in the app interface.

Failed erasure request: The Romanian regulator also fined Orange Romania approx. 40,000 euros for a failed data erasure request. After an unsuccessful attempt to subscribe to the mobile services offered by the operator, a request was made to delete all personal data. During the correspondence, the operator requested more personal data and no complete and adequate responses were provided to the requests received. Moreover, the operator had excessively collected and stored scanned copies of documents, although they were no longer necessary for the purpose of identification related to the conclusion of a subscription contract. 

Data security

Hosting services: America’s FTC reminds us that a business website is one of the most important sales and marketing tools. It is not only the virtual storefront, but also a repository for data, yours and your customers’. Thus, when you go looking for a web host, the company that will store your site on its servers, security is non-negotiable. The recent FTC settlement with GoDaddy, one of the largest web hosting companies in the world, shows what can happen when security slips, in particular when the hosting provider neglects to inventory its assets, manage software updates, use multifactor authentication, and appropriately monitor for security threats.

New security measures listed: The Danish data protection regulator published two new measures in its technical catalogue, both of which deal with ‘secure data transmission’. If two or more parties use external networks, such as the Internet and telecommunications networks, they often do not have the same control and protection as when using their own networks. In such cases, the parties must assess whether the data transmission should be protected with encryption. However, encryption of data transmission can also be used to protect against “insider threats” or physical intrusion into one’s own networks. During transmission, there may also be a risk that data becomes known to unauthorised persons. Validation of sender, recipient and content is thus a preventive measure that reduces the likelihood of data being read by unauthorised parties. At the same time, it can ensure non-repudiation and validation of the sender.

Valio data breach investigation in Finland

The data protection ombudsman is investigating a data security breach targeting the information network of Valio (the country’s largest milk processor). The attacker had obtained the personnel data of Valio and its subsidiaries operating in Finland, as well as of milk purchasing cooperatives. Former employees of Valio have also been targeted. In addition, the breach targeted data in the databases of the Valio Mutual Insurance Company and the Valio Pension Fund. The data breach targeted a significantly larger amount of personal data than initially estimated by the data controller.

Big Tech

Meta AI: Meta began to gradually roll out a new feature that lets its AI tool remember certain details that you share with it in 1:1 chats on WhatsApp and Messenger. The company is also rolling out a greater level of personalisation for Meta AI on Facebook, Messenger and Instagram, (by tracking and memorising details about you, including information about your personal life, ethnicity, health and family).

The changes so far only concern users in the US and Canada. The new policy promises to ”only remember certain things you tell it in personal conversations, (not group chats), and you can delete its memories at any time”. 

DeepSeek data whereabouts: Italy’s data protection regulator Garante has requested answers from, (and temporarily blocked), the Chinese AI model DeepSeek, supposedly a low-cost and open-source alternative to US rivals, over its usage of personal data. What information has been collected, from which sources, for what purposes, on what legal basis, and is it stored in China? Other reports claim that DeepSeek spreads misinformation and bans political prompts, and ask how the Chinese state might exploit users’ data.

OpenAI meanwhile warns that Chinese startups are ‘constantly’ using its technology to develop competing products. The company is reviewing allegations that DeepSeek used the ChatGPT maker’s AI models to create a rival chatbot through a technique known as “distillation” – boosting the performance of smaller models by using larger, more advanced ones to achieve similar results – as summed up in this Guardian article.

Data protection digest 17 Sep – 1 Oct 2024: EU Data Act as an illustration of the GDPR ‘prevail’ principle https://techgdpr.com/blog/data-protection-digest-02102024-eu-data-act-as-an-illustration-of-the-gdpr-prevail-principle/ Wed, 02 Oct 2024 09:58:10 +0000 https://s8.tgin.eu/?p=9231

How does the EU Data Act interact with the GDPR?

The Data Act will become applicable in the EU starting on 12 September 2025. In the runup, the European Commission has published an FAQ on the new legislation. Together with the Data Governance Act, it enables a fair distribution of value by establishing clear rules related to the access and use of data within the EU’s data economy. While the Data Act does not regulate the protection of personal data, the GDPR remains fully applicable to all personal data processing activities under the Act. 

This includes the powers and competences of supervisory authorities and the rights of data subjects. Sometimes, it complements the GDPR, (eg, real-time portability of data from Internet-of-Things objects). In other cases, it restricts the re-use of data by third parties, such as for profiling purposes, (unless it is necessary to provide the service to the user). In the event of a conflict between the GDPR and the Data Act, the GDPR rules shall prevail, (see Art. 1(5) of the Data Act).  

Corrective powers under the GDPR

The CJEU has ruled that a supervisory authority is not obliged to exercise a corrective power in all cases of breach and, in particular, to impose a fine. It may refrain from doing so where the controller has already taken the necessary measures on its own initiative. The case relates to a savings bank in Germany where one of its employees had consulted a customer’s data on several occasions without being authorised to do so. The employee had confirmed in writing that she had neither copied, retained nor shared the data, and the bank had taken disciplinary measures. The data controller nevertheless notified the data protection authority of this breach.

More legal updates

California tech updates: Among over a dozen new bills covering personal data and generative AI, Governor Gavin Newsom signed a bill on training data sources into law. It includes reporting provisions for developers on sources or owners of datasets, a description of data points in them, whether the datasets contain personal information, how the datasets further the intended purpose of the AI system or service, whether the datasets include any data protected by copyright, trademark, or patent and more. Changes will be due on 1 January 2026. 

California has also expanded the definition of personal data to more abstract digital formats, including compressed or encrypted files, metadata, or artificial intelligence systems that are capable of outputting personal information. At the same time, a landmark artificial intelligence safety bill was blocked by the governor after strong opposition from major technology companies. The draft bill required the most powerful AI models to undergo safety testing and other oversight obligations.

Lax social media privacy controls: The Federal Trade Commission has examined the data practices of major social media and video streaming services, revealing that they engaged in vast surveillance of consumers to monetise their personal information while failing to adequately protect users online, especially minors. Among other things, companies feed users’ and non-users’ personal information into their automated systems, including for use by their algorithms, data analytics, and AI, without proper testing and oversight. Meanwhile, data subjects had little or no way to opt out of how their data was used by these automated systems.

Who determines how to secure data?

The Polish Supreme Administrative Court has made a final decision on whether a data controller can leave it to an employee to determine how to secure data. In the related case, the probation officer of a district court lost an unencrypted pen drive with the personal data of 400 people. The analysis of the case showed that the controller had not fulfilled its security obligations correctly.

Before the incident, the controller issued the device and instructed the probation officer to implement security measures on their own. The obligation to register and encrypt the medium was introduced only after the officer lost it. Additionally, employees were only given basic training in data protection, which did not give them enough knowledge on securing digital mediums or calculating the risks of data loss. As a result, the employee decided to protect the data by carrying their drive in a locked bag.

More from supervisory authorities

Data accountability from A to Z: The Luxembourg data protection and cybersecurity authorities have recently developed DAAZ, a GDPR compliance tool that addresses the challenges faced by start-ups and small and medium-sized enterprises, (available in English). The tool comes in response to the personal data protection challenges faced by SMEs in particular, which are often at a disadvantage compared with large organisations in terms of resources and expertise.

Mobile applications: The French CNIL has published the final version of its recommendations to help professionals design privacy-friendly mobile applications. From 2025, these will be the subject of a specific control campaign. According to the latest data, a typical French consumer downloads 30 apps and uses their mobile phone for an average of 3 hours and 30 minutes per day. Among other things, the recommendations include best practices for stakeholders to ensure that users understand whether the requested permissions are really necessary for the application to function.

AI Act and GDPR: Finally, the Belgian regulator published its information guide, (available in English), on the EU AI Act from a GDPR perspective. It includes sections on AI system definition, and data protection principles such as purpose limitation, data minimisation and data subject rights in an AI context. It also emphasizes accountability, security measures and human oversight in AI development. 

Termination of employment

Although former employees have the right to request the deletion of their data, it should be understood that this right is not absolute, according to the Latvian regulator. In one example, the former employer has the right to temporarily retain an e-mail box for a certain period to ensure continuous communication with the company’s customers, (eg, by forwarding e-mails), and access information that is essential to the operation of the company. However, the employer must clearly define for how long this e-mail address will be stored and communicate it to employees. 

This does not mean that the employer can use the information found in the e-mail for other purposes. The principle of purpose limitation should be taken into account here. If an employer recovers, for example, a computer or smartphone used by an employee after the end of the employment relationship, they may discover that private e-mails or other communication channels were accessed on it. If the employee is not logged out of these accounts, the employer has no right of access, despite owning the device.

Data requests via a representative

Finland’s data protection commissioner has stated that a person can make an inspection request for their data with the help of an agent and, for example, ask the organisation to provide the agent with that information. Data protection legislation does not prevent the exercise of data protection rights through another person. An individual who contacted the regulator’s office had asked the Tax Administration to deliver all information about them to their representative’s postal address. However, the Tax Administration refused to provide information to the agent, citing that the information could only be provided to the person directly.

More enforcement decisions

Commercial legitimate interest: Hogan Lovells’ law blog reports that a Dutch court has once again rejected a decision of the data protection authority for its overly strict interpretation that purely commercial interests cannot be legitimate interests under the GDPR. The court ruled in favour of the unnamed company by suspending a 120,000 euro fine, as there was still room for legal discussion.

The cumulative criteria for a valid legitimate interest, (eg, for direct commercial marketing), require a careful assessment, including whether the data subject could reasonably expect the data processing. Additionally, the personal data concerned should be strictly necessary for the legitimate interests pursued, and, finally, the fundamental rights and freedoms of the data subject must be preserved.

Meta fine for password storage in plaintext: The Irish Data Protection Commission has fined Meta Ireland 91 million euros. The inquiry was launched in April 2019, after the company notified the regulator that it had inadvertently stored certain passwords of social media users in ‘plaintext’ on its internal systems, (ie, without cryptographic protection or encryption). These passwords were not made available to external parties.

Selling data to competitors: A man in the UK has pleaded guilty and been fined for unlawfully retaining and selling thousands of details of customer records from the car leasing company he worked for. Shortly before he resigned from his role as sales consultant, at Leaseline Vehicle Management Ltd, he sold over 3,600 pieces of personal information he’d taken from the company’s internal customer database. He approached multiple competitor companies with this information, whilst claiming that the data belonged to him.

Data security

Facial recognition: The German Data Protection Conference observes that some authorities are already using biometric facial recognition in public spaces, citing non-specific criminal procedural rules. However, the legal framework and the civil liberties of those affected – potentially all citizens – are not sufficiently taken into account. For this reason, the European legislators have excluded certain applications in the AI Act and set strict limits for others. The regulator calls upon the national legislators to create specific and proportionate legal bases for the use of facial recognition systems in public spaces.  

Minors’ data: Following the UK Ofcom’s publication of the draft Children’s Codes of Practice, which are due to come into effect in early 2025, Instagram has changed the way it works for minors, connectedworld.clydeco.com reports. For all under 18s, the new “teen accounts” will activate several privacy settings by default, such as preventing non-followers from seeing their material and requiring them to manually accept new followers.

Also, the only way for 13 to 15-year-olds to change the settings is to add a parent or guardian to their account. Strict guidelines will also be applied to sensitive content to avoid suggesting potentially dangerous material, and notifications will be muted overnight, (“sleep mode”).

Portability right: A new portability right applies to employees and consumers in Québec, JD Supra law blog reports. The purpose is to allow individuals in the private and public sectors to access their data and transfer it to another legally authorised organization of their choice. It only applies to data that has already been digitally stored and was directly provided by the individual. Although the legislation does not specify any particular format, PDFs, pictures, and proprietary formats that call for additional software or costly licensing should be avoided in favour of formats like CSV, XML, or JSON.

Data protection digest 3 – 16 Aug 2024: data labelling for LLMs, third-party cookies as a cause of leaks https://techgdpr.com/blog/data-protection-digest-19082024-data-labelling-for-llms-third-party-cookies-as-a-cause-of-leaks/ Mon, 19 Aug 2024 09:53:01 +0000 https://s8.tgin.eu/?p=8877

In this issue: X’s AI Grok training suspended in the EU, third-party cookies may lead to data breaches, Uniqlo ‘payroll’ mistake, car rental refusal based on client’s income, and AI non-transparency – data scraping, maximisation, risks of regurgitation, and what is behind data labelling for the LLM industry.

LLMs, data labelling and data protection

A fundamental principle of data protection law is data minimisation. Privacy International, however, insists that LLMs are being trained through indiscriminate data scraping and generally maximise their approach to data collection. Under data protection laws, individuals have the right to assert control over data related to them. However, LLMs are unable to adequately uphold these rights, as the information is held within the parameters of a model in addition to a more traditional form, such as a database. ‘Regurgitation’ can also lead to personal data being spat out by LLMs: because training data is enmeshed in LLM algorithms, it can be extracted, (or regurgitated), by feeding in the right prompts.

PI also investigated digital labour platforms that have arisen to supply data labelling for LLM training. This includes training an AI model against a labelled dataset and is supplemented by reinforcement learning from human feedback. For example, data labellers mark raw data points, (images, text, sensor data, etc.), with ‘labels’ that help the AI model make crucial decisions, such as for an autonomous vehicle to distinguish a pedestrian from a cyclist. It appeared that many such labellers can be completely disconnected from the AI developers, and are often not informed about who or what they are labelling raw datasets for. They are also subject to algorithmic surveillance and unreliable job stability. 

Third-party cookies as a cause of data breaches

JDSupra legal insights look at the disclosure of data through website cookies, which may facilitate a data breach in California. In the related court case, the plaintiff claimed that an online counselling service, where website users can find and seek therapy, violated the California Consumer Privacy Act by allowing tracking software to retarget website users with ads. The court refused to dismiss the data breach claim. Specifically, the simple fact that a user visited the website may qualify as sensitive information, because such a visit could mean they must have been seeking therapy.

Concerning whether using retargeting cookies is inherently illegal, the court refrained from rendering a decision.

US Child privacy bill

On 30 July, the Kids Online Safety and Privacy Act was passed by the Senate. KOSPA is a variation of two previously proposed bills: the Kids Online Safety Act, (KOSA), and the amended Child Online Privacy Protection Act, (COPPA 2.0). The act applies to digital platforms, particularly those with more than 10 million active monthly users. The duty of care includes options for minors to protect their data, prohibition of the use of dark patterns, and transparency regarding the use of opaque algorithms, etc. KOSPA now heads to the House, where it will be debated over potential censorship and the possibility of minors lacking access to vital information. 

Oncological oblivion

The Italian data protection authority Garante looks at “the right to be forgotten” in oncology, and whether banks, insurance companies, credit bodies, and employers can ask for information on the oncological pathology of an individual in a remission stage. Also, can a clinically recovered person adopt a child? These and other questions are answered in the FAQs published by the regulator, (in Italian). The aim is to prevent discrimination and protect the rights of people who have recovered from oncological diseases.

Chatbots and customer data

Employees sharing patient or consumer personal information with an AI chatbot have resulted in allegations of data leaks to the Dutch Data Protection Authority, (AP). The majority of chatbot developers store all data entered. Organisations must make clear agreements with their employees about the use of AI chatbots. They could also arrange with the provider of a chatbot that it does not store the entered data.

More official guidance

Avoiding outages and system failures: The US Federal Trade Commission insists that many common types of software flaws can be preemptively addressed through systematic and known processes that minimise the likelihood of outages. This includes rigorous testing of both code and configuration and the incremental rollout procedures. For instance, when deploying changes to automatically updating software, vendors could initially deploy it to a small subset of machines, and then roll it out to more users after it’s confirmed that the smaller subset has continued to function without interruption. 

Surveys at schools: The Latvian data protection authority investigates whether a teacher can ask students to complete surveys. The educational process has long extended beyond learning the subject matter to the psychological state of the child too. Answers given in student surveys can be divided into standard, personalised or anonymous forms. However, children are often not able to assess how much private information to give to others. Thus, security requirements, such as data non-disclosure and storage limitations, must be applied in most cases.

Additional parent consent should be required if the surveys are related to the organisation of the learning process indirectly.

AI systems transparency: The German Federal Information Security Office, (BSI), published a white paper on the “Transparency of AI systems”. It says that the increasing complexity of AI “black box” systems, as well as missing or inadequate information about them, makes it difficult to make a visual assessment or to judge the trustworthiness of the outputs. The paper defines the term transparency for various stakeholders from users to developers, and discusses the opportunities and risks of transparent AI systems, both positive, (promoting safety, data protection, avoiding copyright infringements), and negative, (the possible disclosure of attack vectors).

Uniqlo ‘payroll’ mistake

The Spanish regulator imposed a fine of 450,000 euros, (reduced to 270,000 euros), on the UNIQLO branch in Spain, DataGuidance reports. The complainant, who provided services to UNIQLO, requested their payroll data and received an email containing a PDF document with payroll information on the entire 446-strong workforce. The document contained names, surnames, social security, bank account numbers, and more.

The breach was caused by a human error within the human resources department, but the employee in question had not informed their superior. The regulator confirmed that the negligent action of the employee does not exempt the data controller from liability.

Healthcare IT provider fine

The UK Information Commissioner’s Office has provisionally decided to fine Advanced Computer Software Group 6.09 million pounds. It provides IT and software services to the NHS and other healthcare providers, and handles people’s personal information on behalf of these organisations as their data processor. The decision relates to a ransomware incident in 2022, when hackers accessed several of Advanced’s health and care systems, (with the personal information of 82,946 people), via a customer account that did not have multi-factor authentication.

More enforcement decisions

Car rental and client’s income: The Italian Garante imposed a one million euro fine on Credit Agricole Auto Bank for the illicit processing of personal and income data of customers who requested financing for the long-term rental of a car. The bank accessed the centralised fraud prevention system, also on behalf of its subsidiary, a car leasing company, despite it not having the necessary authorisation from the Ministry of Finance. 

The complainant contacted the bank to know the reasons behind the denial of the long-term rental and the inclusion of their name on a credit risk list. The bank stated these were due to the client’s negative income situation. Furthermore, the bank did not first acquire the client’s tax return form, an essential document for making a comparison with the information contained in the database. 

Dark patterns in the gambling industry: The Guernsey privacy regulator reviewed 19 online gaming sites for indicators of deceptive designs. In 42% of cases, the analysis was unable to find the website or app’s privacy settings, (in most cases those found were unnecessarily lengthy and complex). Also, it was more difficult to delete an account than it was to create one. In one of the instances, a user made their account deletion request through an on-site chatbot, as they were unable to find the ‘delete account’ option on the site. In another case, the organisation asked that a form be completed and returned to them, along with identity verification documents. Neither the documents nor the form were required to create an account. 

Data security

Lack of encryption: The Danish regulator has reprimanded the Vejen Municipality for insufficient security measures. Three stolen computers with information about children were not encrypted – and the same turned out to be the case with up to 300 other computers in the municipality. The computers were only intended for use by teachers as part of the teaching process. In practice, however, they were also used by teachers to make status descriptions of students, class handovers, etc. The regulator also issued a reminder that encryption of portable devices is a very basic security measure which is relatively easy and not very costly to implement.

GPS tracking: A court in Slovenia confirmed the decision of the Information Commissioner to restrict the use of GPS tracking of company vehicles, on a systematic, automated and continuous basis. The company did not demonstrate that such GPS tracking is a suitable and necessary measure for the protection of company vehicles and the equipment and documentation contained in them, nor to ensure employee safety or for the enforcement of potential legal claims and defence against them. 

Among other things, the court confirmed that the data obtained by the operator through the GPS tracking of company vehicles constitutes employees’ data, even though it is not recorded and stored in the tracking system itself, as the employees as drivers can be identified with the help of other documents, (eg, travel orders).

AI Grok

X agreed with the Irish Data Protection Commission to suspend the processing of the personal data contained in the public posts of X’s EU/EEA users, (processed between 7 May and 1 August), to train its AI ‘Grok’. The suspension will last while the DPC examines, together with other regulators, the extent to which the processing complies with the GDPR. The agreement was reached after the regulator submitted the case to the country’s Supreme Court.

In June, Meta also agreed with the DPC that it would delay processing EU/EEA user data for its AI tools. However, unlike Meta, X didn’t even notify its users beforehand. To make sure that X’s AI training is properly handled, the privacy advocacy group NOYB has now filed complaints with the data protection authorities in nine countries, (questioning what happened to EU data that had already been ingested into the systems, and how X can effectively distinguish between EU and non-EU data).

Data protection digest 16 Nov – 1 Dec 2023: APIs methodology, customer data minimisation, and digital mobility observatory https://techgdpr.com/blog/data-protection-digest-04122023-apis-methodology-customer-data-minimisation-and-digital-mobility-observatory/ Mon, 04 Dec 2023 12:22:54 +0000 https://s8.tgin.eu/?p=7172

In this issue, you will find data protection solutions for complex data-sharing projects for both public and private actors, such as the latest APIs methodology, as well as a variety of official guidance on how to comply with GDPR requirements when it comes to innovation, research, digitisation and digital business development.

Official guidance

APIs methodology: The French data protection authority CNIL issued a methodology guide for the use of application programming interfaces for all actors in the data-sharing chain, (in the context of a legal obligation, scientific research, for commercial or non-commercial purposes, with or without access restrictions, etc). All categories of APIs are covered by the recommendations when they are used by organisations for the sharing of personal data. Three technical roles are introduced: a) the data holder, b) the API manager, and c) the data re-user. However, the roles defined in this APIs methodology guide do not in any way prejudge the legal responsibility of each of the organisations, which must be determined by a case-by-case analysis. Read the full guide in French here.

Medico-social sector: The CNIL also published a “retention periods” reference framework for the most frequent processing operations in the social and medico-social sectors and a practical guide proposing a methodology for the professionals concerned, (in French). The guidance is intended for public and private bodies such as social life support services, residential establishments for dependent elderly people, and administrative and judicial services for the protection of adults and minors.

Streaming platforms: The most common processing by streaming platforms includes identity and contact information, billing details, behavioural data, and technical information, explains the Latvian regulator. These data may be necessary to perform the contract, and other legal obligations, or to improve the service. However, additional processing for marketing needs generally falls outside this list and requires the prior consent of the user. Each legal basis provides a different scope of the data subject’s rights. Individuals should be free to stop data processing based on their consent, and the withdrawal of consent should not affect their ability to receive the content.

Legal processes

EU Data Act adopted: On 27 November a new law was adopted on fair access to and use of data. This is one of the five pieces of legislation included in the European Data Strategy package. Among other things, the data regulation sets out measures that allow users, (B2C, B2B and B2G), of various devices to access the data they create, which is often only collected by manufacturers, and to share this data with third parties to provide various data-based services. In addition, the regulation allows public sector authorities to obtain data held by the private sector if needed in emergencies. The Data Act will apply in twenty months’ time, in mid-2025.

UK data protection reform: The UK government says it has carefully prepared a set of changes to the domestic, (post-Brexit), data protection legislation in 2024. Among many things, it includes clarification that data controllers only need to conduct reasonable and proportionate searches in response to a data subject access request. Another example is new powers to require data from third parties, particularly banks and financial organisations, for fraud checks. The proposal also covers using biometric data, such as fingerprints, to strengthen national security. Find the full list of the latest amendments here.

Automated decision-making: Meanwhile, the California privacy protection agency released a draft rulebook on automated decision-making technologies. The proposed regulations would implement consumers’ right to opt out of, and access information about, the technology, as provided for by the California Consumer Privacy Act. The agency expects to begin formal rulemaking next year. The decision-making processes in this case include decisions about employment and compensation; profiling an employee, contractor, applicant, or student; using facial-recognition technology or automated emotion assessment to analyse consumers’ behaviour in public places, and more.

Data subject rights

A copy of your data: this is a collection of personal data held by a controller in a viewable file or document. It should be understood that this is a collection of information, and not a simple copy of one or several physical documents. If you know that a controller, (natural or legal person, public institution or other body), has your data, you can request a copy. You must identify yourself by providing at least your first and last name, additional information the organisation requests, and, if possible, include the period and other details. The organisation will “extract” information from its documents, information systems and other places, and will collect it in one place so that it is valid for issuance. 

If you submit the request electronically, the organisation is obliged to issue a copy in a usable electronic form. On the other hand, if you need information in a different format, it should be indicated in the request. A copy of personal data can also be cut from an audio or video recording, explains the Latvian regulator. Possible reasons for refusal may be, for example, problems in identifying a person, the requester’s data not being, or no longer being, held by the organisation, or a vaguely expressed request, such as “Show me all my data”. Likewise, data may not be released in cases where specific data is not to be released to investigative or financial institutions or other public administration bodies.

DP tools

OLIVIA: The Croatian data protection authority has presented a virtual teacher and assistant for compliance with the GDPR, (available in English), allowing entrepreneurs the opportunity to learn what their basic obligations are, test their knowledge and create basic documents (eg, self-assessment reports, information notices or cookie banner examples), which help to prove compliance. You can test the OLIVIA tool here.

Digital development: A similar tool for data protection has been issued by the Swedish data protection authority aiming at public actors working with innovation, digitisation and digital business development. The methodology is based on two overarching prerequisites:

  • An organisation that is to innovate must take into account the data protection regulations on an ongoing basis during the innovation work.
  • Continuous and structured cross-functional collaboration is required between the actors – lawyers, technicians and managers – that participate in the innovation work. The tool, (in Swedish only), is available here.

Discussion papers

Health research: In Germany, medical research projects are often carried out in more than one federal state. Depending on the research location, different data protection requirements must be observed, according to the Data Protection Conference. Differences exist regarding the admissibility of data processing, (various legal bases), the definition of the groups to be protected, including patients and relatives, and the permissible purposes of processing. Thus, the regulator is appealing to federal and state legislators to clarify the relevant data protection regulations and is ready to assist.

Legal bases for using AI: The Baden-Württemberg data protection authority published a discussion paper, (in German), on the legal basis for data protection when using AI, and invited public comments. The legal bases mentioned in Art. 6 of the GDPR are generally available to businesses, with legitimate interest being of particular importance, and contractual necessity suitable to a certain extent. Finally, the criteria for valid consent could be particularly challenged due to the lack of transparency and traceability of complex AI systems.

Mobility data: The Luxembourg data protection agency adopted an opinion on the creation of a Digital Mobility Observatory under the authority of the government. Its mission will be to provide the data necessary for the planning of infrastructure to fit the changing needs of the population and businesses. The regulator wonders whether the observatory can function without processing personal data, by carrying out mobility studies on anonymised data. 

The regulator also doubts that all the processing complies with the principles of necessity and proportionality. The observatory would have access to a series of personal data, such as place of residence, employment status, gender, household composition and income range held by various public administrations. Moreover, even private entities would be obliged to grant access to their data, such as mobile operators.

EU-US data transfers

Data Protection Review Court: The Biden administration formed the first panel of judges for a new court, mandated by the EU-US Data Privacy Framework. The Data Protection Review Court was created through a presidential Executive Order in 2022. The panel will examine claims brought by individuals in the EU who believe the US government is digitally surveilling them in violation of US laws. The attorney general-appointed special advocate will represent the claims. According to a Politico analysis, the judges have the authority to make binding and final rulings that the intelligence community must follow if they determine a violation. 

Enforcement decisions 

Non-retroactivity of DPAs: The Belgian data protection agency recently decided on the invalidity of retroactive data processing agreements. The case refers to a public authority and its processor for various infringements of the GDPR, including the lack of a timely signed data processing agreement. These agreements should be in place before any personal data processing activities commence. A clause confirming the retroactive application of the agreement after the application date of the GDPR would not substitute for it, as it prejudices the rights of third parties, such as data subjects. Read the analysis by DLA Piper of the case here.

Outdated TOMs: The Norwegian Labour and Welfare Service was fined approx. 1.7 million euros for various infringements of information security in its IT systems over a long period. This includes a large number of staff working on cases from all over the country, within several service areas, and thus having wide access to highly sensitive data. Additionally, no systematic control of staff use of the IT systems had been established, and the use of the system was largely based “on trust”.

Waste disposal: The Dutch regulator imposed a fine of 30,000 euros on a municipality for keeping information about waste from individual households for much longer than necessary. The wheelie bins and tokens for the waste compartments have a chip with a number that is linked to a home address. But the ‘dumping data’ was kept for far too long. Bin data was kept for as long as the bins were in use and token data was stored for 5 years. That is much longer than necessary to check whether a household exceeds the permitted waste amount. The data retention periods are now shortened to 14 days. The municipality also finally sent information letters about the technology, (in use from 2018).

Compliance audits

Customer data: The UK Information Commissioner’s Office assessed the compliance of some major customer-facing employers in the country. Some of the good practice identified was in staff training and disciplinary measures, data minimisation and access controls, and customer complaint mechanisms. For example, Uber Eats allows couriers to view only limited delivery and customer data and the delivery address. If opting for a call, temporary phone numbers appear at both ends to avoid disclosing their actual phone numbers, while messages are sent within the app. After the trip ends or in case of cancellation, the courier loses retrospective access to that data. Read more positive examples here.

Similarly, the Commissioner’s Office carried out a consensual audit of Fluent Mortgages Horwich, after a series of complaints from individuals about disclosures of personal data to third parties, and withholding of call recordings. The regulator stated the need for more specific training for those responsible for handling data subject requests and the performance of data protection impact assessments. Also, processing activities may not all be correctly identified. As a result, the company may not have identified a lawful basis for all of their processing. 

Data security

Data classification: The US NIST has released for public comment a draft internal report on data classification concepts and considerations for improving data protection. This publication describes a lifecycle that focuses on the high-level phases important to data classification: identify, use, maintain, and dispose of. However, not all data lifecycle phases occur for every data asset. Also, how a data asset is represented can be described in three broad categories: structured, semi-structured, and unstructured.

Once data classifications are assigned, the organisation needs to enforce the data protection requirements. These encompass all of the controls needed to protect each data asset. An example would be: to encrypt the data asset when at rest or in transit, use a data integrity mechanism to detect tampering, allow access by members of a particular group only, and retain the data asset for a fixed period from the date it was acquired. Read more in the original paper.
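The enforcement step described above, as an added example that is not part of the NIST draft or of this digest: a small policy check that maps a constructed classification label to the four protection requirements the paragraph lists (encryption at rest and in transit, an integrity mechanism, group-only access, fixed retention from the acquisition date) and reports which ones a data asset record violates. The policy table, the HMAC key and the asset records are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed policy table: classification label -> required controls.
# allowed_groups None means "no group restriction"; a set restricts access to it.
POLICY = {
    "public": {
        "encrypt_at_rest": False, "encrypt_in_transit": True,
        "integrity_check": False, "allowed_groups": None, "retention_days": 365,
    },
    "confidential": {
        "encrypt_at_rest": True, "encrypt_in_transit": True,
        "integrity_check": True, "allowed_groups": {"finance"}, "retention_days": 90,
    },
}

# Constructed demo key; a real deployment would fetch this from a KMS or secret store.
INTEGRITY_KEY = b"constructed-demo-key"


def integrity_tag(payload: bytes) -> str:
    """Tamper-detection tag: HMAC-SHA256 over the asset content, stored alongside it."""
    return hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()


@dataclass
class DataAsset:
    """Constructed record of one data asset and the controls actually applied to it."""
    name: str
    classification: str
    payload: bytes
    acquired: date                 # date the asset entered the "identify" phase
    encrypted_at_rest: bool
    transport_tls: bool
    stored_tag: Optional[str] = None
    acl_groups: set = field(default_factory=set)


def evaluate(asset: DataAsset, today: date) -> list:
    """Return the list of protection-requirement violations (empty list = compliant)."""
    req = POLICY[asset.classification]
    violations = []
    if req["encrypt_at_rest"] and not asset.encrypted_at_rest:
        violations.append("not encrypted at rest")
    if req["encrypt_in_transit"] and not asset.transport_tls:
        violations.append("not encrypted in transit")
    if req["integrity_check"]:
        if asset.stored_tag is None:
            violations.append("no integrity tag")
        elif not hmac.compare_digest(asset.stored_tag, integrity_tag(asset.payload)):
            violations.append("integrity tag mismatch (possible tampering)")
    if req["allowed_groups"] is not None:
        extra = asset.acl_groups - req["allowed_groups"]
        if extra:
            violations.append(f"access granted to disallowed groups: {sorted(extra)}")
    # Retention is a fixed period counted from the acquisition date (dispose phase).
    if today > asset.acquired + timedelta(days=req["retention_days"]):
        violations.append("retention period exceeded; asset due for disposal")
    return violations


if __name__ == "__main__":
    content = b"employee_id,salary\n42,50000\n"
    asset = DataAsset("payroll.csv", "confidential", content, date(2024, 1, 1),
                      True, True, integrity_tag(content), {"finance"})
    print(asset.name, "->", evaluate(asset, date(2024, 3, 1)) or "compliant")
```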

Catalogue of security measures: Meanwhile the Danish data protection authority published a list of security measures that companies and authorities can consider in various contexts, (in Danish). Many of the measures contain concrete examples based on the regulator’s experience, reported data breaches, the EDPB’s guidelines and applicable ISO standards. The catalogue has been created in close cooperation between lawyers and IT security consultants and can function as a reference paper. Many measures can be implemented as part of the privacy-enhancing functions that support data protection in IT systems. However, the final assessment of necessary measures is always made by the organisation based on a concrete risk evaluation. 

Big Data

Healthcare data for sale: In the US, the University of Iowa Hospitals & Clinics is in settlement negotiations with a woman who alleges the hospital shared confidential patient information with Facebook. It allegedly installed on its websites two sets of computer code that tracks the online activity of people. That information then could be shared with Facebook, linked to the individual account, and sold to marketers who can then target the individual with ads tailored to their medical issues. The lawsuit seeks class-action status to represent a broad array of patients.

Meanwhile, in the UK, four organisations are suing NHS England, arguing that it lacks the legal authority to establish the Federated Data Platform (FDP). NHS England caused a stir when it awarded the US espionage tech company Palantir a 330 million pound contract to create and run the FDP for seven years starting in the spring of next year. The platform consists of software that will make information sharing across health service trusts, integrated care systems and regional groupings of trusts much easier. It claims this will enhance patient care, and tackle the current 7.8m-strong total case backlog, The Guardian sums up.

The post Data protection digest 16 Nov – 1 Dec 2023: APIs methodology, customer data minimisation, and digital mobility observatory appeared first on TechGDPR.

Data protection digest 15 – 31 August 2023: financial data processing, misconducted learning platforms, and algorithmic disgorgement https://techgdpr.com/blog/data-protection-digest-01092023-financial-data-misconducted-learning-platforms-and-algorithmic-disgorgement/ Fri, 01 Sep 2023 08:50:15 +0000

The post Data protection digest 15 – 31 August 2023: financial data processing, misconducted learning platforms, and algorithmic disgorgement appeared first on TechGDPR.

This issue highlights details on financial data processing, the EU Digital Services Act took effect for large online operators, and the US FTC successfully launched “algorithmic disgorgement” via its enforcement.

Legal processes

Financial data: The EDPS discussed recommendations to encourage data sharing to extend the range of available financial services and products, while also giving people or organisations control over the processing of their financial data. Individuals and organisations, according to the proposals, would govern access to their financial data using dashboards offered by financial institutions. Individuals would be able to monitor, limit, or authorize access to their information. Users should be supplied with comprehensive, accurate, and unambiguous information about the financial service provider asking for access to their data. It should also disclose the type of product, payment, or service for which an individual’s data will be utilized, as well as the categories of data required.

Digital Services Act: The Digital Services Act took effect for large online operators serving in the EU on 25 August. 19 platforms and search engines with at least 45 million users must comply with stricter rules concerning data collection, privacy, disinformation, dark patterns, online hate speech and more. This includes a ban on targeted advertising of minors based on profiling, and a ban on targeted advertising using special categories of personal data, such as sexual orientation or religion. Online platforms will be required to redesign their systems and prove they have done so to the European Commission, (including publishing the risk assessments). Additionally, vetted researchers can access the data of those services to conduct analyses on systemic risks in the EU. Smaller platforms will be subject to the same regulation beginning in 2024. They will, however, be supervised by national agencies rather than Brussels. 

Cybersecurity and risk assessment in California: The California Privacy Protection Agency, (CPPA), has published its proposed Cybersecurity and Risk Assessment Audit Regulations. According to the CPPA, official regulation processes for cybersecurity audits, data protection risk assessments, and automated decision-making technologies have yet to begin. These versions are intended to promote board deliberations and public participation. They provide standards for service providers and contractors, assisting organisations in meeting audit compliance. The regulations state that every business that processes personal information that potentially poses a serious risk to customers’ security must conduct an audit, (annually). It also describes the components to be evaluated and the measures to be taken, as summarized by digitalpolicyalert.org. 

EU-US Data Privacy Framework: Almost all transmissions of personal data to US-based companies, if they have committed themselves to the certification mechanism, are covered by the EU-US Data Privacy Framework, explains the Bavarian state data protection commissioner. However, for the transfers of personal data collected in the context of an employment relationship, (‘HR data’), the US business must explicitly state it in its certification. Particular attention must also be paid to onward transfers, for example, if the US processor working for the EU data exporter transmits the personal data to a sub-processor in another third country. The US adequacy decision cannot apply in this situation.

Official guidance

‘Freedom of Information’ and data protection: Guernsey’s data protection commissioner discusses Freedom of Information requests that caused some of the most extraordinary data breaches recently, (eg, when details of thousands of police and civilian personnel employed by the Police Service of Northern Ireland were released in error). Freedom of Information generally refers to the right of citizens to access information held by public authorities. In reality, this information will often include personal data about individuals, whether that is staff, citizens or other individuals that the public authorities are in contact with. The rights of all individuals must be considered before any disclosure. If you are a data controller, you must understand your legal obligations concerning data subjects’ rights and have appropriate policies and procedures to ensure they are dealt with properly.

Biometric data: Meanwhile the UK Commissioner’s Office is currently consulting on draft guidance on biometric data. This guidance explains how data protection law applies to organisations that use or are considering using biometric recognition systems or vendors of these systems. At a glance:

  • You must take a data protection by design approach when using biometric data.
  • You should do a data protection impact assessment before you use a biometric recognition system. This is because using special category biometric data is likely to result in a high risk.
  • Explicit consent is likely to be the only valid condition for processing available to you to process special category biometric data.
  • If you can’t identify a valid condition, you must not use special category biometric data.

Employees’ digital monitoring rules: Digital work tools can record large amounts of data about employees, and therefore monitoring of it is heavily restricted, states the Norwegian privacy regulator. In most cases, the employer does not have the right to monitor the employee’s use of work tools, including the use of the Internet, unless the purpose of the monitoring is to manage the company’s computer network to uncover or clarify security breaches, etc. At the same time, it can be difficult for employers to introduce such measures in particular cases, as many regulations control different aspects of the working environment, and may include trade union approval, transparency obligations, data protection implications, and information security.

Privacy by default: This means that products and services are designed to ensure that a person’s privacy is protected from the outset and that they do not need to take any additional steps to protect their data, explains the Latvian data protection regulator. This approach is designed to minimise possible violations in the process of data acquisition and usage, and unauthorized access and risks that could arise if personal data comes into the possession of a third party. This may include minimal necessary data collection, default settings of the user account, (in “private mode”), limited data retention, (followed by automatic anonymisation or deletion of user data if the account is inactive for a certain period), user control tools, (whether to allow the user profile to be found in search engines, etc), clear information notices, (including all third parties with whom the data may be shared), and security measures, (encryption, regular security audits).

Enforcement decisions

UiPath data leak: The Romanian data protection authority has fined learning platform UiPath SRL approx. 70,000 euros for massive data loss. It did not implement adequate technical and organisational measures to ensure that, by default, personal data cannot be accessed without the intervention of a person(s), including the ability to ensure the ongoing confidentiality and resilience of processing systems and services, as well as a process for regularly testing, assessing and evaluating the effectiveness of implemented measures. This led to the unauthorised disclosure of and access to personal data, (user name and surname, the unique identifier, e-mail address, the name of the company where the user was employed, the country and details of the level of knowledge obtained within the courses), of about 600,000 users of the Academy Platform, for about 10 days. This violation is likely to bring physical, material or moral harm to the data subjects, such as the loss of control over their data or the loss of data confidentiality.

Misconfigured cloud storage: The UK Information Commissioner issued a reprimand to a recruitment company: the organisation misconfigured a storage container, with 12,000 records relating to 3,000 workers, to be publicly accessible without any requirement to authenticate. The personal data consisted of a variety of different data sets, including names, addresses, dates of birth, passports, ID documents and national insurance numbers. The company has since committed to periodically audit the configuration of cloud services as part of a wider security assessment including access rights, appropriate identity and access controls, event logging and security monitoring.

Vklass data leak: The Swedish privacy regulator has reprimanded the learning platform Vklass for not being able to detect abnormal user behaviour in its learning platform and to track what happened in the system. Multiple complainants alleged that an unauthorized person came across personal data about teachers and students from the learning platform. The reports come from municipal committees and private businesses that conduct school and educational activities. The incident probably occurred because a student wrote a script that automatically saved information from the learning platform to a database of their own, and the information was then published openly on a website, which is now closed.

Edmodo and minors’ consent: Meanwhile in the US, the Federal Trade Commission obtained an order against education technology provider Edmodo for collecting personal data from children without obtaining their parent’s consent and using that data for advertising, in violation of the Children’s Online Privacy Protection Act Rule, (COPPA), and for unlawfully outsourcing its COPPA compliance responsibilities to schools. Among many orders, the provider is obliged to identify the account in question and delete or destroy certain data, (from students under 13 years of age), periodically provide compliance reports to the Commission, permanently refrain from collecting more personal information than reasonably necessary for the child to participate in any activity offered on the online platform, etc.

Data security

High-risk systems: For some so-called “critical processing” IT systems, a data breach would create particularly high risks for people. As a result, they require an adequate level of security. To best support the professionals concerned, the French regulator CNIL submits a recommendation for public consultation, (in French). It specifically targets so-called “critical” processing operations, defined by the following two cumulative criteria: a) the processing is large-scale within the meaning of the GDPR, and b) a personal data breach could have very significant consequences either for the data subjects, for state security or for society as a whole.

This includes customer databases and other processing that bring together a large part of the population, such as in the energy, transport, banking or large-scale dematerialised public services, health data processing, etc. Risk scenarios may include attacks by organised criminal groups or “supply chain attacks”, likely to take place over a long period; the compromise of third-party service providers responsible for IT development, maintenance or support operations; the exploitation of unknown vulnerabilities in software or hardware components; and the compromise of persons authorised to access the processing.

Email security guidance: Guidance by the UK Information Commissioner explains what organisations should, and could do to comply with email security, including several case studies and a checklist. Even if email content doesn’t have anything sensitive in it, showing which people receive an email could disclose sensitive or confidential information about them. In brief: 

  • You must assess what technical and organisational security measures are appropriate to protect personal information when sending bulk emails.
  • You should train staff about security measures when sending bulk communications.
  • You should include in your assessment consideration of whether using secure methods, such as bulk email services or mail merge services, is more appropriate, rather than just relying on a process that uses Blind Carbon Copy.
  • If you are only sending an email to a small number of recipients, you could consider sending each one separately, rather than one bulk email. 
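The bulk-email checklist above, as an added example that is not part of the ICO guidance or of this digest: a pre-send check that counts the recipients every reader will see (To and Cc; Bcc is stripped on delivery) and flags the classic failure of pasting a distribution list into To, plus the guidance's alternative for small lists, one message per recipient. All addresses and message contents are constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List, Optional


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses every recipient can see: everything in To and Cc.
    Bcc is not counted because a correctly behaving MTA removes it before delivery."""
    raw = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _name, addr in getaddresses(raw) if addr]


def check_bulk_disclosure(msg: EmailMessage, max_visible: int = 1) -> Optional[str]:
    """Return a reason to hold the message, or None if it may be sent.

    A single shared mailbox (or the sender's own address) in To with the real
    list in Bcc is acceptable; many addresses in To/Cc tells every recipient who
    else received the message, which is the disclosure the guidance warns about.
    """
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        return f"{len(visible)} recipients visible in To/Cc (limit {max_visible})"
    return None


def build_individual_messages(sender: str, recipients: List[str],
                              subject: str, body: str) -> List[EmailMessage]:
    """The guidance's option for small lists: one separate message per recipient,
    so no message carries any other recipient's address."""
    messages = []
    for rcpt in recipients:
        m = EmailMessage()
        m["From"] = sender
        m["To"] = rcpt
        m["Subject"] = subject
        m.set_content(body)
        messages.append(m)
    return messages


def _constructed_message(to: str, cc: str = "", bcc: str = "") -> EmailMessage:
    """Helper building a constructed outgoing message for the demo and tests."""
    m = EmailMessage()
    m["From"] = "clinic@example.invalid"
    m["To"] = to
    if cc:
        m["Cc"] = cc
    if bcc:
        m["Bcc"] = bcc
    m["Subject"] = "Appointment reminder"
    m.set_content("Your appointment is next week.")
    return m


if __name__ == "__main__":
    # Mistake: whole patient list pasted into To.
    leaky = _constructed_message("a@example.invalid, b@example.invalid, c@example.invalid")
    print("leaky:", check_bulk_disclosure(leaky))
    # Same list in Bcc with the sender's own address in To.
    safe = _constructed_message("clinic@example.invalid",
                                bcc="a@example.invalid, b@example.invalid")
    print("bcc:", check_bulk_disclosure(safe))
```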

Big Tech

OpenAI for organisations: OpenAI offers its most powerful version of ChatGPT to enterprises. It has longer context windows for processing longer inputs, advanced data analysis capabilities, customization options and more. According to the company, 80 per cent of Fortune 500 companies, (largest US corporations), have registered ChatGPT accounts, as determined by accounts associated with corporate email domains. Businesses have expressed concerns about privacy and security, fearing that their data may be used to train ChatGPT and that the application could mistakenly reveal sensitive consumer information to AI models. According to OpenAI, ChatGPT Enterprise users will have complete rights and ownership over their data, which will not be used for algorithm training.

‘Algorithmic disgorgement’: At the same time, the US Federal Trade Commission reminds companies of certain obligations when using Generative AI. When offering a generative AI product, companies need to inform customers whether and the extent to which AI training data includes copyrighted or otherwise protected material. Companies should not try to “fool people” into thinking that AI-generated works were created by humans. Companies must ensure that customers understand the material terms and conditions associated with digital products. The regulator also noted that unilaterally changing terms or undermining reasonable ownership expectations can be problematic, etc. Finally, in its enforcement of data protection regulations, the Commission has lately begun to compel “algorithmic disgorgement” – the destruction of not just the illegally obtained data itself, but also artificial intelligence models and algorithms constructed using such data.

Data protection digest 31 July – 14 August 2023: privacy laws development, AI evaluations at school, and security of connected devices https://techgdpr.com/blog/data-protection-digest-14082023-privacy-laws-worldwide-ai-measuring-school-progress-and-security-of-connected-objects/ Mon, 14 Aug 2023 09:00:47 +0000

The post Data protection digest 31 July – 14 August 2023: privacy laws development, AI evaluations at school, and security of connected devices appeared first on TechGDPR.

In this issue you will find that China is tightening controls on Generative AI, India is finalising its comprehensive privacy laws, while California is reviewing data privacy practices by connected vehicle manufacturers and related technologies.

Legal processes and redress

China privacy laws updates: The Chinese Cyberspace Administration has issued administrative measures for personal data compliance audits for public input. In the case of high-risk processing operations or security incidents, the department in charge of personal data protection, (under the new PIPL legislation), may order the organisation to delegate the compliance audit to a professional institution. Similarly, businesses can perform their audits or entrust them to a recognised professional institution. However, no more than three consecutive compliance audits for the same organisation may be performed by the same institution. Companies that process more than one million people’s personal information must complete it at least once a year. 

China has considerably tightened controls on information sharing in recent years, particularly data transfers abroad, on the grounds of national security.

China generative AI: In parallel, China passed innovative legislation to govern generative AI. Interim Measures for the Management of Generative AI Services go into effect on 15 August. They apply to broad public services in China and hold firms accountable for the output of their platforms. The data used to train the systems will have to fulfil certain stringent conditions, not addressed in previous legislation, Deacons lawyers clarify:

  • Providers of generative AI must take responsibility for network information security, personal data protection, and produced content quality. 
  • Service providers are liable for the created material and are obliged to ban and report unlawful and illegally linked information. 

Technology created in research institutes or destined for export will be excluded. 

Swiss privacy law revised: On 1 September, the revised federal data protection act will come into force. The current law remains in force until 31 August. Major innovations will include criminal aspects of breaches of obligations, reinforced duty for data controllers to provide information to data subjects, data protection impact assessment for high-risk processing both in public and private sectors, fees for private data processors, regulators’ additional duties and powers, and more. 

India comprehensive privacy law: The Digital Personal Data Protection Bill 2023 passed in parliament before receiving presidential assent. It will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. It will also apply to such processing outside India if it is for offering goods or services in India. Personal data may be processed only for a lawful purpose upon the consent of an individual. Consent may not be required for specified legitimate uses such as the voluntary sharing of data by the individual or processing by the state. The main criticisms of the bill include:

  • The bill exempts data processing on grounds of national security which may lead to data collection, processing, and retention beyond what is necessary. 
  • The bill also does not grant the right to data portability and the right to be forgotten. 
  • The bill allows the transfer of personal data outside India, except to countries notified by the central government. This mechanism may not ensure adequate evaluation of data protection standards in certain countries.
  • The bill does not regulate risks of harm arising from the processing of personal data.

More analyses by PRS Legislative Research Institute are available here.

Official guidance

Google Analytics: The use of tools like Google Analytics does not only require legal transfers to the United States, (following the announcement of the US adequacy decision by the European Commission), states the Danish data protection authority. In addition to third-country transfers, there are a large number of requirements in the GDPR that must be complied with. Among other things, you need to establish a legal basis for data processing, define data processing roles and conclude data sharing agreements, fulfil data subject rights, and much more.

Rights to data portability and restriction of processing: The wide range of digital services often leads to the desire or need to change a service provider, so it is important to be aware that we have data transfer rights. However, the Latvian data protection agency reminds us that such an option is available only if: a) the personal data processed by the organisation is based on your consent or the concluded contract; b) the information has been provided by the person themselves; c) the data refers to the person who requests the data transfer.

Similarly, a person may face a situation where they need not delete personal data, but limit its processing. A situation may arise when an organisation holds personal data which is either inaccurate or out of date. If a person believes that their data is being processed illegally, they can also ask for its deletion or restriction of processing. There might be cases when the company does not need your personal data, but you need them to keep it, (eg, video surveillance records that a store normally deletes after a certain period of time but agrees to keep separately for police investigation needs). 

Finally, you can always ask to limit the processing of your data if you doubt that the legitimate interests of the controller are more important than your right to data protection. 

Harmful online design: The UK Information Commissioner’s Office and Competition and Markets Authority are calling for businesses to stop using harmful website designs that can trick consumers into giving up more of their data than they would like. These include:

  • overly complicated privacy controls,
  • default settings that give less control over personal information, and
  • bundling privacy choices together in ways that push consumers to share more data.

Where consumers lack effective control over how their data is collected and used, this can harm consumers and also weaken competition. Lack of consumer control over cookies is a common example of harmful design. 

Parental control and connected devices: The French data protection regulator CNIL has issued an opinion on the decrees implementing parental control over means of access to the Internet. The decrees set out the functionalities that parental control devices will have to integrate on connected devices (smartphones, computers, video game consoles): blocking the download of applications and blocking access to content installed on terminals. Activation must be offered free of charge from the first commissioning of the device, and the devices must integrate the principles of personal data protection by design and by default. The CNIL has recommended two mandatory features, which could be activated according to the maturity of the minor, to protect children when browsing the web:

  • blacklists to block access to sites or categories of sites previously determined by parents; and
  • whitelists to limit browsing to only previously authorized sites (for the youngest category). 

Enforcement decisions

TikTok in the EU: The EDPB settles dispute on TikTok processing of children’s data. The binding decision addresses the objections of the Irish, (lead), supervisory authority regarding the personal data processing of registered minors, (including those under 13 years old). The objections centred on whether there had been an infringement of data protection by design and default about age verification, and other design practices. The binding decision might result in a fine and other reprimands for the social media giant, which will become known in the next few weeks. 

AI at schools: In Canada, a case detailed by Osler’s lawyers considers the privacy of children in educational institutions when they are exposed to AI tools. In collaboration with a consulting firm, a school district developed an algorithm to target students at high risk of dropping out: a machine learning methodology analyses hundreds of types of raw data from a student database to generate a set of predictive indicators. According to the investigation commission, the purpose limitation for this data processing was violated.

When the data was initially obtained, students and their parents were not informed and hence did not consent to the use of the data to build predictive indicators of dropout risk. Even though the information was used for a purpose compatible with the school board’s goal of ensuring academic achievement, the regulator ordered the school to delete the tool’s existing output. It also requested that the school board carry out a privacy impact study before deploying the tool. More information on the case may be found in the original publication.

Police data leak: According to BBC News, the Police Service of Northern Ireland (PSNI) has apologised for inadvertently disclosing the personal information of all 10,000 of its personnel. In response to a Freedom of Information request, the organisation provided the identities of all police and civilian staff, as well as their locations and functions. The FOI request asked for a breakdown of all employee levels and grades at the PSNI. However, in addition to publishing a table indicating the number of personnel holding jobs such as constable, the PSNI also released a spreadsheet containing the surnames, initials, and other information of over 10,000 officers.

Carbon copy and sensitive data: The UK Commissioner’s Office has reprimanded two Northern Irish organisations for disclosing people’s information inappropriately via email. Both the Patient and Client Council and the Executive Office disclosed personal details by using inappropriate group email options. In the first case, the organisation sent an email to 15 people, each of whom had lived experience of gender dysphoria, using the carbon copy (cc) option. The people who received the email could reasonably infer that the other recipients also had experience of gender dysphoria, given their inclusion in the email. In the second case, following the report of the historical institutional abuse inquiry, the organisation sent an e-newsletter to 251 subscribers using the ‘to’ field. People included in the email were likely to be victims and survivors, as the newsletter content was tailored to survivors who were wishing to engage, or who were already engaging with the compensation scheme.
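Both reprimands stem from the same mechanical mistake: every address in the To or Cc header is shown to every other recipient, so membership of the mailing becomes inferable. The following pre-send check, an added example that is not from the ICO or TechGDPR, flags such messages and rewrites them so that recipients travel in Bcc; the threshold MAX_VISIBLE_RECIPIENTS, the helper names and the sample addresses are assumptions.

```python
"""Pre-send recipient-exposure check for group e-mail (added example, not ICO or TechGDPR code).

Hypothetical policy: a message with more than MAX_VISIBLE_RECIPIENTS addresses in its
To/Cc headers is treated as a disclosure risk and rewritten so the addresses go in Bcc.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Hypothetical threshold: one visible recipient per message. Anything more exposes each
# recipient's address, and by implication their membership of the mailing, to the others.
MAX_VISIBLE_RECIPIENTS = 1


def _addresses(msg: EmailMessage, *headers: str) -> list[str]:
    """Collect bare, case-folded addresses from every occurrence of the given headers."""
    raw = [value for header in headers for value in msg.get_all(header, [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can see: To and Cc."""
    return _addresses(msg, "To", "Cc")


def hidden_recipients(msg: EmailMessage) -> list[str]:
    """Addresses only the sending system sees: Bcc."""
    return _addresses(msg, "Bcc")


def check_recipient_exposure(msg: EmailMessage,
                             threshold: int = MAX_VISIBLE_RECIPIENTS) -> list[str]:
    """Return one finding per offending header; an empty list means the message may be sent."""
    findings = []
    if len(visible_recipients(msg)) > threshold:
        for header in ("To", "Cc"):
            count = len(_addresses(msg, header))
            if count:
                findings.append(f"{header}: {count} address(es) visible to all other recipients")
    return findings


def rewrite_to_bcc(msg: EmailMessage, visible_placeholder: str) -> EmailMessage:
    """Move every recipient to Bcc (in place) and put only the placeholder, typically the
    sender's own address, in To. smtplib.SMTP.send_message strips Bcc from the transmitted
    headers, so each recipient then sees nothing but the placeholder."""
    everyone = list(dict.fromkeys(visible_recipients(msg) + hidden_recipients(msg)))
    for header in ("To", "Cc", "Bcc"):
        del msg[header]  # removes every occurrence; no error if the header is absent
    msg["To"] = visible_placeholder
    msg["Bcc"] = ", ".join(everyone)
    return msg


def build_sample(visible_header: str, count: int) -> EmailMessage:
    """Constructed sample: a mailing with all recipients placed in one visible header."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["Subject"] = "Update for scheme participants"
    msg[visible_header] = ", ".join(f"recipient{i}@example.net" for i in range(1, count + 1))
    msg.set_content("Constructed sample body.")
    return msg


if __name__ == "__main__":
    # The two patterns from the reprimands: 15 addresses in Cc, 251 addresses in To.
    for header, count in (("Cc", 15), ("To", 251)):
        sample = build_sample(header, count)
        print(header, count, check_recipient_exposure(sample))
        rewrite_to_bcc(sample, "sender@example.org")
        print("after rewrite:", check_recipient_exposure(sample), len(hidden_recipients(sample)))
```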

DDoS attack: The UK Information Commissioner also issued a reprimand to My Media World/Brand New Tube. An unauthorised third party gained access to its systems and exfiltrated the personal data of 345,000 UK data subjects. The company has been unable to determine the specific cause of the incident, concluding on separate occasions that a server misconfiguration and a DDoS attack were responsible for the access to its systems. The company also had no evidence of appropriate technical and organisational measures to protect users’ data. The affected data included users’ names, email addresses and passwords. The organisation must now ensure it has:

  • appropriate contracts in place with any third-party providers, setting out the roles and responsibilities of each party;
  • maintained records of processing activities; and
  • regular scans and testing of its environment, with outcomes recorded and any issues addressed promptly.

More security best practices recommended to organisations by the ICO can be found here and here.

Data security

Connected beacons: Connected tags, which have been around for several years, make it possible to locate and find the objects to which they are attached. While the technology is useful for finding lost objects, the French data protection regulator states, many media stories show that it can be misused to track people’s location without their knowledge, since only the owner can detect the beacon and therefore track its movements. However, manufacturers of connected beacons have put in place various measures that let you detect them in case of doubt.

If you have an iPhone, you will get a notification when an AirTag you don’t own moves with you for a period of time. A feature will then allow you to connect to the AirTag to make it ring. If you have the latest version of Android, you will automatically receive a notification when an AirTag separated from its owner moves along with you for a while. If you do not have a smartphone, the AirTag will beep to reveal its position once it has been too far from its owner for a certain time.

The use of a connected beacon to follow a person without their consent is a criminal offence, punishable by one year’s imprisonment and a fine of 45,000 euros. More information on how to detect and disable the tags is in the original publication.

Big Tech

Meta compulsory fine: The Norwegian data protection authority has imposed a compulsory fine on Meta – approx. 90,000 euros per day. The background is that Meta does not comply with the Norwegian data protection authority’s ban on behaviour-based marketing on Facebook and Instagram. However, Meta has petitioned the Oslo district court for a temporary injunction against the ban. 

The ban does not prohibit personalised marketing on Facebook or Instagram as such. Meta can, for example, target marketing based on information that users enter on their profile, such as place of residence, gender and age, or interests that users themselves state that they want to see marketing about. The decision also does not prevent Meta from showing behaviour-based marketing to users who give valid consent to it.

Google user tracking: A US court denied Google’s request to dismiss a lawsuit alleging that the company violated the privacy of millions of individuals by secretly tracking their internet usage, Reuters reports. The plaintiffs claimed that Google’s analytics, cookies, and applications allowed the Mountain View, California-based business to follow their activities even when they used Google’s Chrome browser in “Incognito” mode and other browsers in “private” mode. The case covers Google users since June 2016 and demands at least 5000 euros in damages for each user.

Connected vehicles: Finally, the California privacy protection agency announced a review of data privacy practices by connected vehicle manufacturers and related technologies. These vehicles are embedded with several features including location sharing, web-based entertainment, smartphone integration, and cameras. Data privacy considerations are critical because these vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle. 


]]>
Data protection & privacy digest 19 Jan – 3 Feb 2023: threshold for cookies, spy pixels, consent evidence, data storage and deletion https://techgdpr.com/blog/data-protection-digest-06022023-threshold-for-cookies-spy-pixels-consent-evidence-data-storage-and-deletion/ Mon, 06 Feb 2023 09:34:51 +0000


]]>
TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: threshold for cookies, advertising claims’ mediation, China’s outbound transfers

The EDPB approved a minimum threshold for the use of cookies and subsequent processing of the data collected. No cookies that require consent can be set without positive action expressed by the user, or purely on the grounds of the data controller’s legitimate interest. The absence of refuse options, visible and accessible at any time, on any layer of the banner, constitutes an infringement. The limitations, such as for strictly necessary technical cookies, must be indicated. Any confusing information, designs and colours are not acceptable.

The Spanish data protection agency AEPD announced a mediation system to expedite the resolution of advertising claims (in Spanish). It has approved the modification of the Autocontrol Code of Conduct ‘Data processing in advertising activity’, which includes out-of-court procedures to resolve individuals’ complaints more quickly. Advertisers must respond within a maximum period of 15 days, proposing the actions they deem pertinent for mediation. The maximum duration of the procedure will be 30 days.

The Cybersecurity Administration of China has published guidelines on outbound transfers of personal and important data from China to other jurisdictions, whitecase.com reports. Organisations must comply with these guidelines by 1 March or risk administrative, civil and criminal penalties. In certain cases the measures include security assessments and state approval before engaging in outbound data transfers, which in this context include:

  • an entity in China actively sends data to a recipient in another jurisdiction, or 
  • permits a person or entity outside China to access data generated in the course of the data processor’s operations in China;
  • multinational intragroup transfers of data, and 
  • operating centralised document management systems for global operations, with servers hosted outside China. 

Official guidance: consent evidence, data storage periods and deletion, TOMs, training, recruitment data

Denmark’s privacy regulator explained the balance between consent evidence requirements and data minimisation. The data controller should be able to demonstrate that the data subject has given consent. However, the rule only applies as long as the data processing is ongoing. After the end of the processing activity (eg, once the data subject has withdrawn their consent), there is no obligation to retain that evidence. Moreover, the data controller has a duty to delete the personal data and any additional data without undue delay after consent is withdrawn (unless it is needed to establish or defend legal claims, and then only for a short period).

The Portuguese privacy regulator CNPD published guidance on technical and organisational security measures, aimed at data controllers and processors. The CNPD lists a set of TOMs that organisations must consider in their risk prevention and minimisation plans (in Portuguese). The list is dynamic and not exhaustive, given the rapid pace of technological change, and is therefore subject to updates whenever necessary. The increasing number of security incidents in the past year showed that if organisations had been equipped with adequate security measures, the risks would have been lower and the impact on the rights of data subjects smaller.

The GDPR obliges the organisation (controller) to limit the storage of personal data so that it is not kept longer than necessary to achieve its purpose. The Latvian privacy regulator DVI explains how to determine the data storage period and what to do when it has expired. The organisation must have internal procedures in place in order to determine:

  • that the purpose has been achieved and the data cannot be further used for any other unrelated purpose (eg, the deadline specified in the regulatory act has been reached, or the legal basis has been lost);
  • the frequency with which the purposes of the data processing and their justifications will be reviewed;
  • how to receive a signal that personal data has expired; and
  • how to inform data subjects of these periods (or of the criteria used to determine them) in the privacy policy.

In the end, the data must be deleted completely, without any possibility of recovery. The deletion procedures must cover identifying the persons responsible, locating the data, following up on the deletion, and informing processors, other controllers and the data subjects.

The Latvian regulator also issued a reminder of the importance of data protection training. Employees must be familiarised with the framework the organisation has created for data protection and processing: cyber security, specific industry regulations, employee liability for violations, data breach responses, and review procedures. A desired outcome would be: a customer is asked to provide their personal data for identification; if the customer asks why this is necessary, the employee should be able to give a reasoned answer and point out that more detailed information is available in the privacy policy.

A recruitment process necessarily involves the processing of a significant amount of personal data about candidates. The rise of new technologies has multiplied the recruitment channels (social networks, personalised advertising, specialised search engines) and the communication tools used (videoconferencing, chatbots, mobile applications). It has also led to the creation of very large databases that enable the use of artificial intelligence and of tools to assess candidates’ “soft skills”. In this context, the French regulator CNIL offers a guide and a set of practical sheets and Q&As to support recruitment stakeholders in their compliance (in French).

Investigations and enforcement actions: game developers, spy pixels, psychometric tests, unwanted membership, Covid-related algorithms, email security

The UK’s ICO published an Age Appropriate Design Code (AADC) audit of Facepunch Studios, a games developer. Facepunch does not require a user account, although some gameplay data and device information is collected in-game. Facepunch also shares some personal data of users with third parties in order to operate parts of, or functions within, its games or services. The audit concluded that the age assurance measures in place should be improved, by assessing and reliably determining the actual ages of current UK child users, regularly monitoring the effectiveness of the third-party age gate used, and assessing which elements of an online service are appealing to or likely to be accessed by children. Where actual user ages are not established with certainty, the AADC standards should be applied to all users.

The Danish data protection authority criticised Vækstfonden (Denmark’s investment fund) for using spy pixels in its newsletters. As with the processing of personal data using cookies on websites, the use of spy pixels requires a processing basis under the GDPR. The spy pixels were used to analyse which articles the recipients clicked on, in order to optimise the organisation and sending of the newsletters, but the fund had not observed its obligation to provide information about the processing. Vækstfonden has stated that it has changed suppliers for sending out newsletters and has updated its privacy policy.

Spain’s AEPD fined Thomas International 40,000 euros for processing of sensitive data, Data Guidance reports. The complaint concerned a psychometric test provided by Agroxarxa, which was run by Thomas International. Though Agroxarxa stated that candidates were not required to provide sensitive personal data, the psychometric test requested it, adding that its provision was required by the HR department of Agroxarxa. Thomas International provided the same questionnaire to all clients that used its services, allowing for the processing of sensitive personal data even when not requested by the client.

In the US, the Federal Trade Commission is sending payments totaling more than 973,000 dollars to 17,064 people who lost money after NutraClick automatically enrolled them in unwanted membership programs for supplements and beauty products and misled consumers about when they had to cancel trial memberships to avoid monthly charges.

The Italian privacy authority has sanctioned three local health authorities, who, through the use of algorithms, had classified patients in relation to their Covid-related complications risks. Data of the patients had been processed in the absence of a suitable regulatory basis, without providing the interested parties with all the necessary information, (in particular on the methods and purposes of the processing), and without having previously carried out an impact assessment. 

Ireland’s privacy regulator fined a nursing homes operator. The credentials of a user account at a nursing home were captured on a fake website via a phishing email. This allowed the bad actor to set up email forwarding of all inbound emails to a third-party email account. Adequate technical and organisational measures could have included appropriate encryption of data being transferred over external networks, suitable phishing training, and regular testing of the safeguards. 

Meanwhile, the Swedish privacy regulator fined an insurance company for sending sensitive personal data via e-mail without sufficient protection. The email was only encrypted in transit. The encryption ended before the message had reached the final recipient and there was thus a risk that unauthorised persons could read the message in plain text after the encrypted transmission had ended.

Data security: ISO 31700 Privacy by Design, AI Risk Management Framework by NIST, taxonomy of ICT incidents, mobile data

The International Organisation for Standardisation has finally published the long-awaited ISO 31700. It establishes high-level requirements, (and use cases), for privacy by design to protect privacy throughout the lifecycle of a consumer product, including data processed by the consumer. This includes consumers’ personally identifiable information and other data processed, (collected, used, accessed, stored, and deleted), or intentionally not collected or processed by the organisation and by the digital goods and services within the digital economy. The preview document is available here.

America’s NIST published an AI Risk Management Framework. AI systems and the contexts in which they are deployed are frequently complex, making it difficult to detect and respond to failures when they occur. AI risk management can drive responsible uses and practices by prompting organisations and their internal teams who design, develop, and deploy AI to think more critically about context and potential or unexpected negative and positive impacts. Core concepts remain human centricity, social responsibility, and sustainability.

In Italy, the National Cybersecurity Agency offered a new taxonomy of incidents on ICT assets, subject to mandatory notification. After initial access, execution, installation & lateral movements, it talks about “Actions on objectives”, which refers among other things to: collecting from within the network confidential and sensitive data or detecting their presence outside the systems authorised to process them; exfiltrating data from within the network to external resources or manipulating, degrading, disrupting, or destroying systems, services, or data. 

Could your phone be leaking data that you are not aware of? asks the US NIST. It goes on to explain how control of the data may be lost through unauthorised or unwarranted transmission of data to an external source. Mobile data leaks can also occur when mobile device privacy settings or applications are misconfigured. The data at stake includes personally identifiable information, financial and health data, video and audio files, information about the way an individual uses the Internet, and location tracking data. Thus, organisations have to:

  • Manage mobile device settings;
  • Preserve confidentiality by employing data-in-transit protection;
  • Keep the mobile operating system and applications up to date;
  • Apply zero trust principles;
  • Separate work from personal information by deploying a Bring Your Own Device (BYOD) policy;
  • Apply app vetting to identify security and privacy risks;
  • Apply Mobile Threat Defense solutions that monitor for device-, app-, and network-based attacks.

Big Tech: the Digital Services Act’s deadline, Replika AI chatbot ban

The European Commission has published non-binding guidance to help very large online platforms and search engines within the scope of the Digital Services Act (DSA) comply with their requirement to report user numbers in the EU, at the latest by 17 February and at least once every six months afterwards (small businesses and start-ups must provide the information on request of the authorities). In the near future, very large online platforms and search engines will be subject to additional obligations, such as carrying out a risk assessment and taking corresponding risk mitigation measures regarding users’ rights online.

Replika, an AI chatbot company, is not allowed to use the personal information of Italian users, according to Italy’s data protection agency, which cites risks to children and emotionally fragile individuals. The US-based start-up offers users personalised avatars that talk and listen to them. The lack of an age-verification mechanism, such as filters for minors or a blocking mechanism if users do not explicitly state their age, was one of many issues that the Italian regulator highlighted. Additionally, the processing of personal data by the company is illegal because it cannot be justified by a contract that a minor is unable to sign.


]]>