Two-factor authentication Archives - TechGDPR
https://techgdpr.com/blog/tag/two-factor-authentication/
Wed, 18 Jun 2025 11:17:38 +0000

Data protection digest 18 Dec – 2 Jan 2024: EDPB says too early to revise GDPR, cross-border enforcement challenge ahead
https://techgdpr.com/blog/data-protection-digest-04012024-edpb-says-too-early-to-revise-gdpr-cross-border-enforcement-challenge-ahead/
Thu, 04 Jan 2024 10:59:47 +0000

The post Data protection digest 18 Dec – 2 Jan 2024: EDPB says too early to revise GDPR, cross-border enforcement challenge ahead appeared first on TechGDPR.

In this issue, you will find the main trends in data privacy that 2024 will inherit from last year. The main areas of concern include GDPR modernisation and cross-border enforcement, the fair use of AI, international data transfers, the balance between data security and the data-driven economy, as well as children’s privacy online.

Regulatory updates

5 years of the GDPR: The EDPB considers that the application of the GDPR in the first 5 and a half years has been successful. It is too early to revise the regulation, although several important challenges lie ahead, such as procedural rules relating to cross-border enforcement. The EDPB will keep on supporting the implementation of the GDPR in particular by SMEs, seeking greater clarity and uniformity of guidance and powers available. The existing tools in the GDPR have the potential to achieve this goal, provided that they are used in a sufficiently harmonised way. In addition, the supervisory authorities need sufficient resources to continue carrying out their tasks. 

“Cookie fatigue”: The EDPB also welcomed the voluntary business pledge initiative by the European Commission to simplify the management of cookies and personalised ads choices by consumers. It would ensure that users receive concrete information on how their data is processed, as well as on the consequences of accepting different types of cookies. Users would therefore have greater control over the processing of their data. However, the EDPB flagged that adherence to the cookie pledge principles by organisations does not equal compliance with the GDPR or ePrivacy Directive.

COPPA: The US Federal Trade Commission plans to strengthen children’s privacy rules to further limit companies’ ability to monetize children’s data. The new rule would require targeted ads to be off by default, limit push notifications, restrict surveillance in schools, limit data retention, and strengthen data security. COPPA rules require US websites and online services that collect information from children under 13 to obtain verifiable parental consent before collecting, using, or disclosing personal information from these children, (persistent identifiers, geolocation data, photos, videos, and audio). 

UK BCRs

The UK Information Commissioner updated a guide on the binding corporate rules for organisations managing data transfers between the UK and EU. Organisations with an existing EU BCR can add the UK Addendum thus creating a new UK BCR, to include UK-restricted transfers. It contains all relevant provisions of Art. 47 of the UK GDPR, meaning that your EU BCR will work in the UK. Finally, under the terms of the UK BCR Addendum, if your EU BCR is suspended, withdrawn or revoked, this also suspends, withdraws or revokes your UK BCR. This means that you must not transfer personal data under your UK BCR and you must use another international transfer mechanism.

Log data access

An administrative court in Finland has published a decision regarding the right to inspect log data. An employee of the bank, who was also a customer of the bank, demanded to know the persons who had reviewed his customer information during the bank’s internal audit. The bank refused to disclose the identity of the employees because the log data resulting from viewing the data was the personal data of the employees in question. However, the bank did give the reason why customer data had been viewed. 

The person complained about the bank’s procedure to the data protection commissioner’s office. The regulator rejected the request and stated that the bank does not need to provide information about the identity of employees. The case ended in the CJEU. The EU top court ruled that everyone has the right to know the times and reasons for queries made to their data. However, there is no right to receive information about persons who have processed information under the authority of their employer and by the employer’s instructions.

Health data processing

Certain processing of health data is subject to the performance of preliminary formalities with the data protection authority. To facilitate the procedures of the bodies concerned and the compliance of their processing, the French regulator CNIL has published, (in French), reference standards to which they must refer.

Other official guidance

Sports archives: The storage of sports archives must comply with the regulations on the protection of personal data. Some personal data collected on athletes, federal officials or club presidents, such as results, awards, photographs and posters, may be of historical interest, invoked by the players in the ecosystem, (in particular institutions, clubs, sports federations, professional leagues), to justify the retention of data without limitation in time. In practice, the purposes associated with the retention of this data are very numerous, and the retention periods will vary. 

Also, depending on the status of the person who produced or received them, these records are either public or private. For example, the results of a sports competition organised by a delegated federation, (eg, the results of the championships of France), constitute public archives. On the other hand, in the context of a gala, if a sports competition is organised by the same delegated federation, the documents produced constitute private archives (the gala does not fall within the scope of the public service missions assigned to the organising delegated federation).

Purchase data: The Finnish data protection authority considers that keeping purchase data for the entire duration of the customer relationship does not adhere to the data minimisation principle. In the related Kesko, (retail company), case, the purchase data of a loyalty system, detailed and product-specific, had been processed for various reasons including for business development, and targeting of marketing. The customers themselves had been able to see their purchase information for five years. Kesko was then ordered to clearly define retention periods, clarify the purposes of the use of personal information, and delete or anonymize data that had been stored longer than necessary. 

Cross-border enforcement

Joint controllership: The EDPB published the final decision of the Hungarian supervisory authority about infringement of Art. 26 of the GDPR. The Slovak supervisory authority objected to processing carried out by a foundation as the presumed controller of two Hungarian-language websites. Certain recordings available on the foundation’s websites presumably feature children performing and singing specifically from a Slovak primary school. The Hungarian regulator established that there was no arrangement between the foundation and the school within the meaning of Art. 26 (1) of the GDPR, concerning joint processing and their respective responsibilities.

Sanctions

Illegal university telemarketing: In the US, the Federal Trade Commission has sued Grand Canyon University for deceptive advertising and illegal telemarketing. The agency says the university, its marketer, and its CEO deceptively advertised the cost and course requirements of its doctoral programs and made illegal calls to consumers. Prospective students were told that the total cost of “accelerated” doctoral programs was equal to the cost of just 20 courses.

In reality, the school requires that almost all doctoral students take additional “continuation courses” that add thousands of dollars in costs. The defendants also used abusive telemarketing calls to try to boost enrollment. The university advertised on websites and social media urging prospective students to submit their contact information on digital forms. Telemarketers then used the information to illegally contact people. 

AI facial recognition banned: Also in the US, Rite Aid will be prohibited from using facial recognition technology for surveillance purposes to settle charges that the retailer failed to implement reasonable procedures and prevent harm to consumers in hundreds of stores. From 2012 to 2020, Rite Aid deployed AI-based facial recognition technology to identify customers who may have been engaged in shoplifting or other problematic behaviour. The complaint, however, charges that the company failed to take reasonable measures to prevent harm to consumers, who, as a result, were falsely accused of wrongdoing.

Deleted CCTV footage: The Greek data protection agency fined Alpha Bank for failure to satisfy the right of access of its customer, who exercised the right of access to the recorded material from the store’s video surveillance system. It emerged that the bank failed to deal with the complainant’s request promptly, resulting in the material being scheduled to be deleted when the retention period expired. The authority found a violation of Art. 12 and 5 of the GDPR.

Audit reports

Cyber security framework: The UK Information Commissioner has carried out a voluntary data protection audit of Lewisham and Greenwich NHS Trust. One of the areas of improvement found included a cyber security framework that should be further embedded, by integrating new cyber staff roles into the organisation, and ensuring staff with key cyber security responsibilities complete additional specialised training relevant to their responsibilities. 

This should be supported by continuing security controls in place, such as plans to implement multi-factor authentication to protect higher risk or more sensitive personal data processing activities, and a regular programme of practical social engineering or phishing tests to ensure staff are familiar with such scams and what action to take.

Cyber risks relating to third-party suppliers should be reviewed periodically to ensure the Trust has assurance that cyber security controls are in place and effective. Further to this, Data Protection Impact Assessments should identify cyber risks and mitigating controls. Additionally, Information Asset Owners should be actively involved in assessing the cyber risks and monitoring the effectiveness of the mitigating controls. 

Ongoing work to replace or decommission legacy devices that cannot receive security patches and phase out or update servers with unsupported operating systems should continue. All network devices should be able to receive security patches that address cyber vulnerabilities, and systems approaching the end of life should be removed or updated on time.

Data breaches

Car parking data stolen: Europe’s largest parking app operator has reported itself to information regulators in the EU and UK after hackers stole customer data. EasyPark Group, the owner of brands including RingGo and ParkMobile, said customer names, phone numbers, addresses, email addresses and parts of credit card numbers had been taken but said parking data had not been compromised in the cyber-attack, the Guardian reports. The breach brings to light the centralisation of parking services, as physical meters and parking attendants are gradually replaced by websites and apps.

Data security

Children’s privacy: The Spanish data protection authority presented its age verification system. It consists of the principles that an age verification system must comply with, a technical note with project details and practical videos that demonstrate how the system works on different devices and using several identity providers. The age verification systems currently used on the Internet, eg self-declaration or sharing credentials with the content provider, have demonstrated clear risks: the location of minors, lack of certainty on the declared age, exposure of the identity to multiple participants, and mass profiling.

PETs: Privacy-enhancing and preserving technologies generally refer to innovations that facilitate the processing and use of data in a way that preserves the privacy of individuals. While there is no unified definition denoting a technology as a PET, the Centre for Information Policy Leadership’s year-long study investigates and provides 24 case studies on its three main categories: 

  • cryptographic tools that allow certain data elements to remain hidden while in use; 
  • distributed analytics tools where data is processed at the source; and 
  • tools for pseudonymisation and anonymisation. 

Authentication: Logging in with a password is still one of the most commonly used forms of authentication. Depending on what you have to protect, this may also be enough, states the Dutch data protection authority. Yet logging in with a single factor remains unsafe. It is better to use multiple factors, such as a password combined with a code via SMS. Using biometric data, even if very reliable, demands extra protection and must therefore meet stricter security requirements. Another alternative is a digital token – the unique series of numbers is not generated from your characteristics but is stored on a chip in your access card. However, it would only work if it is and remains strictly personal. 

Big Data

TikTok Australia: The Australian Information Commissioner has launched an inquiry into the platform’s use of marketing pixels to track people’s online habits, The Guardian reports. This can include where they shop, how long they stay on websites and personal information, such as email addresses and mobile phone numbers of non-TikTok users. The probe will determine whether TikTok is harvesting the data of Australians without their consent. Chinese conglomerate ByteDance, which owns the video-sharing platform, has denied it violated Australian privacy laws. New privacy legislation in response to a review of the Privacy Act is expected to land in the Australian parliament this year and will allow more inquiries like this.

Body-related data: Organisations building immersive technologies, from everyday consumer products like mobile devices and smart home systems to advanced hardware like extended reality headsets, often rely on large amounts of data about individuals’ bodies and behaviours, states the Future of Privacy Forum. Thus, it offers detailed and illustrated instructions on how to document body-related data categories, (raw voice recording, facial geometry, fingerprints), handle complicated data practices, (eg, eye tracking), evaluate privacy and safety risks, and implement best security practices. Download the framework here.

Cookie deprecation: Google begins the next step toward phasing out third-party cookies in Chrome: testing Tracking Protection, a new feature that limits cross-site tracking by restricting website access to third-party cookies by default. The company will roll this out to 1% of Chrome users globally, (a key milestone in their Privacy Sandbox initiative to phase out third-party cookies for everyone in the second half of 2024). Participants for Tracking Protection are selected randomly — and if you’re chosen, you’ll get notified when you open Chrome on either desktop or Android.

Weekly digest 11 – 17 July 2022: patient rights, land registers, user-generated health data, targeted ads & privacy
https://techgdpr.com/blog/weekly-digest-18072022-patient-rights-land-registers-user-generated-health-data-targeted-ads/
Tue, 19 Jul 2022 06:31:03 +0000

The post Weekly digest 11 – 17 July 2022: patient rights, land registers, user-generated health data, targeted ads & privacy appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes: patient rights vs data access rights

The Belgian data protection authority has clarified the right of access and right to rectification regarding medical records under the GDPR and the patient rights legislation. The subject of the complaint was a medical report drawn up post-treatment. The plaintiff’s treating psychologist refused their request for a copy of the final report. After obtaining a copy through their general practitioner, the plaintiff claimed that an incomplete answer was provided by the processing manager because his right to full access to his data under the data protection law was limited. 

In its decision, the regulator stated that the right to information and access, (under the GDPR), and the right of access, (under the Patient’s Rights Law), are not absolute, cms-lawnow.com reports. The limitation in the patient’s rights legislation concerning the right to information and inspection is related to the fact that the information is not communicated, and access is not granted to the patient if this would cause “evidently serious harm to the patient’s health”. Similarly, rectification of data requested by the data subject could undermine the accuracy of the medical diagnosis and even results of the treatment, and would be possible only in the case of incorrect processing of personal data.

Official guidance: EU digital strategy, data transfers to Russia, children’s pictures

The French data protection authority CNIL clarified its position with regard to the EU’s digital strategy, and, namely, the upcoming Data Governance Act and Data Act, following the adopted position of the EDPB and EDPS. In short, this strategy aims to develop a single data market by supporting responsible access, sharing and re-use of data between actors in the data economy, in particular related to the use of connected objects and the development of the Internet of Things, while respecting the values of the EU and in particular data protection. With regard to the rights of access, use and sharing of data provided for by the Data Act, the CNIL and its counterparts ask the co-legislators to ensure:

  • additional guarantees for the persons concerned,
  • the legality, necessity and proportionality of the obligation to make data available to public sector bodies and EU institutions due to exceptional need,
  • strict definition of the hypotheses of “public emergency” or “exceptional need”, and
  • a clear supervision process by data protection authorities.

The EDPB meanwhile has issued a statement on personal data transfers to the Russian Federation. It reiterates that the transfer of personal data to a third country, in the absence of an adequacy decision of the European Commission pursuant to Art. 45 GDPR, is only possible if the controller or processor has provided appropriate safeguards, and on the condition that enforceable rights and effective legal remedies are available for data subjects, (Art. 46 GDPR). Russia does not benefit from an adequacy finding from the European Commission. Therefore, transfers of personal data to Russia must be carried out using one of the other transfer instruments provided for in Chapter V of the GDPR. 

With this in mind, the EDPB notes that, when personal data are transferred to Russia, data exporters under the GDPR should assess and identify the legal basis for the transfer and the instrument to be used among those provided by Chapter V GDPR, (eg, Standard Contractual Clauses or Binding Corporate Rules), or the derogations for specific situations, in order to ensure the application of appropriate safeguards. 

In the midst of summer holiday plans, Norway’s data protection authority Datatilsynet reminds parents and other responsible persons of the proper usage of children’s pictures. The guide is made for both parents and employees at schools, kindergartens or other places where there is a high possibility of taking pictures of children. The data protection checklist includes these main provisions:

  • Legality: never share photos of other people’s children without the consent of their guardians.
  • Images: think about the content and use filters or poorer resolution; this makes the images less interesting to others.
  • Quantity: share as few photos as possible.
  • Channel usage: be aware of how you share your photos. Don’t leave it open to the public. Create closed groups.
  • Delete regularly: Take a spring cleaning and delete previous photos you have published on a regular basis.
  • Always ask the children: Use questions such as “Do you think it’s okay for me to share this picture with the family or friends?” Then you make it understandable to them. Respect the answer.

European Health Data Space

Another joint opinion by EDPB-EDPS clarifies the data protection challenges with regard to the future European Health Data Space. The proposal aims at supporting individuals to take control of their own health data, supporting the use of health data for better healthcare delivery, better research, innovation and policy making, and enabling the EU to make full use of the potential offered by a safe and secure exchange, use and reuse of health data. However, the regulators warn that it may actually weaken the protection of the rights to privacy and to data protection, especially considering the categories of personal data and purposes that are related to the secondary use of data.


The proposal will add yet another layer to the already complex collection of provisions, (to be found both at EU and Member State levels), on the processing of health data. The interplay between those different pieces of legislation needs to be crystal clear. With regard to the scope of the proposal, the EDPB and the EDPS recommend excluding from it wellness applications and other digital applications, as well as wellness and behavioural data relevant to health. Should these data be maintained, the processing for secondary use of personal data deriving from the above applications should be subject to prior consent within the meaning of the GDPR. Moreover, it may fall within the scope of the e-Privacy Directive. Finally, the EDPB and the EDPS urge the co-legislator to ensure legal clarity on the interplay between the data subject’s rights introduced by the proposal and the general provisions contained in the GDPR on data subject’s rights.

Investigations and enforcement actions: Clearview’s fine, e-commerce program’s security, multi factor logins, land and mortgage register, delivery service data on sale

The Danish data protection agency Datatilsynet expressed serious criticism of Sports Connection, (a webshop), for not having implemented appropriate security measures in connection with a hacker attack, where unauthorized persons collected customers’ payment information. Last year the company reported a breach of personal data security to the authorities. Sports Connection became aware of the unauthorized access when the company discovered that a field had been added to the shopping basket on the webshop, which had not previously been there. Via a security hole in an e-commerce program, malicious program code was injected, which made it possible to upload a file to the webshop, which meant that the webshop’s check-out page could be tampered with.

Datatilsynet concluded in this case that Sports Connection, by not updating its e-commerce program to the latest version at the time of the attack, had not taken appropriate organisational and technical measures to ensure a level of security appropriate to the risks. When choosing a response, the agency emphasized that it is a known risk scenario that frequently-used e-commerce platforms are targets for attempts to compromise built-in weaknesses. In addition, the regulator has emphasized that this is the customers’ payment information, which was not secured, and that the company has no documentation on the continuous and adequate upgrade required of its e-commerce program.

The Greek data protection authority made headlines last week by fining the controversial facial recognition firm Clearview AI 20 million euros and prohibiting it from collecting and processing the personal data of people in Greece. It has also ordered the deletion of any data on Greek residents already collected, TechCrunch reports. Their counterparts in France, Italy and UK have already issued similar decisions in the last year. In the US Clearview faced major restrictions too, while in Canada and Australia they also appear to be in breach of local privacy regulations.

Clearview have scraped hundreds of millions of images of individuals from social media profiles without clear consent. Despite a legal backlash, the company is expanding sales of its facial recognition software to companies mainly serving the police: “Instead of online photo comparisons, the new private-sector offering matches people to ID photos and other data that clients collect with subjects’ permission”. The images are stored as long as customers wish and are not shared with others, nor used to train Clearview’s AI, the company states. 

The Polish privacy regulator UODO imposed an administrative fine on the chief national surveyor, for the failure to report the breach of personal data protection to the supervisory body and the failure to notify the persons whose personal data was disclosed online. Here are some findings of the case:

  • for over 48 hours on the website maintained by the Chief Surveyor of the Country, land and mortgage register numbers were visible. With the number it was easily possible to determine data about real estate owners, including names, surnames, parents’ names, or address,
  • the data protection office learned about the breach not from the controller, who should report it to the supervisory authority, but from the media,
  • the defendant maintained that the land and mortgage register numbers are not personal data, and
  • argued that the numbers are also visible on other websites and that the short-term appearance on their website did not carry any risk of violating the rights and freedoms of the data subjects.

In its decision, the regulator returned to the definition of personal data specified in Art. 4 GDPR, according to which personal data is any information about an identified or directly or indirectly identifiable natural person. UODO pointed out that the administrator cannot justify their unlawful activity by the existence of private entities operating websites that allow access to the content of land and mortgage registers. In addition, the assessment of the risk of violating the rights or freedoms of a natural person should be made from the point of view of the interests of the affected person, and not the interests of the controller. The person can then judge for themselves whether, in their opinion, the security incident may have negative consequences for them and take appropriate remedial action. On the other hand, the lack of such a data breach notification not only takes away that possibility, but may have negative consequences for the person.

The Romanian data protection body ANSPDCP completed an investigation at a delivery company (Delivery Solutions), following a complaint filed by a natural person who reported that the database of the service was for sale online. It was found that personal data belonging to over 26,500 individuals, (information that accompanies the shipment of any package, courier codes, sender name, name and surname of the recipient, telephone number, address, delivery status, type of service, package weight, amount receivable, delivery range), were available for sale on the RaidForums website and could be accessed via an open link. Delivery Solutions was fined approx. 3,000 for failing to implement adequate technical and organisational measures to ensure a level of security appropriate to the risk of data processing.

Data security: US location, health, and other sensitive data

The US Federal Trade Commission, (FTC), committed to fully enforcing the law against illegal use and sharing of highly sensitive data. “Among the most sensitive categories are data collected by connected devices, a person’s precise location and information about their health. Smartphones, connected cars, wearable fitness trackers, “smart home” products, and even the browser you’re reading this on are capable of directly observing or deriving sensitive information about users”, the FTC states.

It goes on to underline the “always on” aspect of connectivity and how intrusive that can be. Even unused, a device is in constant communication with local and national networks. Constant location data can reveal where people work, sleep, socialize, worship, and seek medical treatment. Each user actively generates their own sensitive data, via apps testing their blood sugar, recording sleep patterns, monitoring blood pressure, or tracking fitness. They share face and other biometric information to use apps or device features. Combining location and user-generated health data creates a “new frontier of potential harms to consumers” says the FTC, which concludes, “The marketplace for this information is opaque and once a company has collected it, consumers often have no idea who has it or what’s being done with it.” 

The FTC has additional guidance for businesses on consumer privacy and data security.

Big Tech: Ring’s audio, TikTok presses pause on privacy policy changes

Just a day before it was due to take effect TikTok postponed its new privacy policy, after the Italian data protection agency ‘Garante’ officially warned the Chinese social media giant it breached EU privacy rules. TikTok told users the changes would deliver targeted advertising without seeking their consent for using data on their devices. The Italians have told TikTok they reserve the right to impose penalties if the policy changes are not scrapped. TikTok insists the changes were made in the legitimate interests of the company and its partners, but after consultations with lead regulator Ireland, acting on the Italian ruling, the policy changes have been “paused”, pending analysis by Ireland’s Data Protection Commission.

Amazon’s doorbell camera system Ring is in the spotlight after product testing revealed it recorded audio well beyond the proximity of its location, and a US Senator called for better privacy in the device. Ring rejected the request by Democrat Ed Markey of Massachusetts, but his concerns are shared by security and privacy experts. Markey did not call for a restriction of the microphone range, but to require users to switch it on, and not have it active as a default setting. Ring claimed this might “confuse” customers, and did not rule out Ring’s future use of facial recognition technology when responding to the request that it never be employed. Markey called for support for the Facial Recognition and Biometric Technology Moratorium Act currently in Congress.

The post Weekly digest 11 – 17 July 2022: patient rights, land registers, user-generated health data, targeted ads & privacy appeared first on TechGDPR.

Weekly digest Nov 29 – Dec 5, 2021: data volunteerism, cookie deluge, remote clinical trials, starling murmuration & privacy https://techgdpr.com/blog/weekly-digest-07122021-data-volunteerism-two-factor-authentication-cookie-deluge-remote-clinical-trials/ Tue, 07 Dec 2021 08:00:49 +0000


TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

The EU Commission approved the political agreement reached between the EU Parliament and EU Member States on a European Data Governance Act. Three-way negotiations have now concluded, paving the way for final approval of the legal text. The Data Governance Act will create the basis for a new system of data governance in accordance with EU rules, the GDPR, and consumer protection and competition rules. More data will be made available and exchanged in the EU, across sectors and Member States. It aims to boost data sharing and the development of common European data spaces, such as those for manufacturing or health, as announced in the European strategy for data. The regulation provides for:

  • increasing trust in data sharing in order to lower costs,
  • allowing novel trustworthy data intermediaries for data sharing,
  • facilitating the reuse of certain data held by the public sector, (eg, health data for clinical research into rare or chronic diseases),
  • giving users control over the data they generate, (eg, data volunteerism, where companies and individuals make their data available for the wider common good under clear conditions).

On 1 December, a new law regulating data protection and privacy in telecommunications and telemedia, the TTDSG, came into effect in Germany. It contains updated provisions on digital legacy, privacy protection for terminal equipment and consent management. For example, it aims to stem the cookie deluge and give website visitors more control over the data a website collects. It also intends to provide more clarity in the regulatory jungle of the GDPR, the ePrivacy Directive, the German Telemedia Act, and the German Telecommunications Act, Herbert Smith Freehills LLP reports. Other key takeaways for companies from the TTDSG are:

  • All technologies, except those that are “strictly necessary”, may only be activated on the basis of explicit consent, (eg, marketing cookies, local storage or other storage locations on users’ devices).
  • The scope of application of consent management platforms has been extended, (eg, storage of information that is not personal data is also subject to consent).
  • The TTDSG also applies to apps, messenger services, smart home devices, and the IoT.

EU Member States may allow consumer protection associations to bring representative actions against infringements of the GDPR, according to a CJEU Advocate General. Those actions must be based on infringements of data subject rights derived directly from the regulation. In the related case, the Federation of German Consumer Organisations complained that Facebook Ireland made free games supplied by third parties available in the platform’s App Centre without clear information to users on the purposes of data processing. The GDPR does not preclude national legislation which allows consumer protection associations to bring legal proceedings on the basis of unfair commercial practices and consumer protection. In the AG’s view, “Member states may provide for the possibility for certain entities to bring – without a mandate from the data subjects and without there being a need to claim the existence of actual cases affecting named individuals – representative actions designed to protect the collective interests of consumers, provided that an infringement confers subjective rights on data subjects”.

The Irish Council for Civil Liberties, the ICCL, has launched a formal complaint against the EU Commission before the European Ombudsman. The complaint has two components:

  • the Commission has failed to properly monitor the application of the GDPR, and
  • it has neglected to act against Ireland’s failure to properly apply the GDPR.

The ICCL revealed that 98% of Ireland’s major cross-border cases remain unresolved. As a result, EU enforcement against Google, Facebook, Microsoft, Apple, and other Big Tech firms is paralysed. The Data Protection Commission is the “lead supervisory authority” under the GDPR for Big Tech firms that have their European headquarters in Ireland, and no other enforcer in the EU can intervene once the Irish regulator takes the lead role. The ICCL has repeatedly alerted the Irish Government to its responsibilities, and has testified on this point in Parliament.

Official guidance

The French CNIL has published updated recommendations on remote quality control of clinical trials, taking into account the current Covid-19 crisis. Quality control, or monitoring, consists of verifying the completeness and accuracy of the data transmitted by investigation centres to sponsors in order to ensure the reliability of the study results. In particular, it involves a clinical researcher acting for the sponsor checking source documents, (medical files, laboratory analysis reports), and comparing them with the observational data collected by the investigator. Data confidentiality plays a key role in the process, as the person in charge of quality control should only have access to the personal data necessary to perform the checks.

In the current public health context, the CNIL had previously considered that it was not necessary to file a request for its authorisation if remote monitoring was implemented. It was the responsibility of data controllers and their subcontractors to document the solutions they chose during this period and to be able to demonstrate that these presented sufficient guarantees for the rights and freedoms of the persons concerned. However, all studies initiated as of January 1 will require the filing of an authorisation request with the CNIL. Also, for ongoing studies, the information note must be updated and provided to the persons concerned, (directly, by post, or in a call), with the patient’s non-objection documented in their medical file. Consequently, the medical file of a person who has objected cannot be subject to remote quality control.

“Two protections are better than one!” The CNIL has also published its guidance on two-factor authentication: “Banking, e-commerce, electronic messaging, social networks: everyone has personal accounts on many websites. Each of them contains personal data, some of which are particularly sensitive”. In two- or multi-factor authentication, “what you know”, (a username/password), is combined with “what you have”, (a single-use code, a USB token, a smart card). Since the end of 2019, banks and payment service providers in the EU have had to implement multi-factor authentication for most remote actions, (adding a transfer beneficiary, ordering chequebooks, changing an address). The CNIL recommends activating multi-factor authentication whenever a service offers it, even though it remains vulnerable to certain sophisticated attacks such as real-time phishing, the interception of SMS messages containing authentication codes, or SIM swapping.

Data breaches, investigations and enforcement actions

The UK Information Commissioner’s Office, (ICO), fined EB Associates Group 140,000 pounds for over 107,000 illegal pension cold calls. The Government banned the practice in 2019 to try to stop people being scammed out of their life savings. The ICO has ordered EB Associates to stop making further illegal calls or face court action. EB Associates did not have valid consent – freely given, specific and informed – to instigate the making of these calls. Instead, EB Associates contracted lead generators, (paying up to 750 pounds per referral), to make the calls, knowing the cold calling ban was in place, in an attempt to bypass the law.

The ICO has also fined the Cabinet Office 500,000 pounds for disclosing the postal addresses of the 2020 New Year Honours recipients online. The Cabinet Office failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of people’s information. In 2019, the Cabinet Office published a file on the governmental website containing the names and unredacted addresses of more than 1,000 people announced in the New Year Honours list. People from a wide range of professions, as well as celebrities across the UK, were affected. After becoming aware of the data breach, the Cabinet Office removed the web link to the file. However, the file was still cached and remained accessible online to anyone who had the exact webpage address. The personal data was available online for a period of two hours and 21 minutes, during which it was accessed 3,872 times.

The Italian regulator Garante sanctioned a public transportation company over the remote monitoring of workers. An employee complained about the monitoring of staff through the telephone management system of the call centre dedicated to customer care. The company had justified the use of these technological tools by the need to verify quality standards and manage any complaints, stating that it had informed the workers and trade unions. Following an inspection, it emerged that the employees had not in fact been adequately informed. Furthermore, the system was not limited to the management of telephone calls: it also allowed calls to be recorded and replayed, and stored for an unspecified time other information such as call duration, numbers contacted, and the date and time of each call. Considering the cooperation offered by the company and the immediate deactivation of the system, the authority imposed a fine of 30,000 euros.

Spanish regulator AEPD imposed a fine of 20,000 euros on a business support services company for violating Art. 5 of the GDPR through the unlawful use of fingerprints in changing rooms and toilets. The investigation was initiated following a complaint against the installation of fingerprint readers at workplace entrances and exits. Fingerprints are biometric data as defined in Art. 4 of the GDPR and fall into a special category of personal data. The use of fingerprints to access changing rooms and toilets was a repeated and continuous unjustified interference with the rights and freedoms of employees, DataGuidance reports.

Romanian regulator ANSPDCP fined a call centre, (a data processor), 2,000 euros for violating Art. 29 and 32 of the GDPR. The investigation was initiated following a personal data breach notification submitted by an operator, (the data controller). The security breach occurred when a call centre employee mistakenly attached, to a message sent to one of the operator’s clients, an Excel file containing the data of that operator’s customers who used Internet Banking services. The breach led to the unauthorised disclosure of, or unauthorised access to, personal data such as e-mail address, username, user ID, telephone number, customer name and customer code belonging to 11,169 individuals. It was established that the call centre, as the processor acting on behalf of the operator, had not taken appropriate measures to ensure that persons acting under its authority with access to personal data processed that data only on the specific instructions of the data controller.

In Lithuania, the data protection inspectorate, (VDAI), fined car rental company Prime Leasing UAB 110,000 euros for violating Art. 32 of the GDPR, the obligation to ensure the security of the processing of personal data. The company’s customers complained that their personal data had been disclosed on a public forum website. The data had been obtained from an unprotected database backup. Prime Leasing did not assess the associated risk because, it claimed, it was unaware that the file existed in its infrastructure. The VDAI found that the data of around 110,302 users had been disclosed, including names, addresses, telephone numbers, emails, personal identification numbers, payment card type, the last four digits of payment cards, and payment card expiry dates. According to the inspectorate, the confidentiality of the personal data stored in the file should have been protected by at least one of the following basic security measures:

  • authenticated access to the file, restricted to the company’s employees;
  • connecting to the repository only from the company’s internal computer network;
  • storing the file in encrypted form, (with the encryption keys entrusted only to authorised company employees), or proper monitoring of information resources.

The Danish data protection agency has published, (in Danish only), a Christmas calendar with 24 “doors” on data protection and security breaches. The first week of December’s cards covered cases relating to health data, webshops and bank hacking, followed by the latest analytics and infographics. Many more doors to open before Christmas Eve!

Opinion

The importance of cybersecurity risk management in private equity, (PE), is analysed by Ropes & Gray LLP:

“As PE firms can potentially hold large amounts of personal data from their portfolio companies, they are not immune from cyber risk. Indeed, the GDPR permits national authorities to fine “undertakings” as a whole, which means that parent companies may be fined for infringements of their subsidiaries.”

According to the analysis, this is a result of the commercial reality that increasing competition limits the time available to conduct pre-deal due diligence. As a result, cyber due diligence for competitive auctions usually takes place post-deal. As a recent example, in 2020 the UK data protection authority fined Marriott 18.4 million pounds for a cyber-attack stemming from a vulnerability in the data processing systems of Starwood, a company Marriott acquired in 2016. PE firms should therefore test their resilience against realistic mock scenarios that they or their portfolio companies might face, such as a supply chain compromise or an extortion-based attack.

Data security

What can starling murmuration teach us about better managing data privacy? Analysis by Gilbert + Tobin lawyers from Australia: “It is not just a pretty stunt; rather, it is an illustration of how optimal outcomes can be produced when intelligence is aggregated and utilised at a group level, an emerging concept known as swarm intelligence”.

Applying this theory, machine learning techniques are used on information shared across a secure, decentralised, and privacy-preserving network to enable intelligence to develop at a group level. Individual systems upload the insights and knowledge they produce to a common network, which incrementally refines a core model that all participants benefit from using, (eg, the data is stored locally and only the insights are shared and used centrally). Read more, including a case study on medical applications, in the original publication.

Human error is the leading cause of serious data breaches, according to a new report released by New Zealand’s Office of the Privacy Commissioner, (OPC). Since reporting of serious privacy breaches became a legal requirement in the country a year ago, the OPC has seen a nearly 300% increase in privacy breach reports compared with the same 11-month period the year before. Human error was the leading cause of serious privacy breaches during this period, (61%), with email errors accounting for over a quarter of those breaches. Other types of human-error breaches reported were accidental disclosure of sensitive personal information, data entry errors, confidentiality breaches, redaction errors, and postal and courier errors.

Big Tech

Russia’s communications regulator Roskomnadzor has filed cases against US tech firms Google and Meta that could see fines imposed based on their annual turnover in Russia, Reuters reports. Russian law allows companies to be fined between 5% and 10% of annual turnover for repeated violations. Court dates for both companies – neither of which immediately responded to a request for comment – were set for December 24. Russia has increased pressure on foreign tech companies, slowing down Twitter since March and routinely fining others for content violations. Google has paid more than 382,000 euros in fines this year. Google, Twitter and Meta have significantly reduced the number of posts prohibited by Moscow on their platforms. Additionally, Russia has demanded that 13 foreign and mostly US tech companies be officially represented on Russian soil by the end of 2021 or face possible restrictions or outright bans.

The UK competition authority, the CMA, is demanding that Facebook sell Giphy, citing risks to users’ data. Facebook, the largest provider of social media sites and display advertising in the UK, acquired Giphy, the largest provider of GIFs, in 2020. The merger would further increase Facebook’s dominance, and Facebook would benefit from Giphy’s data collection practices and its integration with other services. With the acquisition of Giphy, Facebook could limit the ability of rival apps to compete with it in social media and could demand individuals’ data as a condition for rival companies to use Giphy. In particular, through the acquisition of Giphy, Facebook would potentially be able to:

  • obtain users’ personal data processed via Giphy and potentially combine it with the vast amount of data it already processes to profile users and predict their behaviour;
  • increase the categories of personal data collected by modifying Giphy’s API;
  • impose on clients, (including Facebook’s competitors in the social media market), conditions for the use of Giphy that prevent clients from protecting their users’ data;
  • increase its capacity to deliver targeted ads both to Giphy’s users and to internet users outside Facebook’s platform and services, through increased tracking.

The Australian Competition and Consumer Commission is also reviewing the Facebook/Giphy merger.

Facebook plans to require more at-risk accounts to use two-factor authentication. The platform joins Google and others in requiring stronger protections for its most vulnerable users. Facebook’s parent company, Meta, has required since last year that advertising accounts and administrators of popular pages turn on two-factor authentication. “While Meta says that its current initiative applies only to the politicians, activists, journalists, and others enrolled in its Facebook Protect program, this seems like a sort of test for figuring out how to make two-factor authentication as easy as possible for everyone to turn on. Meta is also working to make sure it can help troubleshoot any related issues that may arise for users around the world”, Wired reports.
