UK law Archives - TechGDPR
https://techgdpr.com/blog/tag/uk-law/
Feed last built Thu, 30 Jan 2025 12:06:50 +0000

Data protection & privacy digest 19 Mar – 2 Apr 2023: court-dismissed fine, cybersecurity tools, ChatGPT clampdown
https://techgdpr.com/blog/data-protection-digest-04042023-dismissed-fine-cybersecurity-tools-chatgpt-clampdown/
Published Tue, 04 Apr 2023 08:50:03 +0000

The post Data protection & privacy digest 19 Mar – 2 Apr 2023: court-dismissed fine, cybersecurity tools, ChatGPT clampdown appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

Court-dismissed fine: A multimillion-euro fine imposed by the Spanish privacy regulator has been overturned by a court decision, according to a publication by the law firm Clifford Chance. The AEPD fined Banco Bilbao Vizcaya Argentaria (BBVA) 5 million euros in 2020, the first of many hefty GDPR fines in the country's corporate sector. In that case, the AEPD had received several complaints about commercial communications. It ultimately found that BBVA's privacy policy, which applied to all of its clients and to processing other than the sending of marketing communications, violated the duty of information and in places misused consent and legitimate interest as the basis for processing. However, the court found that the decision and the fine, which addressed BBVA's privacy policy as a whole, were at odds with the initial complaints, and that the AEPD had breached the rules of its own sanctioning procedure.

EU Health Data Space: EU legislators are actively working on safeguards for the upcoming European Health Data Space. This includes promoting patients' understanding and control of their personal health data. The latest amendments look at the main characteristics of the electronic health data categories: patient summary, electronic prescription, electronic dispensation, medical image and image report, laboratory result, and discharge report. Under the Commission's proposal, researchers, companies, and institutions will require a permit from a health data access body, to be set up in every member state. Access will only be granted to de-identified data for approved research projects, which will be carried out in closed, secure processing environments, as the Sciencebusiness.com publication sums up.

Iowa privacy legislation: Iowa enacted its new comprehensive privacy law, making it the sixth US state to do so after California, Virginia, Colorado, Utah, and Connecticut. It will take effect in 2025. Anyone conducting business in Iowa, or producing goods or services targeted at Iowans, is subject to the law if they either: control or process the personal data of at least 100,000 consumers; or control or process the personal data of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data. The law does not apply to financial institutions, nonprofit organizations, institutions of higher education, information bearing on consumers' creditworthiness, various research data, protected health information, and more.

Utah minors protection: Utah enacted two laws to limit children's access to social media, making it the first US state to demand parental consent before children can use services such as Instagram and TikTok. It also makes suing social media companies for damages simpler. To date, US lawmakers have had difficulty enacting stricter federal laws governing online child safety. Under Section 230 of the US Communications Decency Act, online service providers are largely shielded from liability for content posted by their users.

Online service providers are also not required by federal statute to use any particular method of age verification. Because of this, some set minimum age restrictions and ask users to enter their birthdate or age before granting access to the content; these restrictions are typically stated in the terms of service. Under the Utah legislation, all users must pass age verification before creating a social media account, and users under 18 must have parental or guardian consent.

Official guidance

AI white paper: Principles including safety, transparency, fairness, contestability, and redress will guide the use of AI in the UK, as part of a new pro-innovation national blueprint. Reportedly, Britain has more businesses offering AI goods and services than any other European nation, and hundreds more are founded annually. Regulators pledge to provide organisations with advice over the coming year, as well as other resources such as risk assessment templates. Currently, no deadline is envisaged in the UK for passing AI legislation. Meanwhile, the EU AI Act, which takes a more risk-based approach and is being debated by parliamentarians, can reasonably be expected this year.

Data protection by default: UK privacy regulator the ICO published resources to help UX designers, product managers, and software engineers embed privacy by default. The guidance looks at key privacy considerations for each stage of product design, from kick-off to post-launch when designing websites, apps, or other technology products and services. The ICO has also published videos with experts, technologists, and designers. 

Employment guide: The Danish data protection authority's guidance on data protection in employment relationships has been revised (in Danish only). The update covers the acquisition of criminal records and references. The regulator also clarified an employer's obligation to disclose information, trade union processing activities, employee monitoring, the use of IQ and personality tests, and more. In parallel, the Lithuanian regulator is preparing similar guidance for employees, business, and the public sector (in Lithuanian only).

Joint controllers: What is the difference between joint and independent data controllers? Joint controllership arises when the entities involved in processing carry it out for the same or common purposes. It can arise even when the entities pursue purposes that are only closely related or complementary, explains the Slovenian data protection authority. The purposes and means of processing need not be identical for all joint controllers, but they must be mutually determined via an agreement; they can also be defined by law. Consequently, joint controllers are jointly and severally liable for damages.

Suspected data breach: Under the GDPR, in the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of individuals, the data controller must notify the affected data subjects without undue delay. Notification is not mandatory, however, if any of the conditions in Art. 34(3) GDPR are met. Regardless of the above, in the case of a suspected breach (e.g. unauthorised disclosure of a large amount of personal data), you have the right to ask the data controller, if it processed your data, whether your personal data is included in the incident, concludes the Croatian data protection agency.

Enforcement decisions

ChatGPT ban: The Italian supervisory authority Garante has clamped down on ChatGPT. The limitation of the processing of Italian users’ data by OpenAI, the US company that developed and manages the platform, is temporary until it establishes privacy procedures. ChatGPT suffered a data breach on March 20 concerning user conversations and payment information for subscribers to the paid service. Garante noted the lack of information to users and all interested parties whose data is collected by OpenAI, but above all the absence of a legal basis that justified the collection and storage of personal data in order to train the algorithms. 

Additionally, as evidenced by the checks carried out, the information provided by ChatGPT does not always correspond to the real data, thus establishing inaccurate processing of personal data. Finally, the service is aimed at people over 13 but does not use any filter for verifying the age of users and exposes minors to answers that are absolutely inappropriate with respect to their degree of development and self-awareness. OpenAI, which does not have an office in the EU but has appointed a representative in the European Economic Area, must communicate within 20 days on the measures taken.

Wrongful copy: The Greek data protection authority looked into a complaint from a Vodafone subscriber who, after requesting access to her recorded conversations with the Vodafone call centre, received a CD containing the conversations of another person. Although the complainant notified Vodafone immediately, it took no investigative steps to confirm the incident, initially contenting itself with the processor's response that it had not located the complainant in the recordings. It subsequently contacted her to return the CD. Vodafone was ordered to send the correct file and was fined 40,000 euros (Art. 15 and Art. 33 GDPR).

Email correspondence: Employees’ right to privacy is unaffected by a legitimate interest in processing personal data for legal defense. The Italian privacy authority fined a company that continued to use an employee’s email account after they had left the firm, viewing the content, and setting up forwarding to a company employee. The former collaborator had gathered references from potential clients they had met at a fair. The company claimed that a legal dispute resulted from the collaborator’s attempt to get in touch with them. Fearing losing relationships with potential customers, the company had not only written to them to explain that the person had been removed, but had also viewed the communications.  

GPS monitoring: Tehnoplus Industry in Romania was fined for a GPS system installed on a company car without the employee having been informed, and without the company having first exhausted other, less intrusive methods of achieving the purpose of the processing (monitoring the service vehicle). Tehnoplus Industry excessively processed the complainant's location data even outside working hours. The purpose and legal basis of this processing, and the excessive storage period of the collected data (beyond the established 30-day limit), were also found to be unlawful.

In parallel, the French privacy regulator imposed a fine on Cityscoot for geolocating customers almost permanently in breach of the data minimisation principle. During the rental of a scooter by an individual, the company collected data relating to the geolocation of the vehicle every 30 seconds. In addition, the company kept the history of these trips. None of the established purposes of the processing, (the treatment of traffic offenses, handling customer complaints, user support, and theft management), could justify the monitoring and could have been organised without constant tracking.  

Data security

Cybersecurity tools: The French regulator CNIL has updated its guide on the security of personal data (in French). It supports professionals processing personal data by recalling the basic precautions to be implemented. Seventeen fact sheets cover the latest recommendations on authenticating users, logging operations and managing incidents, securing the workplace, guiding IT development, securing exchanges with other organisations, encryption, and much more.

The European Union Agency for Cybersecurity (ENISA) has also released a tool to help small and medium-sized enterprises assess their cybersecurity maturity. The tool supports the implementation of the updated Network and Information Security (NIS2) Directive. Most SMEs fall outside the scope of the Directive because of their size, and this work provides easily accessible guidance tailored to their specific needs.

Similarly, the UK National Cyber Security Centre has launched two new services to help small organisations stay safe online:

  • The Cyber Action Plan can be completed online in under 5 minutes and results in tailored advice for businesses on how they can improve their cyber security.
  • Check your Cyber Security – which is accessible via the Action Plan – can be used by any small organisation including schools and charities and enables non-tech users to identify and fix cyber security issues within their businesses.

Mobile threat defense: The US NIST has examined mobile threat defense (MTD) applications, which provide real-time information about a device's risk level. Like any other app, an MTD app is installed on the device by the user. It then detects undesirable activity and alerts the user so they can stop or minimise the harm: for instance, it warns when the operating system needs updating, or when the device's network connection appears to be intercepted. However, without integration into a mobile device management (MDM) system, which can enforce a response such as blocking a non-compliant device, MTD applications are only marginally effective in an enterprise environment.

Big Tech

Child care apps: In the US, childcare facilities are using technology more and more, reports edsurge.com, which tells the story of a parent who signed her child up for child care. She wasn't expecting to have to download an app to participate, and when that app began sending her photos of her child, she had further questions. Laws such as the Family Educational Rights and Privacy Act and the Children's Online Privacy Protection Act don't apply in these circumstances, so parents will need to do some independent research. Another aspect is that cameras can make teachers and other classroom staff anxious or otherwise not themselves, she says: they may feel that administrators or parents don't trust them, and may avoid some activities, such as dancing.

You are (not) hired: Reportedly, a third of Australian companies rely on artificial intelligence to help them hire the right person, while there are no laws specifically governing AI recruitment tools. Applicants are often unaware that they will be subjected to an automated process or, if they are aware, on what basis they will be assessed. For instance, an AI system might conclude that you lack good communication skills if you don't use standard English grammar, or it may fail to recognise cultural traits because it was trained on native speakers. Another concern is how physical disability is accounted for in something like a chat or video interview. Read the Guardian's full analysis in the original publication.

Vehicle data: Because data ownership remains undefined under EU law, the Commission's proposed Data Act on fair access to such information, particularly in the vehicle sector, appears to have hit problems. Legislative proposals were expected to regulate a connected-car sector estimated to be worth more than 400 billion euros by the end of the decade. Now car services groups warn that very few big players are able to access this data, skewing the market, Reuters reports.


Data protection & privacy digest 4 – 17 March 2023: position of DPOs, user behavior analysis, creditworthiness and profiling
https://techgdpr.com/blog/data-protection-digest-20032023-position-of-dpos-user-behavior-analysis-creditworthiness-and-profiling/
Published Mon, 20 Mar 2023 10:37:07 +0000

The post Data protection & privacy digest 4 – 17 March 2023: position of DPOs, user behavior analysis, creditworthiness and profiling appeared first on TechGDPR.

TechGDPR’s review of international data-related stories from press and analytical reports.

Legal processes and redress

DPOs enforcement action: The EDPB has launched a coordinated enforcement action on the designation and position of data protection officers. DPOs across the EU will be sent questionnaires, with the possibility of further formal investigations and follow-ups. According to the Portuguese data protection agency, it will ask DPOs to participate voluntarily, and they need not identify themselves or the organisation concerned. The Spanish privacy regulator says it will analyse the practices of tens of thousands of public and private sector entities (education, banking, health, security, financial solvency, etc.).

The questions will relate, among other things, to the designation, knowledge, and experience of the data protection officers, their tasks, and their resources. Special attention will be paid to the independent and effective performance of the DPO's tasks and to possible conflicts of interest (where they also act as compliance officers, IT managers, etc.), explains the Bavarian data protection supervisor. The requirement for DPOs to report directly to the highest management level of the controller or processor, and their operating conditions (based on organisational charts, annual reports, etc.), will also be checked.

UK Data Protection reform resumes: The Data Protection and Digital Information Bill has been reintroduced in the House of Commons. Following the rapid change of UK government last summer, the reading of the previous bill did not take place as expected. Much of the new bill is the same as the withdrawn one. The new text also followed a detailed co-design process with industry, business, privacy, and consumer groups. It is said to reduce burdens on companies and researchers and to boost the economy by 4.7 billion pounds over the next decade. The research briefing on the draft reform bill is available here.

Creditworthiness and profiling risks: The CJEU's Advocate General suggests that the automated establishment of a person's ability to service a loan constitutes profiling under the GDPR. In the related case, a German private-law company (SCHUFA) provided a credit institution with a score for the citizen in question, which served as the basis for refusing her credit. The citizen asked SCHUFA to erase the entry concerning her and to grant her access to the corresponding data. SCHUFA merely informed her of the relevant score and of the principles underlying the calculation method, without disclosing the specific data included, arguing that the calculation method is a trade secret. Other related cases concerned the lawfulness of credit information agencies storing citizen data from public registers (on discharge from remaining debts).

Official guidance

Data subject access rights: The Latvian data protection agency DVI explains what the right to access your data means. Every natural person has the right to obtain accurate information about their data (or a copy of it) held by an organisation. For example, a person took part in a job interview and did not pass the selection rounds. To find out whether the company has stored personal data, the person can contact the company and ask and, if so, demand an explanation of the purpose for which it is processed. The individual must first contact the organisation using the communication channels or methods specified in the privacy policy. The request should be as clear as possible, and include:

  • identifying information of the requester, (the organisation has the right to additional information, so the person can be identified correctly);
  • an indication whether the information is desired for all data or for a specific case;
  • an indication of the period for which information is to be provided;
  • precise requests referring to all or any of the above questions.

The organisation may refuse the request if it has already been answered, if it is disproportionately large, if the requester cannot be identified, or if the information is covered by other regulatory acts. But if the organisation does not respond to the request within a month, and provides neither the information nor the reasons for refusal, the person has the right to file a complaint with the data protection authority.

Dematerialised receipts: The French privacy regulator CNIL looked at dematerialised receipts that merchants can offer you in place of traditional printed ones. You must still have the choice of whether or not to receive one (via email or SMS), as dematerialisation is not required by law. Dematerialised receipts allow the merchant to collect and reuse your data for advertising, but they must respect your rights by asking for your consent or by allowing you to opt out. If a merchant offers retrieval of your receipt by scanning a QR code with your smartphone, only the technical data necessary to establish the connection between the devices should be collected. Finally, creating a loyalty or online account is not mandatory in order to obtain your receipt.

User and Entity Behavior Analysis: UEBA techniques have many applications that always share one pattern: recording user behaviour in the past, modelling that behaviour in the present and, where possible, predicting what it will be in the future. According to the Spanish privacy regulator AEPD, the techniques used online collect massive amounts of data and almost always apply machine learning or AI. Users are always people; entities can be animals, vehicles, mobile devices, sensors, etc. How these techniques are applied depends on the application domain, since it may be of interest to analyse the individual behaviour of people or their behaviour from a social perspective, in three main domains:

  • service and marketing optimisation; 
  • cybersecurity; 
  • health and safety.

When personal data is processed, the principles established in the GDPR are mandatory, including transparency, data minimisation, and purpose limitation. But in many cases, users are not informed about the types of techniques that are being used, the depth of the treatment, the scope of data sharing, or the potential impact that a data breach may have.
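The pattern the AEPD describes (record past behaviour, model it, score the present against it) is what a security team's UEBA does at its simplest. The following is an added example, not code from the TechGDPR digest or the AEPD guidance: it builds a per-user baseline from a constructed set of authentication events (hypothetical users, countries and timestamps) and flags new events that deviate from that baseline in more than one way. The threshold, the two-hour tolerance and the scoring weights are assumptions chosen for illustration.

```python
"""
Toy UEBA baseline detector over constructed authentication events.
Added example; not part of the TechGDPR digest or the AEPD guidance.
A training window builds a per-user profile (countries seen, hour-of-day
histogram); scoring flags events that deviate from that profile.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not real data): timestamp,user,src_country,outcome
HISTORY = """\
2023-03-01T08:05:00,alice,DE,success
2023-03-01T09:10:00,alice,DE,success
2023-03-02T08:30:00,alice,DE,success
2023-03-03T08:55:00,alice,DE,success
2023-03-01T22:00:00,bob,FR,success
2023-03-02T22:30:00,bob,FR,success
2023-03-03T21:45:00,bob,FR,success
"""

NEW_EVENTS = """\
2023-03-06T08:20:00,alice,DE,success
2023-03-06T03:12:00,alice,BR,success
2023-03-06T22:10:00,bob,FR,success
2023-03-06T22:11:00,bob,FR,failure
"""


def parse(text):
    """Parse the CSV-style lines above into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, country, outcome = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "outcome": outcome})
    return events


def build_profiles(events):
    """Per-user baseline. Only aggregates are kept (country set, hour
    histogram, event count), not the raw events: the minimisation point
    the AEPD raises applies to the model, not just the logs."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": Counter(), "n": 0})
    for e in events:
        p = profiles[e["user"]]
        p["countries"].add(e["country"])
        p["hours"][e["ts"].hour] += 1
        p["n"] += 1
    return profiles


def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 1 are 2 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def score_event(profile, event, hour_tolerance=2):
    """Return (score, reasons); each independent deviation adds one point."""
    reasons = []
    if event["country"] not in profile["countries"]:
        reasons.append("new-country")
    # The hour is 'usual' if it is within tolerance of any hour in the baseline.
    if not any(hour_distance(event["ts"].hour, h) <= hour_tolerance
               for h in profile["hours"]):
        reasons.append("unusual-hour")
    if event["outcome"] != "success":
        reasons.append("auth-failure")
    return len(reasons), reasons


def detect(history_text, new_text, threshold=2):
    """Alert on events scoring >= threshold, or on users with no baseline."""
    profiles = build_profiles(parse(history_text))
    alerts = []
    for e in parse(new_text):
        profile = profiles.get(e["user"])
        if profile is None:
            alerts.append((e["user"], e["ts"].isoformat(), ["unknown-user"]))
            continue
        score, reasons = score_event(profile, e)
        if score >= threshold:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, when, why in detect(HISTORY, NEW_EVENTS):
        print(f"ALERT {when} {user}: {', '.join(why)}")
```

With the constructed data, alice's 03:12 login from a never-seen country scores two deviations and is flagged, while bob's single failed login at his usual hour and location scores one and is not. A single-signal threshold would turn every failed password into an alert, which is the usual cause of UEBA fatigue; requiring two independent deviations is a crude but effective first filter before a real model is trained.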

Algorithmic fairness: The UK privacy regulator ICO decided to update its guidance to help organisations adopt new technologies while protecting people and vulnerable groups. New content was added on AI and inferences, affinity groups, special category data, as well as things to consider as part of your DPIA. The updated guidance explains the differences between fairness, algorithmic fairness, bias, and discrimination. It also explains the different sources of bias that can lead to unfairness and possible mitigation measures. There is a new section about data protection fairness considerations across the AI lifecycle, from problem formulation to decommissioning. Technical terms are also explained in the updated glossary.

Enforcement decisions

Irish queries: The Irish data protection authority DPC, in its 2022 report, stated that the most frequent GDPR topics for queries and complaints were: access requests, fair processing, disclosure, direct marketing, and the right to be forgotten (delisting and/or removal requests). Breach notifications were down 12% on 2021 figures. The most frequent cause of reported breaches, at 62% of the total, was correspondence inadvertently misdirected to the wrong recipient. Where possible, the DPC endeavoured to resolve individual complaints informally, as provided for in the Data Protection Act 2018. Overall, the DPC concluded 10,008 cases in 2022, of which 3,133 were resolved through formal complaint handling.

Medical research data: The French privacy regulator CNIL has reminded two medical research organisations of their legal obligations: to carry out a data protection impact assessment and to properly inform individuals. Health research must be authorised by the CNIL or comply with a reference methodology, and these methodologies require a DPIA before the research starts. A single analysis may cover a set of processing operations that present similar risks (e.g. similar projects using the same IT tools).

The information notices provided by the two organisations also failed to specify the nature of the information collected, its retention period, the contact details of the data protection officer, or the procedure for lodging a complaint with the CNIL. Finally, one information notice stated that the data was anonymised, which was not the case: the patient's identity had merely been replaced by a three-digit "patient number" and a "patient code" made of two letters, the initials of the person's first name and surname. Data that can still be linked back to a person with reasonable effort is pseudonymised, not anonymised, and remains personal data under the GDPR.
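The CNIL finding above is a concrete instance of a recurring mistake: a code derived deterministically from identifying attributes, with a tiny keyspace, is reversible by anyone holding a list of candidate names. The following added example (not from the CNIL decision or the TechGDPR digest; the patient directory and key are constructed) shows the initials-plus-number scheme and an unkeyed hash both falling to a simple dictionary match, and a keyed HMAC pseudonym that only the key holder can link back. It generalises slightly beyond the decision by also covering the unkeyed-hash variant, which is the usual "fix" teams reach for first.

```python
"""
Added example: why initials + a short number (or an unkeyed hash) is
pseudonymisation at best, and how a keyed pseudonym removes the trivial
re-identification. Not code from the CNIL or TechGDPR; names are constructed.
"""
import hashlib
import hmac

# Constructed patient directory (hypothetical): (first name, surname, internal number)
PATIENTS = [
    ("Anna", "Bianchi", 17),
    ("Marco", "Rossi", 42),
    ("Alberto", "Bruno", 305),
    ("Maria", "Verdi", 8),
]


def weak_patient_code(first, last, number):
    """The scheme the CNIL criticised: initials plus a three-digit number."""
    return f"{first[0].upper()}{last[0].upper()}-{number:03d}"


def weak_keyspace():
    """26*26 initial pairs times 1000 numbers: small enough to enumerate."""
    return 26 * 26 * 1000


def unkeyed_hash(first, last):
    """A common 'improvement' that does not help: any party holding a
    directory of names can recompute the hash for every candidate."""
    return hashlib.sha256(f"{first}|{last}".encode()).hexdigest()[:16]


def keyed_pseudonym(first, last, number, key: bytes):
    """HMAC-SHA256 over the identifying fields. Deterministic for the
    controller (so records stay linkable), but without the key an attacker
    cannot recompute it from a candidate name."""
    msg = f"{first}|{last}|{number}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def reidentify(token, directory, derive):
    """Dictionary attack: recompute `derive` for every candidate and compare.
    `derive` is called with (first, last, number)."""
    return [(f, l) for f, l, n in directory if derive(f, l, n) == token]


def reidentify_weak(code, directory):
    return reidentify(code, directory, weak_patient_code)


def reidentify_hash(digest, directory):
    return reidentify(digest, directory, lambda f, l, n: unkeyed_hash(f, l))


def reidentify_keyed(pseudonym, directory, key):
    """Succeeds only when the attacker has the real key."""
    return reidentify(pseudonym, directory,
                      lambda f, l, n: keyed_pseudonym(f, l, n, key))


if __name__ == "__main__":
    key = b"constructed-secret-key-kept-by-controller"
    code = weak_patient_code("Anna", "Bianchi", 17)
    print("weak code", code, "->", reidentify_weak(code, PATIENTS))
    digest = unkeyed_hash("Marco", "Rossi")
    print("unkeyed hash", digest, "->", reidentify_hash(digest, PATIENTS))
    p = keyed_pseudonym("Anna", "Bianchi", 17, key)
    print("keyed, right key ->", reidentify_keyed(p, PATIENTS, key))
    print("keyed, wrong key ->", reidentify_keyed(p, PATIENTS, b"guess"))
```

The keyed pseudonym is still personal data in the controller's hands, because the controller can reverse it; what changes is that a recipient of the pseudonymised dataset cannot. For that to hold, the key must be kept separate from the dataset (a separate system, ideally an HSM or KMS), rotated on a schedule, and never shipped to the research partner alongside the data.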

Political affiliation data: In Romania, a political party was fined following a data breach notification. The data stored on a server hosting one of the party's applications was compromised through a phishing attack. It was found that the party had not implemented adequate technical and organisational measures to ensure an appropriate level of security, such as encryption or pseudonymisation of the stored personal data, which led to a loss of confidentiality through unauthorised access to personal data including name, surname, personal numeric code, email address, telephone number, and political affiliation.

Non-conformant data breach notice: The Norwegian data protection authority Datatilsynet imposed a fine of approximately 220,000 euros on the US company Argon Medical Devices for breaching the GDPR. In July 2021, Argon discovered a security breach affecting the personal data of all of its European employees, including those in Norway. Argon believed it did not need to report the breach until it had a complete overview of the incident and all its consequences. It notified the Norwegian regulator only in September 2021, long after the 72-hour deadline under Art. 33 GDPR; the regulation expects an initial notification within that window, with further information supplied in phases as the investigation progresses. The breach concerned personal data that could be used for fraud and identity theft.

Data Security

PETs: The OECD offers guidance on emerging privacy-enhancing technologies: digital solutions that allow information to be collected, processed, analysed, and shared while protecting data confidentiality and privacy. These include zero-knowledge proofs, differential privacy, synthetic data, anonymisation and pseudonymisation tools, homomorphic encryption, multi-party computation, federated learning, and personal data stores. However, most of these tools lack standalone applications, have limited use cases, and are still at an early stage of development.

Big Tech

Meta and Dutch users: Facebook Ireland acted unlawfully when processing the personal data of Dutch users, states an Amsterdam court. Between 2010 and 2020, users’ personal information was processed illegally for marketing purposes. Additionally, it was distributed to third parties devoid of legal justification and without properly informing users about it. Also, consent was not obtained before processing sensitive personal data for advertising purposes, such as sexual orientation or religion. This concerned both information voluntarily provided by users and information that Facebook Ireland collected by observing users’ online browsing patterns outside the Facebook service. 

Meta tracking tools: According to the Austrian data protection authority DSB, the use of Facebook's tracking tools (Facebook Login and the Meta Pixel) violates both the GDPR and the CJEU's "Schrems II" ruling. Because US surveillance laws require companies such as Facebook to disclose users' information to the authorities, the CJEU invalidated the EU-US Privacy Shield in 2020, leaving transfers to such US providers without a valid legal basis. According to the NOYB foundation, which lodged the complaint, numerous websites track users with Meta's tracking technology to display personalised ads, and in doing so send user data to US multinationals. While the EU-US Data Privacy Framework awaits approval by the European Commission, the US government continues bulk surveillance of EU users.

Meta’s WhatsApp settlement in the EU: The European Commission and the European network of consumer authorities have closed their investigation into Meta’s messaging app WhatsApp following a complaint made by the BEUC, (the European Consumer Organisation). WhatsApp has committed to better explain the policy changes it intends to make and to give users a possibility to reject them as easily as to accept them. Unfortunately, this will only apply to future changes to the app. However, the complaint identified multiple breaches of consumer and data subject rights since 2021 including aggressive commercial practices, and unclear and misleading terms of use and notices to its users. 

